Trojan Virus Help Please!

Pumpkin Escobar · 11-25-2007, 12:08 PM

Hey there, I seem to be infected with a trojan horse virus (hopefully just one). All of a sudden my computer was running very slow, still is, and every time I log in to windows live messenger, the program shuts down and gives me an error.
I ran avg and it came up with some spyware and a trojan horse. I don't have the log file anymore unfortunately but the file name was d.exe and it was in my C:/ directory. I believe it called it a Trojan SMALL AU or something along those lines. I ran activescan and it came up with another trojan plus other stuff. Can someone please help me cleanse my computer?

Here are the active scan results

Incident Status Location

Spyware:spyware/virtumonde Not disinfected c:\windows\system32\ddaya.dll
Virus:trj/torpig.a Disinfected Operating system
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\auyjbhd2.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\auyjbhd2.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.advertising.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.com.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.adserver.easyad.info/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.adtech.de/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.apmebf.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.fastclick.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.statcounter.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.zedo.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.questionmarket.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.burstnet.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.overture.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.xiti.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cookies.txt[.atwola.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@ad.yieldmanager[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@bs.serving-sys[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@casalemedia[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@ehg-dig.hitbox[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@fastclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@go[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@questionmarket[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@serving-sys[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@tribalfusion[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\StefanV\Cookies\stefanv@zedo[2].txt
Virus:Trj/Downloader.NUS Disinfected C:\Documents and Settings\StefanV\Local Settings\Temporary Internet Files\Content.IE5\CIH0L1YO\gsttddrr[1].txt
Virus:W32/Mailbot.EK.worm Disinfected C:\WINDOWS\bck1.dat
Hacktool:Rootkit/Spammer.AEL Not disinfected C:\WINDOWS\system32\drivers\runtime2.sys
Hacktool:Rootkit/Spammer.AEL

And here are the results from hijack this

Deckard's System Scanner v20071014.68
Run by StefanV on 2007-11-25 13:47:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
49: 2007-11-25 18:47:41 UTC - RP244 - Deckard's System Scanner Restore Point
48: 2007-11-25 18:39:49 UTC - RP243 - Software Distribution Service 3.0
47: 2007-11-25 18:39:32 UTC - RP242 - Installed AVG 7.5
46: 2007-11-25 18:39:04 UTC - RP241 - Removed AVG 7.5
45: 2007-11-25 00:26:29 UTC - RP240 - Installed AVG 7.5

-- First Restore Point --
1: 2007-11-24 21:35:09 UTC - RP196 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as StefanV.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:33 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\wmccfg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\StefanV\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\StefanV.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 85.17.40.71 oink.me.uk
O1 - Hosts: 85.17.40.69 tracker.oink.me.uk
O1 - Hosts: 85.17.40.70 irc.oink.me.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B} - C:\WINDOWS\system32\gebcdca.dll
O2 - BHO: (no name) - {5B4B75C3-6D5E-42B6-BB4C-AA3B6FB716D3} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\wmccfg.exe" /StartQuiet
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Panda_cleaner] C:\WINDOWS\system32\ACTIVE~1\pavdr.exe C:\WINDOWS\system32\pavdr_actions.sys
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Policies\Explorer\Run: [{F0B38D37-0898-1033-0110-050404160001}] "C:\Program Files\Common Files\{F0B38D37-0898-1033-0110-050404160001}\Update.exe" mc-110-12-0000272
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uwo.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uwo.ca
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: gebcdca - C:\WINDOWS\SYSTEM32\gebcdca.dll
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2006 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe

--
End of file - 5897 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
R1 xpdx (xpdx system driver) - c:\windows\system32\xpdx.sys
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft(R) ASPI Shell>
R4 Avg7RsW (AVG7 Wrap Driver) - c:\windows\system32\drivers\avg7rsw.sys (file missing)

S3 AR5416 (D-Link RangeBooster N Service) - c:\windows\system32\drivers\ar5416.sys <Not Verified; Atheros Communications, Inc.; Atheros AR5008 Wireless Network Adapter>
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 HwIOctl - c:\program files\setup files\ms-6702 v3.30\hwioctl.sys (file missing)
S3 Memctl - c:\program files\setup files\ms-6702 v3.30\memctl.sys (file missing)
S3 NTACCESS - f:\ntaccess.sys (file missing)
S3 RT25USBAP (Nintendo Wi-Fi USB Connector Service) - c:\windows\system32\drivers\rt25usbap.sys <Not Verified; Ralink Technology Inc.; Ralink 802.11g Wireless USB Adapters>
S3 SbcpHid - c:\windows\system32\drivers\sbcphid.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Remote Solver for COSMOSFloWorks 2006 - c:\program files\solidworks\cosmos\floworks\bincfw\standaloneslv.exe <Not Verified; ; StandAloneSlv Module>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-11-22 18:51:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2007-10-25 and 2007-11-25 -----------------------------

2007-11-25 13:40:49 0 d-------- C:\Program Files\SpywareBlaster
2007-11-25 13:39:55 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-25 13:39:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-25 04:35:34 6658 ---hs---- C:\WINDOWS\system32\ayadd.bak2
2007-11-25 03:29:07 436 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-11-25 03:29:07 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe <Not Verified; Panda Software International; Panda Anti-malware>
2007-11-25 03:29:07 24 --a------ C:\WINDOWS\system32\pavdr_actions.sys
2007-11-25 03:18:16 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-24 18:54:30 0 d-------- C:\WINDOWS\LastGood
2007-11-24 18:52:07 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-24 18:51:47 0 d-------- C:\Program Files\Windows Live
2007-11-24 18:51:40 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-24 16:35:28 6470 ---hs---- C:\WINDOWS\system32\ayadd.bak1
2007-11-24 16:34:45 320608 --a------ C:\WINDOWS\system32\ddaya.dll
2007-11-24 16:30:05 2 --a------ C:\-256668361
2007-11-24 16:29:56 54262 --a------ C:\WINDOWS\system32\xpdx.sys
2007-11-24 16:29:56 20992 --a------ C:\opnvmwvi.exe
2007-11-24 16:29:54 58368 --a------ C:\pgdxf.exe
2007-11-24 16:29:41 38912 --a------ C:\WINDOWS\system32\gebcdca.dll
2007-11-24 16:29:38 22528 --a------ C:\WINDOWS\system32\winghy32.dll

