12-09-2008, 06:07 PM   #5
DLEEUS
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: Windows XP


Re: Need help removing Sinowal.Trojan

Hi,

I followed your instructions and removed the requested programs. I also copied the script and executed it as shown. However, when running ComboFix, it seemed to run through the whole thing but hung up at the last step. It was displaying the "creating the log" text and something about not executing other programs until finished. It sat like that for about 8 hours; it appeared to be frozen. Also, there were no icons or toolbars being displayed on the desktop. I did a hard shutdown (power off) and rebooted. I then re-ran ComboFix with the script again, but it did the same thing. I canceled it and just ran ComboFix by itself without the script, and it finished fine. Hope that is okay. I then finished the rest as requested. The Kaspersky scan took almost 7 hours to complete. Included are the Kaspersky log as well as the ComboFix log.

Thanks,

DLEEUS

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 09, 2008 12:41:29
Records in database: 1447097
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
K:\

Scan statistics:
Files scanned: 173564
Threat name: 9
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 06:47:19


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A2C0000.VBN Infected: Backdoor.Win32.TDSS.bkw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300000.VBN Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A500000.VBN Infected: Trojan.Win32.Agent.duy 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A500002.VBN Infected: Trojan.Win32.Agent.duy 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B7C0000.VBN Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C600000.VBN Infected: Worm.Win32.AutoRun.bmp 1
C:\Documents and Settings\Owner\My Documents\Aptiva Files\Backups\SAP Labs Backups\2001-05-25\Users 05-25-01.zip Infected: Virus.MSWord.Class.b 3
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Trojan-Downloader.Win32.Agent.aswm 1
K:\My Backups\Bond Backup\Program Files\Internet Explorer\PLUGINS\nponflow.dll Infected: not-a-virus:AdWare.Win32.OnFlow 1
K:\My Backups\Bond Backup\Program Files\onflow\uninstall onflow.exe Infected: not-a-virus:AdWare.Win32.OnFlow.d 1
K:\My Backups\Lisa's Backups\Operations1.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

The selected area was scanned.



ComboFix 08-12-07.04 - Owner 2008-12-09 8:16:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.491 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\CFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Owner\Application Data\Google\xtgoj6119471.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-09 08:16 . 2008-12-09 08:20 <DIR> d-------- C:\CFix
2008-12-09 00:29 . 2008-12-09 00:29 <DIR> d--hs---- C:\RECYCLER
2008-12-08 10:04 . 2008-12-09 00:34 <DIR> d-------- C:\Qoobox
2008-12-05 01:16 . 2008-12-05 01:16 250 --a------ c:\windows\gmer.ini
2008-12-04 00:12 . 2008-12-04 00:12 <DIR> d-------- c:\program files\HandBrake
2008-11-30 13:54 . 2008-11-30 13:54 <DIR> d-------- c:\program files\iTunes
2008-11-30 13:54 . 2008-11-30 13:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-30 13:51 . 2008-11-30 13:52 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 16:16 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-04 09:01 --------- d-----w c:\documents and settings\Owner\Application Data\Active Disk
2008-12-04 05:41 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-03 06:33 --------- d-----w c:\documents and settings\Owner\Application Data\TeraCopy
2008-11-30 21:54 --------- d-----w c:\program files\iPod
2008-11-30 21:54 --------- d-----w c:\program files\Common Files\Apple
2008-11-07 22:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 06:20 --------- d-----w c:\program files\Advanced IP Scanner
2008-10-19 20:46 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-19 20:46 --------- d-----w c:\program files\Panasonic
2008-10-18 02:40 --------- d-----w c:\program files\SiSoftware
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-08-25 06:58 47,360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2007-05-30 05:44 87,608 ----a-w c:\documents and settings\Owner\Application Data\ezpinst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-20 68856]
"NVIEW"="nview.dll" [2003-08-19 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-11-03 45056]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-10-12 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-23 319488]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-23 53248]
"Home Theater SchSvr"="c:\program files\Common Files\InterVideo\SchSvr\SchSvr.exe" [2004-04-14 155648]
"WINCINEMAMGR"="c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe" [2004-04-14 192512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-06-28 32768]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"VTTimer"="VTTimer.exe" [2004-10-22 c:\windows\system32\VTTimer.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSub.exe [2003-10-14 557056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-10-11 16384]
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2006-03-20 220160]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-30 45056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\Y!Multi Messenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Virtual Rooms\\HPVirtualRooms.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Dorgem\\Dorgem.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 lfsfilt;Lean File Sharing;c:\windows\system32\DRIVERS\lfsfilt.sys [2007-02-04 140160]
R0 lpx;LPX Protocol;c:\windows\system32\DRIVERS\lpx.sys [2006-03-20 44288]
R2 BT848;AVerDVD EZMaker WDM Video Capture;c:\windows\system32\drivers\BT848.sys [2004-08-30 261696]
R2 BTXBAR;AVerDVD EZMaker WDM Crossbar;c:\windows\system32\drivers\BTXBAR.sys [2004-08-30 13312]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\DRIVERS\DLPortIO.sys [2005-05-27 3584]
R2 HPWebJetadmin;HP Web Jetadmin;"c:\program files\HP Web Jetadmin\hpwebjetd.exe" -k runservice [2004-04-15 13312]
R2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2004-03-12 169192]
R3 Cap713x;Philips Cap713x Video Capture;c:\windows\system32\DRIVERS\Cap713x.sys [2005-05-26 271104]
R3 ndasbus;NDAS Bus Driver;c:\windows\system32\DRIVERS\ndasbus.sys [2006-03-20 59136]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\Drivers\IcRecUsb.sys [2008-10-19 17432]
S2 mrtRate;mrtRate; []
S2 RadPciNT;RadPciNT;\??\c:\windows\system32\Drivers\RadPciNT.sys [2000-04-24 9417]
S3 CCCP106;D-Link CIF Webcam;c:\windows\system32\DRIVERS\cccp106.sys [2004-12-02 227200]
S3 MTK;Media Technology Kernel Driver;c:\windows\system32\Drivers\fide.sys [2004-09-24 14601]
S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\DRIVERS\ndasscsi.sys [2006-03-20 115584]
S3 XIRLINK;VivaPix WebCam;c:\windows\system32\DRIVERS\ucdnt.sys [2004-05-27 1001404]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1389622b-c1c7-11dd-a911-000ea697b4d8}]
\Shell\AutoRun\command - I:\Launch.exe /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b2d54da-195a-11dc-a729-000ea697b4d8}]
\Shell\AutoRun\command - i:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e144f714-b543-11dd-a904-000ea697b4d8}]
\Shell\AutoRun\command - j:\jdsecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2004-09-30 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-01-02 13:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Download all by Net Transport - c:\program files\Xi\NetTransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\Xi\NetTransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
LSP: SpSubLSP.dll
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3xs6e7bn.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3xs6e7bn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 08:20:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(996)
c:\windows\system32\SpSubLSP.dll
.
Completion time: 2008-12-09 8:22:27
ComboFix-quarantined-files.txt 2008-12-09 16:21:17
ComboFix2.txt 2008-12-08 18:19:42

Pre-Run: 30,418,456,576 bytes free
Post-Run: 30,402,449,408 bytes free

223 --- E O F --- 2008-11-13 08:30:29
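The Kaspersky report and the ComboFix log above are raw scan output; the useful triage question is which of the 13 "infected objects" are live files versus items another tool already quarantined, objects inside old backup archives, or not-a-virus classifications, and which of the mountpoints2 AutoRun commands point at removable drives. The script below is an added example written for this page, not part of the original post and not Kaspersky or ComboFix tooling. Its classification rules (quarantine folder, not-a-virus prefix, archive extension, otherwise "live") are the example author's own assumptions; the sample detection lines are copied from the report above except the last one, which is constructed so the "live" category is exercised.

```python
"""Triage helper for Kaspersky Online Scanner 7 detection lines and ComboFix
mountpoints2 AutoRun entries. Added example; the rules are assumptions."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample input: lines taken from the Kaspersky report above, plus one
# CONSTRUCTED line at the end (not from the report) for the "live" category.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A2C0000.VBN Infected: Backdoor.Win32.TDSS.bkw 1
C:\Documents and Settings\Owner\My Documents\Aptiva Files\Backups\SAP Labs Backups\2001-05-25\Users 05-25-01.zip Infected: Virus.MSWord.Class.b 3
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Trojan-Downloader.Win32.Agent.aswm 1
K:\My Backups\Bond Backup\Program Files\Internet Explorer\PLUGINS\nponflow.dll Infected: not-a-virus:AdWare.Win32.OnFlow 1
K:\My Backups\Lisa's Backups\Operations1.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\WINDOWS\system32\constructed-sample.dll Infected: Trojan.Win32.Constructed.a 1
"""

# Sample input: two mountpoints2 blocks copied from the ComboFix log above.
SAMPLE_MOUNTPOINTS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1389622b-c1c7-11dd-a911-000ea697b4d8}]
\Shell\AutoRun\command - I:\Launch.exe /run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b2d54da-195a-11dc-a729-000ea697b4d8}]
\Shell\AutoRun\command - i:\wd_windows_tools\setup.exe
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".cab")


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int      # number of infected objects Kaspersky counted at this path
    category: str   # assumed triage bucket, see classify()


def classify(path: str, threat: str) -> str:
    """Assumed priority: quarantine folder > not-a-virus > archive > live."""
    p = path.lower()
    if "\\quarantine\\" in p:            # Symantec's Quarantine or ComboFix's Qoobox
        return "already-quarantined"
    if threat.lower().startswith("not-a-virus:"):
        return "pua"
    if p.endswith(ARCHIVE_EXTS):         # object lives inside an archive on disk
        return "inside-archive"
    return "live"


def triage_report(text: str) -> list[Detection]:
    """Parse 'path Infected: threat count' lines into classified detections."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"]),
                                   classify(m["path"], m["threat"])))
    return found


def summarize(dets: list[Detection]) -> dict[str, int]:
    """Count detection lines per category."""
    return dict(Counter(d.category for d in dets))


@dataclass(frozen=True)
class AutoRunEntry:
    guid: str
    drive: str
    command: str


def autorun_commands(text: str) -> list[AutoRunEntry]:
    """Pair each mountpoints2 key with the AutoRun command ComboFix lists under it."""
    entries, guid = [], None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            guid = k["guid"]
            continue
        c = CMD_RE.match(line)
        if c and guid:
            cmd = c["cmd"].strip()
            entries.append(AutoRunEntry(guid, cmd[0].upper(), cmd))
    return entries


if __name__ == "__main__":
    dets = triage_report(SAMPLE_REPORT)
    for d in dets:
        print(f"{d.category:20} {d.count}  {d.threat}  {d.path}")
    print(summarize(dets))
    for e in autorun_commands(SAMPLE_MOUNTPOINTS):
        print(f"drive {e.drive}: {e.command}  ({e.guid})")
```

Applied to the full report above, every one of the 13 objects falls into the quarantine, archive or not-a-virus buckets: six are Symantec's own .VBN quarantine files, one is the svchost.exe that ComboFix already moved to Qoobox (note the original path, system32\drivers\, which is not where the real svchost.exe lives), three are inside a 2001 backup .zip, and the remaining three are OnFlow adware and a WinVNC package on the K: backup drive. The mountpoints2 entries show AutoRun commands recorded for removable drives I: and J:, which is the mechanism the quarantined Worm.Win32.AutoRun family relies on, so those drives are worth scanning before they are plugged back in.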