
Infected With Virtumundo,tr/crypt.xp Ack.gen,w32/virut.ax, Tr/crypt.nspm.gen,worm/vanbot.ax.215


  • This topic is locked
24 replies to this topic

#1 dashing25

dashing25

  • Members
  • 14 posts

Posted 17 May 2008 - 10:42 AM

Hi all,
I am new here and reached this site through Google.
For the last 15 days my computer has been behaving unexpectedly. Earlier I had McAfee antivirus installed; when it did not solve my problem, I installed Avira instead.
Before using Avira I was not able to access Google and a few other sites; now I am at least able to surf the web.
I have read a few other posts where people are having the same problems as I have, and I ran some of these programs on my computer: VundoFix, VirtumundoBeGone, Spybot Search and Destroy, Malwarebytes' Anti-Malware, SUPERAntiSpyware.exe, Ad-Aware 2007, ComboFix.exe, ATF-Cleaner.exe, SDFix.exe and the Kaspersky online antivirus scan.
All of them detected infections on my computer and resolved them, but the infection is still there, as I get constant messages from Avira.

Here is my latest DSS report. (Another question: should I post my earlier reports? I have saved them. I ran all the other programs again and most of them are now showing my system as clean, except SDFix, which discovers new infections every time I run it.)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:36 PM, on 5/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Documents and Settings\GAMEMACHINE\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\GAMEMA~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: {0a541b5d-30ee-e629-aa94-3c96ad3f28e3} - {3e82f3da-69c3-49aa-926e-ee03d5b145a0} - C:\WINDOWS\System32\uwjiahyp.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [180072e9] rundll32.exe "C:\WINDOWS\System32\gtkhcmcd.dll",b
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DriveDiscoveryMemoryResident] C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-117609710-2139871995-839522115-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-117609710-2139871995-839522115-1003\..\Run: [DriveDiscoveryMemoryResident] C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe (User '?')
O4 - HKUS\S-1-5-21-117609710-2139871995-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-117609710-2139871995-839522115-1003 Startup: WireKeys.lnk = C:\Program Files\WiredPlane\WireKeys\WireKeys.exe (User '?')
O4 - Startup: WireKeys.lnk = C:\Program Files\WiredPlane\WireKeys\WireKeys.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Request Site Approval - res://C:\Program Files\ResilientWare\WebBounds\WebBounds.dll/3000
O8 - Extra context menu item: DiaryOne: Save full text - C:\Program Files\DiaryOne\Script\fullcatcher.htm
O8 - Extra context menu item: DiaryOne: Save selected text - C:\Program Files\DiaryOne\Script\catcher.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E48F89B-53DF-4E92-91C4-E2A4C4732091}: NameServer = 202.164.51.21,202.164.32.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C149ADC-55F0-45DD-BABE-6F68B12B2E07}: NameServer = 218.248.255.194 218.248.255.146
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Privacy Service (MPS9) - Unknown owner - C:\PROGRA~1\McAfee\MPS\mps.exe (file missing)
O23 - Service: Auto Power-on & Shut-down Service (PCAutoPowerOnService) - Unknown owner - C:\Program Files\Auto Power-on\PCAutoPowerOnService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

--
End of file - 9194 bytes

-- Files created between 2008-04-17 and 2008-05-17 -----------------------------

2008-05-17 20:38:04 0 --a------ C:\WINDOWS\System32\wmsoft12676.exe
2008-05-17 20:34:02 0 --a------ C:\WINDOWS\System32\wmsoft70615.exe
2008-05-17 20:34:01 81 --a------ C:\WINDOWS\System32\i
2008-05-17 11:19:36 68096 --a------ C:\WINDOWS\zip.exe
2008-05-17 11:19:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-17 11:19:35 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-17 11:19:35 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-17 11:19:35 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-17 11:19:35 98816 --a------ C:\WINDOWS\sed.exe
2008-05-17 11:19:35 80412 --a------ C:\WINDOWS\grep.exe
2008-05-17 11:19:35 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-17 10:40:26 0 --a------ C:\WINDOWS\System32\wmsoft06058.exe
2008-05-17 10:36:34 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-17 10:36:14 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-17 10:36:14 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\SUPERAntiSpyware.com
2008-05-17 07:33:59 0 d-------- C:\Program Files\Lavasoft
2008-05-17 07:33:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 07:33:29 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 07:28:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 02:15:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 02:15:10 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-05-17 02:00:09 0 d-------- C:\WINDOWS\ERUNT
2008-05-17 01:07:12 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Malwarebytes
2008-05-17 01:07:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 01:07:07 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 11:33:52 0 d-------- C:\Program Files\Trend Micro
2008-05-16 10:34:22 0 --a------ C:\WINDOWS\System32\wmsoft01101.exe
2008-05-16 09:10:47 0 --a------ C:\WINDOWS\System32\servupdate.exe
2008-05-16 08:47:36 0 d-------- C:\Program Files\Avira
2008-05-16 08:02:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-16 07:26:58 0 --a------ C:\WINDOWS\System32\wmsoft05133.exe
2008-05-16 06:06:34 1635 --a------ C:\WINDOWS\System32\uujkip.exe
2008-05-16 06:06:34 1635 --a------ C:\WINDOWS\System32\qegi.exe
2008-05-16 05:08:28 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-05-16 05:08:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-16 05:07:06 143360 --a------ C:\WINDOWS\System32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-05-16 05:03:50 0 d-------- C:\Program Files\Common Files\McAfee
2008-05-16 05:02:09 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-15 12:13:10 0 d-------- C:\Program Files\Vodei
2008-05-15 11:42:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-15 11:39:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-15 11:38:59 0 d-------- C:\WINDOWS\System32\dFrnx06
2008-05-15 11:38:59 0 d-------- C:\Temp
2008-05-15 11:38:43 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-15 10:39:53 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Locktime
2008-05-15 10:29:25 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2008-05-15 10:27:25 0 d-------- C:\WINDOWS\Internet Logs
2008-05-15 10:26:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-05-15 03:31:08 0 d-------- C:\Videos
2008-05-15 03:30:21 0 d-------- C:\Program Files\Cool YouTube Downloader
2008-05-14 16:59:23 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Mozilla
2008-05-11 12:02:02 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Premium
2008-05-11 11:58:38 2 --a------ C:\WINDOWS\System32\LOGFILES
2008-05-11 10:42:50 1495552 --a------ C:\WINDOWS\System32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
2008-05-11 10:42:50 0 d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-08 03:10:27 0 d-------- C:\Program Files\efs
2008-05-08 00:00:07 0 d-------- C:\tst10
2008-05-07 22:05:31 0 d-------- C:\Program Files\Auto Power-on
2008-05-07 16:32:14 0 d-------- C:\WINDOWS\vbSkinner
2008-05-07 02:40:29 0 d-------- C:\clusters
2008-05-06 11:55:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2008-05-17 11:39:02 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\uTorrent
2008-05-17 07:33:29 0 d-------- C:\Program Files\Common Files
2008-05-16 08:14:10 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\SolidDocuments
2008-05-16 05:41:36 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-15 11:47:53 0 d-------- C:\Program Files\Google
2008-05-15 11:47:43 0 d-------- C:\Program Files\Hindi Songs Lyrics Directory
2008-05-15 11:47:18 0 d-------- C:\Program Files\Okoker Sudoku
2008-05-15 11:47:04 0 d-------- C:\Program Files\Personal Chess Trainer
2008-05-15 11:46:39 0 d-------- C:\Program Files\Picture Merge Genius
2008-05-15 11:45:47 0 d-------- C:\Program Files\WinAVI VideoConverter
2008-05-15 11:45:31 0 d-------- C:\Program Files\Yahoo!
2008-05-15 11:44:54 0 d-------- C:\Program Files\YouTube Video Downloader
2008-05-14 16:49:31 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\BSplayer Pro
2008-05-14 16:47:53 2891 --a------ C:\WINDOWS\mozver.dat
2008-05-13 04:27:35 0 d-------- C:\Program Files\BITSAT_2008_PCM_Sample
2008-05-09 22:24:09 0 d-------- C:\Program Files\Britannica 7.0
2008-05-09 00:07:00 0 d-------- C:\Program Files\Oxford
2008-03-22 11:54:05 0 d-------- C:\Program Files\Winamp


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3e82f3da-69c3-49aa-926e-ee03d5b145a0}]
C:\WINDOWS\System32\uwjiahyp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/06/2003 09:49 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/06/2003 09:37 PM]
"NeroFilterCheck"="C:\WINDOWS\System32\NeroCheck.exe" [07/09/2001 10:50 AM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [09/07/2006 10:49 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [12/06/2006 06:37 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [12/05/2006 10:55 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/18/2008 02:05 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]
"180072e9"="C:\WINDOWS\System32\gtkhcmcd.dll" []
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 03:08 PM]
"DriveDiscoveryMemoryResident"="C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton AntiVirus\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-05-17 20:49:09 ------------

Edited by Grinler, 21 May 2008 - 02:08 PM.
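As an added example (not code from the post, from HijackThis or from Deckard's System Scanner), here is a small Python triage script that parses lines in the HijackThis format shown above and in the DSS "Files created" listing, and flags the patterns a helper typically looks at first: entries whose file is missing, BHOs with no name or with a CLSID as their display name, Run values named like a random hex string that load a DLL through rundll32, services with an unknown owner, and zero-byte executables sitting in System32. The sample lines are constructed to resemble the thread's logs; the flag names, weights and score are this example's own assumptions, not a feature of either tool.

```python
"""Triage helper for HijackThis-style log lines and DSS file listings.
Added example for this thread, not part of the post, HijackThis or DSS.
Sample lines are constructed; flags, weights and score are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines in the HijackThis v2.0.2 text format.
SAMPLE_HJT = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {0a541b5d-30ee-e629-aa94-3c96ad3f28e3} - {3e82f3da-69c3-49aa-926e-ee03d5b145a0} - C:\WINDOWS\System32\uwjiahyp.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [180072e9] rundll32.exe "C:\WINDOWS\System32\gtkhcmcd.dll",b
O23 - Service: McAfee Privacy Service (MPS9) - Unknown owner - C:\PROGRA~1\McAfee\MPS\mps.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
""".strip().splitlines()

# Constructed sample lines in the DSS "Files created" format: date time size attrs path.
SAMPLE_DSS = r"""
2008-05-17 20:38:04 0 --a------ C:\WINDOWS\System32\wmsoft12676.exe
2008-05-17 11:19:36 68096 --a------ C:\WINDOWS\zip.exe
2008-05-16 06:06:34 1635 --a------ C:\WINDOWS\System32\uujkip.exe
2008-05-17 10:36:14 0 d-------- C:\Program Files\SUPERAntiSpyware
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|bat|cab)\b', re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"^\[(?P<name>[^\]]+)\]")
DSS_RE = re.compile(r"^(\S+ \S+) (\d+) (\S{9}) (.+)$")

# Each flag carries a weight; the sum is a rough "look at this first" score (assumed values).
WEIGHTS = {
    "missing_file": 1,   # entry points at a file that is gone (often an uninstall leftover)
    "unknown_owner": 1,  # service with no recorded vendor
    "no_name": 2,        # BHO/toolbar without a display name
    "hex_run_name": 2,   # Run value named like a random hex string
    "guid_as_name": 3,   # BHO whose display name is itself a CLSID
    "rundll32_dll": 3,   # Run entry loading a DLL through rundll32
}


@dataclass
class Entry:
    section: str
    raw: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[f] for f in self.flags)


def parse_hjt_line(line: str) -> Optional[Entry]:
    """Turn one 'Oxx - ...' line into an Entry with heuristic flags, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    pm = PATH_RE.search(body)
    e = Entry(section, line.strip(), pm.group(0) if pm else None)
    detail = body.split(": ", 1)[1] if ": " in body else body  # text after "BHO:", "Run:", ...
    if "(file missing)" in body or "(no file)" in body:
        e.flags.append("missing_file")
    if section in ("O2", "O3") and "(no name)" in body:
        e.flags.append("no_name")
    if section == "O2" and GUID_RE.match(detail.split(" - ")[0]):
        e.flags.append("guid_as_name")
    if section == "O4":
        rn = RUN_NAME_RE.match(detail)
        if rn and re.fullmatch(r"[0-9a-f]{8}", rn.group("name")):
            e.flags.append("hex_run_name")
        if "rundll32" in detail.lower() and e.path and e.path.lower().endswith(".dll"):
            e.flags.append("rundll32_dll")
    if section == "O23" and "Unknown owner" in body:
        e.flags.append("unknown_owner")
    return e


def triage(lines: List[str]) -> List[Entry]:
    """Return only flagged entries, highest score first."""
    entries = [e for e in map(parse_hjt_line, lines) if e is not None and e.flags]
    return sorted(entries, key=lambda e: -e.score)


def zero_byte_executables(lines: List[str]) -> List[str]:
    """From a DSS file listing, return 0-byte .exe files under System32 (constructed heuristic)."""
    found = []
    for line in lines:
        m = DSS_RE.match(line.strip())
        if not m:
            continue
        size, attrs, path = int(m.group(2)), m.group(3), m.group(4)
        low = path.lower()
        if attrs[0] != "d" and size == 0 and low.endswith(".exe") and "\\system32\\" in low:
            found.append(path)
    return found


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT):
        print(f"score={e.score} flags={','.join(e.flags)} :: {e.raw}")
    print("zero-byte executables:", zero_byte_executables(SAMPLE_DSS))
```

Run it as a script to print the flagged lines ordered by score, or feed it a saved log with `triage(open(path).read().splitlines())`. A high score is a prompt to look closer, which is what the helpers in this thread do by hand, not a verdict: the missing_file flag on its own usually marks a leftover from an uninstall, as with the McAfee services in the log above, while a hex-named Run value loading a DLL through rundll32 matches the Vundo-style entry the log shows.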



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 May 2008 - 07:16 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

What I'd like you to do first is to delete SDFix from your computer and then we will download the most current version.
These specialized tools are updated frequently, so we want to be sure we're working with the most current version.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 dashing25

dashing25
  • Topic Starter

  • Members
  • 14 posts

Posted 18 May 2008 - 06:29 AM

Hi Sam, thanks for the quick reply :thumbsup:
I did as you told me to do and here are my reports:

SDFix: Version 1.183
Run by GAMEMACHINE on Sun 05/18/2008 at 04:44 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\wmsoft10145.exe - Deleted
C:\WINDOWS\system32\wmsoft13420.exe - Deleted
C:\WINDOWS\system32\wmsoft14354.exe - Deleted
C:\WINDOWS\system32\wmsoft14856.exe - Deleted
C:\WINDOWS\system32\wmsoft41843.exe - Deleted
C:\WINDOWS\system32\wmsoft60043.exe - Deleted
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted



Folder C:\Temp\tmpvc14 - Removed
Folder C:\WINDOWS\system32\dFrnx06 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 16:48:57
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\$winnt32$_test]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]
"ujdew"=hex:20,02,00,00,c4,d7,af,7c,0a,27,5b,38,d5,99,c6,77,14,a5,a1,ef,27,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41]
"ujdew"=hex:20,02,00,00,78,d7,af,7c,56,4f,5e,39,01,22,f9,b9,d0,6f,00,4e,33,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg410]
"ujdew"=hex:20,02,00,00,a4,7c,6d,1d,ea,12,a1,20,35,f9,be,40,f4,37,64,44,07,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg411]
"ujdew"=hex:20,02,00,00,e9,7b,6d,1d,49,0d,67,81,f8,4e,d4,ab,3b,2b,58,30,b2,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg412]
"ujdew"=hex:20,02,00,00,0d,7b,6d,1d,25,57,09,6d,24,7c,81,b6,b7,97,a2,1b,1e,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg413]
"ujdew"=hex:20,02,00,00,a0,7a,6d,1d,5e,d7,fb,78,e9,e5,66,e0,98,c2,4b,71,5b,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg414]
"ujdew"=hex:20,02,00,00,d4,79,6d,1d,7a,c0,23,46,45,32,0e,6b,c4,32,ea,d4,d7,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg415]
"ujdew"=hex:20,02,00,00,77,79,6d,1d,c3,ee,88,f3,ba,c1,d2,cc,85,70,eb,b2,04,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg416]
"ujdew"=hex:20,02,00,00,eb,78,6d,1d,af,72,a6,76,d6,b0,41,77,81,15,ed,17,50,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg417]
"ujdew"=hex:20,02,00,00,1f,78,6d,1d,4b,6c,ce,43,82,0c,e9,f9,cd,85,8f,fb,2c,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg418]
"ujdew"=hex:20,02,00,00,b2,67,6d,1d,e4,13,5b,c5,77,e6,e9,d8,de,60,38,69,69,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg419]
"ujdew"=hex:20,02,00,00,d6,66,6d,1d,50,66,0d,b1,b3,0b,a2,2b,aa,cc,82,4c,f5,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42]
"ujdew"=hex:20,02,00,00,eb,d6,af,7c,af,78,54,4a,d6,46,f5,fb,81,83,f8,aa,50,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg420]
"ujdew"=hex:20,02,00,00,6b,66,6d,1d,2f,92,2e,29,56,1a,7a,a6,01,f9,3e,ba,d0,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg421]
"ujdew"=hex:20,02,00,00,8e,65,6d,1d,08,82,b8,a2,0b,7d,b4,48,42,e5,7f,15,8d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg422]
"ujdew"=hex:20,02,00,00,32,65,6d,1d,64,03,39,02,f7,df,fb,1a,5e,a4,79,7b,e9,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg423]
"ujdew"=hex:20,02,00,00,55,64,6d,1d,4d,f3,d3,bb,ac,32,35,3d,9f,87,c6,d6,46,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg424]
"ujdew"=hex:20,02,00,00,8b,63,6d,1d,4f,99,2a,2d,76,34,df,d0,a1,f0,6c,8a,f0,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg425]
"ujdew"=hex:20,02,00,00,2e,63,6d,1d,28,c7,93,5a,ab,bb,a3,ba,62,37,6d,60,2d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg426]
"ujdew"=hex:20,02,00,00,42,62,6d,1d,54,63,cf,e4,67,c3,61,0d,0e,88,5f,cb,99,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg427]
"ujdew"=hex:20,02,00,00,e6,61,6d,1d,80,e3,4f,44,23,2d,b5,df,1a,4f,66,29,e5,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg428]
"ujdew"=hex:20,02,00,00,0a,61,6d,1d,7c,36,f1,37,6f,53,6e,2a,96,ab,a0,0c,41,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg429]
"ujdew"=hex:20,02,00,00,ae,60,6d,1d,a8,b6,71,97,2b,bd,b5,f4,e2,6a,ab,72,ad,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg43]
"ujdew"=hex:20,02,00,00,8c,0e,66,ad,d2,c2,43,d6,dd,21,12,80,fc,58,19,6c,ef,..
"ljej40"=hex:87,66,11,6b,cd,5f,1c,d7,8d,90,a9,aa,f2,50,f6,b6,f2,af,25,47,71,..
"ljej41"=hex:16,66,11,6b,b5,5f,1c,d7,8c,90,a8,aa,f3,50,f6,b6,f2,af,25,47,61,..
"ljej42"=hex:16,66,11,6b,b5,5f,1c,d7,8c,90,a8,aa,f3,50,f6,b6,f2,af,25,47,61,..
"ljej43"=hex:16,66,11,6b,b5,5f,1c,d7,8c,90,a8,aa,f3,50,f6,b6,f2,af,25,47,61,..
"ljej44"=hex:16,66,11,6b,b5,5f,1c,d7,8c,90,a8,aa,f3,50,f6,b6,f2,af,25,47,61,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg430]
"ujdew"=hex:20,02,00,00,f2,6f,6d,1d,a4,1e,75,80,37,c0,21,c2,9e,3d,9e,3e,29,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg44]
"ujdew"=hex:20,02,00,00,20,0e,66,ad,de,a4,4d,14,69,65,6b,da,18,14,cb,d1,db,..
"ljej40"=hex:2e,f6,f6,b6,b6,1f,22,3a,0c,cb,d8,17,05,23,5c,6e,0b,90,6a,29,1a,..
"ljej41"=hex:bf,f6,f6,b6,ce,1f,22,3a,0d,cb,d9,17,04,23,5c,6e,0b,90,6a,29,2a,..
"ljej42"=hex:bf,f6,f6,b6,ce,1f,22,3a,0d,cb,d9,17,04,23,5c,6e,0b,90,6a,29,2a,..
"ljej43"=hex:bf,f6,f6,b6,ce,1f,22,3a,0d,cb,d9,17,04,23,5c,6e,0b,90,6a,29,2a,..
"ljej44"=hex:bf,f6,f6,b6,ce,1f,22,3a,0d,cb,d9,17,04,23,5c,6e,0b,90,6a,29,2a,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg45]
"ujdew"=hex:20,02,00,00,05,0d,66,ad,5d,ae,21,bc,7c,c3,d3,6d,6f,cc,bf,83,96,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg46]
"ujdew"=hex:20,02,00,00,c5,7e,6d,1d,9d,9c,f8,e4,bc,ea,7e,5f,af,30,10,c0,d6,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg47]
"ujdew"=hex:20,02,00,00,79,7e,6d,1d,39,c4,ff,e5,e8,73,b1,e1,6b,fb,72,a6,22,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg48]
"ujdew"=hex:20,02,00,00,9d,7d,6d,1d,95,0e,a1,51,d4,a1,6d,ec,e7,67,bd,89,8e,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg49]
"ujdew"=hex:20,02,00,00,31,7d,6d,1d,91,e0,ab,97,60,e5,c2,06,03,13,6f,6f,fa,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0E93EB77-8A1E-26FB-5BBA-AD76E28B6A28}]
"abpfmgklphkjkalbbkdnllgppeeedjfgaa"=hex:61,62,62,66,68,62,61,64,6e,6e,67,66,65,6a,62,6a,66,69,62,6c,64,..
"bbpfmgklphkjkalbbkenojhdidalbndfgkbb"=hex:61,62,69,65,70,6c,64,67,70,64,67,6f,6e,6e,6e,70,70,66,65,70,62,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F1388F7A-C4B0-3DA9-A7E1-79A2C806CF92}]
"iafokneencdbmgdaeg"=hex:69,61,66,64,6a,6a,63,66,68,6d,6f,70,6e,6d,66,64,66,6f,00,00
"haloiodoacfnopdm"=hex:69,61,66,64,6a,6a,63,66,68,6d,6f,70,6e,6d,66,64,66,6f,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!







Deckard's System Scanner v20071014.68
Run by GAMEMACHINE on 2008-05-18 16:52:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 1.28 GiB (less than 15%) free.


-- HijackThis (run as GAMEMACHINE.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:01 PM, on 5/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\GAMEMACHINE\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\GAMEMA~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: {0a541b5d-30ee-e629-aa94-3c96ad3f28e3} - {3e82f3da-69c3-49aa-926e-ee03d5b145a0} - C:\WINDOWS\System32\uwjiahyp.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C23AB0C-0244-4B01-8253-BEE724D0D2EC} - C:\WINDOWS\System32\pmnliIbb.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [180072e9] rundll32.exe "C:\WINDOWS\System32\gtkhcmcd.dll",b
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DriveDiscoveryMemoryResident] C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AutoPowerOn] C:\Program Files\AutoPowerOn\AutoPowerOn.exe
O4 - Startup: WireKeys.lnk = C:\Program Files\WiredPlane\WireKeys\WireKeys.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Request Site Approval - res://C:\Program Files\ResilientWare\WebBounds\WebBounds.dll/3000
O8 - Extra context menu item: DiaryOne: Save full text - C:\Program Files\DiaryOne\Script\fullcatcher.htm
O8 - Extra context menu item: DiaryOne: Save selected text - C:\Program Files\DiaryOne\Script\catcher.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E48F89B-53DF-4E92-91C4-E2A4C4732091}: NameServer = 202.164.51.21,202.164.32.82
O20 - Winlogon Notify: pmnliIbb - C:\WINDOWS\SYSTEM32\pmnliIbb.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)
O23 - Service: McAfee Privacy Service (MPS9) - Unknown owner - C:\PROGRA~1\McAfee\MPS\mps.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

--
End of file - 8380 bytes

-- Files created between 2008-04-18 and 2008-05-18 -----------------------------

2008-05-18 16:33:41 0 --a------ C:\WINDOWS\System32\wmsoft05143.exe
2008-05-18 16:32:51 0 --a------ C:\WINDOWS\System32\wmsoft03164.exe
2008-05-18 06:13:49 57344 --a------ C:\WINDOWS\System32\pmnliIbb.dll
2008-05-18 06:13:23 0 --a------ C:\WINDOWS\System32\xfyphieu.exe
2008-05-18 06:13:23 9216 --a------ C:\WINDOWS\System32\eiodjo.exe
2008-05-18 04:22:42 0 d-------- C:\Program Files\AutoPowerOn
2008-05-17 23:14:32 0 d-------- C:\Documents and Settings\All Users\Application Data\AutoPowerOn
2008-05-17 11:19:36 68096 --a------ C:\WINDOWS\zip.exe
2008-05-17 11:19:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-17 11:19:35 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-17 11:19:35 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-17 11:19:35 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-17 11:19:35 98816 --a------ C:\WINDOWS\sed.exe
2008-05-17 11:19:35 80412 --a------ C:\WINDOWS\grep.exe
2008-05-17 11:19:35 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-17 10:40:26 0 --a------ C:\WINDOWS\System32\wmsoft06058.exe
2008-05-17 10:36:34 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-17 10:36:14 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-17 10:36:14 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\SUPERAntiSpyware.com
2008-05-17 07:33:59 0 d-------- C:\Program Files\Lavasoft
2008-05-17 07:33:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 07:33:29 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 07:28:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 02:15:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 02:15:10 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-05-17 02:00:09 0 d-------- C:\WINDOWS\ERUNT
2008-05-17 01:07:12 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Malwarebytes
2008-05-17 01:07:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 01:07:07 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 11:33:52 0 d-------- C:\Program Files\Trend Micro
2008-05-16 10:34:22 0 --a------ C:\WINDOWS\System32\wmsoft01101.exe
2008-05-16 09:10:47 0 --a------ C:\WINDOWS\System32\servupdate.exe
2008-05-16 08:47:36 0 d-------- C:\Program Files\Avira
2008-05-16 08:02:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-16 07:26:58 0 --a------ C:\WINDOWS\System32\wmsoft05133.exe
2008-05-16 06:06:34 1635 --a------ C:\WINDOWS\System32\uujkip.exe
2008-05-16 06:06:34 1635 --a------ C:\WINDOWS\System32\qegi.exe
2008-05-16 05:08:28 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-05-16 05:08:22 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-16 05:07:06 143360 --a------ C:\WINDOWS\System32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2008-05-16 05:03:50 0 d-------- C:\Program Files\Common Files\McAfee
2008-05-16 05:02:09 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-15 12:13:10 0 d-------- C:\Program Files\Vodei
2008-05-15 11:42:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-15 11:39:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-05-15 11:38:59 0 d-------- C:\Temp
2008-05-15 11:38:43 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-15 10:39:53 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Locktime
2008-05-15 10:29:25 4212 ---h----- C:\WINDOWS\System32\zllictbl.dat
2008-05-15 10:27:25 0 d-------- C:\WINDOWS\Internet Logs
2008-05-15 10:26:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-05-15 03:31:08 0 d-------- C:\Videos
2008-05-15 03:30:21 0 d-------- C:\Program Files\Cool YouTube Downloader
2008-05-14 16:59:23 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Mozilla
2008-05-11 12:02:02 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Premium
2008-05-11 11:58:38 2 --a------ C:\WINDOWS\System32\LOGFILES
2008-05-11 10:42:50 1495552 --a------ C:\WINDOWS\System32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
2008-05-11 10:42:50 0 d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-08 03:10:27 0 d-------- C:\Program Files\efs
2008-05-08 00:00:07 0 d-------- C:\tst10
2008-05-07 16:32:14 0 d-------- C:\WINDOWS\vbSkinner
2008-05-07 02:40:29 0 d-------- C:\clusters
2008-05-06 11:55:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Google


-- Find3M Report ---------------------------------------------------------------

2008-05-18 16:34:38 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\uTorrent
2008-05-18 03:21:51 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\SolidDocuments
2008-05-17 07:33:29 0 d-------- C:\Program Files\Common Files
2008-05-16 05:41:36 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-15 11:47:53 0 d-------- C:\Program Files\Google
2008-05-15 11:47:43 0 d-------- C:\Program Files\Hindi Songs Lyrics Directory
2008-05-15 11:47:18 0 d-------- C:\Program Files\Okoker Sudoku
2008-05-15 11:47:04 0 d-------- C:\Program Files\Personal Chess Trainer
2008-05-15 11:46:39 0 d-------- C:\Program Files\Picture Merge Genius
2008-05-15 11:45:47 0 d-------- C:\Program Files\WinAVI VideoConverter
2008-05-15 11:45:31 0 d-------- C:\Program Files\Yahoo!
2008-05-15 11:44:54 0 d-------- C:\Program Files\YouTube Video Downloader
2008-05-14 16:49:31 0 d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\BSplayer Pro
2008-05-14 16:47:53 2891 --a------ C:\WINDOWS\mozver.dat
2008-05-13 04:27:35 0 d-------- C:\Program Files\BITSAT_2008_PCM_Sample
2008-05-09 22:24:09 0 d-------- C:\Program Files\Britannica 7.0
2008-05-09 00:07:00 0 d-------- C:\Program Files\Oxford
2008-03-22 11:54:05 0 d-------- C:\Program Files\Winamp


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3e82f3da-69c3-49aa-926e-ee03d5b145a0}]
C:\WINDOWS\System32\uwjiahyp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}]
05/18/2008 06:14 AM 57344 --a------ C:\WINDOWS\System32\pmnliIbb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [04/06/2003 09:49 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [04/06/2003 09:37 PM]
"NeroFilterCheck"="C:\WINDOWS\System32\NeroCheck.exe" [07/09/2001 10:50 AM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [09/07/2006 10:49 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [12/06/2006 06:37 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [12/05/2006 10:55 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [02/18/2008 02:05 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM]
"180072e9"="C:\WINDOWS\System32\gtkhcmcd.dll" []
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" []
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/20/2002 03:08 PM]
"DriveDiscoveryMemoryResident"="C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"AutoPowerOn"="C:\Program Files\AutoPowerOn\AutoPowerOn.exe" [04/25/2008 12:20 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}"= C:\WINDOWS\System32\pmnliIbb.dll [05/18/2008 06:14 AM 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnliIbb]
pmnliIbb.dll 05/18/2008 06:14 AM 57344 C:\WINDOWS\system32\pmnliIbb.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton AntiVirus\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-05-18 16:53:41 ------------

Edited by dashing25, 18 May 2008 - 06:31 AM.


#4 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 18 May 2008 - 09:51 AM

We need to do the same thing with Combofix so we have the current version.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, select "2"


===================


Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 dashing25

  • Topic Starter

  • Members
  • 14 posts

Posted 18 May 2008 - 12:33 PM

Hello again Sam :thumbsup:

ComboFix 08-05-15.3 - GAMEMACHINE 2008-05-18 22:51:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.407 [GMT 5.5:30]
Running from: C:\Documents and Settings\GAMEMACHINE\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 22:45 . 2008-05-18 22:45 57 --a------ C:\WINDOWS\system32\o
2008-05-18 19:53 . 2008-05-18 19:53 0 -ra------ C:\WINDOWS\system32\TFTP3180
2008-05-18 19:52 . 2008-05-18 19:52 0 --a------ C:\WINDOWS\system32\wmsoft71021.exe
2008-05-18 19:48 . 2008-05-18 19:48 0 --a------ C:\WINDOWS\system32\wmsoft77662.exe
2008-05-18 19:46 . 2008-05-18 19:46 0 --a------ C:\WINDOWS\system32\wmsoft70282.exe
2008-05-18 19:42 . 2008-05-18 19:42 0 --a------ C:\WINDOWS\system32\wmsoft13387.exe
2008-05-18 19:41 . 2008-05-18 19:41 0 --a------ C:\WINDOWS\system32\wmsoft15538.exe
2008-05-18 18:52 . 2008-05-18 18:52 0 --a------ C:\WINDOWS\system32\wmsoft20405.exe
2008-05-18 18:49 . 2008-05-18 18:49 0 --a------ C:\WINDOWS\system32\wmsoft16405.exe
2008-05-18 18:48 . 2008-05-18 18:48 0 --a------ C:\WINDOWS\system32\wmsoft54443.exe
2008-05-18 18:47 . 2008-05-18 18:47 0 --a------ C:\WINDOWS\system32\wmsoft88264.exe
2008-05-18 18:44 . 2008-05-18 18:44 0 --a------ C:\WINDOWS\system32\wmsoft46885.exe
2008-05-18 18:44 . 2008-05-18 18:44 0 --a------ C:\WINDOWS\system32\wmsoft46655.exe
2008-05-18 18:42 . 2008-05-18 18:42 0 --a------ C:\WINDOWS\system32\wmsoft64600.exe
2008-05-18 18:42 . 2008-05-18 18:42 0 --a------ C:\WINDOWS\system32\wmsoft06767.exe
2008-05-18 18:41 . 2008-05-18 18:41 0 --a------ C:\WINDOWS\system32\wmsoft54817.exe
2008-05-18 18:40 . 2008-05-18 18:40 0 --a------ C:\WINDOWS\system32\wmsoft58467.exe
2008-05-18 18:38 . 2008-05-18 18:38 0 --a------ C:\WINDOWS\system32\wmsoft40278.exe
2008-05-18 18:34 . 2008-05-18 18:34 0 --a------ C:\WINDOWS\system32\wmsoft88485.exe
2008-05-18 18:32 . 2008-05-18 18:32 0 --a------ C:\WINDOWS\system32\wmsoft13352.exe
2008-05-18 18:31 . 2008-05-18 18:31 0 --a------ C:\WINDOWS\system32\wmsoft36285.exe
2008-05-18 18:30 . 2008-05-18 18:30 0 --a------ C:\WINDOWS\system32\wmsoft38738.exe
2008-05-18 18:29 . 2008-05-18 18:29 0 --a------ C:\WINDOWS\system32\wmsoft15431.exe
2008-05-18 18:27 . 2008-05-18 18:27 0 --a------ C:\WINDOWS\system32\wmsoft84406.exe
2008-05-18 18:27 . 2008-05-18 18:27 0 --a------ C:\WINDOWS\system32\wmsoft67008.exe
2008-05-18 18:27 . 2008-05-18 18:27 0 --a------ C:\WINDOWS\system32\wmsoft31118.exe
2008-05-18 18:24 . 2008-05-18 18:24 0 --a------ C:\WINDOWS\system32\wmsoft34375.exe
2008-05-18 18:19 . 2008-05-18 18:19 0 --a------ C:\WINDOWS\system32\wmsoft28683.exe
2008-05-18 18:17 . 2008-05-18 18:17 0 --a------ C:\WINDOWS\system32\wmsoft55385.exe
2008-05-18 18:16 . 2008-05-18 18:16 0 --a------ C:\WINDOWS\system32\wmsoft70503.exe
2008-05-18 18:16 . 2008-05-18 18:16 0 --a------ C:\WINDOWS\system32\wmsoft38873.exe
2008-05-18 18:12 . 2008-05-18 18:12 0 --a------ C:\WINDOWS\system32\wmsoft54346.exe
2008-05-18 18:10 . 2008-05-18 18:10 0 --a------ C:\WINDOWS\system32\wmsoft44438.exe
2008-05-18 17:20 . 2008-05-18 17:20 0 --a------ C:\WINDOWS\system32\wmsoft82645.exe
2008-05-18 17:20 . 2008-05-18 17:20 0 --a------ C:\WINDOWS\system32\wmsoft42186.exe
2008-05-18 17:19 . 2008-05-18 17:19 0 --a------ C:\WINDOWS\system32\wmsoft68424.exe
2008-05-18 16:58 . 2008-05-18 16:58 0 -ra------ C:\WINDOWS\system32\TFTP3428
2008-05-18 16:55 . 2008-05-18 19:52 78 --a------ C:\WINDOWS\system32\i
2008-05-18 16:55 . 2008-05-18 16:55 0 --a------ C:\WINDOWS\system32\wmsoft22868.exe
2008-05-18 16:33 . 2008-05-18 16:33 0 --a------ C:\WINDOWS\system32\wmsoft05143.exe
2008-05-18 16:32 . 2008-05-18 16:32 0 --a------ C:\WINDOWS\system32\wmsoft03164.exe
2008-05-18 06:13 . 2008-05-18 06:14 57,344 --a------ C:\WINDOWS\system32\pmnliIbb.dll
2008-05-18 06:13 . 2008-05-18 06:13 9,216 --a------ C:\WINDOWS\system32\eiodjo.exe
2008-05-18 04:22 . 2008-05-18 04:22 <DIR> d-------- C:\Program Files\AutoPowerOn
2008-05-17 23:14 . 2008-05-17 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AutoPowerOn
2008-05-17 10:40 . 2008-05-17 10:40 0 --a------ C:\WINDOWS\system32\wmsoft06058.exe
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\SUPERAntiSpyware.com
2008-05-17 10:36 . 2008-05-17 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-17 07:33 . 2008-05-17 07:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-17 07:33 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 07:33 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 07:28 . 2008-05-17 07:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 07:28 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 02:00 . 2008-05-17 02:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-17 01:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 11:33 . 2008-05-16 11:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 10:34 . 2008-05-16 10:34 0 --a------ C:\WINDOWS\system32\wmsoft01101.exe
2008-05-16 09:10 . 2008-05-18 19:39 0 --a------ C:\WINDOWS\system32\servupdate.exe
2008-05-16 08:47 . 2008-05-16 08:47 <DIR> d-------- C:\Program Files\Avira
2008-05-16 08:02 . 2008-05-16 08:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-16 07:26 . 2008-05-16 07:26 0 --a------ C:\WINDOWS\system32\wmsoft05133.exe
2008-05-16 06:06 . 2008-05-16 06:06 1,635 --a------ C:\WINDOWS\system32\uujkip.exe
2008-05-16 06:06 . 2008-05-16 06:06 1,635 --a------ C:\WINDOWS\system32\qegi.exe
2008-05-16 05:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-16 05:20 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-16 05:08 . 2008-05-16 05:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-16 05:07 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-05-16 05:04 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-05-16 05:03 . 2008-05-16 05:41 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-16 05:02 . 2008-05-16 05:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-16 03:56 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-16 03:56 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-16 03:56 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-15 12:13 . 2008-05-15 12:13 <DIR> d-------- C:\Program Files\Vodei
2008-05-15 11:42 . 2008-05-15 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-15 11:38 . 2008-05-18 16:48 <DIR> d-------- C:\Temp
2008-05-15 10:39 . 2008-05-15 10:39 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Locktime
2008-05-15 10:29 . 2008-05-15 11:04 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-05-15 10:27 . 2008-05-15 12:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-15 10:26 . 2008-05-15 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-05-15 03:31 . 2008-05-15 03:31 <DIR> d-------- C:\Videos
2008-05-15 03:30 . 2008-05-17 05:20 <DIR> d-------- C:\Program Files\Cool YouTube Downloader
2008-05-14 21:45 . 2008-05-14 21:45 176 --a------ C:\WINDOWS\wininit.ini
2008-05-14 03:55 . 2008-05-16 04:36 109,834 --a------ C:\WINDOWS\BM1b334175.xml
2008-05-11 12:02 . 2008-05-11 12:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Premium
2008-05-11 11:58 . 2008-05-11 11:58 2 --a------ C:\WINDOWS\system32\LOGFILES
2008-05-11 10:42 . 2008-05-11 10:42 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-11 10:42 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-05-08 17:35 . 2001-08-17 22:36 99,328 --a------ C:\WINDOWS\system32\irftp.exe
2008-05-08 17:35 . 2002-08-29 03:40 78,336 --a------ C:\WINDOWS\system32\irmon.dll
2008-05-08 17:35 . 2001-08-17 13:51 55,296 --a------ C:\WINDOWS\system32\drivers\irda.sys
2008-05-08 17:35 . 2001-08-17 22:37 48,128 --a------ C:\WINDOWS\system32\irprops.cpl
2008-05-08 17:35 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2008-05-08 17:35 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
2008-05-08 17:35 . 2001-08-17 22:36 7,680 --a------ C:\WINDOWS\system32\wshirda.dll
2008-05-08 03:10 . 2008-05-08 03:10 <DIR> d-------- C:\Program Files\efs
2008-05-08 00:32 . 2008-05-08 00:32 168,230 --a------ C:\tst10.rar
2008-05-08 00:00 . 2008-05-08 01:40 <DIR> d-------- C:\tst10
2008-05-07 22:47 . 2008-05-17 23:00 18 --a------ C:\WINDOWS\power-on-task.ini
2008-05-07 16:32 . 2008-05-07 16:32 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-05-07 02:40 . 2008-05-17 11:40 <DIR> d-------- C:\clusters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 17:18 368,704 ----a-w C:\WINDOWS\system32\nnnnOiIC.dll
2008-05-18 14:00 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\uTorrent
2008-05-18 13:00 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\SolidDocuments
2008-05-16 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-05-16 00:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-16 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 09:54 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SolidDocuments
2008-05-15 07:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-15 06:17 --------- d-----w C:\Program Files\Personal Chess Trainer
2008-05-15 06:17 --------- d-----w C:\Program Files\Okoker Sudoku
2008-05-15 06:17 --------- d-----w C:\Program Files\Hindi Songs Lyrics Directory
2008-05-15 06:17 --------- d-----w C:\Program Files\Google
2008-05-15 06:16 --------- d-----w C:\Program Files\Picture Merge Genius
2008-05-15 06:15 --------- d-----w C:\Program Files\Yahoo!
2008-05-15 06:15 --------- d-----w C:\Program Files\WinAVI VideoConverter
2008-05-15 06:14 --------- d-----w C:\Program Files\YouTube Video Downloader
2008-05-14 11:19 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\BSplayer Pro
2008-05-12 22:57 --------- d-----w C:\Program Files\BITSAT_2008_PCM_Sample
2008-05-11 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-09 16:54 --------- d-----w C:\Program Files\Britannica 7.0
2008-05-08 18:37 --------- d-----w C:\Program Files\Oxford
2008-05-05 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NFS Underground
2008-03-22 06:24 --------- d-----w C:\Program Files\Winamp
2007-05-29 10:57 87,608 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\inst.exe
2007-05-29 10:57 47,360 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\pcouffin.sys
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3e82f3da-69c3-49aa-926e-ee03d5b145a0}]
C:\WINDOWS\System32\uwjiahyp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}]
2008-05-18 06:14 57344 --a------ C:\WINDOWS\system32\pmnliIbb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"DriveDiscoveryMemoryResident"="C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"AutoPowerOn"="C:\Program Files\AutoPowerOn\AutoPowerOn.exe" [2008-04-25 12:20 3021312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 21:49 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 21:37 114688]
"NeroFilterCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 10:50 155648]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 22:49 15872]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-18 14:05 98304]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"180072e9"="C:\WINDOWS\System32\gtkhcmcd.dll" [ ]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-03 15:05:12 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}"= C:\WINDOWS\system32\pmnliIbb.dll [2008-05-18 06:14 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnliIbb]
pmnliIbb.dll 2008-05-18 06:14 57344 C:\WINDOWS\system32\pmnliIbb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]
R0 HFXP2;HFXP2;C:\WINDOWS\System32\DRIVERS\HFXP2.SYS [2006-08-01 20:20]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2008-01-21 18:12]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
S1 pcii;pcii;C:\WINDOWS\System32\drivers\pcii.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\System32\Drivers\APLMp50.sys [2005-02-16 13:36]
S3 pctvvbi;PCTVVBI;C:\WINDOWS\System32\DRIVERS\pctvvbi.sys [2002-04-02 15:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 23:34:29 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-15 23:34:28 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-17 17:43:00 C:\WINDOWS\Tasks\reboot.job"
- C:\tst10\reboot.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 22:52:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [3516] 0x8317FB30

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pmnliIbb.dll
.
Completion time: 2008-05-18 22:55:17
ComboFix-quarantined-files.txt 2008-05-18 17:24:25
ComboFix2.txt 2008-05-17 05:58:18

Pre-Run: 1,436,672,000 bytes free
Post-Run: 1,425,436,672 bytes free


#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 May 2008 - 06:56 AM

You've got a lot going on in that log, but we're going to try to get it all right now. This fix will comprise three phases. Be sure to follow the instructions carefully and in order. Save the requested logs and post them back here once you have completed all three steps.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
pcii

File::
C:\WINDOWS\System32\drivers\pcii.sys
C:\WINDOWS\system32\o
C:\WINDOWS\system32\TFTP3180
C:\WINDOWS\system32\wmsoft71021.exe
C:\WINDOWS\system32\wmsoft77662.exe
C:\WINDOWS\system32\wmsoft70282.exe
C:\WINDOWS\system32\wmsoft13387.exe
C:\WINDOWS\system32\wmsoft15538.exe
C:\WINDOWS\system32\wmsoft20405.exe
C:\WINDOWS\system32\wmsoft16405.exe
C:\WINDOWS\system32\wmsoft54443.exe
C:\WINDOWS\system32\wmsoft88264.exe
C:\WINDOWS\system32\wmsoft46885.exe
C:\WINDOWS\system32\wmsoft46655.exe
C:\WINDOWS\system32\wmsoft64600.exe
C:\WINDOWS\system32\wmsoft06767.exe
C:\WINDOWS\system32\wmsoft54817.exe
C:\WINDOWS\system32\wmsoft58467.exe
C:\WINDOWS\system32\wmsoft40278.exe
C:\WINDOWS\system32\wmsoft88485.exe
C:\WINDOWS\system32\wmsoft13352.exe
C:\WINDOWS\system32\wmsoft36285.exe
C:\WINDOWS\system32\wmsoft38738.exe
C:\WINDOWS\system32\wmsoft15431.exe
C:\WINDOWS\system32\wmsoft84406.exe
C:\WINDOWS\system32\wmsoft67008.exe
C:\WINDOWS\system32\wmsoft31118.exe
C:\WINDOWS\system32\wmsoft34375.exe
C:\WINDOWS\system32\wmsoft28683.exe
C:\WINDOWS\system32\wmsoft55385.exe
C:\WINDOWS\system32\wmsoft70503.exe
C:\WINDOWS\system32\wmsoft38873.exe
C:\WINDOWS\system32\wmsoft54346.exe
C:\WINDOWS\system32\wmsoft44438.exe
C:\WINDOWS\system32\wmsoft82645.exe
C:\WINDOWS\system32\wmsoft42186.exe
C:\WINDOWS\system32\wmsoft68424.exe
C:\WINDOWS\system32\TFTP3428
C:\WINDOWS\system32\i
C:\WINDOWS\system32\wmsoft22868.exe
C:\WINDOWS\system32\wmsoft05143.exe
C:\WINDOWS\system32\wmsoft03164.exe
C:\WINDOWS\system32\pmnliIbb.dll
C:\WINDOWS\system32\eiodjo.exe
C:\WINDOWS\system32\wmsoft06058.exe
C:\WINDOWS\system32\wmsoft01101.exe
C:\WINDOWS\system32\servupdate.exe
C:\WINDOWS\system32\wmsoft05133.exe
C:\WINDOWS\system32\uujkip.exe
C:\WINDOWS\system32\qegi.exe
C:\WINDOWS\system32\epoPGPsdk.dll
C:\WINDOWS\system32\nnnnOiIC.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3e82f3da-69c3-49aa-926e-ee03d5b145a0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"180072e9"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnliIbb]

Prior to running ComboFix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================



Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum



====================



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Please post the contents of the log from DrWeb in your next reply.


Let me know of any problems that you have along the way.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
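As an added example (not code from this thread, from ComboFix or from BleepingComputer), the Python below parses ComboFix log lines of the kind posted above, applies heuristics drawn from what the helper flagged, and drafts the File:: and Registry:: sections of a CFScript in the syntax shown in the post. The sample log is constructed from lines in this thread, and the heuristics (zero-byte .exe files in system32, a BHO DLL created during the log window, a Run value whose DLL is missing) are assumptions, so its output is a starting point for a human reviewer, not a finished fix.

```python
"""Triage a ComboFix log and draft the matching CFScript.

Added example, not part of this thread or of ComboFix. The heuristics are
assumptions taken from the logs above: zero-byte .exe files dropped straight
into system32, a BHO whose DLL was created during the log window, and Run
values whose target DLL no longer exists (ComboFix prints "[ ]" for those).
"""
import re

# Constructed sample: a handful of lines copied from the thread's own logs.
SAMPLE_LOG = r"""
((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))
.
2008-05-19 21:03 . 2008-05-19 21:03 0 --a------ C:\WINDOWS\system32\wmsoft00526.exe
2008-05-19 19:03 . 2008-05-19 19:03 0 --a------ C:\WINDOWS\system32\wmsoft75526.exe
2008-05-19 05:53 . 2008-05-19 05:53 371,200 --a------ C:\WINDOWS\system32\ljJdAQhh.dll
2008-05-18 22:59 . 2008-05-19 00:57 0 --a------ C:\WINDOWS\system32\windowsupdate.exe
2008-05-17 01:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 11:33 . 2008-05-16 11:33 <DIR> d-------- C:\Program Files\Trend Micro
.
((((((((((((((((((( Reg Loading Points )))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BDB97B1-D509-4053-866F-CC347CD80BBA}]
2008-05-19 05:53 371200 --a------ C:\WINDOWS\System32\ljJdAQhh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 21:49 155648]
"180072e9"="C:\WINDOWS\System32\gtkhcmcd.dll" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"""

# "created . modified size attributes path" rows of the Files Created section
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) \S{9} (?P<path>.+?)\s*$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.I)
# "name"="target" [date time size]; the bracket is empty when the target is missing
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<meta>[^\]]*)\]$')
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.+)$")
# A file directly inside system32, not in a subfolder such as drivers\
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)


def parse_log(text):
    """Return (created, points).

    created: lowercased path -> (original path, size in bytes; None for <DIR>)
    points:  (registry key, value name or None for a BHO key, target, meta)
    """
    created, points, key = {}, [], None
    for line in text.splitlines():
        line = line.rstrip()
        if m := CREATED_RE.match(line):
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            created[m["path"].lower()] = (m["path"], size)
        elif m := KEY_RE.match(line):
            key = m["key"]
        elif key and (m := VALUE_RE.match(line)):
            points.append((key, m["name"], m["path"], m["meta"].strip()))
        elif key and "browser helper objects" in key.lower() and (m := PATH_RE.search(line)):
            # A BHO key is followed by its DLL path, optionally prefixed with date/size
            points.append((key, None, m["path"], ""))
    return created, points


def triage(created, points):
    """Apply the heuristics; return ({path: reason}, [(key, value name or None)])."""
    files, reg = {}, []
    for path, size in created.values():
        if size == 0 and path.lower().endswith(".exe") and SYSTEM32_RE.match(path):
            files.setdefault(path, "zero-byte executable dropped into system32")
    for key, name, target, meta in points:
        low = target.lower()
        if name is None and low in created and SYSTEM32_RE.match(low):
            files.setdefault(created[low][0], "BHO DLL created during the log window")
            reg.append((key, None))          # [-key] removes the whole CLSID key
        elif name is not None and low.endswith(".dll") and meta == "":
            reg.append((key, name))          # "name"=- removes just that value
    return files, reg


def build_cfscript(files, reg):
    """Render the File:: and Registry:: sections in the syntax ComboFix accepts."""
    out = ["File::", *files, "", "Registry::"]
    for key, name in reg:
        out += [f"[-{key}]"] if name is None else [f"[{key}]", f'"{name}"=-']
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    created, points = parse_log(SAMPLE_LOG)
    files, reg = triage(created, points)
    for path, reason in files.items():
        print(f"{reason:45} {path}")
    print(build_cfscript(files, reg))
```

Legitimate entries in the sample (the Avira and Intel Run values, the Malwarebytes driver under drivers\, the Trend Micro folder) are left alone, which is the check a reviewer wants before pasting anything into a CFScript.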


========================================================

#7 dashing25
  • Topic Starter

  • Members
  • 14 posts

Posted 19 May 2008 - 12:30 PM

I made one mistake, I forgot to disable my antivirus program. :thumbsup:

Here are the reports:

ComboFix 08-05-15.3 - GAMEMACHINE 2008-05-19 21:04:50.4 - NTFSx86

Running from: C:\Documents and Settings\GAMEMACHINE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\GAMEMACHINE\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\drivers\pcii.sys
C:\WINDOWS\system32\eiodjo.exe
C:\WINDOWS\system32\epoPGPsdk.dll
C:\WINDOWS\system32\i
C:\WINDOWS\system32\nnnnOiIC.dll
C:\WINDOWS\system32\o
C:\WINDOWS\system32\pmnliIbb.dll
C:\WINDOWS\system32\qegi.exe
C:\WINDOWS\system32\servupdate.exe
C:\WINDOWS\system32\TFTP3180
C:\WINDOWS\system32\TFTP3428
C:\WINDOWS\system32\uujkip.exe
C:\WINDOWS\system32\wmsoft01101.exe
C:\WINDOWS\system32\wmsoft03164.exe
C:\WINDOWS\system32\wmsoft05133.exe
C:\WINDOWS\system32\wmsoft05143.exe
C:\WINDOWS\system32\wmsoft06058.exe
C:\WINDOWS\system32\wmsoft06767.exe
C:\WINDOWS\system32\wmsoft13352.exe
C:\WINDOWS\system32\wmsoft13387.exe
C:\WINDOWS\system32\wmsoft15431.exe
C:\WINDOWS\system32\wmsoft15538.exe
C:\WINDOWS\system32\wmsoft16405.exe
C:\WINDOWS\system32\wmsoft20405.exe
C:\WINDOWS\system32\wmsoft22868.exe
C:\WINDOWS\system32\wmsoft28683.exe
C:\WINDOWS\system32\wmsoft31118.exe
C:\WINDOWS\system32\wmsoft34375.exe
C:\WINDOWS\system32\wmsoft36285.exe
C:\WINDOWS\system32\wmsoft38738.exe
C:\WINDOWS\system32\wmsoft38873.exe
C:\WINDOWS\system32\wmsoft40278.exe
C:\WINDOWS\system32\wmsoft42186.exe
C:\WINDOWS\system32\wmsoft44438.exe
C:\WINDOWS\system32\wmsoft46655.exe
C:\WINDOWS\system32\wmsoft46885.exe
C:\WINDOWS\system32\wmsoft54346.exe
C:\WINDOWS\system32\wmsoft54443.exe
C:\WINDOWS\system32\wmsoft54817.exe
C:\WINDOWS\system32\wmsoft55385.exe
C:\WINDOWS\system32\wmsoft58467.exe
C:\WINDOWS\system32\wmsoft64600.exe
C:\WINDOWS\system32\wmsoft67008.exe
C:\WINDOWS\system32\wmsoft68424.exe
C:\WINDOWS\system32\wmsoft70282.exe
C:\WINDOWS\system32\wmsoft70503.exe
C:\WINDOWS\system32\wmsoft71021.exe
C:\WINDOWS\system32\wmsoft77662.exe
C:\WINDOWS\system32\wmsoft82645.exe
C:\WINDOWS\system32\wmsoft84406.exe
C:\WINDOWS\system32\wmsoft88264.exe
C:\WINDOWS\system32\wmsoft88485.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\eiodjo.exe
C:\WINDOWS\system32\epoPGPsdk.dll
C:\WINDOWS\system32\hhQAdJjl.ini
C:\WINDOWS\system32\hhQAdJjl.ini2
C:\WINDOWS\system32\i
C:\WINDOWS\system32\nnnnOiIC.dll
C:\WINDOWS\system32\pmnliIbb.dll
C:\WINDOWS\system32\qegi.exe
C:\WINDOWS\system32\servupdate.exe
C:\WINDOWS\system32\TFTP3180
C:\WINDOWS\system32\TFTP3428
C:\WINDOWS\system32\uujkip.exe
C:\WINDOWS\system32\wmsoft01101.exe
C:\WINDOWS\system32\wmsoft03164.exe
C:\WINDOWS\system32\wmsoft05133.exe
C:\WINDOWS\system32\wmsoft05143.exe
C:\WINDOWS\system32\wmsoft06058.exe
C:\WINDOWS\system32\wmsoft06767.exe
C:\WINDOWS\system32\wmsoft13352.exe
C:\WINDOWS\system32\wmsoft13387.exe
C:\WINDOWS\system32\wmsoft15431.exe
C:\WINDOWS\system32\wmsoft15538.exe
C:\WINDOWS\system32\wmsoft16405.exe
C:\WINDOWS\system32\wmsoft20405.exe
C:\WINDOWS\system32\wmsoft22868.exe
C:\WINDOWS\system32\wmsoft28683.exe
C:\WINDOWS\system32\wmsoft31118.exe
C:\WINDOWS\system32\wmsoft34375.exe
C:\WINDOWS\system32\wmsoft36285.exe
C:\WINDOWS\system32\wmsoft38738.exe
C:\WINDOWS\system32\wmsoft38873.exe
C:\WINDOWS\system32\wmsoft40278.exe
C:\WINDOWS\system32\wmsoft42186.exe
C:\WINDOWS\system32\wmsoft44438.exe
C:\WINDOWS\system32\wmsoft46655.exe
C:\WINDOWS\system32\wmsoft46885.exe
C:\WINDOWS\system32\wmsoft54346.exe
C:\WINDOWS\system32\wmsoft54443.exe
C:\WINDOWS\system32\wmsoft54817.exe
C:\WINDOWS\system32\wmsoft55385.exe
C:\WINDOWS\system32\wmsoft58467.exe
C:\WINDOWS\system32\wmsoft64600.exe
C:\WINDOWS\system32\wmsoft67008.exe
C:\WINDOWS\system32\wmsoft68424.exe
C:\WINDOWS\system32\wmsoft70282.exe
C:\WINDOWS\system32\wmsoft70503.exe
C:\WINDOWS\system32\wmsoft71021.exe
C:\WINDOWS\system32\wmsoft77662.exe
C:\WINDOWS\system32\wmsoft82645.exe
C:\WINDOWS\system32\wmsoft84406.exe
C:\WINDOWS\system32\wmsoft88264.exe
C:\WINDOWS\system32\wmsoft88485.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PCII
-------\Service_pcii


((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-19 21:03 . 2008-05-19 21:03 0 --a------ C:\WINDOWS\system32\wmsoft00526.exe
2008-05-19 19:03 . 2008-05-19 19:03 0 --a------ C:\WINDOWS\system32\wmsoft75526.exe
2008-05-19 19:03 . 2008-05-19 19:03 0 --a------ C:\WINDOWS\system32\wmsoft65020.exe
2008-05-19 19:03 . 2008-05-19 19:03 0 --a------ C:\WINDOWS\system32\wmsoft22401.exe
2008-05-19 19:02 . 2008-05-19 19:02 0 --a------ C:\WINDOWS\system32\wmsoft08144.exe
2008-05-19 11:00 . 2008-05-19 11:00 0 --a------ C:\WINDOWS\system32\wmsoft62753.exe
2008-05-19 10:58 . 2008-05-19 10:58 0 --a------ C:\WINDOWS\system32\wmsoft48374.exe
2008-05-19 10:56 . 2008-05-19 10:56 0 --a------ C:\WINDOWS\system32\wmsoft80847.exe
2008-05-19 10:51 . 2008-05-19 10:51 0 --a------ C:\WINDOWS\system32\wmsoft75078.exe
2008-05-19 10:43 . 2008-05-19 10:43 0 --a------ C:\WINDOWS\system32\wmsoft68631.exe
2008-05-19 10:41 . 2008-05-19 10:41 0 --a------ C:\WINDOWS\system32\wmsoft87517.exe
2008-05-19 10:40 . 2008-05-19 10:40 0 --a------ C:\WINDOWS\system32\wmsoft78227.exe
2008-05-19 10:40 . 2008-05-19 10:40 0 --a------ C:\WINDOWS\system32\wmsoft31174.exe
2008-05-19 10:36 . 2008-05-19 10:36 0 --a------ C:\WINDOWS\system32\wmsoft88063.exe
2008-05-19 10:33 . 2008-05-19 10:33 0 --a------ C:\WINDOWS\system32\wmsoft36082.exe
2008-05-19 10:31 . 2008-05-19 10:31 0 --a------ C:\WINDOWS\system32\wmsoft71506.exe
2008-05-19 10:21 . 2008-05-19 10:21 0 --a------ C:\WINDOWS\system32\wmsoft54767.exe
2008-05-19 10:20 . 2008-05-19 10:20 0 --a------ C:\WINDOWS\system32\wmsoft64362.exe
2008-05-19 10:20 . 2008-05-19 10:20 0 --a------ C:\WINDOWS\system32\wmsoft16362.exe
2008-05-19 10:15 . 2008-05-19 10:15 0 --a------ C:\WINDOWS\system32\wmsoft64178.exe
2008-05-19 10:04 . 2008-05-19 10:04 0 --a------ C:\WINDOWS\system32\wmsoft24778.exe
2008-05-19 09:50 . 2008-05-19 09:50 0 --a------ C:\WINDOWS\system32\wmsoft37521.exe
2008-05-19 09:43 . 2008-05-19 09:43 0 --a------ C:\WINDOWS\system32\wmsoft42478.exe
2008-05-19 09:35 . 2008-05-19 09:35 0 --a------ C:\WINDOWS\system32\wmsoft07255.exe
2008-05-19 09:34 . 2008-05-19 09:34 0 --a------ C:\WINDOWS\system32\wmsoft72123.exe
2008-05-19 09:31 . 2008-05-19 09:31 0 --a------ C:\WINDOWS\system32\wmsoft21827.exe
2008-05-19 09:30 . 2008-05-19 09:30 0 --a------ C:\WINDOWS\system32\wmsoft01026.exe
2008-05-19 09:27 . 2008-05-19 09:27 0 --a------ C:\WINDOWS\system32\wmsoft37510.exe
2008-05-19 09:26 . 2008-05-19 09:26 0 --a------ C:\WINDOWS\system32\wmsoft76577.exe
2008-05-19 09:21 . 2008-05-19 09:21 0 --a------ C:\WINDOWS\system32\wmsoft73231.exe
2008-05-19 09:11 . 2008-05-19 09:11 <DIR> d-------- C:\Deckard
2008-05-19 08:00 . 2008-05-19 08:00 4 --a------ C:\WINDOWS\system32\18006067
2008-05-19 07:47 . 2008-05-19 07:47 0 --a------ C:\WINDOWS\system32\wmsoft35808.exe
2008-05-19 07:45 . 2008-05-19 07:45 0 --a------ C:\WINDOWS\system32\wmsoft14282.exe
2008-05-19 07:43 . 2008-05-19 07:43 0 --a------ C:\WINDOWS\system32\wmsoft67603.exe
2008-05-19 07:38 . 2008-05-19 07:38 0 --a------ C:\WINDOWS\system32\wmsoft51673.exe
2008-05-19 07:15 . 2008-05-19 07:15 0 --a------ C:\WINDOWS\system32\wmsoft06615.exe
2008-05-19 06:59 . 2008-05-19 06:59 0 --a------ C:\WINDOWS\system32\wmsoft24458.exe
2008-05-19 06:45 . 2008-05-19 06:45 0 --a------ C:\WINDOWS\system32\wmsoft44357.exe
2008-05-19 06:34 . 2008-05-19 06:39 8,231 --a------ C:\WINDOWS\system32\dxoqqqtr.dll
2008-05-19 06:32 . 2008-05-19 06:32 0 --a------ C:\WINDOWS\system32\wmsoft66473.exe
2008-05-19 05:58 . 2008-05-19 05:58 117,248 --a------ C:\WINDOWS\system32\edgyitrx.dll
2008-05-19 05:58 . 2008-05-19 06:26 354 --ahs---- C:\WINDOWS\system32\xrtiygde.ini
2008-05-19 05:56 . 2008-05-19 05:56 124,928 --a------ C:\WINDOWS\system32\hkxcfhex.dll
2008-05-19 05:53 . 2008-05-19 05:53 371,200 --a------ C:\WINDOWS\system32\ljJdAQhh.dll
2008-05-19 03:38 . 2008-05-19 03:48 8,420 --a------ C:\WINDOWS\system32\geBqPIxx.dll
2008-05-19 01:00 . 2008-05-19 01:00 0 --a------ C:\WINDOWS\system32\wmsoft42234.exe
2008-05-19 00:58 . 2008-05-19 00:58 0 --a------ C:\WINDOWS\system32\wmsoft42610.exe
2008-05-19 00:57 . 2008-05-19 00:57 0 --a------ C:\WINDOWS\system32\wmsoft71000.exe
2008-05-19 00:56 . 2008-05-19 00:56 0 --a------ C:\WINDOWS\system32\wmsoft86625.exe
2008-05-19 00:49 . 2008-05-19 00:49 0 --a------ C:\WINDOWS\system32\wmsoft73040.exe
2008-05-19 00:49 . 2008-05-19 00:49 0 --a------ C:\WINDOWS\system32\wmsoft58528.exe
2008-05-18 23:13 . 2008-05-18 23:13 0 --a------ C:\WINDOWS\system32\wmsoft07106.exe
2008-05-18 23:07 . 2008-05-18 23:07 0 --a------ C:\WINDOWS\system32\wmsoft05011.exe
2008-05-18 23:06 . 2008-05-18 23:06 0 --a------ C:\WINDOWS\system32\wmsoft47786.exe
2008-05-18 22:59 . 2008-05-19 00:57 0 --a------ C:\WINDOWS\system32\windowsupdate.exe
2008-05-18 22:58 . 2008-05-18 22:58 0 --a------ C:\WINDOWS\system32\wmsoft37467.exe
2008-05-18 22:58 . 2008-05-18 22:58 0 --a------ C:\WINDOWS\system32\wmsoft02858.exe
2008-05-18 04:22 . 2008-05-18 04:22 <DIR> d-------- C:\Program Files\AutoPowerOn
2008-05-17 23:14 . 2008-05-17 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AutoPowerOn
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\SUPERAntiSpyware.com
2008-05-17 10:36 . 2008-05-17 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-17 07:33 . 2008-05-17 07:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-17 07:33 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 07:33 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 07:28 . 2008-05-17 07:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 07:28 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 02:00 . 2008-05-17 02:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-17 01:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 11:33 . 2008-05-16 11:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 08:47 . 2008-05-16 08:47 <DIR> d-------- C:\Program Files\Avira
2008-05-16 08:02 . 2008-05-16 08:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-16 05:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-16 05:20 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-16 05:08 . 2008-05-16 05:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-16 05:07 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-05-16 05:04 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-05-16 05:03 . 2008-05-16 05:41 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-16 05:02 . 2008-05-16 05:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-16 03:56 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-16 03:56 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-16 03:56 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-15 12:13 . 2008-05-15 12:13 <DIR> d-------- C:\Program Files\Vodei
2008-05-15 11:42 . 2008-05-15 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-15 11:38 . 2008-05-18 16:48 <DIR> d-------- C:\Temp
2008-05-15 10:39 . 2008-05-15 10:39 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Locktime
2008-05-15 10:29 . 2008-05-15 11:04 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-05-15 10:27 . 2008-05-15 12:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-15 10:26 . 2008-05-15 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-05-15 03:31 . 2008-05-15 03:31 <DIR> d-------- C:\Videos
2008-05-15 03:30 . 2008-05-19 03:50 <DIR> d-------- C:\Program Files\Cool YouTube Downloader
2008-05-14 21:45 . 2008-05-14 21:45 176 --a------ C:\WINDOWS\wininit.ini
2008-05-14 03:55 . 2008-05-19 05:56 109,807 --a------ C:\WINDOWS\BM1b334175.xml
2008-05-11 12:02 . 2008-05-11 12:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Premium
2008-05-11 11:58 . 2008-05-11 11:58 2 --a------ C:\WINDOWS\system32\LOGFILES
2008-05-11 10:42 . 2008-05-11 10:42 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-08 17:35 . 2001-08-17 22:36 99,328 --a------ C:\WINDOWS\system32\irftp.exe
2008-05-08 17:35 . 2002-08-29 03:40 78,336 --a------ C:\WINDOWS\system32\irmon.dll
2008-05-08 17:35 . 2001-08-17 13:51 55,296 --a------ C:\WINDOWS\system32\drivers\irda.sys
2008-05-08 17:35 . 2001-08-17 22:37 48,128 --a------ C:\WINDOWS\system32\irprops.cpl
2008-05-08 17:35 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2008-05-08 17:35 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
2008-05-08 17:35 . 2001-08-17 22:36 7,680 --a------ C:\WINDOWS\system32\wshirda.dll
2008-05-08 03:10 . 2008-05-08 03:10 <DIR> d-------- C:\Program Files\efs
2008-05-08 00:32 . 2008-05-08 00:32 168,230 --a------ C:\tst10.rar
2008-05-08 00:00 . 2008-05-08 01:40 <DIR> d-------- C:\tst10
2008-05-07 22:47 . 2008-05-17 23:00 18 --a------ C:\WINDOWS\power-on-task.ini
2008-05-07 16:32 . 2008-05-07 16:32 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-05-07 02:40 . 2008-05-17 11:40 <DIR> d-------- C:\clusters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 03:48 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\uTorrent
2008-05-18 13:00 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\SolidDocuments
2008-05-16 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-05-16 00:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-16 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 09:54 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SolidDocuments
2008-05-15 07:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-15 06:17 --------- d-----w C:\Program Files\Personal Chess Trainer
2008-05-15 06:17 --------- d-----w C:\Program Files\Okoker Sudoku
2008-05-15 06:17 --------- d-----w C:\Program Files\Hindi Songs Lyrics Directory
2008-05-15 06:17 --------- d-----w C:\Program Files\Google
2008-05-15 06:16 --------- d-----w C:\Program Files\Picture Merge Genius
2008-05-15 06:15 --------- d-----w C:\Program Files\Yahoo!
2008-05-15 06:15 --------- d-----w C:\Program Files\WinAVI VideoConverter
2008-05-15 06:14 --------- d-----w C:\Program Files\YouTube Video Downloader
2008-05-14 11:19 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\BSplayer Pro
2008-05-12 22:57 --------- d-----w C:\Program Files\BITSAT_2008_PCM_Sample
2008-05-11 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-09 16:54 --------- d-----w C:\Program Files\Britannica 7.0
2008-05-08 18:37 --------- d-----w C:\Program Files\Oxford
2008-05-05 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NFS Underground
2008-03-22 06:24 --------- d-----w C:\Program Files\Winamp
2007-05-29 10:57 87,608 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\inst.exe
2007-05-29 10:57 47,360 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\pcouffin.sys
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-18_22.54.10.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 17:20:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-19 15:38:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 14:32:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BDB97B1-D509-4053-866F-CC347CD80BBA}]
2008-05-19 05:53 371200 --a------ C:\WINDOWS\System32\ljJdAQhh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"DriveDiscoveryMemoryResident"="C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"AutoPowerOn"="C:\Program Files\AutoPowerOn\AutoPowerOn.exe" [2008-04-25 12:20 3021312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 21:49 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 21:37 114688]
"NeroFilterCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 10:50 155648]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 22:49 15872]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-18 14:05 98304]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-03 15:05:12 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]
R0 HFXP2;HFXP2;C:\WINDOWS\System32\DRIVERS\HFXP2.SYS [2006-08-01 20:20]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2008-01-21 18:12]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\System32\Drivers\APLMp50.sys [2005-02-16 13:36]
S3 pctvvbi;PCTVVBI;C:\WINDOWS\System32\DRIVERS\pctvvbi.sys [2002-04-02 15:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 23:34:29 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-15 23:34:28 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-18 17:43:00 C:\WINDOWS\Tasks\reboot.job"
- C:\tst10\reboot.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 21:10:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-05-19 21:14:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 15:44:13
ComboFix2.txt 2008-05-18 17:25:20
ComboFix3.txt 2008-05-17 05:58:18

Pre-Run: 1,470,971,904 bytes free
Post-Run: 1,429,401,600 bytes free

SDFix: Version 1.183
Run by GAMEMACHINE on Mon 05/19/2008 at 09:21 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\wmsoft14282.exe - Deleted
C:\WINDOWS\system32\wmsoft16362.exe - Deleted
C:\WINDOWS\system32\wmsoft21827.exe - Deleted
C:\WINDOWS\system32\wmsoft22401.exe - Deleted
C:\WINDOWS\system32\wmsoft24458.exe - Deleted
C:\WINDOWS\system32\wmsoft24778.exe - Deleted
C:\WINDOWS\system32\wmsoft31174.exe - Deleted
C:\WINDOWS\system32\wmsoft35808.exe - Deleted
C:\WINDOWS\system32\wmsoft36082.exe - Deleted
C:\WINDOWS\system32\wmsoft37467.exe - Deleted
C:\WINDOWS\system32\wmsoft37510.exe - Deleted
C:\WINDOWS\system32\wmsoft37521.exe - Deleted
C:\WINDOWS\system32\wmsoft42234.exe - Deleted
C:\WINDOWS\system32\wmsoft42478.exe - Deleted
C:\WINDOWS\system32\wmsoft42610.exe - Deleted
C:\WINDOWS\system32\wmsoft44357.exe - Deleted
C:\WINDOWS\system32\wmsoft47786.exe - Deleted
C:\WINDOWS\system32\wmsoft48374.exe - Deleted
C:\WINDOWS\system32\wmsoft51673.exe - Deleted
C:\WINDOWS\system32\wmsoft54767.exe - Deleted
C:\WINDOWS\system32\wmsoft58528.exe - Deleted
C:\WINDOWS\system32\wmsoft62753.exe - Deleted
C:\WINDOWS\system32\wmsoft64178.exe - Deleted
C:\WINDOWS\system32\wmsoft64362.exe - Deleted
C:\WINDOWS\system32\wmsoft65020.exe - Deleted
C:\WINDOWS\system32\wmsoft66473.exe - Deleted
C:\WINDOWS\system32\wmsoft67603.exe - Deleted
C:\WINDOWS\system32\wmsoft68631.exe - Deleted
C:\WINDOWS\system32\wmsoft71000.exe - Deleted
C:\WINDOWS\system32\wmsoft71506.exe - Deleted
C:\WINDOWS\system32\wmsoft72123.exe - Deleted
C:\WINDOWS\system32\wmsoft73040.exe - Deleted
C:\WINDOWS\system32\wmsoft73231.exe - Deleted
C:\WINDOWS\system32\wmsoft75078.exe - Deleted
C:\WINDOWS\system32\wmsoft75526.exe - Deleted
C:\WINDOWS\system32\wmsoft76577.exe - Deleted
C:\WINDOWS\system32\wmsoft78227.exe - Deleted
C:\WINDOWS\system32\wmsoft80847.exe - Deleted
C:\WINDOWS\system32\wmsoft86625.exe - Deleted
C:\WINDOWS\system32\wmsoft87517.exe - Deleted
C:\WINDOWS\system32\wmsoft88063.exe - Deleted
C:\WINDOWS\system32\WindowsUpdate.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 21:27:43
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...


scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0E93EB77-8A1E-26FB-5BBA-AD76E28B6A28}]
"abpfmgklphkjkalbbkdnllgppeeedjfgaa"=hex:61,62,62,66,68,62,61,64,6e,6e,67,66,65,6a,62,6a,66,69,62,6c,64,..
"bbpfmgklphkjkalbbkenojhdidalbndfgkbb"=hex:61,62,69,65,70,6c,64,67,70,64,67,6f,6e,6e,6e,70,70,66,65,70,62,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F1388F7A-C4B0-3DA9-A7E1-79A2C806CF92}]
"iafokneencdbmgdaeg"=hex:69,61,66,64,6a,6a,63,66,68,6d,6f,70,6e,6d,66,64,66,6f,00,00
"haloiodoacfnopdm"=hex:69,61,66,64,6a,6a,63,66,68,6d,6f,70,6e,6d,66,64,66,6f,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

#8 dashing25

dashing25
  • Topic Starter
  • Members
  • 14 posts

Posted 19 May 2008 - 12:31 PM

This is DrWeb report



eiodjo.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Packed.162;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Deleted.;
A0000034.EXE;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP2;Program.PsExec.170;Incurable.Deleted.;
A0000043.bat;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP2;Probably SCRIPT.Virus;Incurable.Deleted.;
A0001288.exe;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP2;Tool.Prockill;Incurable.Deleted.;
A0002261.exe;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP2;Trojan.Packed.162;Deleted.;
A0002265.exe;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP2;Trojan.Packed.162;Deleted.;
A0005308.exe;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP2;Tool.Prockill;Incurable.Deleted.;
A0005360.bat;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP2;Probably SCRIPT.Virus;Incurable.Deleted.;
A0005403.bat;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP2;Probably SCRIPT.Virus;Incurable.Deleted.;
A0005444.bat;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP2;Probably SCRIPT.Virus;Incurable.Deleted.;
A0018490.exe;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4;Trojan.Packed.162;Deleted.;
A0018563.EXE;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4;Program.PsExec.170;Incurable.Deleted.;
A0018572.bat;C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4;Probably SCRIPT.Virus;Incurable.Deleted.;
firewall.VIR;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.2665;Deleted.;
While I am browsing the net, sometimes I get a message like
"Window is shutting down in 1 minute ...................
because remote procedure call service failed unexpectedly"
I have attached the image file below.

When I check the task manager, there are many cmd.exe and ftp.exe's open.

Attached Files

  • Attached File: 22.JPG (17.6KB)

Edited by dashing25, 19 May 2008 - 01:43 PM.


#9 Buckeye_Sam

Buckeye_Sam
    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 May 2008 - 05:41 PM

Open up SDFix again and follow these steps.
  • Type 3 to Download/Run SAV32CLI from Sophos.
  • Follow the on screen prompts and extract the Sophos files to C:\SAV32CLI
  • When the main scanning screen is displayed type 6 to run a Full scan
  • SAV32CLI will start and scan the system for infected files
  • Please be patient as this scan may take some time
  • When the scan has finished post back the SophosReport.txt from the SDFix folder

Also run Combofix once again and post that new log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#10 dashing25

dashing25
  • Topic Starter
  • Members
  • 14 posts

Posted 19 May 2008 - 09:01 PM

Hi


Sophos Anti-Virus
Version 4.29.0 [Win32/Intel]
Virus data version 4.29E, May 2008
Includes detection for 402085 viruses, trojans and worms
Copyright © 1989-2008 Sophos Plc, www.sophos.com

System time 06:13:41, System date 20 May 2008
Command line qualifiers are: -f -remove -nc -nb -dn --stop-scan -idedir=C:\SDFix\IDE -p=C:\SDFix\SophosReport.txt

IDE directory is: C:\SDFix\IDE

Full Scanning

>>> Virus 'Mal/VB-M' found in file C:\Documents and Settings\GAMEMACHINE\Desktop\VundoFix.exe
Removal successful
Could not open C:\hiberfil.sys
>>> Virus 'Mal/LineDLL-B' found in file C:\Program Files\AutoPowerOn\APSMacro.dll
Removal successful
>>> Virus 'Mal/Packer' found in file C:\Program Files\flashplayerpro\Flash Player Pro.exe
Removal successful
>>> Virus 'Mal/Dropper-O' found in file C:\Program Files\Replay AV 8\ReplayAVv804_Crack.exe
Removal successful
>>> Virus 'Troj/Virtum-Gen' found in file C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4\A0018492.dll
Removal successful
>>> Virus 'Mal/VB-M' found in file C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4\A0023901.exe
Removal successful
>>> Virus 'Mal/LineDLL-B' found in file C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4\A0023902.dll
Removal successful
>>> Virus 'Mal/Packer' found in file C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4\A0023903.exe
Removal successful
>>> Virus 'Mal/Dropper-O' found in file C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4\A0023904.exe
Removal successful
>>> Virus 'Troj/Virtum-Gen' found in file C:\WINDOWS\system32\dxoqqqtr.dll
Removal successful
>>> Virus 'Troj/Virtum-Gen' found in file C:\WINDOWS\system32\geBqPIxx.dll
Removal successful
>>> Virus 'Troj/Virtum-Gen' found in file C:\WINDOWS\system32\hkxcfhex.dll
Removal successful
>>> Virus 'Mal/BotFTP-A' found in file C:\WINDOWS\system32\i
Removal successful
>>> Virus 'Mal/Packer' found in file D:\TBOX\desktop\New Folder\DriveDiscovery_2.1\Drive_Discovery_v2.1_Keygen_Only-DIGERATI\Drive_Discovery_v2.1_Keygen_Only-DIGERATI\keygen.exe
Removal successful

4 boot sectors swept.
19981 files swept in 22 minutes and 56 seconds.
1 error was encountered.
14 viruses were discovered.
14 files out of 19981 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
Ending Sophos Anti-Virus.
2.
ComboFix 08-05-15.3 - GAMEMACHINE 2008-05-20 7:22:46.7 - NTFSx86

Running from: C:\Documents and Settings\GAMEMACHINE\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\system32\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-20 06:06 . 2008-05-20 06:06 <DIR> d-------- C:\SAV32CLI
2008-05-20 04:30 . 2008-05-20 04:30 0 --a------ C:\WINDOWS\system32\wmsoft11246.exe
2008-05-20 03:27 . 2008-05-20 03:27 0 --a------ C:\WINDOWS\system32\wmsoft23623.exe
2008-05-20 02:29 . 2008-05-20 02:29 0 --a------ C:\WINDOWS\system32\windowsupdate.exe
2008-05-20 00:02 . 2008-05-20 00:02 0 --a------ C:\WINDOWS\system32\wmsoft44744.exe
2008-05-20 00:00 . 2008-05-20 00:00 0 --a------ C:\WINDOWS\system32\wmsoft80864.exe
2008-05-20 00:00 . 2008-05-20 00:00 0 --a------ C:\WINDOWS\system32\wmsoft31417.exe
2008-05-19 23:51 . 2008-05-19 23:51 0 --a------ C:\WINDOWS\system32\wmsoft52882.exe
2008-05-19 23:49 . 2008-05-19 23:49 0 --a------ C:\WINDOWS\system32\wmsoft43684.exe
2008-05-19 23:48 . 2008-05-19 23:48 0 --a------ C:\WINDOWS\system32\wmsoft47045.exe
2008-05-19 23:48 . 2008-05-19 23:48 0 --a------ C:\WINDOWS\system32\wmsoft41566.exe
2008-05-19 23:48 . 2008-05-19 23:48 0 --a------ C:\WINDOWS\system32\wmsoft01463.exe
2008-05-19 23:46 . 2008-05-19 23:46 0 --a------ C:\WINDOWS\system32\wmsoft23550.exe
2008-05-19 23:41 . 2008-05-19 23:41 0 --a------ C:\WINDOWS\system32\wmsoft88223.exe
2008-05-19 23:36 . 2008-05-19 23:36 0 --a------ C:\WINDOWS\system32\servupdate.exe
2008-05-19 23:35 . 2008-05-19 23:35 0 --a------ C:\WINDOWS\system32\wmsoft52244.exe
2008-05-19 23:33 . 2008-05-19 23:33 0 --a------ C:\WINDOWS\system32\wmsoft14854.exe
2008-05-19 23:31 . 2008-05-19 23:31 0 --a------ C:\WINDOWS\system32\wmsoft15855.exe
2008-05-19 23:29 . 2008-05-19 23:29 0 --a------ C:\WINDOWS\system32\wmsoft78232.exe
2008-05-19 21:33 . 2008-05-19 21:33 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\DoctorWeb
2008-05-19 21:19 . 2008-05-20 06:13 <DIR> d-------- C:\SDFix
2008-05-19 21:03 . 2008-05-19 21:03 0 --a------ C:\WINDOWS\system32\wmsoft00526.exe
2008-05-19 19:02 . 2008-05-19 19:02 0 --a------ C:\WINDOWS\system32\wmsoft08144.exe
2008-05-19 09:35 . 2008-05-19 09:35 0 --a------ C:\WINDOWS\system32\wmsoft07255.exe
2008-05-19 09:30 . 2008-05-19 09:30 0 --a------ C:\WINDOWS\system32\wmsoft01026.exe
2008-05-19 09:11 . 2008-05-19 09:11 <DIR> d-------- C:\Deckard
2008-05-19 08:00 . 2008-05-19 08:00 4 --a------ C:\WINDOWS\system32\18006067
2008-05-19 07:15 . 2008-05-19 07:15 0 --a------ C:\WINDOWS\system32\wmsoft06615.exe
2008-05-19 05:58 . 2008-05-19 05:58 117,248 --a------ C:\WINDOWS\system32\edgyitrx.dll
2008-05-19 05:58 . 2008-05-19 06:26 354 --ahs---- C:\WINDOWS\system32\xrtiygde.ini
2008-05-18 23:13 . 2008-05-18 23:13 0 --a------ C:\WINDOWS\system32\wmsoft07106.exe
2008-05-18 23:07 . 2008-05-18 23:07 0 --a------ C:\WINDOWS\system32\wmsoft05011.exe
2008-05-18 22:58 . 2008-05-18 22:58 0 --a------ C:\WINDOWS\system32\wmsoft02858.exe
2008-05-18 04:22 . 2008-05-20 06:16 <DIR> d-------- C:\Program Files\AutoPowerOn
2008-05-17 23:14 . 2008-05-17 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AutoPowerOn
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\SUPERAntiSpyware.com
2008-05-17 10:36 . 2008-05-17 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-17 07:33 . 2008-05-17 07:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-17 07:33 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 07:33 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 07:28 . 2008-05-17 07:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 07:28 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 02:00 . 2008-05-17 02:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-17 01:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 11:33 . 2008-05-16 11:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 08:47 . 2008-05-16 08:47 <DIR> d-------- C:\Program Files\Avira
2008-05-16 08:02 . 2008-05-16 08:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-16 05:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-16 05:20 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-16 05:08 . 2008-05-16 05:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-16 05:07 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-05-16 05:04 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-05-16 05:03 . 2008-05-16 05:41 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-16 05:02 . 2008-05-16 05:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-16 03:56 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-16 03:56 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-16 03:56 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-15 12:13 . 2008-05-15 12:13 <DIR> d-------- C:\Program Files\Vodei
2008-05-15 11:42 . 2008-05-15 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-15 11:38 . 2008-05-18 16:48 <DIR> d-------- C:\Temp
2008-05-15 10:39 . 2008-05-15 10:39 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Locktime
2008-05-15 10:29 . 2008-05-15 11:04 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-05-15 10:27 . 2008-05-15 12:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-15 10:26 . 2008-05-15 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-05-15 03:31 . 2008-05-15 03:31 <DIR> d-------- C:\Videos
2008-05-15 03:30 . 2008-05-19 03:50 <DIR> d-------- C:\Program Files\Cool YouTube Downloader
2008-05-14 21:45 . 2008-05-14 21:45 176 --a------ C:\WINDOWS\wininit.ini
2008-05-14 03:55 . 2008-05-19 05:56 109,807 --a------ C:\WINDOWS\BM1b334175.xml
2008-05-11 12:02 . 2008-05-11 12:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Premium
2008-05-11 11:58 . 2008-05-11 11:58 2 --a------ C:\WINDOWS\system32\LOGFILES
2008-05-11 10:42 . 2008-05-11 10:42 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-08 17:35 . 2001-08-17 22:36 99,328 --a------ C:\WINDOWS\system32\irftp.exe
2008-05-08 17:35 . 2002-08-29 03:40 78,336 --a------ C:\WINDOWS\system32\irmon.dll
2008-05-08 17:35 . 2001-08-17 13:51 55,296 --a------ C:\WINDOWS\system32\drivers\irda.sys
2008-05-08 17:35 . 2001-08-17 22:37 48,128 --a------ C:\WINDOWS\system32\irprops.cpl
2008-05-08 17:35 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2008-05-08 17:35 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
2008-05-08 17:35 . 2001-08-17 22:36 7,680 --a------ C:\WINDOWS\system32\wshirda.dll
2008-05-08 03:10 . 2008-05-08 03:10 <DIR> d-------- C:\Program Files\efs
2008-05-08 00:32 . 2008-05-08 00:32 168,230 --a------ C:\tst10.rar
2008-05-08 00:00 . 2008-05-08 01:40 <DIR> d-------- C:\tst10
2008-05-07 22:47 . 2008-05-17 23:00 18 --a------ C:\WINDOWS\power-on-task.ini
2008-05-07 16:32 . 2008-05-07 16:32 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-05-07 02:40 . 2008-05-17 11:40 <DIR> d-------- C:\clusters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 01:52 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\uTorrent
2008-05-20 00:50 --------- d-----w C:\Program Files\Replay AV 8
2008-05-20 00:48 --------- d-----w C:\Program Files\flashplayerpro
2008-05-19 22:58 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\SolidDocuments
2008-05-16 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-05-16 00:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-16 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 09:54 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SolidDocuments
2008-05-15 07:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-15 06:17 --------- d-----w C:\Program Files\Personal Chess Trainer
2008-05-15 06:17 --------- d-----w C:\Program Files\Okoker Sudoku
2008-05-15 06:17 --------- d-----w C:\Program Files\Hindi Songs Lyrics Directory
2008-05-15 06:17 --------- d-----w C:\Program Files\Google
2008-05-15 06:16 --------- d-----w C:\Program Files\Picture Merge Genius
2008-05-15 06:15 --------- d-----w C:\Program Files\Yahoo!
2008-05-15 06:15 --------- d-----w C:\Program Files\WinAVI VideoConverter
2008-05-15 06:14 --------- d-----w C:\Program Files\YouTube Video Downloader
2008-05-14 11:19 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\BSplayer Pro
2008-05-12 22:57 --------- d-----w C:\Program Files\BITSAT_2008_PCM_Sample
2008-05-11 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-09 16:54 --------- d-----w C:\Program Files\Britannica 7.0
2008-05-08 18:37 --------- d-----w C:\Program Files\Oxford
2008-05-05 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NFS Underground
2008-03-22 06:24 --------- d-----w C:\Program Files\Winamp
2007-05-29 10:57 87,608 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\inst.exe
2007-05-29 10:57 47,360 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\pcouffin.sys
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-18_22.54.10.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 17:20:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 00:29:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 14:32:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-05-18 11:10:15 5,021,696 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-19 17:44:27 5,001,216 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-05-18 11:10:15 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-19 17:44:27 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BDB97B1-D509-4053-866F-CC347CD80BBA}]
C:\WINDOWS\System32\ljJdAQhh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"DriveDiscoveryMemoryResident"="C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"AutoPowerOn"="C:\Program Files\AutoPowerOn\AutoPowerOn.exe" [2008-04-25 12:20 3021312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 21:49 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 21:37 114688]
"NeroFilterCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 10:50 155648]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 22:49 15872]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-18 14:05 98304]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-03 15:05:12 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 23:34:29 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-15 23:34:28 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-18 17:43:00 C:\WINDOWS\Tasks\reboot.job"
- C:\tst10\reboot.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 07:23:52
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-20 7:26:16
ComboFix-quarantined-files.txt 2008-05-20 01:55:30
ComboFix2.txt 2008-05-19 17:40:43
ComboFix3.txt 2008-05-19 15:44:19
ComboFix4.txt 2008-05-18 17:25:20
ComboFix5.txt 2008-05-17 05:58:18

Pre-Run: 713,814,016 bytes free
Post-Run: 701,763,584 bytes free

216

#11 dashing25

dashing25
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:19 PM

Posted 19 May 2008 - 09:04 PM

Hi


Sophos Anti-Virus
Version 4.29.0 [Win32/Intel]
Virus data version 4.29E, May 2008
Includes detection for 402085 viruses, trojans and worms
Copyright 1989-2008 Sophos Plc, www.sophos.com

System time 06:13:41, System date 20 May 2008
Command line qualifiers are: -f -remove -nc -nb -dn --stop-scan -idedir=C:\SDFix\IDE -p=C:\SDFix\SophosReport.txt

IDE directory is: C:\SDFix\IDE


Full Scanning

>>> Virus 'Mal/VB-M' found in file C:\Documents and Settings\GAMEMACHINE\Desktop\VundoFix.exe
Removal successful
Could not open C:\hiberfil.sys
>>> Virus 'Mal/LineDLL-B' found in file C:\Program Files\AutoPowerOn\APSMacro.dll
Removal successful
>>> Virus 'Mal/Packer' found in file C:\Program Files\flashplayerpro\Flash Player Pro.exe
Removal successful
>>> Virus 'Mal/Dropper-O' found in file C:\Program Files\Replay AV 8\ReplayAVv804_Crack.exe
Removal successful
>>> Virus 'Troj/Virtum-Gen' found in file C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4\A0018492.dll
Removal successful
>>> Virus 'Mal/VB-M' found in file C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4\A0023901.exe
Removal successful
>>> Virus 'Mal/LineDLL-B' found in file C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4\A0023902.dll
Removal successful
>>> Virus 'Mal/Packer' found in file C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4\A0023903.exe
Removal successful
>>> Virus 'Mal/Dropper-O' found in file C:\System Volume Information\_restore{5596031F-4AA3-40C0-A1ED-C100284BDCA6}\RP4\A0023904.exe
Removal successful
>>> Virus 'Troj/Virtum-Gen' found in file C:\WINDOWS\system32\dxoqqqtr.dll
Removal successful
>>> Virus 'Troj/Virtum-Gen' found in file C:\WINDOWS\system32\geBqPIxx.dll
Removal successful
>>> Virus 'Troj/Virtum-Gen' found in file C:\WINDOWS\system32\hkxcfhex.dll
Removal successful
>>> Virus 'Mal/BotFTP-A' found in file C:\WINDOWS\system32\i
Removal successful
>>> Virus 'Mal/Packer' found in file D:\TBOX\desktop\New Folder\DriveDiscovery_2.1\Drive_Discovery_v2.1_Keygen_Only-DIGERATI\Drive_Discovery_v2.1_Keygen_Only-DIGERATI\keygen.exe
Removal successful

4 boot sectors swept.
19981 files swept in 22 minutes and 56 seconds.
1 error was encountered.
14 viruses were discovered.
14 files out of 19981 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
Ending Sophos Anti-Virus.

2.
ComboFix 08-05-15.3 - GAMEMACHINE 2008-05-20 7:22:46.7 - NTFSx86

Running from: C:\Documents and Settings\GAMEMACHINE\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\system32\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-20 06:06 . 2008-05-20 06:06 <DIR> d-------- C:\SAV32CLI
2008-05-20 04:30 . 2008-05-20 04:30 0 --a------ C:\WINDOWS\system32\wmsoft11246.exe
2008-05-20 03:27 . 2008-05-20 03:27 0 --a------ C:\WINDOWS\system32\wmsoft23623.exe
2008-05-20 02:29 . 2008-05-20 02:29 0 --a------ C:\WINDOWS\system32\windowsupdate.exe
2008-05-20 00:02 . 2008-05-20 00:02 0 --a------ C:\WINDOWS\system32\wmsoft44744.exe
2008-05-20 00:00 . 2008-05-20 00:00 0 --a------ C:\WINDOWS\system32\wmsoft80864.exe
2008-05-20 00:00 . 2008-05-20 00:00 0 --a------ C:\WINDOWS\system32\wmsoft31417.exe
2008-05-19 23:51 . 2008-05-19 23:51 0 --a------ C:\WINDOWS\system32\wmsoft52882.exe
2008-05-19 23:49 . 2008-05-19 23:49 0 --a------ C:\WINDOWS\system32\wmsoft43684.exe
2008-05-19 23:48 . 2008-05-19 23:48 0 --a------ C:\WINDOWS\system32\wmsoft47045.exe
2008-05-19 23:48 . 2008-05-19 23:48 0 --a------ C:\WINDOWS\system32\wmsoft41566.exe
2008-05-19 23:48 . 2008-05-19 23:48 0 --a------ C:\WINDOWS\system32\wmsoft01463.exe
2008-05-19 23:46 . 2008-05-19 23:46 0 --a------ C:\WINDOWS\system32\wmsoft23550.exe
2008-05-19 23:41 . 2008-05-19 23:41 0 --a------ C:\WINDOWS\system32\wmsoft88223.exe
2008-05-19 23:36 . 2008-05-19 23:36 0 --a------ C:\WINDOWS\system32\servupdate.exe
2008-05-19 23:35 . 2008-05-19 23:35 0 --a------ C:\WINDOWS\system32\wmsoft52244.exe
2008-05-19 23:33 . 2008-05-19 23:33 0 --a------ C:\WINDOWS\system32\wmsoft14854.exe
2008-05-19 23:31 . 2008-05-19 23:31 0 --a------ C:\WINDOWS\system32\wmsoft15855.exe
2008-05-19 23:29 . 2008-05-19 23:29 0 --a------ C:\WINDOWS\system32\wmsoft78232.exe
2008-05-19 21:33 . 2008-05-19 21:33 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\DoctorWeb
2008-05-19 21:19 . 2008-05-20 06:13 <DIR> d-------- C:\SDFix
2008-05-19 21:03 . 2008-05-19 21:03 0 --a------ C:\WINDOWS\system32\wmsoft00526.exe
2008-05-19 19:02 . 2008-05-19 19:02 0 --a------ C:\WINDOWS\system32\wmsoft08144.exe
2008-05-19 09:35 . 2008-05-19 09:35 0 --a------ C:\WINDOWS\system32\wmsoft07255.exe
2008-05-19 09:30 . 2008-05-19 09:30 0 --a------ C:\WINDOWS\system32\wmsoft01026.exe
2008-05-19 09:11 . 2008-05-19 09:11 <DIR> d-------- C:\Deckard
2008-05-19 08:00 . 2008-05-19 08:00 4 --a------ C:\WINDOWS\system32\18006067
2008-05-19 07:15 . 2008-05-19 07:15 0 --a------ C:\WINDOWS\system32\wmsoft06615.exe
2008-05-19 05:58 . 2008-05-19 05:58 117,248 --a------ C:\WINDOWS\system32\edgyitrx.dll
2008-05-19 05:58 . 2008-05-19 06:26 354 --ahs---- C:\WINDOWS\system32\xrtiygde.ini
2008-05-18 23:13 . 2008-05-18 23:13 0 --a------ C:\WINDOWS\system32\wmsoft07106.exe
2008-05-18 23:07 . 2008-05-18 23:07 0 --a------ C:\WINDOWS\system32\wmsoft05011.exe
2008-05-18 22:58 . 2008-05-18 22:58 0 --a------ C:\WINDOWS\system32\wmsoft02858.exe
2008-05-18 04:22 . 2008-05-20 06:16 <DIR> d-------- C:\Program Files\AutoPowerOn
2008-05-17 23:14 . 2008-05-17 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AutoPowerOn
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\SUPERAntiSpyware.com
2008-05-17 10:36 . 2008-05-17 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-17 07:33 . 2008-05-17 07:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-17 07:33 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 07:33 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 07:28 . 2008-05-17 07:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 07:28 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 02:00 . 2008-05-17 02:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-17 01:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 11:33 . 2008-05-16 11:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 08:47 . 2008-05-16 08:47 <DIR> d-------- C:\Program Files\Avira
2008-05-16 08:02 . 2008-05-16 08:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-16 05:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-16 05:20 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-16 05:08 . 2008-05-16 05:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-16 05:07 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-05-16 05:04 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-05-16 05:03 . 2008-05-16 05:41 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-16 05:02 . 2008-05-16 05:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-16 03:56 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-16 03:56 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-16 03:56 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-15 12:13 . 2008-05-15 12:13 <DIR> d-------- C:\Program Files\Vodei
2008-05-15 11:42 . 2008-05-15 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-15 11:38 . 2008-05-18 16:48 <DIR> d-------- C:\Temp
2008-05-15 10:39 . 2008-05-15 10:39 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Locktime
2008-05-15 10:29 . 2008-05-15 11:04 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-05-15 10:27 . 2008-05-15 12:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-15 10:26 . 2008-05-15 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-05-15 03:31 . 2008-05-15 03:31 <DIR> d-------- C:\Videos
2008-05-15 03:30 . 2008-05-19 03:50 <DIR> d-------- C:\Program Files\Cool YouTube Downloader
2008-05-14 21:45 . 2008-05-14 21:45 176 --a------ C:\WINDOWS\wininit.ini
2008-05-14 03:55 . 2008-05-19 05:56 109,807 --a------ C:\WINDOWS\BM1b334175.xml
2008-05-11 12:02 . 2008-05-11 12:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Premium
2008-05-11 11:58 . 2008-05-11 11:58 2 --a------ C:\WINDOWS\system32\LOGFILES
2008-05-11 10:42 . 2008-05-11 10:42 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-08 17:35 . 2001-08-17 22:36 99,328 --a------ C:\WINDOWS\system32\irftp.exe
2008-05-08 17:35 . 2002-08-29 03:40 78,336 --a------ C:\WINDOWS\system32\irmon.dll
2008-05-08 17:35 . 2001-08-17 13:51 55,296 --a------ C:\WINDOWS\system32\drivers\irda.sys
2008-05-08 17:35 . 2001-08-17 22:37 48,128 --a------ C:\WINDOWS\system32\irprops.cpl
2008-05-08 17:35 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2008-05-08 17:35 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
2008-05-08 17:35 . 2001-08-17 22:36 7,680 --a------ C:\WINDOWS\system32\wshirda.dll
2008-05-08 03:10 . 2008-05-08 03:10 <DIR> d-------- C:\Program Files\efs
2008-05-08 00:32 . 2008-05-08 00:32 168,230 --a------ C:\tst10.rar
2008-05-08 00:00 . 2008-05-08 01:40 <DIR> d-------- C:\tst10
2008-05-07 22:47 . 2008-05-17 23:00 18 --a------ C:\WINDOWS\power-on-task.ini
2008-05-07 16:32 . 2008-05-07 16:32 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-05-07 02:40 . 2008-05-17 11:40 <DIR> d-------- C:\clusters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 01:52 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\uTorrent
2008-05-20 00:50 --------- d-----w C:\Program Files\Replay AV 8
2008-05-20 00:48 --------- d-----w C:\Program Files\flashplayerpro
2008-05-19 22:58 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\SolidDocuments
2008-05-16 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-05-16 00:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-16 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 09:54 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SolidDocuments
2008-05-15 07:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-15 06:17 --------- d-----w C:\Program Files\Personal Chess Trainer
2008-05-15 06:17 --------- d-----w C:\Program Files\Okoker Sudoku
2008-05-15 06:17 --------- d-----w C:\Program Files\Hindi Songs Lyrics Directory
2008-05-15 06:17 --------- d-----w C:\Program Files\Google
2008-05-15 06:16 --------- d-----w C:\Program Files\Picture Merge Genius
2008-05-15 06:15 --------- d-----w C:\Program Files\Yahoo!
2008-05-15 06:15 --------- d-----w C:\Program Files\WinAVI VideoConverter
2008-05-15 06:14 --------- d-----w C:\Program Files\YouTube Video Downloader
2008-05-14 11:19 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\BSplayer Pro
2008-05-12 22:57 --------- d-----w C:\Program Files\BITSAT_2008_PCM_Sample
2008-05-11 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-09 16:54 --------- d-----w C:\Program Files\Britannica 7.0
2008-05-08 18:37 --------- d-----w C:\Program Files\Oxford
2008-05-05 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NFS Underground
2008-03-22 06:24 --------- d-----w C:\Program Files\Winamp
2007-05-29 10:57 87,608 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\inst.exe
2007-05-29 10:57 47,360 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\pcouffin.sys
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-18_22.54.10.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 17:20:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 00:29:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 14:32:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-05-18 11:10:15 5,021,696 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-19 17:44:27 5,001,216 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-05-18 11:10:15 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-19 17:44:27 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BDB97B1-D509-4053-866F-CC347CD80BBA}]
C:\WINDOWS\System32\ljJdAQhh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"DriveDiscoveryMemoryResident"="C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"AutoPowerOn"="C:\Program Files\AutoPowerOn\AutoPowerOn.exe" [2008-04-25 12:20 3021312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 21:49 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 21:37 114688]
"NeroFilterCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 10:50 155648]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 22:49 15872]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-18 14:05 98304]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-03 15:05:12 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 23:34:29 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-15 23:34:28 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-18 17:43:00 C:\WINDOWS\Tasks\reboot.job"
- C:\tst10\reboot.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 07:23:52
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-20 7:26:16
ComboFix-quarantined-files.txt 2008-05-20 01:55:30
ComboFix2.txt 2008-05-19 17:40:43
ComboFix3.txt 2008-05-19 15:44:19
ComboFix4.txt 2008-05-18 17:25:20
ComboFix5.txt 2008-05-17 05:58:18

Pre-Run: 713,814,016 bytes free
Post-Run: 701,763,584 bytes free

216

sorry for posting it twice ... internet got disconnected

Edited by dashing25, 19 May 2008 - 09:11 PM.


#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:19 PM

Posted 20 May 2008 - 10:27 AM

No problem. Let's hit this again.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\wmsoft11246.exe
C:\WINDOWS\system32\wmsoft23623.exe
C:\WINDOWS\system32\windowsupdate.exe
C:\WINDOWS\system32\wmsoft44744.exe
C:\WINDOWS\system32\wmsoft80864.exe
C:\WINDOWS\system32\wmsoft31417.exe
C:\WINDOWS\system32\wmsoft52882.exe
C:\WINDOWS\system32\wmsoft43684.exe
C:\WINDOWS\system32\wmsoft47045.exe
C:\WINDOWS\system32\wmsoft41566.exe
C:\WINDOWS\system32\wmsoft01463.exe
C:\WINDOWS\system32\wmsoft23550.exe
C:\WINDOWS\system32\wmsoft88223.exe
C:\WINDOWS\system32\servupdate.exe
C:\WINDOWS\system32\wmsoft52244.exe
C:\WINDOWS\system32\wmsoft14854.exe
C:\WINDOWS\system32\wmsoft15855.exe
C:\WINDOWS\system32\wmsoft78232.exe
C:\WINDOWS\system32\wmsoft00526.exe
C:\WINDOWS\system32\wmsoft08144.exe
C:\WINDOWS\system32\wmsoft07255.exe
C:\WINDOWS\system32\wmsoft01026.exe
C:\WINDOWS\system32\18006067
C:\WINDOWS\system32\wmsoft06615.exe
C:\WINDOWS\system32\edgyitrx.dll
C:\WINDOWS\system32\xrtiygde.ini
C:\WINDOWS\system32\wmsoft07106.exe
C:\WINDOWS\system32\wmsoft05011.exe
C:\WINDOWS\system32\wmsoft02858.exe
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
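The hand-picked list above, turned into a repeatable check. This is an added example, not code from the thread, from ComboFix or from BleepingComputer: it parses lines in the ComboFix "Files Created" record format shown in the logs, flags the same kinds of entries the helper selected (zero-byte .exe files dropped into system32, the extensionless numeric file, and the random-named DLL whose .ini companion is the DLL's name spelled backwards, as with edgyitrx.dll and xrtiygde.ini), and renders them as a File:: block in CFScript form. It goes slightly beyond the helper's list by also catching a one-letter extensionless file such as the system32 file named i that the Sophos scan flagged. The sample log lines are constructed from the logs in this thread; the heuristics, function names and the SYSTEM32 constant are the example's own assumptions.

```python
"""Triage ComboFix "Files Created" lines and build a CFScript File:: block.

Added example, not code from the thread, ComboFix or BleepingComputer. It
encodes as heuristics the hand selection made in post #12 and generalises it
slightly (it also catches the one-letter file named i in system32 that the
Sophos scan reported). The sample lines are constructed from the logs above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in ComboFix's record format: created . modified size attrs path
SAMPLE_LOG = r"""
2008-05-20 04:30 . 2008-05-20 04:30 0 --a------ C:\WINDOWS\system32\wmsoft11246.exe
2008-05-19 23:36 . 2008-05-19 23:36 0 --a------ C:\WINDOWS\system32\servupdate.exe
2008-05-19 09:11 . 2008-05-19 09:11 <DIR> d-------- C:\Deckard
2008-05-19 08:00 . 2008-05-19 08:00 4 --a------ C:\WINDOWS\system32\18006067
2008-05-19 05:58 . 2008-05-19 05:58 117,248 --a------ C:\WINDOWS\system32\edgyitrx.dll
2008-05-19 05:58 . 2008-05-19 06:26 354 --ahs---- C:\WINDOWS\system32\xrtiygde.ini
2008-05-20 07:59 . 2008-05-20 16:46 79 --a------ C:\WINDOWS\system32\i
2008-05-17 01:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 05:07 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
"""

# One file record per line; section banners and registry dumps never match.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

SYSTEM32 = "c:\\windows\\system32"  # assumed install location, lower-cased for comparison


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for <DIR> records
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    def split_name(self) -> Tuple[str, str]:
        """Lower-cased (stem, extension); extension is '' when there is no dot."""
        name = self.name.lower()
        if "." in name:
            stem, ext = name.rsplit(".", 1)
            return stem, ext
        return name, ""


def parse_entries(text: str) -> List[Entry]:
    """Parse every line that is a ComboFix file record; ignore everything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def suspicious(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) for plain files directly under system32 that match a heuristic."""
    names = {e.name.lower() for e in entries}
    flagged = []
    for e in entries:
        if e.size is None or e.directory != SYSTEM32:
            continue  # directories and files elsewhere (e.g. system32\drivers) are not considered
        stem, ext = e.split_name()
        if ext == "exe" and e.size == 0:
            flagged.append((e, "zero-byte executable in system32"))
        elif ext == "" and (stem.isdigit() or len(stem) == 1):
            flagged.append((e, "extensionless file with a numeric or one-letter name"))
        elif ext == "dll" and stem[::-1] + ".ini" in names:
            flagged.append((e, "DLL with a reversed-name .ini companion (Vundo trait)"))
        elif ext == "ini" and stem[::-1] + ".dll" in names:
            flagged.append((e, ".ini whose name is a flagged DLL spelled backwards"))
    return flagged


def cfscript(entries: List[Entry]) -> str:
    """Render the flagged paths as the File:: block ComboFix reads from CFScript.txt."""
    return "File::\n" + "".join(e.path + "\n" for e, _ in suspicious(entries))


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for entry, reason in suspicious(parsed):
        print(f"{entry.path}  <- {reason}")
    print(cfscript(parsed))
```

Feed it a whole ComboFix log rather than the excerpt: only lines in the file-record format parse, so section banners and the registry dump are skipped. Treat the output as a triage aid to be reviewed before anything is acted on; a zero-byte .exe in system32 is a strong signal, but the name-based rules are heuristics, not a verdict.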


========================================================

#13 dashing25

  • Topic Starter
  • Members
  • 14 posts
  • Local time:01:19 PM

Posted 20 May 2008 - 02:38 PM

Here is the new Combofix log:


ComboFix 08-05-15.3 - GAMEMACHINE 2008-05-21 0:56:28.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.410 [GMT 5.5:30]
Running from: C:\Documents and Settings\GAMEMACHINE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\GAMEMACHINE\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\18006067
C:\WINDOWS\system32\edgyitrx.dll
C:\WINDOWS\system32\servupdate.exe
C:\WINDOWS\system32\windowsupdate.exe
C:\WINDOWS\system32\wmsoft00526.exe
C:\WINDOWS\system32\wmsoft01026.exe
C:\WINDOWS\system32\wmsoft01463.exe
C:\WINDOWS\system32\wmsoft02858.exe
C:\WINDOWS\system32\wmsoft05011.exe
C:\WINDOWS\system32\wmsoft06615.exe
C:\WINDOWS\system32\wmsoft07106.exe
C:\WINDOWS\system32\wmsoft07255.exe
C:\WINDOWS\system32\wmsoft08144.exe
C:\WINDOWS\system32\wmsoft11246.exe
C:\WINDOWS\system32\wmsoft14854.exe
C:\WINDOWS\system32\wmsoft15855.exe
C:\WINDOWS\system32\wmsoft23550.exe
C:\WINDOWS\system32\wmsoft23623.exe
C:\WINDOWS\system32\wmsoft31417.exe
C:\WINDOWS\system32\wmsoft41566.exe
C:\WINDOWS\system32\wmsoft43684.exe
C:\WINDOWS\system32\wmsoft44744.exe
C:\WINDOWS\system32\wmsoft47045.exe
C:\WINDOWS\system32\wmsoft52244.exe
C:\WINDOWS\system32\wmsoft52882.exe
C:\WINDOWS\system32\wmsoft78232.exe
C:\WINDOWS\system32\wmsoft80864.exe
C:\WINDOWS\system32\wmsoft88223.exe
C:\WINDOWS\system32\xrtiygde.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\18006067
C:\WINDOWS\system32\edgyitrx.dll
C:\WINDOWS\system32\firewall.exe
C:\WINDOWS\system32\servupdate.exe
C:\WINDOWS\system32\windowsupdate.exe
C:\WINDOWS\system32\wmsoft00526.exe
C:\WINDOWS\system32\wmsoft01026.exe
C:\WINDOWS\system32\wmsoft01463.exe
C:\WINDOWS\system32\wmsoft02858.exe
C:\WINDOWS\system32\wmsoft05011.exe
C:\WINDOWS\system32\wmsoft06615.exe
C:\WINDOWS\system32\wmsoft07106.exe
C:\WINDOWS\system32\wmsoft07255.exe
C:\WINDOWS\system32\wmsoft08144.exe
C:\WINDOWS\system32\wmsoft11246.exe
C:\WINDOWS\system32\wmsoft14854.exe
C:\WINDOWS\system32\wmsoft15855.exe
C:\WINDOWS\system32\wmsoft23550.exe
C:\WINDOWS\system32\wmsoft23623.exe
C:\WINDOWS\system32\wmsoft31417.exe
C:\WINDOWS\system32\wmsoft41566.exe
C:\WINDOWS\system32\wmsoft43684.exe
C:\WINDOWS\system32\wmsoft44744.exe
C:\WINDOWS\system32\wmsoft47045.exe
C:\WINDOWS\system32\wmsoft52244.exe
C:\WINDOWS\system32\wmsoft52882.exe
C:\WINDOWS\system32\wmsoft78232.exe
C:\WINDOWS\system32\wmsoft80864.exe
C:\WINDOWS\system32\wmsoft88223.exe
C:\WINDOWS\system32\xrtiygde.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-20 16:46 . 2008-05-20 16:46 0 --a------ C:\WINDOWS\system32\wmsoft30304.exe
2008-05-20 16:28 . 2008-05-20 16:28 0 --a------ C:\WINDOWS\system32\wmsoft32555.exe
2008-05-20 16:25 . 2008-05-20 16:25 0 --a------ C:\WINDOWS\system32\wmsoft06056.exe
2008-05-20 16:19 . 2008-05-20 16:19 0 --a------ C:\WINDOWS\system32\wmsoft04785.exe
2008-05-20 16:12 . 2008-05-20 16:12 0 --a------ C:\WINDOWS\system32\wmsoft40150.exe
2008-05-20 16:05 . 2008-05-20 16:05 0 --a------ C:\WINDOWS\system32\wmsoft88683.exe
2008-05-20 16:02 . 2008-05-20 16:02 0 --a------ C:\WINDOWS\system32\wmsoft82712.exe
2008-05-20 15:58 . 2008-05-20 15:58 0 --a------ C:\WINDOWS\system32\wmsoft55873.exe
2008-05-20 12:11 . 2008-05-20 12:11 0 --a------ C:\WINDOWS\system32\wmsoft56863.exe
2008-05-20 12:09 . 2008-05-20 12:09 0 --a------ C:\WINDOWS\system32\wmsoft77608.exe
2008-05-20 11:58 . 2008-05-20 11:58 0 --a------ C:\WINDOWS\system32\wmsoft84477.exe
2008-05-20 09:40 . 2008-05-20 09:40 0 --a------ C:\WINDOWS\system32\wmsoft41178.exe
2008-05-20 07:59 . 2008-05-20 16:46 79 --a------ C:\WINDOWS\system32\i
2008-05-20 07:59 . 2008-05-20 07:59 0 --a------ C:\WINDOWS\system32\wmsoft76064.exe
2008-05-20 06:06 . 2008-05-20 06:06 <DIR> d-------- C:\SAV32CLI
2008-05-19 21:33 . 2008-05-19 21:33 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\DoctorWeb
2008-05-19 21:19 . 2008-05-20 07:59 <DIR> d-------- C:\SDFix
2008-05-19 09:11 . 2008-05-19 09:11 <DIR> d-------- C:\Deckard
2008-05-18 04:22 . 2008-05-20 06:16 <DIR> d-------- C:\Program Files\AutoPowerOn
2008-05-17 23:14 . 2008-05-17 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AutoPowerOn
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\SUPERAntiSpyware.com
2008-05-17 10:36 . 2008-05-17 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-17 07:33 . 2008-05-17 07:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-17 07:33 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 07:33 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 07:28 . 2008-05-17 07:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 07:28 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 02:00 . 2008-05-17 02:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-17 01:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 11:33 . 2008-05-16 11:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 08:47 . 2008-05-16 08:47 <DIR> d-------- C:\Program Files\Avira
2008-05-16 08:02 . 2008-05-16 08:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-16 05:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-16 05:20 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-16 05:08 . 2008-05-16 05:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-16 05:07 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-05-16 05:04 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-05-16 05:03 . 2008-05-16 05:41 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-16 05:02 . 2008-05-16 05:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-16 03:56 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-16 03:56 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-16 03:56 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-15 12:13 . 2008-05-15 12:13 <DIR> d-------- C:\Program Files\Vodei
2008-05-15 11:42 . 2008-05-15 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-15 11:38 . 2008-05-18 16:48 <DIR> d-------- C:\Temp
2008-05-15 10:39 . 2008-05-15 10:39 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Locktime
2008-05-15 10:29 . 2008-05-15 11:04 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-05-15 10:27 . 2008-05-15 12:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-15 10:26 . 2008-05-15 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-05-15 03:31 . 2008-05-15 03:31 <DIR> d-------- C:\Videos
2008-05-15 03:30 . 2008-05-19 03:50 <DIR> d-------- C:\Program Files\Cool YouTube Downloader
2008-05-14 21:45 . 2008-05-14 21:45 176 --a------ C:\WINDOWS\wininit.ini
2008-05-14 03:55 . 2008-05-19 05:56 109,807 --a------ C:\WINDOWS\BM1b334175.xml
2008-05-11 12:02 . 2008-05-11 12:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Premium
2008-05-11 11:58 . 2008-05-11 11:58 2 --a------ C:\WINDOWS\system32\LOGFILES
2008-05-11 10:42 . 2008-05-11 10:42 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-08 17:35 . 2001-08-17 22:36 99,328 --a------ C:\WINDOWS\system32\irftp.exe
2008-05-08 17:35 . 2002-08-29 03:40 78,336 --a------ C:\WINDOWS\system32\irmon.dll
2008-05-08 17:35 . 2001-08-17 13:51 55,296 --a------ C:\WINDOWS\system32\drivers\irda.sys
2008-05-08 17:35 . 2001-08-17 22:37 48,128 --a------ C:\WINDOWS\system32\irprops.cpl
2008-05-08 17:35 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2008-05-08 17:35 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
2008-05-08 17:35 . 2001-08-17 22:36 7,680 --a------ C:\WINDOWS\system32\wshirda.dll
2008-05-08 03:10 . 2008-05-08 03:10 <DIR> d-------- C:\Program Files\efs
2008-05-08 00:32 . 2008-05-08 00:32 168,230 --a------ C:\tst10.rar
2008-05-08 00:00 . 2008-05-08 01:40 <DIR> d-------- C:\tst10
2008-05-07 22:47 . 2008-05-17 23:00 18 --a------ C:\WINDOWS\power-on-task.ini
2008-05-07 16:32 . 2008-05-07 16:32 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-05-07 02:40 . 2008-05-17 11:40 <DIR> d-------- C:\clusters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 04:17 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\uTorrent
2008-05-20 00:50 --------- d-----w C:\Program Files\Replay AV 8
2008-05-20 00:48 --------- d-----w C:\Program Files\flashplayerpro
2008-05-19 22:58 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\SolidDocuments
2008-05-16 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-05-16 00:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-16 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 09:54 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SolidDocuments
2008-05-15 07:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-15 06:17 --------- d-----w C:\Program Files\Personal Chess Trainer
2008-05-15 06:17 --------- d-----w C:\Program Files\Okoker Sudoku
2008-05-15 06:17 --------- d-----w C:\Program Files\Hindi Songs Lyrics Directory
2008-05-15 06:17 --------- d-----w C:\Program Files\Google
2008-05-15 06:16 --------- d-----w C:\Program Files\Picture Merge Genius
2008-05-15 06:15 --------- d-----w C:\Program Files\Yahoo!
2008-05-15 06:15 --------- d-----w C:\Program Files\WinAVI VideoConverter
2008-05-15 06:14 --------- d-----w C:\Program Files\YouTube Video Downloader
2008-05-14 11:19 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\BSplayer Pro
2008-05-12 22:57 --------- d-----w C:\Program Files\BITSAT_2008_PCM_Sample
2008-05-11 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-09 16:54 --------- d-----w C:\Program Files\Britannica 7.0
2008-05-08 18:37 --------- d-----w C:\Program Files\Oxford
2008-05-05 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NFS Underground
2008-03-22 06:24 --------- d-----w C:\Program Files\Winamp
2007-05-29 10:57 87,608 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\inst.exe
2007-05-29 10:57 47,360 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\pcouffin.sys
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-18_22.54.10.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 17:20:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 19:24:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 14:32:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-05-18 11:10:15 5,021,696 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-19 17:44:27 5,001,216 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-05-18 11:10:15 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-19 17:44:27 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2008-05-14 22:20:59 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-20 10:04:05 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-14 22:20:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-20 10:04:05 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BDB97B1-D509-4053-866F-CC347CD80BBA}]
C:\WINDOWS\System32\ljJdAQhh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"DriveDiscoveryMemoryResident"="C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"AutoPowerOn"="C:\Program Files\AutoPowerOn\AutoPowerOn.exe" [2008-04-25 12:20 3021312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 21:49 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 21:37 114688]
"NeroFilterCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 10:50 155648]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 22:49 15872]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-18 14:05 98304]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-03 15:05:12 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2008-01-21 18:11]
R0 HFXP2;HFXP2;C:\WINDOWS\System32\DRIVERS\HFXP2.SYS [2006-08-01 20:20]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2008-01-21 18:12]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
S2 Distributed Allocated Memory Unit;Distributed Allocated Memory Unit;"C:\WINDOWS\system32\dllcache\mravsc32.exe" []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\System32\Drivers\APLMp50.sys [2005-02-16 13:36]
S3 pctvvbi;PCTVVBI;C:\WINDOWS\System32\DRIVERS\pctvvbi.sys [2002-04-02 15:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 23:34:29 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-15 23:34:28 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-18 17:43:00 C:\WINDOWS\Tasks\reboot.job"
- C:\tst10\reboot.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 00:57:51
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-21 1:00:07
ComboFix-quarantined-files.txt 2008-05-20 19:29:12
ComboFix2.txt 2008-05-20 03:17:52
ComboFix3.txt 2008-05-20 01:56:17
ComboFix4.txt 2008-05-19 17:40:43
ComboFix5.txt 2008-05-19 15:44:19

Pre-Run: 629,555,200 bytes free
Post-Run: 621,821,952 bytes free

274

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:19 PM

Posted 21 May 2008 - 09:49 AM

Run this script through Combofix once again.

File::
C:\WINDOWS\system32\wmsoft30304.exe
C:\WINDOWS\system32\wmsoft32555.exe
C:\WINDOWS\system32\wmsoft06056.exe
C:\WINDOWS\system32\wmsoft04785.exe
C:\WINDOWS\system32\wmsoft40150.exe
C:\WINDOWS\system32\wmsoft88683.exe
C:\WINDOWS\system32\wmsoft82712.exe
C:\WINDOWS\system32\wmsoft55873.exe
C:\WINDOWS\system32\wmsoft56863.exe
C:\WINDOWS\system32\wmsoft77608.exe
C:\WINDOWS\system32\wmsoft84477.exe
C:\WINDOWS\system32\wmsoft41178.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\wmsoft76064.exe


These files are being created quickly, but they are easy to identify. You want to delete all the files that are named with this format.

wmsoftxxxxx.exe

They should all have been created within the past day or so and found in your C:\Windows\System32 folder.
You may be able to delete these manually without using combofix.


Once you get rid of them all, go ahead and run SDfix as you did before. Then post that log and a new combofix log in your next reply.
Let me know how it goes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
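As an added example (not code from this thread, from ComboFix or from SDFix): a small Python triage script that parses ComboFix "Files Created" lines in the format shown in the logs above and flags the wmsoftxxxxx.exe name pattern described in the post, as well as the one-letter, extension-less System32 files (`o`, `i`) that SDFix and ComboFix removed earlier in the thread. The sample log below is constructed; the wmsoft timestamps in it are made up, since the real log listed those files without timestamps under File::.

```python
"""Triage ComboFix 'Files Created' lines for the patterns discussed in the thread."""
import re
from datetime import datetime, timedelta

# One ComboFix "Files Created" line, e.g. (copied from the log above):
#   2008-05-21 23:03 . 2008-05-21 23:03 68 --a------ C:\WINDOWS\system32\o
# Fields: <created> . <modified> <size or <DIR>> <attributes> <path>
COMBOFIX_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)

# Name format the helper asked to look for: "wmsoft" + five digits + ".exe"
WMSOFT_NAME = re.compile(r"^wmsoft\d{5}\.exe$", re.IGNORECASE)
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


def parse_combofix_line(line):
    """Return a dict for one 'Files Created' line, or None if the line is not one."""
    m = COMBOFIX_LINE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return {
        "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
        "is_dir": size == "<DIR>",
        "size": None if size == "<DIR>" else int(size.replace(",", "")),
        "path": m.group("path"),
    }


def classify(entry, now, max_age=timedelta(days=2)):
    """Return a reason string if the entry matches a pattern from the thread, else None."""
    if entry["is_dir"]:
        return None
    folder, _, name = entry["path"].rpartition("\\")
    # Only files directly inside System32 are of interest here (not its subfolders).
    if (folder + "\\").lower() != SYSTEM32_PREFIX:
        return None
    if WMSOFT_NAME.match(name):
        # The helper expected these to be at most a day or so old; flag older ones too,
        # but say so, since a stale copy still matches the dropper's naming scheme.
        age = now - entry["created"]
        recent = "recent" if age <= max_age else "older than the helper expected"
        return "wmsoftNNNNN.exe name pattern (%s)" % recent
    # SDFix and ComboFix removed one-letter, extension-less files ("o", "i")
    # from System32 in the logs above; treat that shape as worth a look.
    if len(name) == 1 and "." not in name:
        return "single-letter file without extension in System32"
    return None


def triage(log_text, now):
    """Parse every line of a ComboFix log and return [(path, reason)] for the hits."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_combofix_line(line)
        if entry is None:
            continue
        reason = classify(entry, now)
        if reason:
            hits.append((entry["path"], reason))
    return hits


# Constructed sample log: the "o", SAV32CLI and mbam.sys lines are copied from the
# thread; the three wmsoft lines and their timestamps are made up for this example.
SAMPLE_LOG = """\
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
2008-05-21 23:03 . 2008-05-21 23:03 68 --a------ C:\\WINDOWS\\system32\\o
2008-05-21 22:41 . 2008-05-21 22:41 24,576 --a------ C:\\WINDOWS\\system32\\wmsoft30304.exe
2008-05-21 22:40 . 2008-05-21 22:40 24,576 --a------ C:\\WINDOWS\\system32\\wmsoft32555.exe
2008-05-01 09:00 . 2008-05-01 09:00 24,576 --a------ C:\\WINDOWS\\system32\\wmsoft99999.exe
2008-05-20 06:06 . 2008-05-20 06:06 <DIR> d-------- C:\\SAV32CLI
2008-05-17 01:07 . 2008-05-05 20:46 15,864 --a------ C:\\WINDOWS\\system32\\drivers\\mbam.sys
"""

if __name__ == "__main__":
    # "now" is pinned to the time of the log in the thread so the age check is reproducible.
    for path, reason in triage(SAMPLE_LOG, datetime(2008, 5, 21, 23, 30)):
        print(path, "->", reason)
```

Run it against a saved ComboFix log by reading the file into `triage()` with the current time; anything it flags should be checked against the File:: list the helper supplied before deleting.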


========================================================

#15 dashing25

dashing25
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:19 PM

Posted 21 May 2008 - 02:04 PM

Three little queries:
1. When I run SDFix it gives this message:
"System\CurrentControlSet\Control\VirtualDeviceDrivers. Virtual Device Driver Format in the registry is invalid. Choose 'close' to terminate the program ".


I have Alcohol installed. Is it due to that software or some other reason?

2. I have noticed that files like wmsoftxxxxx.exe get created whenever I open the web browser. If I do not open the browser but remain connected, nothing happens and I do not get any virus detection messages from Avira.

3. When I manually tried to delete the wmsoftxxxxx.exe files using Unlocker Assistant, these files were being
used by ftp.exe.

Here are the two reports:
1.

SDFix: Version 1.183
Run by GAMEMACHINE on Wed 05/21/2008 at 11:28 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
Distributed Allocated Memory Unit

Path :
"C:\WINDOWS\system32\dllcache\mravsc32.exe"

Distributed Allocated Memory Unit - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\o - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 23:35:02
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\$winnt32$_test]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]
"ujdew"=hex:20,02,00,00,c4,d7,af,7c,0a,27,5b,38,d5,99,c6,77,14,a5,a1,ef,27,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41]
"ujdew"=hex:20,02,00,00,78,d7,af,7c,56,4f,5e,39,01,22,f9,b9,d0,6f,00,4e,33,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg410]
"ujdew"=hex:20,02,00,00,a4,7c,6d,1d,ea,12,a1,20,35,f9,be,40,f4,37,64,44,07,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg411]
"ujdew"=hex:20,02,00,00,e9,7b,6d,1d,49,0d,67,81,f8,4e,d4,ab,3b,2b,58,30,b2,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg412]
"ujdew"=hex:20,02,00,00,0d,7b,6d,1d,25,57,09,6d,24,7c,81,b6,b7,97,a2,1b,1e,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg413]
"ujdew"=hex:20,02,00,00,a0,7a,6d,1d,5e,d7,fb,78,e9,e5,66,e0,98,c2,4b,71,5b,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg414]
"ujdew"=hex:20,02,00,00,d4,79,6d,1d,7a,c0,23,46,45,32,0e,6b,c4,32,ea,d4,d7,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg415]
"ujdew"=hex:20,02,00,00,77,79,6d,1d,c3,ee,88,f3,ba,c1,d2,cc,85,70,eb,b2,04,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg416]
"ujdew"=hex:20,02,00,00,eb,78,6d,1d,af,72,a6,76,d6,b0,41,77,81,15,ed,17,50,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg417]
"ujdew"=hex:20,02,00,00,1f,78,6d,1d,4b,6c,ce,43,82,0c,e9,f9,cd,85,8f,fb,2c,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg418]
"ujdew"=hex:20,02,00,00,b2,67,6d,1d,e4,13,5b,c5,77,e6,e9,d8,de,60,38,69,69,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg419]
"ujdew"=hex:20,02,00,00,d6,66,6d,1d,50,66,0d,b1,b3,0b,a2,2b,aa,cc,82,4c,f5,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42]
"ujdew"=hex:20,02,00,00,eb,d6,af,7c,af,78,54,4a,d6,46,f5,fb,81,83,f8,aa,50,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg420]
"ujdew"=hex:20,02,00,00,6b,66,6d,1d,2f,92,2e,29,56,1a,7a,a6,01,f9,3e,ba,d0,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg421]
"ujdew"=hex:20,02,00,00,8e,65,6d,1d,08,82,b8,a2,0b,7d,b4,48,42,e5,7f,15,8d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg422]
"ujdew"=hex:20,02,00,00,32,65,6d,1d,64,03,39,02,f7,df,fb,1a,5e,a4,79,7b,e9,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg423]
"ujdew"=hex:20,02,00,00,55,64,6d,1d,4d,f3,d3,bb,ac,32,35,3d,9f,87,c6,d6,46,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg424]
"ujdew"=hex:20,02,00,00,8b,63,6d,1d,4f,99,2a,2d,76,34,df,d0,a1,f0,6c,8a,f0,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg425]
"ujdew"=hex:20,02,00,00,2e,63,6d,1d,28,c7,93,5a,ab,bb,a3,ba,62,37,6d,60,2d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg426]
"ujdew"=hex:20,02,00,00,42,62,6d,1d,54,63,cf,e4,67,c3,61,0d,0e,88,5f,cb,99,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg427]
"ujdew"=hex:20,02,00,00,e6,61,6d,1d,80,e3,4f,44,23,2d,b5,df,1a,4f,66,29,e5,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg428]
"ujdew"=hex:20,02,00,00,0a,61,6d,1d,7c,36,f1,37,6f,53,6e,2a,96,ab,a0,0c,41,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg429]
"ujdew"=hex:20,02,00,00,ae,60,6d,1d,a8,b6,71,97,2b,bd,b5,f4,e2,6a,ab,72,ad,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg43]
"ujdew"=hex:20,02,00,00,8c,0e,66,ad,d2,c2,43,d6,dd,21,12,80,fc,58,19,6c,ef,..
"ljej40"=hex:87,66,11,6b,cd,5f,1c,d7,8d,90,a9,aa,f2,50,f6,b6,f2,af,25,47,71,..
"ljej41"=hex:16,66,11,6b,b5,5f,1c,d7,8c,90,a8,aa,f3,50,f6,b6,f2,af,25,47,61,..
"ljej42"=hex:16,66,11,6b,b5,5f,1c,d7,8c,90,a8,aa,f3,50,f6,b6,f2,af,25,47,61,..
"ljej43"=hex:16,66,11,6b,b5,5f,1c,d7,8c,90,a8,aa,f3,50,f6,b6,f2,af,25,47,61,..
"ljej44"=hex:16,66,11,6b,b5,5f,1c,d7,8c,90,a8,aa,f3,50,f6,b6,f2,af,25,47,61,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg430]
"ujdew"=hex:20,02,00,00,f2,6f,6d,1d,a4,1e,75,80,37,c0,21,c2,9e,3d,9e,3e,29,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg44]
"ujdew"=hex:20,02,00,00,20,0e,66,ad,de,a4,4d,14,69,65,6b,da,18,14,cb,d1,db,..
"ljej40"=hex:2e,f6,f6,b6,b6,1f,22,3a,0c,cb,d8,17,05,23,5c,6e,0b,90,6a,29,1a,..
"ljej41"=hex:bf,f6,f6,b6,ce,1f,22,3a,0d,cb,d9,17,04,23,5c,6e,0b,90,6a,29,2a,..
"ljej42"=hex:bf,f6,f6,b6,ce,1f,22,3a,0d,cb,d9,17,04,23,5c,6e,0b,90,6a,29,2a,..
"ljej43"=hex:bf,f6,f6,b6,ce,1f,22,3a,0d,cb,d9,17,04,23,5c,6e,0b,90,6a,29,2a,..
"ljej44"=hex:bf,f6,f6,b6,ce,1f,22,3a,0d,cb,d9,17,04,23,5c,6e,0b,90,6a,29,2a,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg45]
"ujdew"=hex:20,02,00,00,05,0d,66,ad,5d,ae,21,bc,7c,c3,d3,6d,6f,cc,bf,83,96,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg46]
"ujdew"=hex:20,02,00,00,c5,7e,6d,1d,9d,9c,f8,e4,bc,ea,7e,5f,af,30,10,c0,d6,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg47]
"ujdew"=hex:20,02,00,00,79,7e,6d,1d,39,c4,ff,e5,e8,73,b1,e1,6b,fb,72,a6,22,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg48]
"ujdew"=hex:20,02,00,00,9d,7d,6d,1d,95,0e,a1,51,d4,a1,6d,ec,e7,67,bd,89,8e,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg49]
"ujdew"=hex:20,02,00,00,31,7d,6d,1d,91,e0,ab,97,60,e5,c2,06,03,13,6f,6f,fa,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0E93EB77-8A1E-26FB-5BBA-AD76E28B6A28}]
"abpfmgklphkjkalbbkdnllgppeeedjfgaa"=hex:61,62,62,66,68,62,61,64,6e,6e,67,66,65,6a,62,6a,66,69,62,6c,64,..
"bbpfmgklphkjkalbbkenojhdidalbndfgkbb"=hex:61,62,69,65,70,6c,64,67,70,64,67,6f,6e,6e,6e,70,70,66,65,70,62,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F1388F7A-C4B0-3DA9-A7E1-79A2C806CF92}]
"iafokneencdbmgdaeg"=hex:69,61,66,64,6a,6a,63,66,68,6d,6f,70,6e,6d,66,64,66,6f,00,00
"haloiodoacfnopdm"=hex:69,61,66,64,6a,6a,63,66,68,6d,6f,70,6e,6d,66,64,66,6f,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!

2.
ComboFix 08-05-15.3 - GAMEMACHINE 2008-05-21 23:07:02.10 - NTFSx86

Running from: C:\Documents and Settings\GAMEMACHINE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\GAMEMACHINE\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\i
C:\WINDOWS\system32\wmsoft04785.exe
C:\WINDOWS\system32\wmsoft06056.exe
C:\WINDOWS\system32\wmsoft30304.exe
C:\WINDOWS\system32\wmsoft32555.exe
C:\WINDOWS\system32\wmsoft40150.exe
C:\WINDOWS\system32\wmsoft41178.exe
C:\WINDOWS\system32\wmsoft55873.exe
C:\WINDOWS\system32\wmsoft56863.exe
C:\WINDOWS\system32\wmsoft76064.exe
C:\WINDOWS\system32\wmsoft77608.exe
C:\WINDOWS\system32\wmsoft82712.exe
C:\WINDOWS\system32\wmsoft84477.exe
C:\WINDOWS\system32\wmsoft88683.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\i
C:\WINDOWS\system32\wmsoft04785.exe
C:\WINDOWS\system32\wmsoft06056.exe
C:\WINDOWS\system32\wmsoft30304.exe
C:\WINDOWS\system32\wmsoft32555.exe
C:\WINDOWS\system32\wmsoft40150.exe
C:\WINDOWS\system32\wmsoft41178.exe
C:\WINDOWS\system32\wmsoft55873.exe
C:\WINDOWS\system32\wmsoft56863.exe
C:\WINDOWS\system32\wmsoft76064.exe
C:\WINDOWS\system32\wmsoft77608.exe
C:\WINDOWS\system32\wmsoft82712.exe
C:\WINDOWS\system32\wmsoft84477.exe
C:\WINDOWS\system32\wmsoft88683.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 23:03 . 2008-05-21 23:03 68 --a------ C:\WINDOWS\system32\o
2008-05-21 01:19 . 2008-05-21 01:19 0 --a------ C:\WINDOWS\system32\servupdate.exe
2008-05-20 06:06 . 2008-05-20 06:06 <DIR> d-------- C:\SAV32CLI
2008-05-19 21:33 . 2008-05-19 21:33 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\DoctorWeb
2008-05-19 21:19 . 2008-05-20 07:59 <DIR> d-------- C:\SDFix
2008-05-19 09:11 . 2008-05-19 09:11 <DIR> d-------- C:\Deckard
2008-05-18 04:22 . 2008-05-20 06:16 <DIR> d-------- C:\Program Files\AutoPowerOn
2008-05-17 23:14 . 2008-05-17 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AutoPowerOn
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-17 10:36 . 2008-05-17 10:49 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\SUPERAntiSpyware.com
2008-05-17 10:36 . 2008-05-17 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-17 07:33 . 2008-05-17 07:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-17 07:33 . 2008-05-17 10:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 07:33 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 07:28 . 2008-05-17 07:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 07:28 . 2008-05-17 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-17 02:15 . 2008-05-17 02:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-17 02:00 . 2008-05-17 02:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-17 01:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-17 01:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-17 01:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 11:33 . 2008-05-16 11:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-16 08:47 . 2008-05-16 08:47 <DIR> d-------- C:\Program Files\Avira
2008-05-16 08:02 . 2008-05-16 08:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-16 05:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-16 05:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-16 05:20 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-16 05:08 . 2008-05-16 05:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-16 05:07 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-05-16 05:04 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-05-16 05:03 . 2008-05-16 05:41 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-16 05:02 . 2008-05-16 05:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-16 03:56 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-16 03:56 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-16 03:56 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-15 12:13 . 2008-05-15 12:13 <DIR> d-------- C:\Program Files\Vodei
2008-05-15 11:42 . 2008-05-15 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-15 11:38 . 2008-05-18 16:48 <DIR> d-------- C:\Temp
2008-05-15 10:39 . 2008-05-15 10:39 <DIR> d-------- C:\Documents and Settings\GAMEMACHINE\Application Data\Locktime
2008-05-15 10:29 . 2008-05-15 11:04 4,212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-05-15 10:27 . 2008-05-15 12:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-05-15 10:26 . 2008-05-15 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-05-15 03:31 . 2008-05-15 03:31 <DIR> d-------- C:\Videos
2008-05-15 03:30 . 2008-05-19 03:50 <DIR> d-------- C:\Program Files\Cool YouTube Downloader
2008-05-14 21:45 . 2008-05-14 21:45 176 --a------ C:\WINDOWS\wininit.ini
2008-05-14 03:55 . 2008-05-19 05:56 109,807 --a------ C:\WINDOWS\BM1b334175.xml
2008-05-11 12:02 . 2008-05-11 12:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Premium
2008-05-11 11:58 . 2008-05-11 11:58 2 --a------ C:\WINDOWS\system32\LOGFILES
2008-05-11 10:42 . 2008-05-11 10:42 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-05-08 17:35 . 2001-08-17 22:36 99,328 --a------ C:\WINDOWS\system32\irftp.exe
2008-05-08 17:35 . 2002-08-29 03:40 78,336 --a------ C:\WINDOWS\system32\irmon.dll
2008-05-08 17:35 . 2001-08-17 13:51 55,296 --a------ C:\WINDOWS\system32\drivers\irda.sys
2008-05-08 17:35 . 2001-08-17 22:37 48,128 --a------ C:\WINDOWS\system32\irprops.cpl
2008-05-08 17:35 . 2001-08-17 13:51 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2008-05-08 17:35 . 2001-08-17 13:51 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
2008-05-08 17:35 . 2001-08-17 22:36 7,680 --a------ C:\WINDOWS\system32\wshirda.dll
2008-05-08 03:10 . 2008-05-08 03:10 <DIR> d-------- C:\Program Files\efs
2008-05-08 00:32 . 2008-05-08 00:32 168,230 --a------ C:\tst10.rar
2008-05-08 00:00 . 2008-05-08 01:40 <DIR> d-------- C:\tst10
2008-05-07 22:47 . 2008-05-17 23:00 18 --a------ C:\WINDOWS\power-on-task.ini
2008-05-07 16:32 . 2008-05-07 16:32 <DIR> d-------- C:\WINDOWS\vbSkinner
2008-05-07 02:40 . 2008-05-17 11:40 <DIR> d-------- C:\clusters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 07:12 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\uTorrent
2008-05-21 06:35 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\SolidDocuments
2008-05-20 00:50 --------- d-----w C:\Program Files\Replay AV 8
2008-05-20 00:48 --------- d-----w C:\Program Files\flashplayerpro
2008-05-16 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-05-16 00:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-16 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-15 09:54 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SolidDocuments
2008-05-15 07:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-15 06:17 --------- d-----w C:\Program Files\Personal Chess Trainer
2008-05-15 06:17 --------- d-----w C:\Program Files\Okoker Sudoku
2008-05-15 06:17 --------- d-----w C:\Program Files\Hindi Songs Lyrics Directory
2008-05-15 06:17 --------- d-----w C:\Program Files\Google
2008-05-15 06:16 --------- d-----w C:\Program Files\Picture Merge Genius
2008-05-15 06:15 --------- d-----w C:\Program Files\Yahoo!
2008-05-15 06:15 --------- d-----w C:\Program Files\WinAVI VideoConverter
2008-05-15 06:14 --------- d-----w C:\Program Files\YouTube Video Downloader
2008-05-14 11:19 --------- d-----w C:\Documents and Settings\GAMEMACHINE\Application Data\BSplayer Pro
2008-05-12 22:57 --------- d-----w C:\Program Files\BITSAT_2008_PCM_Sample
2008-05-11 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-09 16:54 --------- d-----w C:\Program Files\Britannica 7.0
2008-05-08 18:37 --------- d-----w C:\Program Files\Oxford
2008-05-05 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\NFS Underground
2008-03-22 06:24 --------- d-----w C:\Program Files\Winamp
2007-05-29 10:57 87,608 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\inst.exe
2007-05-29 10:57 47,360 ----a-w C:\Documents and Settings\GAMEMACHINE\Application Data\pcouffin.sys
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-18_22.54.10.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 17:20:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 17:31:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 14:32:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-05-18 11:10:15 5,021,696 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-19 17:44:27 5,001,216 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-05-18 11:10:15 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-19 17:44:27 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2008-05-14 22:20:59 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-21 00:13:36 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-14 22:20:59 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-21 00:13:36 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BDB97B1-D509-4053-866F-CC347CD80BBA}]
C:\WINDOWS\System32\ljJdAQhh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"DriveDiscoveryMemoryResident"="C:\Program Files\NotsoSoftware\DriveDiscovery\NSSMR.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"AutoPowerOn"="C:\Program Files\AutoPowerOn\AutoPowerOn.exe" [2008-04-25 12:20 3021312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 21:49 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 21:37 114688]
"NeroFilterCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 10:50 155648]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 22:49 15872]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 18:37 69216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55 54832]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-18 14:05 98304]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-03 15:05:12 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton AntiVirus\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001


.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 23:34:29 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-05-15 23:34:28 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-05-18 17:43:00 C:\WINDOWS\Tasks\reboot.job"
- C:\tst10\reboot.bat
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 23:08:20
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-21 23:10:35
ComboFix-quarantined-files.txt 2008-05-21 17:39:33
ComboFix2.txt 2008-05-20 19:30:09
ComboFix3.txt 2008-05-20 03:17:52
ComboFix4.txt 2008-05-20 01:56:17
ComboFix5.txt 2008-05-19 17:40:43

Pre-Run: 1,404,207,104 bytes free
Post-Run: 1,391,837,184 bytes free

225

Edited by dashing25, 21 May 2008 - 02:36 PM.