-- Find3M Report ---------------------------------------------------------------

2007-11-25 13:51:22 0 d-------- C:\Program Files\Trend Micro
2007-11-25 04:03:02 0 d-------- C:\Program Files\Windows Media Connect 2
2007-11-25 03:56:38 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-11-25 03:56:37 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-11-25 03:56:35 0 d-------- C:\Program Files\Messenger
2007-11-25 03:54:10 0 d-------- C:\Program Files\iTunes
2007-11-25 03:52:45 0 d-------- C:\Program Files\DAEMON Tools
2007-11-24 18:52:07 0 d-------- C:\Program Files\Common Files
2007-11-24 18:49:56 0 d-------- C:\Program Files\MSN Messenger
2007-11-24 17:57:23 0 d-------- C:\Documents and Settings\StefanV\Application Data\Azureus
2007-11-24 16:20:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-22 20:53:19 0 d-------- C:\Program Files\OpenOffice.org1.1.4
2007-11-05 20:35:50 0 d-------- C:\Program Files\iPod
2007-11-05 20:34:31 0 d-------- C:\Program Files\QuickTime
2007-10-18 22:59:00 0 d-------- C:\Program Files\Winamp
2007-10-04 17:14:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-10-04 17:14:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-10-04 17:14:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-04 17:14:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-10-04 17:14:00 1478656 --a------ C:\WINDOWS\system32\nview.dll
2007-10-04 17:14:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-10-04 17:14:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-10-04 17:14:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-10-04 11:50:10 0 d-------- C:\Program Files\Java

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B}]
11/24/2007 04:29 PM 38912 --a------ C:\WINDOWS\system32\gebcdca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B4B75C3-6D5E-42B6-BB4C-AA3B6FB716D3}]
11/24/2007 04:34 PM 320608 --a------ C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\wmccfg.exe" [10/06/2005 06:12 PM]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [03/07/2005 02:00 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [07/07/2006 06:14 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [07/07/2006 06:15 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/04/2007 05:14 PM]
"nwiz"="nwiz.exe" [10/04/2007 05:14 PM C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/04/2007 05:14 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/04/2007 05:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [11/12/2006 05:48 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Panda_cleaner"=C:\WINDOWS\system32\ACTIVE~1\pavdr.exe C:\WINDOWS\system32\pavdr_actions.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{F0B38D37-0898-1033-0110-050404160001}"="C:\Program Files\Common Files\{F0B38D37-0898-1033-0110-050404160001}\Update.exe" mc-110-12-0000272

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B}"= C:\WINDOWS\system32\gebcdca.dll [11/24/2007 04:29 PM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcdca]
gebcdca.dll 11/24/2007 04:29 PM 38912 C:\WINDOWS\system32\gebcdca.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winghy32]
winghy32.dll 11/24/2007 04:29 PM 22528 C:\WINDOWS\system32\winghy32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16807163-27f8-11da-8182-0011097f5b6e}]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7164966d-75fc-11db-8719-000d0bc43623}]
AutoRun\command- F:\loader.exe
langenglish\command- F:\setup\i386\msetup.exe lang:english

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9666d59-7820-11db-871e-000d0bc43623}]
AutoRun\command- H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f89a59f6-7cb0-11d9-8413-0011097f5b6e}]
AutoRun\command- D:\autoplay.exe

*Newly Created Service* - AVG7CORE
*Newly Created Service* - AVG7RSW
*Newly Created Service* - AVG7RSXP
*Newly Created Service* - AVGCLEAN
*Newly Created Service* - AVGTDI
*Newly Created Service* - USNJSVC
*Newly Created Service* - WLSETUPSVC

-- Hosts -----------------------------------------------------------------------

85.17.40.71 oink.me.uk
85.17.40.69 tracker.oink.me.uk
85.17.40.70 irc.oink.me.uk

-- End of Deckard's System Scanner: finished at 2007-11-25 13:52:19 ------------

Help is much appreciated! Thanks a lot!

Pumpkin Escobar · 11-28-2007, 12:04 PM

Hey I think I should bump this, someone pleaase help.
Here's a new Hijack This

Deckard's System Scanner v20071014.68
Run by StefanV on 2007-11-28 14:03:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as StefanV.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:26 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\wmccfg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\StefanV\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\StefanV.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 85.17.40.71 oink.me.uk
O1 - Hosts: 85.17.40.69 tracker.oink.me.uk
O1 - Hosts: 85.17.40.70 irc.oink.me.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B} - C:\WINDOWS\system32\gebcdca.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E98D45C2-CD52-44FF-9287-BAC4E6572369} - C:\WINDOWS\system32\ddaya.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\wmccfg.exe" /StartQuiet
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Policies\Explorer\Run: [{F0B38D37-0898-1033-0110-050404160001}] "C:\Program Files\Common Files\{F0B38D37-0898-1033-0110-050404160001}\Update.exe" mc-110-12-0000272
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uwo.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uwo.ca
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: gebcdca - C:\WINDOWS\SYSTEM32\gebcdca.dll
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2006 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe

--
End of file - 5697 bytes

-- Files created between 2007-10-28 and 2007-11-28 -----------------------------

2007-11-25 13:40:49 0 d-------- C:\Program Files\SpywareBlaster
2007-11-25 13:39:55 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-25 13:39:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-25 04:35:34 6541 ---hs---- C:\WINDOWS\system32\ayadd.bak2
2007-11-25 03:18:16 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-24 18:52:07 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-24 18:51:47 0 d-------- C:\Program Files\Windows Live
2007-11-24 18:51:40 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-24 16:35:28 6568 ---hs---- C:\WINDOWS\system32\ayadd.bak1
2007-11-24 16:34:45 320608 --a------ C:\WINDOWS\system32\ddaya.dll
2007-11-24 16:30:05 2 --a------ C:\-256668361
2007-11-24 16:29:56 54262 --a------ C:\WINDOWS\system32\xpdx.sys
2007-11-24 16:29:56 20992 --a------ C:\opnvmwvi.exe
2007-11-24 16:29:54 58368 --a------ C:\pgdxf.exe
2007-11-24 16:29:41 38912 --a------ C:\WINDOWS\system32\gebcdca.dll
2007-11-24 16:29:38 22528 --a------ C:\WINDOWS\system32\winghy32.dll

