08-11-2007, 10:24 PM   #5
skim
OS: XP


Re: Trojan Downloader Issues

Okay, everything has been done. I submitted the malware from the ComboFix scan as well.

Here's the ComboFix log:
Quote:
ComboFix 07-08-12 - "me" 2007-08-11 17:37:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.579 [GMT -4:00]
Command switches used :: C:\Documents and Settings\me\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\hmapekaj.ini.ren
C:\WINDOWS\system32\vwxyb.bak2
C:\WINDOWS\system32\ylsdmwij.dll.ren
C:\WINDOWS\system32\jiwmdsly.ini.ren
C:\Program Files\Viewpoint
C:\WINDOWS\system32\vwxyb.ini.ren
C:\WINDOWS\system32\vwxyb.bak2.ren
C:\WINDOWS\system32\vwxyb.bak1.ren


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Viewpoint
C:\Program Files\Common Files\WhenU
C:\Program Files\Common Files\WhenU\EmbedSE.dll.ren
C:\WINDOWS\system32\hmapekaj.ini.ren
C:\WINDOWS\system32\jiwmdsly.ini.ren
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vwxyb.bak1.ren
C:\WINDOWS\system32\vwxyb.bak2
C:\WINDOWS\system32\vwxyb.bak2.ren
C:\WINDOWS\system32\vwxyb.ini.ren
C:\WINDOWS\system32\ylsdmwij.dll.ren
C:\WINDOWS\WFXDEL.BAT
D:\autorun.bat . . . . failed to delete


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-11 16:20 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 20:27 <DIR> d-------- C:\Deckard
2007-08-04 17:39 <DIR> d-------- C:\Program Files\Megaman - X Rush to Battle
2007-08-04 00:51 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-25 00:19 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-07-25 00:19 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-07-15 02:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Simply Super Software
2007-07-15 02:20 <DIR> d-------- C:\WINDOWS\CSC
2007-07-14 22:58 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-14 22:54 <DIR> d-------- C:\DOCUME~1\me\APPLIC~1\Simply Super Software


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2014-02-15 15:10 --------- d-------- C:\Program Files\Apoint
2014-02-15 15:09 --------- d-------- C:\Program Files\CONEXANT
2014-02-15 14:57 --------- d-------- C:\Program Files\SigmaTel
2014-02-15 14:19 --------- d-------- C:\DOCUME~1\me\APPLIC~1\Symantec
2007-08-11 17:25 --------- d-------- C:\DOCUME~1\me\APPLIC~1\OpenOffice.org2
2007-08-09 20:16 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-05 10:22 --------- d-------- C:\Program Files\Winamp
2007-08-04 18:35 --------- d-------- C:\Program Files\Viewpoint
2007-08-04 18:31 --------- d-------- C:\Program Files\SpeedFan
2007-08-04 16:12 --------- d-------- C:\DOCUME~1\me\APPLIC~1\FrostWire
2007-08-04 00:21 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2007-08-04 00:21 --------- d-------- C:\Program Files\BitComet
2007-07-24 20:20 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-10 21:09 --------- d-------- C:\Program Files\DHShutdown
2007-07-10 20:49 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-07-10 20:07 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-10 20:07 --------- d-------- C:\Program Files\System Shock 2
2007-07-10 20:06 --------- d-------- C:\Program Files\FrostWire
2007-07-07 19:29 --------- d-------- C:\DOCUME~1\me\APPLIC~1\uTorrent
2007-07-07 19:21 --------- d-------- C:\Program Files\LucasArts
2007-07-05 13:08 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-07-01 01:01 --------- d-------- C:\Program Files\Combined Community Codec Pack
2007-06-05 21:55 118784 --a------ C:\WINDOWS\GREUninstall.exe
2007-05-16 11:12 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:32]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-05-25 00:43]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-29 14:30]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-06-11 00:07]
"Comodo Firewall"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-02-06 19:16]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-05-06 09:29]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 06:29]
"Steam"="J:\Program Files\Steam\Steam.exe" [2007-06-28 21:27]

C:\Documents and Settings\me\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2007-05-11 0332]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-11 00:29:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)

R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys
R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R1 Ext2fs;Ext2fs;C:\WINDOWS\system32\DRIVERS\ext2fs.sys
R1 fanio;FanIO driver;\??\C:\WINDOWS\system32\drivers\fanio.sys
R1 IfsDrives;IfsDrives;C:\WINDOWS\system32\DRIVERS\IfsDrives.sys
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ousbehci.sys
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys
R3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver ;C:\WINDOWS\system32\DRIVERS\w70n51.sys
S0 gdxwdm;GDXWDM;C:\WINDOWS\system32\DRIVERS\GDXWDM.sys
S3 efipsk;efipsk;\??\C:\DOCUME~1\me\LOCALS~1\Temp\efipsk.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\System32\Drivers\iqvw32.sys
S3 SIWIO;SIWIO;\??\C:\WINDOWS\TEMP\SiwIo.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e6379e0-942c-11db-a45e-000cf149f678}]
AutoRun\command- F:\wd_windows_tools\setup.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 17:42:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 17:46:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-11 17:45
C:\ComboFix2.txt ... 2007-08-11 16:38

--- E O F ---
Here is the Kaspersky log:
Quote:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, August 11, 2007 9:13:40 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/08/2007
Kaspersky Anti-Virus database records: 378842
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
J:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 165095
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 2
Duration of the scan process: 01:33:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\cert8.db Object is locked skipped
C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\flashgot.log Object is locked skipped
C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\history.dat Object is locked skipped
C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\key3.db Object is locked skipped
C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\parent.lock Object is locked skipped
C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\search.sqlite Object is locked skipped
C:\Documents and Settings\me\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\me\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\me\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\me\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\me\Local Settings\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\me\Local Settings\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\me\Local Settings\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\me\Local Settings\Application Data\Mozilla\Firefox\Profiles\i5r4k6sx.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\me\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\me\Local Settings\Temp\~DF7E19.tmp Object is locked skipped
C:\Documents and Settings\me\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\me\My Documents\OpenOffice\christiine_essay.odt Object is locked skipped
C:\Documents and Settings\me\ntuser.dat Object is locked skipped
C:\Documents and Settings\me\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20070811-174037.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\WhenU\EmbedSE.dll.ren.vir Infected: not-a-virus:AdWare.Win32.SaveNow.bb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\efccbaa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\QooBox\Quarantine\catchme2007-08-11_163415.00.zip/efccbaa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\QooBox\Quarantine\catchme2007-08-11_163415.00.zip/efccbaa.dll.1 Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\QooBox\Quarantine\catchme2007-08-11_163415.00.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
J:\Program Files\Steam\Steam.log Object is locked skipped
J:\Program Files\Steam\steamapps\winui.gcf Object is locked skipped
J:\Program Files\Steam\SteamLogs\SteamStats.log Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Y:\usr\bin\mawk Object is locked skipped
Y:\usr\src\linux-headers-2.6.20-15\debian\config Object is locked skipped
Y:\usr\src\linux-headers-2.6.20-15-generic\include\config\w1\con.h Object is locked skipped
Y:\usr\src\linux-headers-2.6.20-16-generic\include\config\w1\con.h Object is locked skipped

Scan process completed.
And a fresh HJT log:
Quote:
Logfile of HijackThis v1.99.1
Scan saved at 12:20:38 AM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
J:\Program Files\Steam\Steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\me\My Documents\_Jake\Downloads & Apps\Programs\Spyware Tools\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Steam] "J:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
As for behavior, I've had IE set to offline mode to keep it from connecting to any weird IP addresses. Overnight yesterday I ran Spybot S&D, AVG Free Anti-Virus, AVG Anti-Spyware, and VundoFix in safe mode, and after that, and with your help, there seems to be much less influence from the trojan. According to the Kaspersky scan, though, there is still much to do. Thanks again for your help; it's greatly appreciated.
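A small triage script for logs like the ones pasted in this post, added here as an example; it is not part of the post and is not code from ComboFix, HijackThis or Kaspersky. The sample lines embedded below are copied verbatim from the ComboFix driver list, the MountPoints2 entry and the HijackThis O2/O4/O23 entries quoted above. The four rules it applies (a driver whose image sits in a Temp directory, an O2 BHO whose file is gone, an O23 service HijackThis could not attribute to a vendor, and an AutoRun handler under Explorer's MountPoints2 key) are this example's own heuristics for deciding what to look at next, not a verdict from any tool; a hit means "inspect this entry", not "this is malware".

```python
"""Triage helpers for HijackThis and ComboFix logs (added example, not
from the post or from either tool).  Sample lines are copied from the
logs quoted in the post; the flagging rules are this example's own."""
import re

# --- sample input: lines copied from the ComboFix log above ---------------
COMBOFIX_SAMPLE = r"""R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys
R1 fanio;FanIO driver;\??\C:\WINDOWS\system32\drivers\fanio.sys
S3 efipsk;efipsk;\??\C:\DOCUME~1\me\LOCALS~1\Temp\efipsk.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\System32\Drivers\iqvw32.sys
S3 SIWIO;SIWIO;\??\C:\WINDOWS\TEMP\SiwIo.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e6379e0-942c-11db-a45e-000cf149f678}]
AutoRun\command- F:\wd_windows_tools\setup.exe
"""

# --- sample input: lines copied from the HijackThis log above -------------
HJT_SAMPLE = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
"""

# A path component named Temp/TMP anywhere in the image path.
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# ComboFix driver/service line: R=running, S=stopped, digit=start type.
DRIVER_LINE = re.compile(r"^([RS])([0-4])\s+([^;]*);([^;]*);(.*)$")
# HijackThis entry: "O4 - HKLM\..\Run: [...] ..." and friends.
HJT_LINE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")
# Registry key line for a per-volume MountPoints2 entry; captures the GUID.
MOUNTPOINT_KEY = re.compile(r"\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)


def normalize_path(path):
    """Strip the NT object-manager prefix (\\??\\) ComboFix prints on some drivers."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def triage_combofix(text):
    """Return (severity, rule, detail) tuples for driver entries whose image
    lives under a Temp directory and for MountPoints2 AutoRun handlers."""
    findings = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        m = DRIVER_LINE.match(line)
        if m:
            state, start, name, _desc, path = m.groups()
            path = normalize_path(path)
            if TEMP_PATH.search(path):
                status = "running" if state == "R" else "stopped"
                findings.append(("high", "driver-in-temp",
                                 f"{name.strip()} ({status}, start type {start}) -> {path}"))
            continue
        k = MOUNTPOINT_KEY.search(line)
        if k:
            current_key = k.group(1)   # remember which volume the AutoRun belongs to
            continue
        if line.lower().startswith("autorun\\command-"):
            cmd = line.split("-", 1)[1].strip()
            findings.append(("review", "mountpoints2-autorun",
                             f"{current_key or '?'} -> {cmd}"))
    return findings


def triage_hjt(text):
    """Return (severity, rule, detail) tuples for orphaned BHOs, services with
    no vendor name in their version info, and autostarts run from Temp."""
    findings = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "O2" and body.endswith("(no file)"):
            findings.append(("review", "orphaned-bho", body))
        if code == "O23" and " - Unknown owner - " in body:
            findings.append(("review", "service-unknown-owner", body))
        if code in ("O4", "O20", "O21", "O23") and TEMP_PATH.search(body):
            findings.append(("high", "autostart-in-temp", body))
    return findings


if __name__ == "__main__":
    for sev, rule, detail in triage_combofix(COMBOFIX_SAMPLE) + triage_hjt(HJT_SAMPLE):
        print(f"[{sev}] {rule}: {detail}")
```

Run against the two samples it reports the two Temp-resident drivers (efipsk.sys and SiwIo.sys), the AutoRun handler for volume {6e6379e0-942c-11db-a45e-000cf149f678}, the orphaned BHO {7E853D72-626A-48EC-A868-BA8D5E23E045} and the "ATI Smart" service, and stays silent on the entries with a vendor name and a normal system path. The Temp rule is deliberately crude (a substring match on the path), which is the right trade-off for a first pass: legitimate software occasionally drops a helper driver there too, so each hit still needs a look at the file's publisher and signature before anything is removed.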