Old 01-14-2008, 06:42 AM   #1 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 47
OS: Windows XP


Trojan Horse PSW.OnlineGames.IBA

Hi

My computer got infected with Trojan Horse PSW.OnlineGames.IBA

Once in a while my IE would pop up to an address which can't be loaded.
I've scanned my system once in AVG right after I got infected, but it can't heal my system completely.

I'm pretty sure it got infected with another Trojan Horse as well.

Is there any way I can get rid of them completely?

Here's the log.(I've included the panda one as well)
Thanks!

Incident Status Location

Virus:W32/Autorun.DZ.worm Disinfected C:\autorun.inf
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[ComboFixT\nircmd.cfexe]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.zedo.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.atwola.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[server.iad.liveperson.net/hc/35245341]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\owner@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\owner@888[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\owner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\owner@atwola[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\owner@burstnet[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\owner@cassava[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\owner@doubleclick[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\owner@www.burstbeacon[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\owner@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\owner@yadro[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Desktop\thumbdrive\ComboFix.exe[ComboFixT\nircmd.cfexe]
Virus:Generic Malware Disinfected C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Desktop\thumbdrive\Flash_Disinfector.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\windows-OLD\nircmd.exe
Virus:W32/Autorun.DZ.worm Disinfected D:\autorun.inf
Virus:Generic Malware Not disinfected D:\New Folder\StormCodec5.00.-34.exe[CdnAux.dll]
Virus:Generic Malware Not disinfected D:\New Folder\StormCodec5.00.-34.exe[CdnIEHlp.dll]
Virus:Generic Malware Not disinfected D:\New Folder\StormCodec5.00.-34.exe[CdnProt.dll]
Virus:Generic Malware Not disinfected D:\New Folder\StormCodec5.00.-34.exe[CodeLib.dll]
Virus:Generic Malware Not disinfected D:\New Folder\StormCodec5.00.-34.exe[cdn.dll]
Attached Files
File Type: txt extra.txt (17.2 KB, 5 views)
File Type: txt Activescan.txt (17.6 KB, 2 views)

Last edited by Ried; 01-22-2008 at 06:30 PM.
flame87 is offline  
Old 01-18-2008, 10:21 PM   #2 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 47
OS: Windows XP


Re: Trojan Horse PSW.OnlineGames.IBA

bump...
flame87 is offline  
Old 01-22-2008, 01:58 AM   #3 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 47
OS: Windows XP


Re: Trojan Horse PSW.OnlineGames.IBA

Need help badly :[ can't update ad-aware too
flame87 is offline  
Old 01-22-2008, 06:35 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,600
OS: WinXP and Vista


Re: Trojan Horse PSW.OnlineGames.IBA

Hello flame87,

While I appreciate the logs you have supplied, you've neglected to post the most important report--the main.txt.

Please run a new scan with dss.exe and post the main.txt in your next reply.

Also, please copy/paste the main.txt directly into the reply box--do not attach it, or any other logs, unless specifically requested to do so.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 01-23-2008, 03:53 AM   #5 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 47
OS: Windows XP


Re: Trojan Horse PSW.OnlineGames.IBA

Hi Ried,

Sorry! I thought that I had posted the right one.

Thanks for helping!

Here's the main.txt

Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-23 18:51:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-23 18:51:19
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Desktop\dss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.co...p/DigWXMSN.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{1A8B0DF8-3849-4F73-AE9D-8B775E4EA43A}: NameServer = 165.21.83.88 165.21.100.88
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe


--
End of file - 8323 bytes

-- Files created between 2007-12-23 and 2008-01-23 -----------------------------

2008-01-22 16:38:11 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-01-22 16:37:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 17:47:48 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-14 17:28:03 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-13 16:45:02 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision
2008-01-13 16:44:20 0 d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-13 16:44:19 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Macromedia
2008-01-12 13:11:06 0 dr-h----- C:\$VAULT$.AVG
2008-01-12 13:10:24 0 d-------- C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\AVG7
2008-01-12 13:10:14 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2008-01-12 13:09:50 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2008-01-12 13:09:50 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-01-12 13:07:22 86144 --a------ C:\WINDOWS\system32\drivers\wmilibb.sys


-- Find3M Report ---------------------------------------------------------------

2008-01-23 18:48:55 0 d-------- C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Skype
2008-01-23 18:46:07 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00521102}.dat
2008-01-23 18:46:07 24 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00521102}.dat
2008-01-22 16:38:12 0 d-------- C:\Program Files\Lavasoft
2008-01-22 16:37:46 0 d-------- C:\Program Files\Common Files
2008-01-20 02:20:28 0 d-------- C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\LimeWire
2008-01-14 18:40:06 0 d-------- C:\Program Files\PowerISO
2008-01-14 18:39:54 0 d-------- C:\Program Files\MSN Messenger
2008-01-14 18:39:01 0 d-------- C:\Program Files\MagicISO
2008-01-14 18:37:35 0 d-------- C:\Program Files\iTunes
2008-01-14 18:27:22 0 d-------- C:\Program Files\Bonjour
2008-01-13 16:44:59 0 d-------- C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Macromedia
2008-01-13 16:44:03 0 d-------- C:\Program Files\Macromedia
2008-01-13 16:44:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-11 21:56:15 0 d-------- C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\dvdcss
2008-01-11 17:27:33 54272 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2008-01-04 02:21:49 0 d-------- C:\Program Files\New Folder
2007-12-18 00:20:12 0 d-------- C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\vlc
2007-12-18 00:04:32 0 d-------- C:\Program Files\VideoLAN
2007-11-29 14:20:34 0 d-------- C:\Program Files\LimeWire
2007-11-27 20:56:49 0 d-------- C:\Program Files\BitComet
2007-11-20 21:10:52 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [10/16/2006 02:49 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [06/14/2005 08:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [06/14/2005 08:00 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [09/12/2003 09:10 PM]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [12/26/2001 02:00 AM]
"WINDVDPatch"="CTHELPER.EXE" [07/02/2002 05:56 PM C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 01:00 AM]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [11/29/2001 01:00 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [04/13/2005 03:48 AM]
"AME_CSA"="amecsa.cpl" [01/30/2003 11:46 AM C:\WINDOWS\system32\AmeCSA.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/07/2007 04:55 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/12/2008 01:09 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [01/19/2007 12:54 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 01:04 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/07/2007 10:32 AM]

C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [5/30/2006 3:24:43 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01ced8a0-958e-11dc-9dbe-00c0a8a3a3b3}]
AutoRun\command- G:\ntde1ect.com
explore\Command- G:\ntde1ect.com
open\Command- G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10782efe-6793-11dc-9d5c-00c0a8a3a3b3}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10782eff-6793-11dc-9d5c-00c0a8a3a3b3}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- H:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3448f078-6c0c-11dc-9d6a-00c0a8a3a3b3}]
AutoRun\command- ntde1ect.com
explore\Command- ntde1ect.com
open\Command- ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3448f079-6c0c-11dc-9d6a-00c0a8a3a3b3}]
AutoRun\command- ntde1ect.com
explore\Command- ntde1ect.com
open\Command- ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3448f07a-6c0c-11dc-9d6a-00c0a8a3a3b3}]
AutoRun\command- ntde1ect.com
explore\Command- ntde1ect.com
open\Command- ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ce336be-5ccb-11dc-9d48-00c0a8a3a3b3}]
AutoRun\command- G:\ntde1ect.com
explore\Command- G:\ntde1ect.com
open\Command- G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{701210b4-7fb5-11dc-9d91-00c0a8a3a3b3}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- G:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cee495da-3443-11dc-9d01-00c0a8a3a3b3}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- G:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfc1e8c8-004d-11dc-9c6c-00c0a8a3a3b3}]
AutoRun\command- H:\ntde1ect.com
explore\Command- H:\ntde1ect.com
open\Command- H:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfc1e8c9-004d-11dc-9c6c-00c0a8a3a3b3}]
AutoRun\command- I:\ntde1ect.com
explore\Command- I:\ntde1ect.com
open\Command- I:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb98060c-9d03-11dc-9dcd-00c0a8a3a3b3}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- G:\Recycled\ctfmon.exe




-- End of Deckard's System Scanner: finished at 2008-01-23 18:51:41 ------------
flame87 is offline  
Old 01-23-2008, 09:05 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,600
OS: WinXP and Vista


Re: Trojan Horse PSW.OnlineGames.IBA

Thank you, now we can get started.

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Download Flash_Disinfector.exe and save it to your desktop.

Be sure to insert all flash drives and USB sticks, particularly what are typically your G:\, H:\, and I:\ drives.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.



2. Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

3. Open notepad and copy/paste the text in the code box below into it:

Code:
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01ced8a0-958e-11dc-9dbe-00c0a8a3a3b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10782eff-6793-11dc-9d5c-00c0a8a3a3b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3448f078-6c0c-11dc-9d6a-00c0a8a3a3b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3448f079-6c0c-11dc-9d6a-00c0a8a3a3b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3448f07a-6c0c-11dc-9d6a-00c0a8a3a3b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ce336be-5ccb-11dc-9d48-00c0a8a3a3b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{701210b4-7fb5-11dc-9d91-00c0a8a3a3b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cee495da-3443-11dc-9d01-00c0a8a3a3b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfc1e8c8-004d-11dc-9c6c-00c0a8a3a3b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dfc1e8c9-004d-11dc-9c6c-00c0a8a3a3b3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb98060c-9d03-11dc-9dcd-00c0a8a3a3b3}]
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

4. Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 01-24-2008, 08:42 AM   #7 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 47
OS: Windows XP


Re: Trojan Horse PSW.OnlineGames.IBA

ComboFix 08-01-23.2 - Owner 2008-01-24 0:42:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1107 [GMT 8:00]
Running from: C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\internet.exe
C:\WINDOWS\system32\update.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-24 00:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 16:37 . 2008-01-22 16:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 21:23 . 2008-01-14 21:23 <DIR> d-------- C:\Deckard
2008-01-14 17:47 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-14 17:28 . 2008-01-14 18:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-14 17:28 . 2008-01-14 17:28 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-14 17:28 . 2008-01-14 17:28 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 17:28 . 2008-01-14 17:28 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-13 16:44 . 2008-01-13 16:44 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-12 13:10 . 2008-01-12 13:10 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-12 13:07 . 2008-01-12 13:07 86,144 --a------ C:\WINDOWS\system32\drivers\wmilibb.sys
2008-01-12 13:07 . 2008-01-24 00:47 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 08:38 --------- d-----w C:\Program Files\Lavasoft
2008-01-14 10:40 --------- d-----w C:\Program Files\PowerISO
2008-01-14 10:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-14 10:39 --------- d-----w C:\Program Files\MagicISO
2008-01-14 10:37 --------- d-----w C:\Program Files\iTunes
2008-01-14 10:27 --------- d-----w C:\Program Files\Bonjour
2008-01-13 08:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 08:44 --------- d-----w C:\Program Files\Macromedia
2008-01-03 18:21 --------- d-----w C:\Program Files\New Folder
2007-12-17 16:04 --------- d-----w C:\Program Files\VideoLAN
2007-12-14 03:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-29 06:20 --------- d-----w C:\Program Files\LimeWire
2007-11-27 12:56 --------- d-----w C:\Program Files\BitComet
2007-11-20 13:10 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-07 09:50 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 09:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-04-20 16:39 1,568,211 ----a-w C:\Program Files\war3.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-07 10:32 23395368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-10-16 02:49 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-06-14 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-06-14 20:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10 335872]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 02:00 191488]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"AME_CSA"="amecsa.cpl" [2003-01-30 11:46 757760 C:\WINDOWS\system32\AmeCSA.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-12 13:09 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 13:10 219136]

R1 wmilibb;wmilibb;C:\WINDOWS\system32\drivers\wmilibb.sys [2008-01-12 13:07]
R3 AmeAtmPc;AmeAtmPc;C:\WINDOWS\system32\DRIVERS\AmeAtmPc.sys [2002-10-28 12:17]
S3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2005-06-14 20:00]
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2005-06-14 20:00]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;C:\WINDOWS\system32\ZDBRGSYS.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10782efe-6793-11dc-9d5c-00c0a8a3a3b3}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 05:37:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 00:47:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-01-24 04:53
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/01/2008
Kaspersky Anti-Virus database records: 528211
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 132447
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:58:54

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\fla72E.tmp Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1C0EE078-AB9A-4842-A48A-641C2B0015B0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\wmilibb.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped

Scan process completed.


Hmmmm, after turning off my Anti-Virus software and scanning with ComboFix an additional Internet Explorer icon was created on my desktop and the system restore was turned off. Both: I deleted away the icon and turned off system restore right after that. Random popups are still a problem here.

Thanks! :)
Old 01-24-2008, 09:25 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,600
OS: WinXP and Vista


Re: Trojan Horse PSW.OnlineGames.IBA

Is system restore on, or off? We want it on so we have a fallback point--even an infected one is better than none should anything not go as planned. We'll flush those infected restore points when we're through.

---------------------------------------------------------------------

Do this first please, then I'll proceed to remove the remaining infection:

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System





Download the file & save it as it's originally named, next to ComboFix.exe.






Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
Old 01-24-2008, 09:48 AM   #9 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 47
OS: Windows XP


Re: Trojan Horse PSW.OnlineGames.IBA

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="WINDOWS XP" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


done!
Old 01-24-2008, 09:51 AM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,600
OS: WinXP and Vista


Re: Trojan Horse PSW.OnlineGames.IBA

Thanks.

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\wmilibb.sys

Driver::
wmilibb
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall



Post the C:\ComboFix.txt here, along with an update on system behavior.
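As an added example, not part of this thread and not ComboFix's own code: a small Python script that pulls the mountpoints2 AutoRun entries and the driver load points out of a ComboFix log (the sample log is constructed here, condensed from the logs posted above) and assembles a CFScript in the layout used by the two scripts in this thread (File::, Driver::, and REGEDIT-style [-KEY] deletions). The `Registry::` directive name, the function names and the cutoff date are assumptions; which files and keys actually go into a script remains the analyst's decision.

```python
import re

# Constructed sample: a few lines condensed from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
R1 wmilibb;wmilibb;C:\WINDOWS\system32\drivers\wmilibb.sys [2008-01-12 13:07]
R3 AmeAtmPc;AmeAtmPc;C:\WINDOWS\system32\DRIVERS\AmeAtmPc.sys [2002-10-28 12:17]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;C:\WINDOWS\system32\ZDBRGSYS.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10782efe-6793-11dc-9d5c-00c0a8a3a3b3}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

# A mountpoints2 key line as ComboFix prints it under "Reg Loading Points".
MOUNTPOINT_KEY = re.compile(r"^\[(HKEY_CURRENT_USER\\.*?\\mountpoints2\\[^\]]+)\]$", re.I)
# The AutoRun command ComboFix prints on the line below such a key.
AUTORUN_CMD = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+)$", re.I)
# Driver/service lines: "R1 name;display name;path [YYYY-MM-DD HH:MM]" (the bracket may be empty).
DRIVER_LINE = re.compile(
    r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(?:(\d{4}-\d{2}-\d{2})[^\]]*)?\]$")


def find_autorun_mountpoints(log_text):
    """Return [(registry_key, command)] for every mountpoints2 key in the log
    that carries a \\Shell\\AutoRun\\command value."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    found = []
    for i, line in enumerate(lines):
        key = MOUNTPOINT_KEY.match(line)
        if not key:
            continue
        nxt = next((ln for ln in lines[i + 1:] if ln), "")  # first non-blank line after the key
        cmd = AUTORUN_CMD.match(nxt)
        if cmd:
            found.append((key.group(1), cmd.group(1)))
    return found


def drivers_created_since(log_text, cutoff):
    """Return [(service_name, path)] for running (R*) drivers whose file timestamp
    is on or after `cutoff` ("YYYY-MM-DD"); ISO dates compare correctly as strings."""
    hits = []
    for line in log_text.splitlines():
        m = DRIVER_LINE.match(line.strip())
        if not m or not m.group(1).startswith("R") or not m.group(5):
            continue
        if m.group(5) >= cutoff:
            hits.append((m.group(2), m.group(4)))
    return hits


def build_cfscript(files, drivers, registry_keys):
    """Assemble CFScript text: File:: and Driver:: blocks as in this thread, then a
    Registry:: block (directive name assumed) holding REGEDIT-style [-KEY] deletions."""
    out = []
    if files:
        out += ["File::"] + list(files) + [""]
    if drivers:
        out += ["Driver::"] + list(drivers) + [""]
    if registry_keys:
        out += ["Registry::"] + ["[-%s]" % k for k in registry_keys] + [""]
    return "\n".join(out)


def cfscript_for_thread():
    """Worked case for SAMPLE_LOG: the analyst names the files to delete, the driver
    list comes from the timestamp check, and every AutoRun mount point in the log
    becomes a deletion candidate for the analyst to review before the script is used."""
    cutoff = "2008-01-12"  # assumed: the day the infection's files first appear in the log
    files = [r"C:\WINDOWS\system32\drivers\core.cache.dsk",
             r"C:\WINDOWS\system32\drivers\wmilibb.sys"]
    drivers = [name for name, _ in drivers_created_since(SAMPLE_LOG, cutoff)]
    keys = [key for key, _ in find_autorun_mountpoints(SAMPLE_LOG)]
    return build_cfscript(files, drivers, keys)


if __name__ == "__main__":
    print(cfscript_for_thread())
```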
Old 01-24-2008, 10:24 AM   #11 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 47
OS: Windows XP


Re: Trojan Horse PSW.OnlineGames.IBA

ComboFix 08-01-23.2 - Owner 2008-01-25 1:10:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1047 [GMT 8:00]
Running from: C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\wmilibb.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\wmilibb.sys
.
---- Previous Run -------
.
C:\WINDOWS\system32\internet.exe
C:\WINDOWS\system32\update.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.


-------\LEGACY_WMILIBB
-------\wmilibb


((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-25 00:44 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-25 00:44 . 2007-05-12 06:29 281 --a------ C:\Boot.bak
2008-01-24 00:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 16:37 . 2008-01-22 16:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 21:23 . 2008-01-14 21:23 <DIR> d-------- C:\Deckard
2008-01-14 17:47 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-14 17:28 . 2008-01-14 18:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-14 17:28 . 2008-01-14 17:28 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-14 17:28 . 2008-01-14 17:28 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 17:28 . 2008-01-14 17:28 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-13 16:44 . 2008-01-13 16:44 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-12 13:10 . 2008-01-12 13:10 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 08:38 --------- d-----w C:\Program Files\Lavasoft
2008-01-14 10:40 --------- d-----w C:\Program Files\PowerISO
2008-01-14 10:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-14 10:39 --------- d-----w C:\Program Files\MagicISO
2008-01-14 10:37 --------- d-----w C:\Program Files\iTunes
2008-01-14 10:27 --------- d-----w C:\Program Files\Bonjour
2008-01-13 08:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 08:44 --------- d-----w C:\Program Files\Macromedia
2008-01-03 18:21 --------- d-----w C:\Program Files\New Folder
2007-12-17 16:04 --------- d-----w C:\Program Files\VideoLAN
2007-12-14 03:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-29 06:20 --------- d-----w C:\Program Files\LimeWire
2007-11-27 12:56 --------- d-----w C:\Program Files\BitComet
2007-11-20 13:10 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-07 09:50 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 09:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-04-20 16:39 1,568,211 ----a-w C:\Program Files\war3.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-24_ 0.49.52.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 16:42:16 159,744 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 17:10:24 159,744 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 16:42:16 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 17:10:24 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 16:42:16 163,840 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 17:10:24 163,840 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 16:42:16 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 17:10:24 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 16:42:16 6,565,888 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-24 17:10:24 6,565,888 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-23 16:42:17 372,736 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 17:10:24 372,736 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 00:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-07 10:32 23395368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-10-16 02:49 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-06-14 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-06-14 20:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10 335872]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 02:00 191488]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"AME_CSA"="amecsa.cpl" [2003-01-30 11:46 757760 C:\WINDOWS\system32\AmeCSA.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-12 13:09 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 13:10 219136]

R3 AmeAtmPc;AmeAtmPc;C:\WINDOWS\system32\DRIVERS\AmeAtmPc.sys [2002-10-28 12:17]
S3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2005-06-14 20:00]
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2005-06-14 20:00]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;C:\WINDOWS\system32\ZDBRGSYS.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10782efe-6793-11dc-9d5c-00c0a8a3a3b3}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 05:37:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 01:14:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.


The pop-ups are gone! But I'm not sure if I'm free of the trojans. :(
Old 01-24-2008, 10:37 AM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,600
OS: WinXP and Vista


Re: Trojan Horse PSW.OnlineGames.IBA

After that last script with ComboFix, as far as I can see, the trojan/worms are gone.

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
Old 01-24-2008, 11:01 AM   #13 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 47
OS: Windows XP


Re: Trojan Horse PSW.OnlineGames.IBA

THANKS!!!!

So far so good!

Can you recommend me any spyware clearing software in case I get infected? I'm using the Lavasoft Ad-Aware 2007

Thanks for the software as well; I've just installed it all

Once again, THANKS!!!

Last edited by flame87; 01-24-2008 at 11:02 AM.
Old 01-24-2008, 11:19 AM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,600
OS: WinXP and Vista


Re: Trojan Horse PSW.OnlineGames.IBA

You're welcome.

AdAware is a very good program to use, just be sure to update its database and scan your system with it regularly.

There currently is no program, Anti Virus or Anti Malware, that would have cleaned or prevented this last infection you had, but please read the link I gave you earlier for some ideas of other protective programs you can use. PC Safety and Security--What Do I Need?
Old 01-26-2008, 03:39 AM   #15 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 47
OS: Windows XP


Re: Trojan Horse PSW.OnlineGames.IBA

Hmmmm, I've tried to scan using Kaspersky again and there was still an infection, but there was no sign of an infection; my PC is behaving normally.

I've scanned with Ad-Aware and AVG too; they did not detect any trojan horses, or the "viruses" Kaspersky detected are just spyware with low harm.

If everything is normal, I guess you can shift this thread to the resolved thread.

Help would be greatly appreciated :)


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-01-26 6:28:44 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/01/2008
Kaspersky Anti-Virus database records: 533104
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 126159
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 02:14:00

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\FLEXnet\adobe_00080000_tsf.data Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Messenger\answer_three@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Messenger\answer_three@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Messenger\answer_three@hotmail.com\SharingMetadata\Working\database_B4DC_3D71_DC3D_2ECC\dfsr.db Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Messenger\answer_three@hotmail.com\SharingMetadata\Working\database_B4DC_3D71_DC3D_2ECC\fsr.log Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Messenger\answer_three@hotmail.com\SharingMetadata\Working\database_B4DC_3D71_DC3D_2ECC\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Messenger\answer_three@hotmail.com\SharingMetadata\Working\database_B4DC_3D71_DC3D_2ECC\tmp.edb Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Windows Live Contacts\answer_three@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Microsoft\Windows Live Contacts\answer_three@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\8B24EC56d01 Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Application Data\Mozilla\Firefox\Profiles\eud9xbpb.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\History\History.IE5\MSHist012008012620080127\index.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\alm.log Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\amt.log Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\fla93A.tmp Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\Photoshop Temp711342836 Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\~DF2D95.tmp Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\~DF32B.tmp Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\~DF33D.tmp Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\~DFB423.tmp Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\~DFF19A.tmp Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temp\~DFF1B5.tmp Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner.ADMIN-CDB184AE0\ntuser.dat.LOG Object is locked skipped
C:\Downloads\Ocean's Eleven.avi.bc! Object is locked skipped
C:\Program Files\Common Files\Adobe\Adobe PCD\cache\cache.db Object is locked skipped
C:\Program Files\Common Files\Adobe\Adobe PCD\pcd.db Object is locked skipped
C:\Program Files\Common Files\Adobe\caps\caps.db Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Last edited by flame87; 01-26-2008 at 03:49 AM.
Old 01-26-2008, 08:08 AM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,600
OS: WinXP and Vista


Re: Trojan Horse PSW.OnlineGames.IBA

Hi flame87,

The remaining find by Kaspersky is only the reporting of the presence of this program on your system. As long as you installed it yourself, no worries.

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
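Triage of a report in the format posted above, as an added example that is not code from this forum or from Kaspersky: it parses the "Infected Object Name / Virus Name / Last Action" lines, separates objects that were merely locked and skipped from real detections, and treats "not-a-virus:" names (riskware such as the mIRC client noted above) as informational rather than as malware. The line layout and the sample report are assumed and constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the assumed Kaspersky Online Scanner 5.x layout:
# "<path> Object is locked <action>" or "<path> Infected: <name> <action>".
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Temp\dropper.exe Infected: Trojan-PSW.Win32.OnLineGames.abc deleted
C:\Temp\weird.bin Suspicious: HEUR:Trojan.Win32.Generic skipped

Scan process completed.
"""

@dataclass
class Finding:
    path: str
    verdict: str        # "locked", "infected" or "suspicious"
    name: Optional[str]  # detection name, None for locked objects
    action: str         # last action reported by the scanner
    severity: str       # "info", "riskware", "suspicious" or "malware"

# Path is matched non-greedily so paths containing spaces still parse.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)|"
    r"(?P<kind>Infected|Suspicious): (?P<name>\S+)) (?P<action>\S+)$"
)

def classify(kind: Optional[str], name: Optional[str]) -> Tuple[str, str]:
    """Map the scanner's verdict to a triage severity."""
    if kind is None:
        return "locked", "info"          # locked system file, nothing scanned
    if kind == "Suspicious":
        return "suspicious", "suspicious"  # heuristic hit, needs a look
    if name.startswith("not-a-virus:"):
        return "infected", "riskware"     # legitimate tool, fine if user-installed
    return "infected", "malware"

def parse_report(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank and summary lines
        verdict, severity = classify(m.group("kind"), m.group("name"))
        findings.append(Finding(m.group("path"), verdict, m.group("name"),
                                m.group("action"), severity))
    return findings

def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Only real malware and heuristic hits warrant follow-up."""
    return [f for f in findings if f.severity in ("malware", "suspicious")]
```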
Old 01-27-2008, 01:42 AM   #17 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 47
OS: Windows XP


Re: Trojan Horse PSW.OnlineGames.IBA

Thanks, Ried! I guess everything is fine!

I'm grateful for your help! :)
Old 01-27-2008, 09:43 AM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,600
OS: WinXP and Vista


Re: Trojan Horse PSW.OnlineGames.IBA

You're welcome, flame87. Take care.
Copyright 2001 - 2009, Tech Support Forum