-- Find3M Report ---------------------------------------------------------------

2007-11-26 15:11:19 0 d-------- C:\Documents and Settings\StefanV\Application Data\Azureus
2007-11-25 13:51:22 0 d-------- C:\Program Files\Trend Micro
2007-11-25 04:03:02 0 d-------- C:\Program Files\Windows Media Connect 2
2007-11-25 03:56:38 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-11-25 03:56:37 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-11-25 03:56:35 0 d-------- C:\Program Files\Messenger
2007-11-25 03:54:10 0 d-------- C:\Program Files\iTunes
2007-11-25 03:52:45 0 d-------- C:\Program Files\DAEMON Tools
2007-11-24 18:52:07 0 d-------- C:\Program Files\Common Files
2007-11-24 18:49:56 0 d-------- C:\Program Files\MSN Messenger
2007-11-24 16:20:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-22 20:53:19 0 d-------- C:\Program Files\OpenOffice.org1.1.4
2007-11-05 20:35:50 0 d-------- C:\Program Files\iPod
2007-11-05 20:34:31 0 d-------- C:\Program Files\QuickTime
2007-10-18 22:59:00 0 d-------- C:\Program Files\Winamp
2007-10-04 17:14:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-10-04 17:14:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-10-04 17:14:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-04 17:14:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-10-04 17:14:00 1478656 --a------ C:\WINDOWS\system32\nview.dll
2007-10-04 17:14:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-10-04 17:14:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-10-04 17:14:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-10-04 11:50:10 0 d-------- C:\Program Files\Java

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B}]
11/24/2007 04:29 PM 38912 --a------ C:\WINDOWS\system32\gebcdca.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E98D45C2-CD52-44FF-9287-BAC4E6572369}]
11/24/2007 04:34 PM 320608 --a------ C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 12:11 AM]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\wmccfg.exe" [10/06/2005 06:12 PM]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [03/07/2005 02:00 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [07/07/2006 06:14 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [07/07/2006 06:15 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/04/2007 05:14 PM]
"nwiz"="nwiz.exe" [10/04/2007 05:14 PM C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [10/19/2007 08:16 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/02/2007 06:36 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/04/2007 05:14 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/04/2007 05:14 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [11/12/2006 05:48 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{F0B38D37-0898-1033-0110-050404160001}"="C:\Program Files\Common Files\{F0B38D37-0898-1033-0110-050404160001}\Update.exe" mc-110-12-0000272

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B}"= C:\WINDOWS\system32\gebcdca.dll [11/24/2007 04:29 PM 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcdca]
gebcdca.dll 11/24/2007 04:29 PM 38912 C:\WINDOWS\system32\gebcdca.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winghy32]
winghy32.dll 11/24/2007 04:29 PM 22528 C:\WINDOWS\system32\winghy32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16807163-27f8-11da-8182-0011097f5b6e}]
AutoRun\command- F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7164966d-75fc-11db-8719-000d0bc43623}]
AutoRun\command- F:\loader.exe
langenglish\command- F:\setup\i386\msetup.exe lang:english

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9666d59-7820-11db-871e-000d0bc43623}]
AutoRun\command- H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f89a59f6-7cb0-11d9-8413-0011097f5b6e}]
AutoRun\command- D:\autoplay.exe

-- End of Deckard's System Scanner: finished at 2007-11-28 14:03:48 ------------

tetonbob · 11-29-2007, 12:35 PM

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop
Disconnect from the internet....pull the plug!
Go to -> Run -> paste in the following single line command & click OK

"%userprofile%\desktop\combofix.exe" /killall
Follow the prompts. Type "1" and press Enter to begin the scan.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Re-establish an internet connection.
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Pumpkin Escobar · 11-29-2007, 06:45 PM

Thanks for helping, it's much appreciated.
Combo Fix
ComboFix 07-11-30.3 - StefanV 2007-11-29 20:29:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT -5:00]
Running from: C:\Documents and Settings\StefanV\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\0_exception.nls
C:\WINDOWS\system32\ayadd.bak1
C:\WINDOWS\system32\ayadd.bak2
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\gebcdca.dll
C:\WINDOWS\system32\winghy32.dll
C:\WINDOWS\system32\xpdx.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NTMLSVC
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\nm
-------\NtmlSvc
-------\runtime
-------\xpdx

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-25 17:12 . 2007-11-25 17:18 0 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-25 13:40 . 2007-11-25 13:40 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-25 13:39 . 2007-11-25 13:39 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-25 13:39 . 2007-11-25 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-25 03:47 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-25 03:47 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-11-25 03:47 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-24 18:52 . 2007-11-24 18:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-24 18:51 . 2007-11-24 18:54 <DIR> d-------- C:\Program Files\Windows Live
2007-11-24 18:51 . 2007-11-24 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-21 18:26 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-11-21 18:26 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-11-21 18:26 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-11-21 18:26 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-11-05 20:31 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-10-10 04:28 . 2007-07-09 08:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 20:11 --------- d-----w C:\Documents and Settings\StefanV\Application Data\Azureus
2007-11-25 18:51 --------- d-----w C:\Program Files\Trend Micro
2007-11-25 09:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-25 08:56 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-11-25 08:56 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-25 08:54 --------- d-----w C:\Program Files\iTunes
2007-11-25 08:52 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-24 23:49 --------- d-----w C:\Program Files\MSN Messenger
2007-11-24 21:29 58,368 ----a-w C:\pgdxf.exe
2007-11-24 21:29 20,992 ----a-w C:\opnvmwvi.exe
2007-11-24 21:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 01:53 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2007-11-06 01:35 --------- d-----w C:\Program Files\iPod
2007-11-06 01:34 --------- d-----w C:\Program Files\QuickTime
2007-10-19 03:59 --------- d-----w C:\Program Files\Winamp
2007-10-04 22:14 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-10-04 16:50 --------- d-----w C:\Program Files\Java
2006-12-05 00:58 1,107,054 --sha-w C:\WINDOWS\system32\ppqss.bak1
2006-12-09 22:38 714,853 --sha-w C:\WINDOWS\system32\ppqss.bak2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\wmccfg.exe" [2005-10-06 18:12]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 14:00]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 18:14]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 18:15]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-10-04 17:14 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
S3 AR5416;D-Link RangeBooster N Service;C:\WINDOWS\system32\DRIVERS\ar5416.sys
S3 HwIOctl;HwIOctl;\??\C:\Program Files\Setup Files\MS-6702 v3.30\HwIOctl.sys
S3 Memctl;Memctl;\??\C:\Program Files\Setup Files\MS-6702 v3.30\Memctl.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16807163-27f8-11da-8182-0011097f5b6e}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7164966d-75fc-11db-8719-000d0bc43623}]
\Shell\AutoRun\command - F:\loader.exe
\Shell\langenglish\command - F:\setup\i386\msetup.exe lang:english

