#1 (permalink)
Registered User
Join Date: Sep 2008
Posts: 6
OS: xp SP2
Random pop-ups, file extensions hidden and more
I've recently been infected by a virus/trojan which, every now and again, will open several windows to the site:
After each reboot, file extensions are hidden and hidden files are not shown (more of an inconvenience than anything), and occasionally my Documents folder is opened up, with a text box that pops up saying "C:\Windows\System 32: ????????" or similar. I've also noticed some suspicious looking processes running, named "2951979792.exe" and 2 instances of "gdj0umk.exe", one of which cannot be closed. I suspect that this virus came from an infected version of the Media Player Classic exe on my D: drive, which I have since removed. Logs are as follows:

Thanks for any help.
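A log-triage helper in the spirit of what the analysts in this thread do by eye, added here as an example that is not part of the thread or of the DDS tool: it parses uRun/mRun startup lines in the DDS "Pseudo HJT Report" layout and flags the patterns the poster describes (executables launched from a Temp directory, unnamed Run values, random or numeric file names, one file registered under several names). The sample lines are constructed in that layout; only the two Temp-resident file names come from the post.

```python
"""Triage the startup (Run-key) entries of a DDS-style "Pseudo HJT Report".

Added example, not a tool from the forum or from DDS. It flags the patterns
the poster describes: executables launched from a user's Temp directory, Run
values with no name, random or numeric file names, and one executable
registered under several different names.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample input in DDS log layout (uRun = HKCU Run, mRun = HKLM Run).
# The two Temp-resident names are the ones the poster mentions; the remaining
# entries are constructed benign examples of the same layout.
SAMPLE_DDS = r"""
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [<NO NAME>] c:\users\newo\appdata\local\temp\gdj0umk.exe
uRun: [Windows Resurections] c:\users\newo\appdata\local\temp\gdj0umk.exe
uRun: [Diagnostic Manager] c:\users\newo\appdata\local\temp\2951979792.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
"""

# "uRun: [value name] command line" / "mRun: [value name] command line"
ENTRY_RE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
# The launched executable: first token ending in an executable extension,
# quoted or not (unquoted paths may still contain spaces).
EXE_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|cmd|pif))"?(?:\s|$)', re.IGNORECASE
)
TEMP_DIRS = {"temp", "tmp"}


@dataclass
class Finding:
    hive: str                 # "HKCU" (uRun) or "HKLM" (mRun)
    name: str                 # the value name shown in brackets
    path: str                 # executable the entry launches
    reasons: list[str] = field(default_factory=list)


def parse_entries(text):
    """Yield (hive, name, path) for every uRun/mRun line that can be parsed."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m.group("cmd"))
        if not exe:
            continue
        hive = "HKCU" if m.group("hive") == "u" else "HKLM"
        yield hive, m.group("name"), exe.group("path")


def triage_startups(text):
    """Return a Finding for each startup entry matching a suspicious pattern."""
    entries = list(parse_entries(text))

    # How many distinct value names point at the same executable?
    names_per_path = Counter()
    seen = set()
    for _hive, name, path in entries:
        key = (path.lower(), name)
        if key not in seen:
            seen.add(key)
            names_per_path[path.lower()] += 1

    findings = []
    for hive, name, path in entries:
        p = PureWindowsPath(path)
        stem = p.stem.lower()
        reasons = []
        if any(part.lower() in TEMP_DIRS for part in p.parts):
            reasons.append("launched from a Temp directory")
        if name.strip().upper() == "<NO NAME>":
            reasons.append("Run value has no name")
        if stem.isdigit():
            reasons.append("numeric-only file name")
        elif re.fullmatch(r"[a-z0-9]{6,}", stem) and any(c.isdigit() for c in stem):
            reasons.append("random-looking file name")
        count = names_per_path[path.lower()]
        if count > 1:
            reasons.append(f"same file registered under {count} names")
        if reasons:
            findings.append(Finding(hive, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_startups(SAMPLE_DDS):
        print(f"{f.hive} [{f.name}] {f.path}\n    -> " + "; ".join(f.reasons))
```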
#4 (permalink)
Analyst, Security Team
Join Date: Feb 2006
Posts: 222
OS: 2K
Re: Random pop-ups, file extensions hidden and more
Welcome to TSF, newo70.

Unfortunately on these types of forums, where requests are checked oldest-first, a bump brings about the exact opposite of improving the chances of receiving a response, and always leads to more delays.

Those are some unknown and likely malicious items you mention, and set as startups as well. Have to ask though, since it is really most of what is showing in the logs: are you using Daemon Tools as your security software there? What happened to any antivirus or anti-malware software there?

Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it; use right click "Save Target/Link As"). For this, rename the downloading file to combi.com, then click the renamed combi.com to run that scan. Be sure to install the Recovery Console if you are asked to do so.

When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution: do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
#5 (permalink)
Registered User
Join Date: Sep 2008
Posts: 6
OS: xp SP2
Re: Random pop-ups, file extensions hidden and more
Thanks for your reply. Here is the log which was generated:
#6 (permalink)
Analyst, Security Team
Join Date: Feb 2006
Posts: 222
OS: 2K
Re: Random pop-ups, file extensions hidden and more
Looks like you effected quite a few of your own repairs in the meantime there, so none of the original malware package is showing right now. My previous jesting aside, where is your security software? With all the torrent activity showing in these logs this system would seem to be high risk anyway, but with no antivirus/anti-malware software it is truly a sitting duck.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Download Malwarebytes' Anti-Malware from here or here. Double click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

If it calls for a reboot to complete the repairs, do that as well then.
#7 (permalink) |
|
Registered User
Join Date: Sep 2008
Posts: 6
OS: xp SP2
Re: Random pop-ups, file extensions hidden and more
Did the scan, nothing was found during it; here's the log:
Malwarebytes' Anti-Malware 1.36
Database version: 2118
Windows 6.0.6001 Service Pack 1
5/13/2009 12:31:19 PM
mbam-log-2009-05-13 (12-31-19).txt
Scan type: Quick Scan
Objects scanned: 64464
Time elapsed: 2 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)
Registry Data Items Infected: (No malicious items detected)
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)
The reason I don't have any anti virus software installed as yet is because this same malware was on my machine a few weeks ago, but was much more severe so I decided to format - some .exes on my D: drive must have been and thus carried over from the format. Antivirus software is now installed.
#8
Analyst, Security Team
Join Date: Feb 2006
Posts: 222
OS: 2K
Re: Random pop-ups, file extensions hidden and more
Files catching a ride on a different drive suggests you still add one other scan there now, just to be sure. Make sure all drives, including any flash/thumb/usb drives recently used, are installed/attached before doing this scan.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Then go here and run the Kaspersky online scan, and post back the log it creates. To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the Database download is completed, under Scan in the left column click My Computer to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do. When the scan completes click View Scan Report. Then click Save Report As, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log. Then locate that log and copy/paste those contents back here please. The scan requires a good bit of database downloading and can take quite a while to complete. Slow, but a solid check you likely need there.
#9
Registered User
Join Date: Sep 2008
Posts: 6
OS: xp SP2
Re: Random pop-ups, file extensions hidden and more
Sorry about the late reply; I haven't been at home for a while.
I ran the scan, but for some reason there was no way I could output the results as either a .html or .txt file, so the only way I could think of showing you the results is via a screenshot (see attached) - and seeing the results, I'm not really surprised that something wouldn't work. There were a couple more files on the D: drive with the same Win32.virut.ce virus. This would explain why the infections stayed after a format. It seems like all my D: drive is pretty screwed - is there a fix at all for this or should I just cut my losses and format?
#10
Analyst, Security Team
Join Date: Feb 2006
Posts: 222
OS: 2K
Re: Random pop-ups, file extensions hidden and more
Virut means no salvaging anything, and just format over all data. Truly the only method to both eradicate the malware and be sure that you have no altered files remaining. If you potentially have virut infection on something like a flash/usb/thumb drive, and given that the prices of these have dropped fairly low, a quick whack with a hammer would be the guaranteed solution.