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9666d59-7820-11db-871e-000d0bc43623}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f89a59f6-7cb0-11d9-8413-0011097f5b6e}]
\Shell\AutoRun\command - D:\autoplay.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-29 23:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 20:36:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 20:37:59 - machine was rebooted
.
--- E O F ---

Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:33 PM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\wmccfg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\wmccfg.exe" /StartQuiet
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Policies\Explorer\Run: [{F0B38D37-0898-1033-0110-050404160001}] "C:\Program Files\Common Files\{F0B38D37-0898-1033-0110-050404160001}\Update.exe" mc-110-12-0000272
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uwo.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uwo.ca
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2006 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe

--
End of file - 5150 bytes

tetonbob · 11-29-2007, 08:23 PM

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

File::
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.bak2
C:\WINDOWS\system32\mcrh.tmp

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{F0B38D37-0898-1033-0110-050404160001}"=-

FileLook::
C:\pgdxf.exe
C:\opnvmwvi.exe

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------

I see no evidence of an AntiVirus program on your system. This must be resolved. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

Install this excellent, FREE AntiVirus program, update it, and run a full system scan.

Avira PersonalEdition Classic

Here is a tutorial on it's setup and use:

http://www.techsupportforum.com/cont...ticles/64.html

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Once you've done that....

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here along with the log from ComboFix.

---------------------------------------------------------------------------------------------

Pumpkin Escobar · 11-30-2007, 01:19 AM

ComboFix

ComboFix 07-11-30.3 - StefanV 2007-11-30 2:11:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.610 [GMT -5:00]
Running from: C:\Documents and Settings\StefanV\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\StefanV\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.bak2

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-29 20:36 . 2007-11-29 20:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-29 20:36 . 2007-11-29 20:36 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-25 13:40 . 2007-11-25 13:40 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-25 13:39 . 2007-11-25 13:39 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-25 13:39 . 2007-11-25 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-25 03:47 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-25 03:47 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-11-25 03:47 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-24 18:52 . 2007-11-24 18:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-24 18:51 . 2007-11-24 18:54 <DIR> d-------- C:\Program Files\Windows Live
2007-11-24 18:51 . 2007-11-24 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-24 16:30 . 2007-11-24 16:30 2 --a------ C:\-256668361
2007-11-24 16:29 . 2007-11-24 16:29 58,368 --a------ C:\pgdxf.exe
2007-11-24 16:29 . 2007-11-24 16:29 20,992 --a------ C:\opnvmwvi.exe
2007-11-21 18:26 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-11-21 18:26 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-11-21 18:26 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-11-21 18:26 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-11-05 20:31 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-10-10 04:28 . 2007-07-09 08:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 20:11 --------- d-----w C:\Documents and Settings\StefanV\Application Data\Azureus
2007-11-25 18:51 --------- d-----w C:\Program Files\Trend Micro
2007-11-25 09:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-25 08:56 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-11-25 08:56 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-25 08:54 --------- d-----w C:\Program Files\iTunes
2007-11-25 08:52 --------- d-----w C:\Program Files\DAEMON Tools
2007-11-24 23:49 --------- d-----w C:\Program Files\MSN Messenger
2007-11-24 21:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 01:53 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2007-11-21 23:28 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-06 01:35 --------- d-----w C:\Program Files\iPod
2007-11-06 01:34 --------- d-----w C:\Program Files\QuickTime
2007-10-19 03:59 --------- d-----w C:\Program Files\Winamp
2007-10-18 16:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-10-04 23:16 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-10-04 23:16 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-10-04 22:14 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-10-04 22:14 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-10-04 22:14 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-10-04 22:14 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-10-04 22:14 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-10-04 22:14 6,750,208 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-10-04 22:14 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-10-04 22:14 5,783,424 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-10-04 22:14 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-10-04 22:14 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-10-04 22:14 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-10-04 22:14 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-10-04 22:14 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-10-04 22:14 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-10-04 22:14 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-10-04 22:14 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-10-04 22:14 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-10-04 22:14 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-10-04 22:14 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-10-04 22:14 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-10-04 22:14 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-10-04 22:14 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-10-04 22:14 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-10-04 22:14 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-10-04 22:14 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-04 22:14 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-10-04 22:14 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-10-04 22:14 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-10-04 22:14 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-10-04 22:14 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-10-04 16:50 --------- d-----w C:\Program Files\Java
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\wmccfg.exe" [2005-10-06 18:12]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 14:00]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 18:14]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 18:15]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-10-04 17:14 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
S3 AR5416;D-Link RangeBooster N Service;C:\WINDOWS\system32\DRIVERS\ar5416.sys
S3 HwIOctl;HwIOctl;\??\C:\Program Files\Setup Files\MS-6702 v3.30\HwIOctl.sys
S3 Memctl;Memctl;\??\C:\Program Files\Setup Files\MS-6702 v3.30\Memctl.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16807163-27f8-11da-8182-0011097f5b6e}]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7164966d-75fc-11db-8719-000d0bc43623}]
\Shell\AutoRun\command - F:\loader.exe
\Shell\langenglish\command - F:\setup\i386\msetup.exe lang:english

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9666d59-7820-11db-871e-000d0bc43623}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f89a59f6-7cb0-11d9-8413-0011097f5b6e}]
\Shell\AutoRun\command - D:\autoplay.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-29 23:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 02:13:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 2:13:51
C:\ComboFix2.txt ... 2007-11-29 20:38
.
--- E O F ---

Hijack This

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:34 AM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Media Connect 2\wmccfg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\wmccfg.exe" /StartQuiet
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uwo.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uwo.ca
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Solver for COSMOSFloWorks 2006 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe

--
End of file - 5518 bytes

tetonbob · 11-30-2007, 08:49 AM

That looks better, but I did not get some results I was hoping to.

Do you recognize these files:

C:\pgdxf.exe
C:\opnvmwvi.exe

Also....

Please go to: VirusTotal

On the page you'll find a "Browse" button.
Next to the browse button you'll see a box to enter text.
Please copy/paste the following in BOLD:

C:\pgdxf.exe
Then click the "Send File " button just below.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.
Please repeat for the following files:
- C:\opnvmwvi.exe

Pumpkin Escobar · 11-30-2007, 11:14 AM

I downloaded the Avira Antivirus program, and I did a system scan, and it came up with some files that it quarantined. Those two files were among them. This was after I ran Combo Fix, but before I ran Hijack This. Those two files are no longer in my C drive.

tetonbob · 11-30-2007, 11:52 AM

Ok, that's great. I had suspicions of those files, but hadn't seen much to confirm.

Please run this online scan to help look for remnants. One vendor's definitions may find what another's has not.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

How is your system behaving, please?

Pumpkin Escobar · 11-30-2007, 09:33 PM

Ok here is the Kaspersky report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 30, 2007 11:31:12 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/12/2007
Kaspersky Anti-Virus database records: 469622
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 105928
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 05:40:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\00e8850d2962c1cba8c758497dd7eaf0_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0334ba75a8ea672985dbd14c510bf2da_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\04db7a20a1aaddaa45073c5a1fc08c44_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\06402839ebc9da85bc5684a6a6c94e1a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\07b30114152b93e23d70f03db179f606_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1c7babed5dc5562483e943c517f3aa2e_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1c7dba7705e1057ef7a7987e8dfb7dc2_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1ff72faea7398b1ebd483eb25a95f90a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2038663a7274106f6cb641b0183985b9_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\21e52b04d77af198776f4b8b71528b16_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2372102d2e2f3414f623a12bad82cda3_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2602cec93554b3a6b9834bb540df11e1_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2838f1c494b37a398706f7d5b9a7920b_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\285b3a8412fe52892e2ab6fb01d12c35_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2ac598facfec862c7d9ced77b27de114_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\31a54648f7a4eb2374955f5f7664c6d9_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\35a744d4211c89cd73f01541224da689_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3a0569ec724c6117904563ca6db2f2b4_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3fa46dc44cebe1e1670dfc2afd85b7a1_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\447a66bbff888ac5f3e57f42c85af122_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\48958d4b10b7305498e367f0d92eb9e1_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4c4d556b4fbc2e49b8aa3fb487c8869a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\529ae52103c9c96efcca2a0f2b8e7509_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\59d1eeb50d927dc542b9b69f1581879d_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5eb2703646848bd86e75ffc0743455e3_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6420467938878118a3f0a5e814b0e05f_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6607305bb5851f7b4a6e9fc029f8795a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\677cb1b16457bda5bc60c51799624600_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\67a10e8748d4ccacbe0f94add8fec8b2_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6f7a4d23860af24cda372b14c115c140_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\780915584bba9aba72864c1734697c67_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\79c68aa6ad3c183a57e5ad81d7c85f28_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\82fe5e8362d5714b074b721ca002e34d_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8530832c6f92c3ce1838f85f44b38e0a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\860ea30d5f411aa2c60e70f20222e49d_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\88aac6258d0f01779910a7826f74186c_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8ad6e1f48e44d1a793a42cc242ff1884_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8c924cd3e9273f29083e1b2f60938dea_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\96497f617490d397951c34cf54ef44ab_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9a0e3a61031a6bc3e587a89909d5472c_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a28701051ecaf081cb5a7073dec561a0_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a2e2715810d0b466f5bc7ff3e9c77498_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a9fd3c59cd8c376c0abb51435140dcd2_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b196e75931d7c051f215c55269db2105_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b1ca1ae17394322700a61c32d204d164_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b6229019916899e0e35bbd874f77c5a4_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c15a62b61ccfe6ce29b95b8b13f72cc6_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c359ba3de29dd67c201e1695158eddb2_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c69ae859e8c36720ebf9e499fdd66b54_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ccd60a706fcb6a9c87bfa37a53eb5e49_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cf80e2573d290673c09e319c48c0674c_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e2c3389adb94fa35ba38d6f75ae524bd_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e43472ab34d53c50a3bef48fb90ded63_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e687c6ea23cc74eaf797749bfd8ba324_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ef7c4404114543bf3c25609962a713ed_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f65a3c832783bbc09314e1c5b6282f1a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f748d824b2fb0c02a251f94a2d7130cf_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f994736a3884ee2c4b04332c6ff7687c_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fa6ef15c060d7a1a4d99ad6cf72420b7_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fa7628f5720800a6aa930cd290342fab_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cert8.db Object is locked skipped
C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\formhistory.dat Object is locked skipped
C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\history.dat Object is locked skipped
C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\key3.db Object is locked skipped
C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\parent.lock Object is locked skipped
C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\search.sqlite Object is locked skipped
C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\StefanV\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\History\History.IE5\MSHist012007113020071201\index.dat Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\Temp\hsperfdata_StefanV\3544 Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\StefanV\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\StefanV\ntuser.dat Object is locked skipped
C:\Documents and Settings\StefanV\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E1B86625-0FCF-497A-B134-184D40A757F2}\RP250\A0073033.dll Object is locked skipped
C:\System Volume Information\_restore{E1B86625-0FCF-497A-B134-184D40A757F2}\RP250\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{E1B86625-0FCF-497A-B134-184D40A757F2}\RP250\change.log Object is locked skipped

Scan process completed.

My computer is running well now, no problems that I can see. Thanks a lot!

tetonbob · 11-30-2007, 09:36 PM

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
SpywareGuard to catch and block spyware before it can execute.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here

IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
- Once updated you should see another prompt that the task was completed.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
FIREWALL
If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Pumpkin Escobar · 11-30-2007, 10:34 PM

Hey thanks a bunch for helping me out!

tetonbob · 11-30-2007, 10:36 PM

You're quite welcome for the help.

Surf Safely out there.

11-29-2007, 12:35 PM	#3 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Re: Trojan Virus Help Please! Hello, and Welcome to TSF. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe * IMPORTANT !!! Place combofix.exe on your Desktop Disconnect from the internet....pull the plug! Go to -> Run -> paste in the following single line command & click OK "%userprofile%\desktop\combofix.exe" /killall Follow the prompts. Type "1" and press Enter to begin the scan. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. --------------------------------------------------------------------------------------------- Re-establish an internet connection. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-29-2007, 06:45 PM	#4 (permalink)
Pumpkin Escobar Registered User Join Date: Nov 2007 Posts: 12 OS: xp	Re: Trojan Virus Help Please! Thanks for helping, it's much appreciated. Combo Fix ComboFix 07-11-30.3 - StefanV 2007-11-29 20:29:57.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT -5:00] Running from: C:\Documents and Settings\StefanV\desktop\combofix.exe Command switches used :: /killall * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\0_exception.nls C:\WINDOWS\system32\ayadd.bak1 C:\WINDOWS\system32\ayadd.bak2 C:\WINDOWS\system32\ayadd.ini C:\WINDOWS\system32\ddaya.dll C:\WINDOWS\system32\drivers\ip6fw.sys C:\WINDOWS\system32\drivers\runtime2.sys C:\WINDOWS\system32\gebcdca.dll C:\WINDOWS\system32\winghy32.dll C:\WINDOWS\system32\xpdx.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\LEGACY_NTMLSVC -------\LEGACY_RUNTIME -------\LEGACY_RUNTIME2 -------\nm -------\NtmlSvc -------\runtime -------\xpdx ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 ))))))))))))))))))))))))))))))) . 2007-11-25 17:12 . 2007-11-25 17:18 0 --a------ C:\WINDOWS\system32\mcrh.tmp 2007-11-25 13:40 . 2007-11-25 13:40 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-11-25 13:39 . 2007-11-25 13:39 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 2007-11-25 13:39 . 2007-11-25 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7 2007-11-25 03:47 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-11-25 03:47 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll 2007-11-25 03:47 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui 2007-11-24 18:52 . 2007-11-24 18:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller 2007-11-24 18:51 . 2007-11-24 18:54 <DIR> d-------- C:\Program Files\Windows Live 2007-11-24 18:51 . 2007-11-24 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller 2007-11-21 18:26 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll 2007-11-21 18:26 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll 2007-11-21 18:26 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll 2007-11-21 18:26 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll 2007-11-05 20:31 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys 2007-10-10 04:28 . 2007-07-09 08:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-26 20:11 --------- d-----w C:\Documents and Settings\StefanV\Application Data\Azureus 2007-11-25 18:51 --------- d-----w C:\Program Files\Trend Micro 2007-11-25 09:03 --------- d-----w C:\Program Files\Windows Media Connect 2 2007-11-25 08:56 --------- d-----w C:\Program Files\Microsoft IntelliType Pro 2007-11-25 08:56 --------- d-----w C:\Program Files\Microsoft IntelliPoint 2007-11-25 08:54 --------- d-----w C:\Program Files\iTunes 2007-11-25 08:52 --------- d-----w C:\Program Files\DAEMON Tools 2007-11-24 23:49 --------- d-----w C:\Program Files\MSN Messenger 2007-11-24 21:29 58,368 ----a-w C:\pgdxf.exe 2007-11-24 21:29 20,992 ----a-w C:\opnvmwvi.exe 2007-11-24 21:20 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-23 01:53 --------- d-----w C:\Program Files\OpenOffice.org1.1.4 2007-11-06 01:35 --------- d-----w C:\Program Files\iPod 2007-11-06 01:34 --------- d-----w C:\Program Files\QuickTime 2007-10-19 03:59 --------- d-----w C:\Program Files\Winamp 2007-10-04 22:14 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys 2007-10-04 16:50 --------- d-----w C:\Program Files\Java 2006-12-05 00:58 1,107,054 --sha-w C:\WINDOWS\system32\ppqss.bak1 2006-12-09 22:38 714,853 --sha-w C:\WINDOWS\system32\ppqss.bak2 . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56] "MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34] "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11] "Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\wmccfg.exe" [2005-10-06 18:12] "EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 14:00] "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 18:14] "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 18:15] "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe] "nwiz"="nwiz.exe" [2007-10-04 17:14 C:\WINDOWS\system32\nwiz.exe] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36] "NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaya.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys S3 AR5416;D-Link RangeBooster N Service;C:\WINDOWS\system32\DRIVERS\ar5416.sys S3 HwIOctl;HwIOctl;\??\C:\Program Files\Setup Files\MS-6702 v3.30\HwIOctl.sys S3 Memctl;Memctl;\??\C:\Program Files\Setup Files\MS-6702 v3.30\Memctl.sys S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16807163-27f8-11da-8182-0011097f5b6e}] \Shell\AutoRun\command - F:\autorun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7164966d-75fc-11db-8719-000d0bc43623}] \Shell\AutoRun\command - F:\loader.exe \Shell\langenglish\command - F:\setup\i386\msetup.exe lang:english [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9666d59-7820-11db-871e-000d0bc43623}] \Shell\AutoRun\command - H:\setupSNK.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f89a59f6-7cb0-11d9-8413-0011097f5b6e}] \Shell\AutoRun\command - D:\autoplay.exe . Contents of the 'Scheduled Tasks' folder "2007-11-29 23:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************ catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-29 20:36:22 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2007-11-29 20:37:59 - machine was rebooted . --- E O F --- Hijack This Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:42:33 PM, on 11/29/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Windows Media Connect 2\wmccfg.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\wmccfg.exe" /StartQuiet O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200" O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Policies\Explorer\Run: [{F0B38D37-0898-1033-0110-050404160001}] "C:\Program Files\Common Files\{F0B38D37-0898-1033-0110-050404160001}\Update.exe" mc-110-12-0000272 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uwo.ca O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uwo.ca O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Remote Solver for COSMOSFloWorks 2006 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe -- End of file - 5150 bytes

11-30-2007, 01:19 AM	#6 (permalink)
Pumpkin Escobar Registered User Join Date: Nov 2007 Posts: 12 OS: xp	Re: Trojan Virus Help Please! ComboFix ComboFix 07-11-30.3 - StefanV 2007-11-30 2:11:23.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.610 [GMT -5:00] Running from: C:\Documents and Settings\StefanV\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\StefanV\Desktop\CFScript.txt * Created a new restore point FILE C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\ppqss.bak1 C:\WINDOWS\system32\ppqss.bak2 . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\ppqss.bak1 C:\WINDOWS\system32\ppqss.bak2 . ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 ))))))))))))))))))))))))))))))) . 2007-11-29 20:36 . 2007-11-29 20:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2007-11-29 20:36 . 2007-11-29 20:36 1,409 --a------ C:\WINDOWS\QTFont.for 2007-11-25 13:40 . 2007-11-25 13:40 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-11-25 13:39 . 2007-11-25 13:39 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 2007-11-25 13:39 . 2007-11-25 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7 2007-11-25 03:47 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll 2007-11-25 03:47 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll 2007-11-25 03:47 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui 2007-11-24 18:52 . 2007-11-24 18:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller 2007-11-24 18:51 . 2007-11-24 18:54 <DIR> d-------- C:\Program Files\Windows Live 2007-11-24 18:51 . 2007-11-24 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller 2007-11-24 16:30 . 2007-11-24 16:30 2 --a------ C:\-256668361 2007-11-24 16:29 . 2007-11-24 16:29 58,368 --a------ C:\pgdxf.exe 2007-11-24 16:29 . 2007-11-24 16:29 20,992 --a------ C:\opnvmwvi.exe 2007-11-21 18:26 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll 2007-11-21 18:26 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll 2007-11-21 18:26 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll 2007-11-21 18:26 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll 2007-11-05 20:31 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys 2007-10-10 04:28 . 2007-07-09 08:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-26 20:11 --------- d-----w C:\Documents and Settings\StefanV\Application Data\Azureus 2007-11-25 18:51 --------- d-----w C:\Program Files\Trend Micro 2007-11-25 09:03 --------- d-----w C:\Program Files\Windows Media Connect 2 2007-11-25 08:56 --------- d-----w C:\Program Files\Microsoft IntelliType Pro 2007-11-25 08:56 --------- d-----w C:\Program Files\Microsoft IntelliPoint 2007-11-25 08:54 --------- d-----w C:\Program Files\iTunes 2007-11-25 08:52 --------- d-----w C:\Program Files\DAEMON Tools 2007-11-24 23:49 --------- d-----w C:\Program Files\MSN Messenger 2007-11-24 21:20 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-23 01:53 --------- d-----w C:\Program Files\OpenOffice.org1.1.4 2007-11-21 23:28 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2007-11-06 01:35 --------- d-----w C:\Program Files\iPod 2007-11-06 01:34 --------- d-----w C:\Program Files\QuickTime 2007-10-19 03:59 --------- d-----w C:\Program Files\Winamp 2007-10-18 16:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll 2007-10-04 23:16 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE 2007-10-04 23:16 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe 2007-10-04 22:14 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll 2007-10-04 22:14 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll 2007-10-04 22:14 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll 2007-10-04 22:14 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe 2007-10-04 22:14 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys 2007-10-04 22:14 6,750,208 ----a-w C:\WINDOWS\system32\nvoglnt.dll 2007-10-04 22:14 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll 2007-10-04 22:14 5,783,424 ----a-w C:\WINDOWS\system32\nv4_disp.dll 2007-10-04 22:14 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll 2007-10-04 22:14 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll 2007-10-04 22:14 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe 2007-10-04 22:14 425,984 ----a-w C:\WINDOWS\system32\keystone.exe 2007-10-04 22:14 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll 2007-10-04 22:14 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll 2007-10-04 22:14 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll 2007-10-04 22:14 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll 2007-10-04 22:14 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll 2007-10-04 22:14 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll 2007-10-04 22:14 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll 2007-10-04 22:14 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll 2007-10-04 22:14 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll 2007-10-04 22:14 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll 2007-10-04 22:14 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe 2007-10-04 22:14 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe 2007-10-04 22:14 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll 2007-10-04 22:14 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe 2007-10-04 22:14 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll 2007-10-04 22:14 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe 2007-10-04 22:14 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll 2007-10-04 22:14 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll 2007-10-04 16:50 --------- d-----w C:\Program Files\Java 2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56] "MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34] "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 05:48] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11] "Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\wmccfg.exe" [2005-10-06 18:12] "EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.exe" [2005-03-07 14:00] "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 18:14] "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 18:15] "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe] "nwiz"="nwiz.exe" [2007-10-04 17:14 C:\WINDOWS\system32\nwiz.exe] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36] "NvMediaCenter"="RUNDLL32.exe" [2004-08-04 02:56 C:\WINDOWS\system32\rundll32.exe] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys S3 AR5416;D-Link RangeBooster N Service;C:\WINDOWS\system32\DRIVERS\ar5416.sys S3 HwIOctl;HwIOctl;\??\C:\Program Files\Setup Files\MS-6702 v3.30\HwIOctl.sys S3 Memctl;Memctl;\??\C:\Program Files\Setup Files\MS-6702 v3.30\Memctl.sys S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16807163-27f8-11da-8182-0011097f5b6e}] \Shell\AutoRun\command - F:\autorun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7164966d-75fc-11db-8719-000d0bc43623}] \Shell\AutoRun\command - F:\loader.exe \Shell\langenglish\command - F:\setup\i386\msetup.exe lang:english [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9666d59-7820-11db-871e-000d0bc43623}] \Shell\AutoRun\command - H:\setupSNK.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f89a59f6-7cb0-11d9-8413-0011097f5b6e}] \Shell\AutoRun\command - D:\autoplay.exe . Contents of the 'Scheduled Tasks' folder "2007-11-29 23:51:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************ catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-30 02:13:25 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2007-11-30 2:13:51 C:\ComboFix2.txt ... 2007-11-29 20:38 . --- E O F --- Hijack This Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:18:34 AM, on 11/30/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16544) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Windows Media Connect 2\wmccfg.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\wmccfg.exe" /StartQuiet O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200" O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uwo.ca O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uwo.ca O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Remote Solver for COSMOSFloWorks 2006 - Unknown owner - C:\Program Files\SolidWorks\COSMOS\FloWorks\binCFW\StandAloneSlv.exe -- End of file - 5518 bytes

11-30-2007, 08:49 AM	#7 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Re: Trojan Virus Help Please! That looks better, but I did not get some results I was hoping to. Do you recognize these files: C:\pgdxf.exe C:\opnvmwvi.exe Also.... Please go to: VirusTotal On the page you'll find a "Browse" button. Next to the browse button you'll see a box to enter text. Please copy/paste the following in BOLD: C:\pgdxf.exe Then click the "Send File " button just below. This will scan the file. Please be patient. Once scanned, copy and paste the results in your next reply. Please repeat for the following files: C:\opnvmwvi.exe __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-30-2007, 11:14 AM	#8 (permalink)
Pumpkin Escobar Registered User Join Date: Nov 2007 Posts: 12 OS: xp	Re: Trojan Virus Help Please! I downloaded the Avira Antivirus program, and I did a system scan, and it came up with some files that it quarantined. Those two files were among them. This was after I ran Combo Fix, but before I ran Hijack This. Those two files are no longer in my C drive.

11-30-2007, 11:52 AM	#9 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Re: Trojan Virus Help Please! Ok, that's great. I had suspicions of those files, but hadn't seen much to confirm. Please run this online scan to help look for remnants. One vendor's definitions may find what another's has not. First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one. Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. --------------------------------------------------------------------------------------------- How is your system behaving, please? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-30-2007, 09:33 PM	#10 (permalink)
Pumpkin Escobar Registered User Join Date: Nov 2007 Posts: 12 OS: xp	Re: Trojan Virus Help Please! Ok here is the Kaspersky report ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Friday, November 30, 2007 11:31:12 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 1/12/2007 Kaspersky Anti-Virus database records: 469622 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ Scan Statistics: Total number of scanned objects: 105928 Number of viruses found: 0 Number of infected objects: 0 Number of suspicious objects: 0 Duration of the scan process: 05:40:29 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\00e8850d2962c1cba8c758497dd7eaf0_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0334ba75a8ea672985dbd14c510bf2da_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\04db7a20a1aaddaa45073c5a1fc08c44_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\06402839ebc9da85bc5684a6a6c94e1a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\07b30114152b93e23d70f03db179f606_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1c7babed5dc5562483e943c517f3aa2e_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1c7dba7705e1057ef7a7987e8dfb7dc2_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1ff72faea7398b1ebd483eb25a95f90a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2038663a7274106f6cb641b0183985b9_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\21e52b04d77af198776f4b8b71528b16_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2372102d2e2f3414f623a12bad82cda3_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2602cec93554b3a6b9834bb540df11e1_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2838f1c494b37a398706f7d5b9a7920b_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\285b3a8412fe52892e2ab6fb01d12c35_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2ac598facfec862c7d9ced77b27de114_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\31a54648f7a4eb2374955f5f7664c6d9_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\35a744d4211c89cd73f01541224da689_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3a0569ec724c6117904563ca6db2f2b4_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3fa46dc44cebe1e1670dfc2afd85b7a1_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\447a66bbff888ac5f3e57f42c85af122_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\48958d4b10b7305498e367f0d92eb9e1_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4c4d556b4fbc2e49b8aa3fb487c8869a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\529ae52103c9c96efcca2a0f2b8e7509_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\59d1eeb50d927dc542b9b69f1581879d_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5eb2703646848bd86e75ffc0743455e3_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6420467938878118a3f0a5e814b0e05f_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6607305bb5851f7b4a6e9fc029f8795a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\677cb1b16457bda5bc60c51799624600_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\67a10e8748d4ccacbe0f94add8fec8b2_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6f7a4d23860af24cda372b14c115c140_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\780915584bba9aba72864c1734697c67_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\79c68aa6ad3c183a57e5ad81d7c85f28_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\82fe5e8362d5714b074b721ca002e34d_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8530832c6f92c3ce1838f85f44b38e0a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\860ea30d5f411aa2c60e70f20222e49d_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\88aac6258d0f01779910a7826f74186c_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8ad6e1f48e44d1a793a42cc242ff1884_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8c924cd3e9273f29083e1b2f60938dea_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\96497f617490d397951c34cf54ef44ab_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9a0e3a61031a6bc3e587a89909d5472c_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a28701051ecaf081cb5a7073dec561a0_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a2e2715810d0b466f5bc7ff3e9c77498_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a9fd3c59cd8c376c0abb51435140dcd2_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b196e75931d7c051f215c55269db2105_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b1ca1ae17394322700a61c32d204d164_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b6229019916899e0e35bbd874f77c5a4_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c15a62b61ccfe6ce29b95b8b13f72cc6_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c359ba3de29dd67c201e1695158eddb2_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c69ae859e8c36720ebf9e499fdd66b54_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ccd60a706fcb6a9c87bfa37a53eb5e49_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cf80e2573d290673c09e319c48c0674c_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e2c3389adb94fa35ba38d6f75ae524bd_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e43472ab34d53c50a3bef48fb90ded63_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e687c6ea23cc74eaf797749bfd8ba324_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ef7c4404114543bf3c25609962a713ed_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f65a3c832783bbc09314e1c5b6282f1a_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f748d824b2fb0c02a251f94a2d7130cf_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f994736a3884ee2c4b04332c6ff7687c_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fa6ef15c060d7a1a4d99ad6cf72420b7_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fa7628f5720800a6aa930cd290342fab_40523f49-45af-4310-928c-7d41477845f5 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\cert8.db Object is locked skipped C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\formhistory.dat Object is locked skipped C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\history.dat Object is locked skipped C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\key3.db Object is locked skipped C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\parent.lock Object is locked skipped C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\search.sqlite Object is locked skipped C:\Documents and Settings\StefanV\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\urlclassifier2.sqlite Object is locked skipped C:\Documents and Settings\StefanV\Cookies\index.dat Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\Application Data\Mozilla\Firefox\Profiles\b13s8b7h.Stefan\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\History\History.IE5\MSHist012007113020071201\index.dat Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\Temp\hsperfdata_StefanV\3544 Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\StefanV\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\StefanV\ntuser.dat Object is locked skipped C:\Documents and Settings\StefanV\ntuser.dat.LOG Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{E1B86625-0FCF-497A-B134-184D40A757F2}\RP250\A0073033.dll Object is locked skipped C:\System Volume Information\_restore{E1B86625-0FCF-497A-B134-184D40A757F2}\RP250\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped E:\System Volume Information\_restore{E1B86625-0FCF-497A-B134-184D40A757F2}\RP250\change.log Object is locked skipped Scan process completed. My computer is running well now, no problems that I can see. Thanks a lot!

11-30-2007, 09:36 PM	#11 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Re: Trojan Virus Help Please! Your logs appear clean.You should be good to go. We still have a few items to address. Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items SpywareGuard to catch and block spyware before it can execute. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. Once updated you should see another prompt that the task was completed. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. FIREWALL If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here Do not install more than one firewall program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer Here are some additional utilities that will further enhance your safety. http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? MAKING INTERNET EXPLORER SAFER If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

11-30-2007, 10:34 PM	#12 (permalink)
Pumpkin Escobar Registered User Join Date: Nov 2007 Posts: 12 OS: xp	Re: Trojan Virus Help Please! Hey thanks a bunch for helping me out!

11-30-2007, 10:36 PM	#13 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,682 OS: 2000 Pro; XP Pro; XP Home	Re: Trojan Virus Help Please! You're quite welcome for the help. Surf Safely out there. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009