Old 11-16-2008, 05:43 AM   #1 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 15
OS: Win xp SP 2


system 32 trojan

When I launch Internet, a new internet tab or Windows Explorer I get a message from AVG (free) alerting me to a trojan horse:
C:\WINDOWS\system32\pm_setup_util.exe
Trojan horse Generic 10.ATQH

Occasionally it reports 2 problems, the other threat is:
C:\WINDOWS\system32\pm_proc1.exe
Trojan Horse Agent.ALOU

I've tried clicking heal, move to vault, and scanned with AVG to find and move them to vault, but the problem still occurs on all users.

Followed a link from a poster to here, ran gmer and dds.
Here's the DDS log:


DDS (Version 1.0) - NTFSx86
Run by User at 12:31:10.00 on 16/11/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.511.147 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\winmech\NTSERV~1\srunner.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\SmartError\SmartErrorUpdater.exe
C:\WINDOWS\VM305_STI.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=4&link=ctg_trs_home_from_bcs_thankyou_sitenav
uSearch Page = hxxp://www.google.co.uk
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mSearch Page = hxxp://www.thebreastcancersite.com/clicktogive/home.faces?siteid=2
mStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - c:\program files\video activex object\isadd.dll
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
BHO: {D810B78A-D010-44DF-8445-AC58086B600E} - c:\windows\system32\pm_dll.dll
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: {84938242-5C5B-4A55-B6B9-A1507543B418} - c:\program files\video activex object\iesplugin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: {84938242-5C5B-4A55-B6B9-A1507543B418} - c:\program files\video activex object\iesplugin.dll
TB: {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent] "c:\documents and settings\user\my documents\misc\bittorrent.exe" --force_start_minimized
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CARPService] carpserv.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [SmartError_updater] c:\program files\smarterror\SmartErrorUpdater.exe
mRun: [BigDog305] c:\windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BootSkin Startup Jobs] "c:\progra~1\stardock\wincus~1\bootskin\BootSkin.exe" /StartupJobs
mRun: [LogonStudio] "c:\program files\wincustomize\logonstudio\logonstudio.exe" /RANDOM
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [plsi] c:\windows\system32\pm_proc1.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\worldc~1.lnk - c:\program files\boinc\boincmgr.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/229?03146f322e1e48df8fb6670ae8ee86ed
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/230?03146f322e1e48df8fb6670ae8ee86ed
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\user\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {BA12EFAE-9F3F-11DA-9387-00A0C9DA30E9} - {BA12EFAF-9F3F-11DA-9387-00A0C9DA30E9} - c:\program files\smarterror\Plug.dll
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\user\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
Notify: WB - c:\progra~1\stardock\object~1\window~1\fastload.dll
AppInit_DLLs: wbsys.dll,avgrsstx.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe
R2 winmech;Security Services Internet;c:\windows\winmech\ntserv~1\srunner.exe
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys
S2 r_server;Remote Administrator Service;"c:\windows\svchost.exe" /service
S3 GameConsoleService;GameConsoleService;"c:\program files\hp games\my hp game console\GameConsoleService.exe"
S3 PciCon;PciCon;\??\D:\PciCon.sys
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys
S3 XDva008;XDva008;\??\c:\windows\system32\XDva008.sys
S3 ZSMC0305;VIMICRO USB PC Camera V;c:\windows\system32\drivers\usbVM305.sys

=============== Created Last 30 ================

2008-11-16 11:55 250 a------- c:\windows\gmer.ini
2008-11-16 11:51 707,072 a------- c:\windows\system32\pm_proc1.exe
2008-11-16 11:50 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old32
2008-11-16 11:50 707,072 a------- c:\windows\system32\pm_proc1.exe.old5
2008-11-16 11:49 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old31
2008-11-16 11:43 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old30
2008-11-16 11:04 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old29
2008-11-16 11:04 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old28
2008-11-16 11:04 707,072 a------- c:\windows\system32\pm_proc1.exe.old4
2008-11-16 11:04 707,072 a------- c:\windows\system32\pm_proc1.exe.old3
2008-11-16 11:02 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old27
2008-11-16 11:00 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old26
2008-11-16 10:47 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old25
2008-11-16 10:43 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old24
2008-11-16 10:36 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old23
2008-11-16 10:34 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old22
2008-11-16 10:30 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old21
2008-11-16 10:05 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old20
2008-11-16 09:14 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old19
2008-11-16 09:02 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old18
2008-11-16 08:48 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old17
2008-11-15 19:32 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old16
2008-11-15 19:16 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old15
2008-11-15 15:08 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old14
2008-11-15 14:45 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old13
2008-11-15 14:23 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old12
2008-11-15 13:14 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old11
2008-11-15 12:06 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old10
2008-11-15 11:43 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old9
2008-11-15 11:19 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old8
2008-11-15 11:19 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old7
2008-11-15 10:20 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old5
2008-11-15 10:16 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old4
2008-11-15 10:13 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old3
2008-11-15 10:12 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old2
2008-11-15 10:12 707,072 a------- c:\windows\system32\pm_proc1.exe.old2
2008-11-12 20:27 244 a---h--- C:\sqmnoopt16.sqm
2008-11-12 20:27 232 a---h--- C:\sqmdata17.sqm
2008-11-06 17:32 244 a---h--- C:\sqmnoopt15.sqm
2008-11-06 17:32 232 a---h--- C:\sqmdata16.sqm
2008-11-05 20:28 118,272 a------- c:\windows\system32\SX5363S.DLL
2008-11-05 20:28 102,400 a------- c:\windows\system32\RV32RTP.dll
2008-11-05 20:28 40 a------- c:\windows\system32\Sx5363.ini
2008-11-05 20:28 <DIR> --d----- c:\program files\Gameforge4D
2008-10-28 20:35 <DIR> --d----- c:\docume~1\user\applic~1\SPORE
2008-10-26 14:50 <DIR> --d----- c:\program files\iTunes
2008-10-26 14:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-26 14:48 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2008-11-16 12:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kontiki
2008-11-16 11:51 <DIR> --d----- c:\program files\BOINC
2008-11-16 11:51 94,720 a------- c:\windows\system32\pm_proc2.exe
2008-11-12 18:58 <DIR> --d----- c:\docume~1\user\applic~1\Canon
2008-10-26 14:51 <DIR> --d----- c:\program files\iPod
2008-10-24 17:15 <DIR> --d----- c:\program files\Microsoft Games
2008-10-24 11:44 <DIR> --d----- c:\program files\Cossacks - Back To War
2008-10-22 19:59 <DIR> --d----- c:\program files\Microsoft AutoRoute
2008-10-10 19:51 <DIR> --d----- c:\program files\XoftSpySE
2008-10-10 19:26 <DIR> --d----- c:\program files\DreamQuest
2008-10-05 08:26 <DIR> --d----- c:\program files\Coupon Printer
2008-10-01 16:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ahead
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-09 18:25 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-09-09 12:20 <DIR> --d----- c:\docume~1\user\applic~1\SporeCreatureCreator
2008-09-04 16:42 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-29 10:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-08-29 09:53 61,440 a------- c:\windows\system32\dnssd.dll
2008-08-26 07:24 826,368 a------- c:\windows\system32\wininet.dll
2008-08-21 11:21 <DIR> --d----- c:\docume~1\user\applic~1\InstallShield Installation Information
2008-08-21 11:19 <DIR> --d----- c:\docume~1\user\applic~1\My Games
2008-07-27 11:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NexonUS
2008-07-06 19:12 <DIR> --d----- c:\docume~1\user\applic~1\SPORE Creature Creator
2008-07-02 17:22 <DIR> --d----- c:\docume~1\user\applic~1\WildTangent
2008-07-02 17:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WildTangent
2008-06-11 07:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-06-05 00:00 <DIR> --d----- c:\docume~1\user\applic~1\Firaxis Games
2008-04-15 16:50 <DIR> --d----- c:\docume~1\user\applic~1\My Battle for Middle-earth(tm) II Files
2007-09-28 19:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SSScanAppDataDir
2007-09-28 19:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ScanSoft
2007-09-15 08:52 <DIR> --d----- c:\docume~1\user\applic~1\VideoEgg
2007-09-08 10:15 <DIR> --d----- c:\docume~1\user\applic~1\GetRightToGo
2007-09-08 09:26 <DIR> --d----- c:\docume~1\user\applic~1\InterTrust
2007-08-31 19:47 <DIR> --d----- c:\docume~1\user\applic~1\Turbine
2007-08-29 14:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSScanAppDataDir
2007-07-25 12:58 <DIR> --d----- c:\docume~1\user\applic~1\Atari
2007-07-04 08:22 <DIR> --d----- c:\docume~1\user\applic~1\Alien Skin
2007-06-26 16:40 <DIR> --d----- c:\docume~1\user\applic~1\BitTorrent
2007-06-26 16:39 <DIR> --d----- c:\docume~1\user\applic~1\uTorrent
2007-06-12 09:20 <DIR> --d----- c:\docume~1\user\applic~1\LimeWire
2007-05-30 07:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2007-05-27 22:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2007-03-24 20:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Microsoft Corporation
2006-10-14 18:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2006-10-14 18:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZILLAbar
2006-09-26 20:57 <DIR> --d----- c:\docume~1\user\applic~1\IMVU
2006-09-04 18:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\VideoEgg
2006-09-04 10:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Windows Live Toolbar
2006-07-01 16:03 <DIR> --d----- c:\docume~1\user\applic~1\The Labyrinth Plus! Edition
2006-06-21 17:00 <DIR> --d----- c:\docume~1\user\applic~1\ScanSoft
2006-06-21 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SSScanWizard
2008-05-19 09:42 321 ---sh--- c:\windows\system32\2300369754.sys

============= FINISH: 12:32:22.59 ===============



I'll attach the Gmer.txt as well.

Many thanks
Attached Files
File Type: txt Gmer.txt (71.8 KB, 3 views)
massey91 is offline  
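The DDS report above already contains the evidence for why "move to vault" never sticks: the "Created Last 30" section shows the same two files re-created dozens of times, an mRun entry launches one of them, and a service points at a svchost.exe outside system32. As an added triage example (not code from the thread, from DDS or from the helper), the script below parses those DDS sections and correlates them; the banner names, the numbered `.oldN` convention and the system32-only binary set are assumptions taken from this log, not from a DDS specification.

```python
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the DDS report in the first post.
# The full report can be passed to triage() unchanged; the parser keys on
# the "==== Section ====" banners DDS prints between its sections.
DDS_LOG = r"""
============== Psuedo HJT Report ===============

BHO: {D810B78A-D010-44DF-8445-AC58086B600E} - c:\windows\system32\pm_dll.dll
mRun: [plsi] c:\windows\system32\pm_proc1.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

============= SERVICES / DRIVERS ===============

R2 winmech;Security Services Internet;c:\windows\winmech\ntserv~1\srunner.exe
S2 r_server;Remote Administrator Service;"c:\windows\svchost.exe" /service

=============== Created Last 30 ================

2008-11-16 11:51 707,072 a------- c:\windows\system32\pm_proc1.exe
2008-11-16 11:50 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old32
2008-11-16 11:50 707,072 a------- c:\windows\system32\pm_proc1.exe.old5
2008-11-16 11:49 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old31
2008-11-16 11:43 1,112,064 a------- c:\windows\system32\pm_setup_util.exe.old30
2008-11-15 10:12 707,072 a------- c:\windows\system32\pm_proc1.exe.old2
2008-11-05 20:28 <DIR> --d----- c:\program files\Gameforge4D
"""

BANNER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<date> <time> <size|<DIR>> <attrs> <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+\S+\s+\S+\s+(.+)$")
OLD_RE = re.compile(r"^(.+)\.old\d+$", re.I)
# Autorun-style entries: user/machine Run keys, BHOs, toolbars, services (R#/S#).
ENTRY_RE = re.compile(r"^(?:[umd]Run|BHO|TB|Notify|[RS]\d)\b")
# First Windows path ending in an executable extension on an entry line.
PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll|sys))', re.I)
# Core Windows binaries that legitimately live only under %SystemRoot%\system32.
# Assumption: tune this to your baseline; a same-named file elsewhere is masquerading.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}


def split_sections(text):
    """Split a DDS report into {banner name: [non-empty lines]}."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line:
            sections[current].append(line)
    return sections


def redropped_files(created_lines, min_copies=3):
    """Group numbered .oldN copies under their base path. A base with several
    copies created minutes apart is being replaced by something still resident,
    which is why moving one copy to the vault never makes the alert stop."""
    stamps = defaultdict(list)
    for line in created_lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        path = m.group(2).lower()
        om = OLD_RE.match(path)
        stamps[om.group(1) if om else path].append(m.group(1))
    return {base: sorted(s) for base, s in stamps.items() if len(s) >= min_copies}


def entry_paths(lines):
    """Map each autorun/service entry line to the executable it launches."""
    entries = {}
    for line in lines:
        m = PATH_RE.search(line) if ENTRY_RE.match(line) else None
        if m:
            entries[line] = m.group(1).lower()
    return entries


def misplaced_system_binaries(entries):
    r"""Entries launching a core Windows binary name from outside system32,
    e.g. a service pointing at c:\windows\svchost.exe instead of system32."""
    hits = []
    for line, path in entries.items():
        folder, _, name = path.rpartition("\\")
        if name in SYSTEM32_ONLY and not folder.endswith("\\system32"):
            hits.append(line)
    return hits


def triage(text, min_copies=3):
    """Correlate the three findings a helper would want from one DDS log."""
    sec = split_sections(text)
    redrops = redropped_files(sec.get("Created Last 30", []), min_copies)
    entries = entry_paths(sec.get("Psuedo HJT Report", []) + sec.get("SERVICES / DRIVERS", []))
    return {
        "redropped": redrops,
        # Autorun entries that launch one of the re-dropped files: the
        # persistence that re-creates what the AV keeps quarantining.
        "autoruns_for_redropped": [l for l, p in entries.items() if p in redrops],
        "misplaced_system_binaries": misplaced_system_binaries(entries),
    }


if __name__ == "__main__":
    for key, value in triage(DDS_LOG).items():
        print(key, value)
```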
Old 11-17-2008, 12:46 PM   #2 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

My System

Re: system 32 trojan

Hi there

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards.

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only; it should not be used on any other computer. Each fix is tailor made for the specific task in hand. If for some reason you have system restore disabled, then please re-enable it before proceeding; an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Please copy and paste any requested logs into replies rather than add as attachments; this makes it easier for analysis.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

If this is a computer from a work place then please advise your IT department of the concerning issues before commencing past this point.

Please follow these directions in the order they are set out for you.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please include the following reports for further review, and so we may continue cleansing the system:

Go to Start > Run and copy/paste the following into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

Please include in your next post

> C:\ComboFix.txt
> Add-Remove Programs.txt
> New HijackThis log.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
Old 11-18-2008, 10:07 AM   #3 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 15
OS: Win xp SP 2


Re: system 32 trojan

Hi, thanks for your reply.

I will follow the steps you've outlined, except I'm afraid I don't know what the hijackthis log is, is it the dds or gmer file?

thanks
massey91 is offline  
Old 11-18-2008, 10:13 AM   #4 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

My System

Re: system 32 trojan

Hi massey91

Don't worry about the HijackThis log, just post the C:\ComboFix.txt and Add-Remove Programs.txt

Thanks
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
Old 11-18-2008, 11:22 AM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 15
OS: Win xp SP 2


Re: system 32 trojan

Hi,
Here's the Add/Remove Programs txt:
100% Free Chess 7.18
7-Zip 4.42
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Reader 7.0
AGEIA PhysX v7.07.09
AirRivals 1.0.0.13
AOL Desktop Icon
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
Athlon 64 Processor Driver
AVG Free 8.0
BBC iPlayer Download Manager
Boardworks GCSE Additional Science
Bonjour
BootSkin
BZFlag 2.0.10 (remove only)
Canon MP Navigator 2.0
Canon MP170
Canon Utilities Easy-PhotoPrint
CCleaner (remove only)
Compatibility Pack for the 2007 Office system
Cossacks - Back To War
Coupon Printer
CTU Display (Widescreen)
Dangerous Waters
Design Tools - 2D Design V2 Demo
DesktopX Professional
EA Download Manager
Easy-WebPrint
Eurofighter Typhoon
F-22 Lightning 3
Free Allegiance
Google Earth
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
IconDeveloper Professional
IconPackager
IconX
Internet Security Add-On
iPod for Windows 2005-09-23
iPod for Windows 2006-06-28
iTunes
J2SE Runtime Environment 5.0 Update 3
Jigsaw 2005
Lame ACM MP3 Codec
LG GSM PC Components
LG USB Modem Driver
LK Screensaver
LogonStudio
Marine Sharpshooter II: Jungle Warfare
Medal of Honor Airborne
Medieval II Total War
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft AutoRoute 2005
Microsoft Calculator Plus
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Encarta Encyclopedia Standard 2005
Microsoft IntelliPoint 5.2
Microsoft IntelliType Pro 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Photo Premium 10
Microsoft Picture It! Library 10
Microsoft Plus! for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft WorldWide Telescope
MobileMe Control Panel
MSN
MSN Music Mediabar
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MTX MotoTrax
My HP Games
Nero Suite
NetWaiting
NoteWorthy Composer
NVIDIA Drivers
OmniPage SE 2.0
Photo Story 3 for Windows
Platform
Public Messenger ver 2.03
QuickTime
QuickTime for Windows (32-bit)
RealPlayer
Realtek AC'97 Audio
Rhapsody Player Engine
S3GSetup
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sid Meier's Civilization 4 - Beyond the Sword
SkinStudio
Skype™ 3.8
Smart Link 56K Voice Modem
Smart Menus (Windows Live Toolbar)
SmartError 1.12
SPORE™
System Requirements Lab
Tabbed Browsing (Windows Live Toolbar)
TeamSpeak 2 RC2
The Battle for Middle-earth (tm) II
Theme Hospital
Tony Hawk's American Wasteland
Tony Hawks Pro Skater 4
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
V92 PCI Voice Faxmodem
VIA Platform Device Manager
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
VideoEgg Publisher
WebFldrs XP
WindowBlinds
WindowFX
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
World Community Grid - BOINC Agent
XoftSpySE
XviD MPEG-4 Video Codec
ZoneAlarm
ZoneAlarm Spy Blocker




And here's the Combofix log:




ComboFix 08-11-17.06 - User 2008-11-18 17:21:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.248 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rob\Application Data\Dxcknwrd.dll
c:\documents and settings\Rob\Application Data\Dxcuknwrd.dll
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner11329.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner11429.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner11632.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner11747.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner12116.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner12316.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner1750.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner3361.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner4082.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner7334.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner7559.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner7599.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner7755.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner7871.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner8500.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner8712.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\banner9114.html
c:\documents and settings\Rob\Local Settings\Temporary Internet Files\Dxc.log
c:\documents and settings\User\Application Data\Dxcdmns.dll
c:\program files\Common Files\{391CD~1
c:\program files\Common Files\{391CD~1\Uninst.exe
c:\program files\Common Files\{891CD~1
c:\program files\inetget2
c:\windows\IE4 Error Log.txt
c:\windows\system32\guard.tmp
c:\windows\system32\pzreg1.exe.bak1
c:\windows\system32\Show Pink Zone.ico
c:\windows\system32\spzax.ocx

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_R_SERVER
-------\Service_r_server


((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.

2008-11-18 17:02 . 2008-11-18 17:02 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old70
2008-11-17 20:46 . 2008-11-17 20:46 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old69
2008-11-17 20:25 . 2008-11-17 20:25 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old68
2008-11-17 20:18 . 2008-11-17 20:18 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old67
2008-11-17 20:00 . 2008-11-17 20:00 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old66
2008-11-17 19:15 . 2008-11-17 19:15 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old65
2008-11-17 19:07 . 2008-11-17 19:07 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old64
2008-11-17 18:30 . 2008-11-17 18:30 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old63
2008-11-17 18:24 . 2008-11-17 18:24 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old62
2008-11-17 16:58 . 2008-11-17 16:58 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old61
2008-11-16 20:45 . 2008-11-16 20:45 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old60
2008-11-16 20:22 . 2008-11-16 20:22 707,072 --a------ c:\windows\system32\pm_proc1.exe.old17
2008-11-16 20:14 . 2008-11-16 20:22 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old59
2008-11-16 20:14 . 2008-11-16 20:14 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old58
2008-11-16 19:06 . 2008-11-16 19:06 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old57
2008-11-16 18:27 . 2008-11-16 18:27 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old56
2008-11-16 18:26 . 2008-11-16 18:26 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old55
2008-11-16 18:26 . 2008-11-16 18:27 707,072 --a------ c:\windows\system32\pm_proc1.exe.old16
2008-11-16 18:26 . 2008-11-16 18:26 707,072 --a------ c:\windows\system32\pm_proc1.exe.old15
2008-11-16 18:25 . 2008-11-16 18:25 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old54
2008-11-16 18:25 . 2008-11-16 18:25 707,072 --a------ c:\windows\system32\pm_proc1.exe.old14
2008-11-16 18:25 . 2008-11-16 18:25 707,072 --a------ c:\windows\system32\pm_proc1.exe.old13
2008-11-16 17:10 . 2008-11-16 18:25 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old53
2008-11-16 17:10 . 2008-11-16 17:10 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old52
2008-11-16 16:51 . 2008-11-16 16:51 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old51
2008-11-16 16:31 . 2008-11-16 16:31 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old50
2008-11-16 16:31 . 2008-11-16 16:31 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old49
2008-11-16 16:31 . 2008-11-16 16:31 707,072 --a------ c:\windows\system32\pm_proc1.exe.old12
2008-11-16 16:31 . 2008-11-16 16:31 707,072 --a------ c:\windows\system32\pm_proc1.exe.old11
2008-11-16 16:25 . 2008-11-16 16:25 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old48
2008-11-16 16:02 . 2008-11-16 16:02 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old47
2008-11-16 14:35 . 2008-11-16 14:35 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old46
2008-11-16 14:28 . 2008-11-16 14:28 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old45
2008-11-16 14:21 . 2008-11-16 14:21 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old44
2008-11-16 14:13 . 2008-11-16 14:14 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old43
2008-11-16 14:13 . 2008-11-16 14:13 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old42
2008-11-16 14:13 . 2008-11-16 14:14 707,072 --a------ c:\windows\system32\pm_proc1.exe.old10
2008-11-16 13:08 . 2008-11-16 14:04 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old41
2008-11-16 13:08 . 2008-11-16 13:11 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old40
2008-11-16 13:08 . 2008-11-16 13:08 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old39
2008-11-16 13:08 . 2008-11-16 13:10 707,072 --a------ c:\windows\system32\pm_proc1.exe.old9
2008-11-16 13:08 . 2008-11-16 13:08 707,072 --a------ c:\windows\system32\pm_proc1.exe.old8
2008-11-16 13:07 . 2008-11-16 13:07 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old38
2008-11-16 12:42 . 2008-11-16 12:42 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old37
2008-11-16 12:40 . 2008-11-16 12:40 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old36
2008-11-16 12:34 . 2008-11-16 12:35 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old35
2008-11-16 12:34 . 2008-11-16 12:34 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old34
2008-11-16 12:34 . 2008-11-16 12:34 707,072 --a------ c:\windows\system32\pm_proc1.exe.old7
2008-11-16 12:33 . 2008-11-16 12:33 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old33
2008-11-16 11:55 . 2008-11-16 11:56 250 --a------ c:\windows\gmer.ini
2008-11-16 11:51 . 2008-11-16 11:51 707,072 --a------ c:\windows\system32\pm_proc1.exe.old6
2008-11-16 11:50 . 2008-11-16 11:50 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old32
2008-11-16 11:50 . 2008-11-16 11:50 707,072 --a------ c:\windows\system32\pm_proc1.exe.old5
2008-11-16 11:49 . 2008-11-16 11:49 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old31
2008-11-16 11:43 . 2008-11-16 11:43 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old30
2008-11-16 11:04 . 2008-11-16 11:05 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old29
2008-11-16 11:04 . 2008-11-16 11:04 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old28
2008-11-16 11:04 . 2008-11-16 11:05 707,072 --a------ c:\windows\system32\pm_proc1.exe.old4
2008-11-16 11:04 . 2008-11-16 11:04 707,072 --a------ c:\windows\system32\pm_proc1.exe.old3
2008-11-16 11:02 . 2008-11-16 11:02 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old27
2008-11-16 11:00 . 2008-11-16 11:00 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old26
2008-11-16 10:47 . 2008-11-16 10:47 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old25
2008-11-16 10:43 . 2008-11-16 10:43 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old24
2008-11-16 10:36 . 2008-11-16 10:36 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old23
2008-11-16 10:34 . 2008-11-16 10:34 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old22
2008-11-16 10:30 . 2008-11-16 10:30 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old21
2008-11-16 10:05 . 2008-11-16 10:05 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old20
2008-11-16 09:14 . 2008-11-16 09:14 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old19
2008-11-16 09:02 . 2008-11-16 09:02 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old18
2008-11-16 08:48 . 2008-11-16 08:48 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old17
2008-11-15 19:32 . 2008-11-15 19:32 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old16
2008-11-15 19:16 . 2008-11-15 19:16 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old15
2008-11-15 15:08 . 2008-11-15 15:08 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old14
2008-11-15 14:45 . 2008-11-15 14:45 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old13
2008-11-15 14:23 . 2008-11-15 14:23 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old12
2008-11-15 13:14 . 2008-11-15 13:14 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old11
2008-11-15 12:06 . 2008-11-15 12:06 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old10
2008-11-15 11:43 . 2008-11-15 11:43 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old9
2008-11-15 11:19 . 2008-11-15 11:24 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old8
2008-11-15 11:19 . 2008-11-15 11:19 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old7
2008-11-15 10:20 . 2008-11-15 10:20 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old5
2008-11-15 10:16 . 2008-11-15 10:16 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old4
2008-11-15 10:13 . 2008-11-15 10:13 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old3
2008-11-15 10:12 . 2008-11-15 10:12 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old2
2008-11-15 10:12 . 2008-11-15 10:12 707,072 --a------ c:\windows\system32\pm_proc1.exe.old2
2008-11-12 20:27 . 2008-11-12 20:27 244 --ah----- C:\sqmnoopt16.sqm
2008-11-12 20:27 . 2008-11-12 20:27 232 --ah----- C:\sqmdata17.sqm
2008-11-06 17:32 . 2008-11-06 17:32 244 --ah----- C:\sqmnoopt15.sqm
2008-11-06 17:32 . 2008-11-06 17:32 232 --ah----- C:\sqmdata16.sqm
2008-11-05 20:28 . 2008-11-05 20:28 <DIR> d-------- c:\program files\Gameforge4D
2008-11-05 20:28 . 2004-05-10 13:14 118,272 --a------ c:\windows\system32\SX5363S.DLL
2008-11-05 20:28 . 2004-05-10 13:14 102,400 --a------ c:\windows\system32\RV32RTP.dll
2008-11-05 20:28 . 2004-05-10 13:15 40 --a------ c:\windows\system32\Sx5363.ini
2008-10-28 20:35 . 2008-11-01 12:40 <DIR> d-------- c:\documents and settings\User\Application Data\SPORE
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\program files\iTunes
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-26 14:48 . 2008-10-26 14:48 <DIR> d-------- c:\program files\Bonjour
2008-10-26 14:46 . 2008-10-26 14:47 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 17:46 38,156,320 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-18 17:46 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-18 17:45 --------- d-----w c:\program files\BOINC
2008-11-18 17:36 447,692 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-18 17:03 94,720 ----a-w c:\windows\system32\pm_proc2.exe
2008-11-12 18:58 --------- d-----w c:\documents and settings\User\Application Data\Canon
2008-10-26 14:51 --------- d-----w c:\program files\iPod
2008-10-26 14:46 --------- d-----w c:\program files\Common Files\Apple
2008-10-24 22:22 4,203,520 ----a-w c:\windows\Internet Logs\xDB26.tmp
2008-10-24 22:21 771,072 ----a-w c:\windows\Internet Logs\xDB25.tmp
2008-10-24 17:15 --------- d-----w c:\program files\Microsoft Games
2008-10-24 11:44 --------- d-----w c:\program files\Cossacks - Back To War
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 19:59 --------- d-----w c:\program files\Microsoft AutoRoute
2008-10-14 19:14 4,172,288 ----a-w c:\windows\Internet Logs\xDB24.tmp
2008-10-10 19:51 --------- d-----w c:\program files\XoftSpySE
2008-10-10 19:26 --------- d-----w c:\program files\DreamQuest
2008-10-05 08:26 --------- d-----w c:\program files\Coupon Printer
2008-10-01 16:55 --------- d-----w c:\program files\Ahead
2008-10-01 16:50 --------- d-----w c:\program files\Common Files\Nero
2008-10-01 16:47 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-23 06:38 17,413,341 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-09 18:25 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 09:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-20 13:13 649,216 ----a-w c:\windows\Internet Logs\xDB22.tmp
2008-08-20 13:13 4,016,128 ----a-w c:\windows\Internet Logs\xDB23.tmp
2006-07-12 16:31 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
2008-05-19 09:42 321 --sh--w c:\windows\system32\2300369754.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-15 13570048]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"SmartError_updater"="c:\program files\SmartError\SmartErrorUpdater.exe" [2006-03-08 77824]
"BigDog305"="c:\windows\VM305_STI.EXE" [2005-08-05 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-21 185896]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-15 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"VTTimer"="VTTimer.exe" [2005-03-09 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-12 c:\windows\system32\VTTrayp.exe]
"CARPService"="carpserv.exe" [2003-06-11 c:\windows\system32\carpserv.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-08-15 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
World Community Grid - BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2008-03-17 3874816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Orange\\Livebox\\RGWREPAIR.EXE"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%systemroot%\\winmech\\services.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-11 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 231704]
R2 winmech;Security Services Internet;c:\windows\winmech\NTSERV~1\srunner.exe [2007-07-13 63488]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys []
S3 GameConsoleService;GameConsoleService;"c:\program files\HP Games\My HP Game Console\GameConsoleService.exe" [2008-05-05 165416]
S3 PciCon;PciCon;\??\D:\PciCon.sys []
S3 V90drv;v90drv;c:\windows\system32\DRIVERS\v90drv.sys [2001-11-29 1432836]
S3 XDva008;XDva008;\??\c:\windows\system32\XDva008.sys []
S3 ZSMC0305;VIMICRO USB PC Camera V;c:\windows\system32\Drivers\usbVM305.sys [2006-08-18 392316]
.
Contents of the 'Scheduled Tasks' folder

2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2006-09-27 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe []

2008-11-18 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 13:44]

2008-09-23 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 13:44]
.
- - - - ORPHANS REMOVED - - - -

BHO-{8FD66659-A7AF-4641-9999-C56607D3A0AB} - (no file)
HKCU-Run-BitTorrent - c:\documents and settings\User\My Documents\Misc\bittorrent.exe
HKLM-Run-plsi - c:\windows\system32\pm_proc1.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=4&link=ctg_trs_home_from_bcs_thankyou_sitenav
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?03146f322e1e48df8fb6670ae8ee86ed
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?03146f322e1e48df8fb6670ae8ee86ed
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk -

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

c:\windows\csauie1.ocx - O16 -: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16}
hxxp://www.couponreport.net/ftp/v3123/csauie1.cab
c:\windows\Downloaded Program Files\csauie1.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 17:42:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
c:\windows\system32\slmdmsr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\COMMON~1\Stardock\sdmcp.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\BOINC\boinc.exe
c:\program files\BOINC\projects\http://www.worldcommunitygrid.org\wc...ndows_intelx86
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-11-18 17:58:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-18 17:58:18

Pre-Run: 4,650,995,712 bytes free
Post-Run: 5,927,636,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

342 --- E O F --- 2008-11-13 08:28:35



Also, I've noticed that the threat alert no longer appears! Plus, the resident shield from AVG free is not active; can I fix that by reinstalling AVG?

Many thanks
massey91 is offline  
Old 11-18-2008, 02:02 PM   #6 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: system 32 trojan

Hi there

There are still a few items to take care of...

Go to the Start menu, select Run, and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Quote:
File::
c:\windows\system32\pm_setup_util.exe.old70
c:\windows\system32\pm_setup_util.exe.old69
c:\windows\system32\pm_setup_util.exe.old68
c:\windows\system32\pm_setup_util.exe.old67
c:\windows\system32\pm_setup_util.exe.old66
c:\windows\system32\pm_setup_util.exe.old65
c:\windows\system32\pm_setup_util.exe.old64
c:\windows\system32\pm_setup_util.exe.old63
c:\windows\system32\pm_setup_util.exe.old62
c:\windows\system32\pm_setup_util.exe.old61
c:\windows\system32\pm_setup_util.exe.old60
c:\windows\system32\pm_proc1.exe.old17
c:\windows\system32\pm_setup_util.exe.old59
c:\windows\system32\pm_setup_util.exe.old58
c:\windows\system32\pm_setup_util.exe.old57
c:\windows\system32\pm_setup_util.exe.old56
c:\windows\system32\pm_setup_util.exe.old55
c:\windows\system32\pm_proc1.exe.old16
c:\windows\system32\pm_proc1.exe.old15
c:\windows\system32\pm_setup_util.exe.old54
c:\windows\system32\pm_proc1.exe.old14
c:\windows\system32\pm_proc1.exe.old13
c:\windows\system32\pm_setup_util.exe.old53
c:\windows\system32\pm_setup_util.exe.old52
c:\windows\system32\pm_setup_util.exe.old51
c:\windows\system32\pm_setup_util.exe.old50
c:\windows\system32\pm_setup_util.exe.old49
c:\windows\system32\pm_proc1.exe.old12
c:\windows\system32\pm_proc1.exe.old11
c:\windows\system32\pm_setup_util.exe.old48
c:\windows\system32\pm_setup_util.exe.old47
c:\windows\system32\pm_setup_util.exe.old46
c:\windows\system32\pm_setup_util.exe.old45
c:\windows\system32\pm_setup_util.exe.old44
c:\windows\system32\pm_setup_util.exe.old43
c:\windows\system32\pm_setup_util.exe.old42
c:\windows\system32\pm_proc1.exe.old10
c:\windows\system32\pm_setup_util.exe.old41
c:\windows\system32\pm_setup_util.exe.old40
c:\windows\system32\pm_setup_util.exe.old39
c:\windows\system32\pm_proc1.exe.old9
c:\windows\system32\pm_proc1.exe.old8
c:\windows\system32\pm_setup_util.exe.old38
c:\windows\system32\pm_setup_util.exe.old37
c:\windows\system32\pm_setup_util.exe.old36
c:\windows\system32\pm_setup_util.exe.old35
c:\windows\system32\pm_setup_util.exe.old34
c:\windows\system32\pm_proc1.exe.old7
c:\windows\system32\pm_setup_util.exe.old33
c:\windows\system32\pm_proc1.exe.old6
c:\windows\system32\pm_setup_util.exe.old32
c:\windows\system32\pm_proc1.exe.old5
c:\windows\system32\pm_setup_util.exe.old31
c:\windows\system32\pm_setup_util.exe.old30
c:\windows\system32\pm_setup_util.exe.old29
c:\windows\system32\pm_setup_util.exe.old28
c:\windows\system32\pm_proc1.exe.old4
c:\windows\system32\pm_proc1.exe.old3
c:\windows\system32\pm_setup_util.exe.old27
c:\windows\system32\pm_setup_util.exe.old26
c:\windows\system32\pm_setup_util.exe.old25
c:\windows\system32\pm_setup_util.exe.old24
c:\windows\system32\pm_setup_util.exe.old23
c:\windows\system32\pm_setup_util.exe.old22
c:\windows\system32\pm_setup_util.exe.old21
c:\windows\system32\pm_setup_util.exe.old20
c:\windows\system32\pm_setup_util.exe.old19
c:\windows\system32\pm_setup_util.exe.old18
c:\windows\system32\pm_setup_util.exe.old17
c:\windows\system32\pm_setup_util.exe.old16
c:\windows\system32\pm_setup_util.exe.old15
c:\windows\system32\pm_setup_util.exe.old14
c:\windows\system32\pm_setup_util.exe.old13
c:\windows\system32\pm_setup_util.exe.old12
c:\windows\system32\pm_setup_util.exe.old11
c:\windows\system32\pm_setup_util.exe.old10
c:\windows\system32\pm_setup_util.exe.old9
c:\windows\system32\pm_setup_util.exe.old8
c:\windows\system32\pm_setup_util.exe.old7
c:\windows\system32\pm_setup_util.exe.old5
c:\windows\system32\pm_setup_util.exe.old4
c:\windows\system32\pm_setup_util.exe.old3
c:\windows\system32\pm_setup_util.exe.old2
c:\windows\system32\pm_proc1.exe.old2
c:\windows\system32\pm_setup_util.exe
c:\windows\system32\pm_proc1.exe
c:\windows\system32\pm_proc2.exe
- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.



Combofix will then execute the script and produce a fresh log

Next I want you to run an online scan at Kaspersky; first, let's clear out any unwanted files.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post back with:
>> Combofix log
>> Kaspersky log

As a side note: yes, you can re-install AVG to fix the problem (if it is still an issue), but please do this last so it does not interfere with ComboFix.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
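The helper points out that many of the finds in the requested Kaspersky report will already have been quarantined by ComboFix. As an added example (not code from this post, ComboFix or Kaspersky), this Python script parses report lines of the "File name / Threat name / Threats count" form posted further down the thread, maps hits inside ComboFix's C:\Qoobox\Quarantine folder back to the path they were taken from, and collapses the numbered .oldN re-dropped copies into one entry per base file so the still-live infections stand out; the sample report is constructed from a few paths seen in this thread.

```python
"""Triage a Kaspersky Online Scanner 7 report: live hits vs. ComboFix quarantine.

Added example for this thread; not code from the forum post, ComboFix or
Kaspersky. It relies only on the report line format visible in the thread.
"""
import re

# ComboFix keeps the files it removes under C:\Qoobox\Quarantine, renamed
# with a ".vir" suffix, so Kaspersky re-flags them there as well.
QUARANTINE_PREFIX = r"c:\qoobox\quarantine" + "\\"

# One detection line: "<path> Infected: <threat name> <count>". The path may
# contain spaces, so it is matched non-greedily up to the " Infected: " marker.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Numbered re-dropped copies such as "pm_proc2.exe.old100" or "pzreg1.exe.bak1".
GENERATION_RE = re.compile(r"^(?P<base>.+?)\.(?:old|bak)\d+$", re.IGNORECASE)

# Constructed sample in the format of the report posted in this thread
# (a handful of its lines; the real report lists 162 infected objects).
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.h 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old10.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc2.exe.vir Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc1.exe.old0 Infected: Trojan.Win32.Agent.aewg 1
C:\WINDOWS\system32\pm_proc1.exe.old1 Infected: Trojan.Win32.Agent.aewg 1
C:\WINDOWS\system32\pm_proc2.exe.old0 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old100 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old17 Infected: Trojan.Win32.Agent.aghn 1
"""


def original_path(path):
    """Map a quarantine copy back to where it was taken from.

    Returns (path, was_quarantined). A path outside the quarantine folder is
    returned unchanged.
    """
    if not path.lower().startswith(QUARANTINE_PREFIX):
        return path, False
    # C:\Qoobox\Quarantine\C\WINDOWS\x.exe.vir -> drive "C", tail "WINDOWS\x.exe.vir"
    rest = path[len(QUARANTINE_PREFIX):]
    drive, _, tail = rest.partition("\\")
    if tail.lower().endswith(".vir"):
        tail = tail[:-4]
    return drive + ":\\" + tail, True


def summarize(report_text):
    """Group detections by base file, collapsing the .oldN copies.

    Returns (families, unparsed): families maps the lower-cased base path to
    {"path", "threats", "live", "quarantined"}; unparsed lists any non-blank,
    non-header lines the regex did not understand, for manual review.
    """
    families, unparsed = {}, []
    for line in report_text.splitlines():
        line = line.strip()
        if not line or line.startswith("File name / Threat name"):
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        path, quarantined = original_path(m["path"])
        g = GENERATION_RE.match(path)
        base = g["base"] if g else path
        fam = families.setdefault(
            base.lower(), {"path": base, "threats": set(), "live": set(), "quarantined": set()}
        )
        fam["threats"].add(m["threat"])
        fam["quarantined" if quarantined else "live"].add(path)
    return families, unparsed


def live_families(families):
    """Base files that still have a copy outside quarantine: these are the
    hits that still need clean-up, the rest have already been removed."""
    return sorted(f["path"] for f in families.values() if f["live"])


def format_summary(families, unparsed):
    rows = []
    for key in sorted(families):
        f = families[key]
        status = "LIVE" if f["live"] else "quarantined only"
        rows.append("%-16s %3d live %3d quarantined  %s  [%s]" % (
            status, len(f["live"]), len(f["quarantined"]),
            f["path"], ", ".join(sorted(f["threats"]))))
    if unparsed:
        rows.append("%d line(s) not understood, review by hand" % len(unparsed))
    return "\n".join(rows)


if __name__ == "__main__":
    fams, bad = summarize(SAMPLE_REPORT)
    print(format_summary(fams, bad))
```

Feed the full report text to summarize() instead of SAMPLE_REPORT to triage a real scan; anything that lands in the unparsed list (other verdict types, statistics lines) is reported rather than silently dropped.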
Old 11-19-2008, 03:09 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 15
OS: Win xp SP 2


Re: system 32 trojan

Here's the new ComboFix log:


ComboFix 08-11-18.02 - User 2008-11-18 21:56:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.165 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt..txt

FILE ::
c:\windows\system32\pm_proc1.exe
c:\windows\system32\pm_proc1.exe.old10
c:\windows\system32\pm_proc1.exe.old11
c:\windows\system32\pm_proc1.exe.old12
c:\windows\system32\pm_proc1.exe.old13
c:\windows\system32\pm_proc1.exe.old14
c:\windows\system32\pm_proc1.exe.old15
c:\windows\system32\pm_proc1.exe.old16
c:\windows\system32\pm_proc1.exe.old17
c:\windows\system32\pm_proc1.exe.old2
c:\windows\system32\pm_proc1.exe.old3
c:\windows\system32\pm_proc1.exe.old4
c:\windows\system32\pm_proc1.exe.old5
c:\windows\system32\pm_proc1.exe.old6
c:\windows\system32\pm_proc1.exe.old7
c:\windows\system32\pm_proc1.exe.old8
c:\windows\system32\pm_proc1.exe.old9
c:\windows\system32\pm_proc2.exe
c:\windows\system32\pm_setup_util.exe
c:\windows\system32\pm_setup_util.exe.old10
c:\windows\system32\pm_setup_util.exe.old11
c:\windows\system32\pm_setup_util.exe.old12
c:\windows\system32\pm_setup_util.exe.old13
c:\windows\system32\pm_setup_util.exe.old14
c:\windows\system32\pm_setup_util.exe.old15
c:\windows\system32\pm_setup_util.exe.old16
c:\windows\system32\pm_setup_util.exe.old17
c:\windows\system32\pm_setup_util.exe.old18
c:\windows\system32\pm_setup_util.exe.old19
c:\windows\system32\pm_setup_util.exe.old2
c:\windows\system32\pm_setup_util.exe.old20
c:\windows\system32\pm_setup_util.exe.old21
c:\windows\system32\pm_setup_util.exe.old22
c:\windows\system32\pm_setup_util.exe.old23
c:\windows\system32\pm_setup_util.exe.old24
c:\windows\system32\pm_setup_util.exe.old25
c:\windows\system32\pm_setup_util.exe.old26
c:\windows\system32\pm_setup_util.exe.old27
c:\windows\system32\pm_setup_util.exe.old28
c:\windows\system32\pm_setup_util.exe.old29
c:\windows\system32\pm_setup_util.exe.old3
c:\windows\system32\pm_setup_util.exe.old30
c:\windows\system32\pm_setup_util.exe.old31
c:\windows\system32\pm_setup_util.exe.old32
c:\windows\system32\pm_setup_util.exe.old33
c:\windows\system32\pm_setup_util.exe.old34
c:\windows\system32\pm_setup_util.exe.old35
c:\windows\system32\pm_setup_util.exe.old36
c:\windows\system32\pm_setup_util.exe.old37
c:\windows\system32\pm_setup_util.exe.old38
c:\windows\system32\pm_setup_util.exe.old39
c:\windows\system32\pm_setup_util.exe.old4
c:\windows\system32\pm_setup_util.exe.old40
c:\windows\system32\pm_setup_util.exe.old41
c:\windows\system32\pm_setup_util.exe.old42
c:\windows\system32\pm_setup_util.exe.old43
c:\windows\system32\pm_setup_util.exe.old44
c:\windows\system32\pm_setup_util.exe.old45
c:\windows\system32\pm_setup_util.exe.old46
c:\windows\system32\pm_setup_util.exe.old47
c:\windows\system32\pm_setup_util.exe.old48
c:\windows\system32\pm_setup_util.exe.old49
c:\windows\system32\pm_setup_util.exe.old5
c:\windows\system32\pm_setup_util.exe.old50
c:\windows\system32\pm_setup_util.exe.old51
c:\windows\system32\pm_setup_util.exe.old52
c:\windows\system32\pm_setup_util.exe.old53
c:\windows\system32\pm_setup_util.exe.old54
c:\windows\system32\pm_setup_util.exe.old55
c:\windows\system32\pm_setup_util.exe.old56
c:\windows\system32\pm_setup_util.exe.old57
c:\windows\system32\pm_setup_util.exe.old58
c:\windows\system32\pm_setup_util.exe.old59
c:\windows\system32\pm_setup_util.exe.old60
c:\windows\system32\pm_setup_util.exe.old61
c:\windows\system32\pm_setup_util.exe.old62
c:\windows\system32\pm_setup_util.exe.old63
c:\windows\system32\pm_setup_util.exe.old64
c:\windows\system32\pm_setup_util.exe.old65
c:\windows\system32\pm_setup_util.exe.old66
c:\windows\system32\pm_setup_util.exe.old67
c:\windows\system32\pm_setup_util.exe.old68
c:\windows\system32\pm_setup_util.exe.old69
c:\windows\system32\pm_setup_util.exe.old7
c:\windows\system32\pm_setup_util.exe.old70
c:\windows\system32\pm_setup_util.exe.old8
c:\windows\system32\pm_setup_util.exe.old9
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\pm_proc1.exe.old10
c:\windows\system32\pm_proc1.exe.old11
c:\windows\system32\pm_proc1.exe.old12
c:\windows\system32\pm_proc1.exe.old13
c:\windows\system32\pm_proc1.exe.old14
c:\windows\system32\pm_proc1.exe.old15
c:\windows\system32\pm_proc1.exe.old16
c:\windows\system32\pm_proc1.exe.old17
c:\windows\system32\pm_proc1.exe.old2
c:\windows\system32\pm_proc1.exe.old3
c:\windows\system32\pm_proc1.exe.old4
c:\windows\system32\pm_proc1.exe.old5
c:\windows\system32\pm_proc1.exe.old6
c:\windows\system32\pm_proc1.exe.old7
c:\windows\system32\pm_proc1.exe.old8
c:\windows\system32\pm_proc1.exe.old9
c:\windows\system32\pm_proc2.exe
c:\windows\system32\pm_setup_util.exe.old10
c:\windows\system32\pm_setup_util.exe.old11
c:\windows\system32\pm_setup_util.exe.old12
c:\windows\system32\pm_setup_util.exe.old13
c:\windows\system32\pm_setup_util.exe.old14
c:\windows\system32\pm_setup_util.exe.old15
c:\windows\system32\pm_setup_util.exe.old16
c:\windows\system32\pm_setup_util.exe.old17
c:\windows\system32\pm_setup_util.exe.old18
c:\windows\system32\pm_setup_util.exe.old19
c:\windows\system32\pm_setup_util.exe.old2
c:\windows\system32\pm_setup_util.exe.old20
c:\windows\system32\pm_setup_util.exe.old21
c:\windows\system32\pm_setup_util.exe.old22
c:\windows\system32\pm_setup_util.exe.old23
c:\windows\system32\pm_setup_util.exe.old24
c:\windows\system32\pm_setup_util.exe.old25
c:\windows\system32\pm_setup_util.exe.old26
c:\windows\system32\pm_setup_util.exe.old27
c:\windows\system32\pm_setup_util.exe.old28
c:\windows\system32\pm_setup_util.exe.old29
c:\windows\system32\pm_setup_util.exe.old3
c:\windows\system32\pm_setup_util.exe.old30
c:\windows\system32\pm_setup_util.exe.old31
c:\windows\system32\pm_setup_util.exe.old32
c:\windows\system32\pm_setup_util.exe.old33
c:\windows\system32\pm_setup_util.exe.old34
c:\windows\system32\pm_setup_util.exe.old35
c:\windows\system32\pm_setup_util.exe.old36
c:\windows\system32\pm_setup_util.exe.old37
c:\windows\system32\pm_setup_util.exe.old38
c:\windows\system32\pm_setup_util.exe.old39
c:\windows\system32\pm_setup_util.exe.old4
c:\windows\system32\pm_setup_util.exe.old40
c:\windows\system32\pm_setup_util.exe.old41
c:\windows\system32\pm_setup_util.exe.old42
c:\windows\system32\pm_setup_util.exe.old43
c:\windows\system32\pm_setup_util.exe.old44
c:\windows\system32\pm_setup_util.exe.old45
c:\windows\system32\pm_setup_util.exe.old46
c:\windows\system32\pm_setup_util.exe.old47
c:\windows\system32\pm_setup_util.exe.old48
c:\windows\system32\pm_setup_util.exe.old49
c:\windows\system32\pm_setup_util.exe.old5
c:\windows\system32\pm_setup_util.exe.old50
c:\windows\system32\pm_setup_util.exe.old51
c:\windows\system32\pm_setup_util.exe.old52
c:\windows\system32\pm_setup_util.exe.old53
c:\windows\system32\pm_setup_util.exe.old54
c:\windows\system32\pm_setup_util.exe.old55
c:\windows\system32\pm_setup_util.exe.old56
c:\windows\system32\pm_setup_util.exe.old57
c:\windows\system32\pm_setup_util.exe.old58
c:\windows\system32\pm_setup_util.exe.old59
c:\windows\system32\pm_setup_util.exe.old60
c:\windows\system32\pm_setup_util.exe.old61
c:\windows\system32\pm_setup_util.exe.old62
c:\windows\system32\pm_setup_util.exe.old63
c:\windows\system32\pm_setup_util.exe.old64
c:\windows\system32\pm_setup_util.exe.old65
c:\windows\system32\pm_setup_util.exe.old66
c:\windows\system32\pm_setup_util.exe.old67
c:\windows\system32\pm_setup_util.exe.old68
c:\windows\system32\pm_setup_util.exe.old69
c:\windows\system32\pm_setup_util.exe.old7
c:\windows\system32\pm_setup_util.exe.old70
c:\windows\system32\pm_setup_util.exe.old8
c:\windows\system32\pm_setup_util.exe.old9

.
((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.

2008-11-16 11:55 . 2008-11-16 11:56 250 --a------ c:\windows\gmer.ini
2008-11-15 10:04 . 2008-11-15 10:05 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old1
2008-11-12 20:27 . 2008-11-12 20:27 244 --ah----- C:\sqmnoopt16.sqm
2008-11-12 20:27 . 2008-11-12 20:27 232 --ah----- C:\sqmdata17.sqm
2008-11-06 17:32 . 2008-11-06 17:32 244 --ah----- C:\sqmnoopt15.sqm
2008-11-06 17:32 . 2008-11-06 17:32 232 --ah----- C:\sqmdata16.sqm
2008-11-05 20:28 . 2008-11-05 20:28 <DIR> d-------- c:\program files\Gameforge4D
2008-11-05 20:28 . 2004-05-10 13:14 118,272 --a------ c:\windows\system32\SX5363S.DLL
2008-11-05 20:28 . 2004-05-10 13:14 102,400 --a------ c:\windows\system32\RV32RTP.dll
2008-11-05 20:28 . 2004-05-10 13:15 40 --a------ c:\windows\system32\Sx5363.ini
2008-10-28 20:35 . 2008-11-18 21:07 <DIR> d-------- c:\documents and settings\User\Application Data\SPORE
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\program files\iTunes
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-26 14:48 . 2008-10-26 14:48 <DIR> d-------- c:\program files\Bonjour
2008-10-26 14:46 . 2008-10-26 14:47 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 22:06 38,484,000 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-18 22:06 --------- d-----w c:\program files\BOINC
2008-11-18 22:06 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-18 17:36 447,692 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-12 18:58 --------- d-----w c:\documents and settings\User\Application Data\Canon
2008-10-26 14:51 --------- d-----w c:\program files\iPod
2008-10-26 14:46 --------- d-----w c:\program files\Common Files\Apple
2008-10-24 22:22 4,203,520 ----a-w c:\windows\Internet Logs\xDB26.tmp
2008-10-24 22:21 771,072 ----a-w c:\windows\Internet Logs\xDB25.tmp
2008-10-24 17:15 --------- d-----w c:\program files\Microsoft Games
2008-10-24 11:44 --------- d-----w c:\program files\Cossacks - Back To War
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 19:59 --------- d-----w c:\program files\Microsoft AutoRoute
2008-10-14 19:14 4,172,288 ----a-w c:\windows\Internet Logs\xDB24.tmp
2008-10-10 19:51 --------- d-----w c:\program files\XoftSpySE
2008-10-10 19:26 --------- d-----w c:\program files\DreamQuest
2008-10-05 08:26 --------- d-----w c:\program files\Coupon Printer
2008-10-01 16:55 --------- d-----w c:\program files\Ahead
2008-10-01 16:50 --------- d-----w c:\program files\Common Files\Nero
2008-10-01 16:47 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-23 06:38 17,413,341 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-09 18:25 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 09:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-20 13:13 649,216 ----a-w c:\windows\Internet Logs\xDB22.tmp
2008-08-20 13:13 4,016,128 ----a-w c:\windows\Internet Logs\xDB23.tmp
2006-07-12 16:31 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
2008-05-19 09:42 321 --sh--w c:\windows\system32\2300369754.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-15 13570048]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"SmartError_updater"="c:\program files\SmartError\SmartErrorUpdater.exe" [2006-03-08 77824]
"BigDog305"="c:\windows\VM305_STI.EXE" [2005-08-05 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-21 185896]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-15 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"VTTimer"="VTTimer.exe" [2005-03-09 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-12 c:\windows\system32\VTTrayp.exe]
"CARPService"="carpserv.exe" [2003-06-11 c:\windows\system32\carpserv.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-08-15 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
World Community Grid - BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2008-03-17 3874816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Orange\\Livebox\\RGWREPAIR.EXE"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%systemroot%\\winmech\\services.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-11 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 231704]
R2 winmech;Security Services Internet;c:\windows\winmech\NTSERV~1\srunner.exe [2007-07-13 63488]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys []
S3 GameConsoleService;GameConsoleService;"c:\program files\HP Games\My HP Game Console\GameConsoleService.exe" [2008-05-05 165416]
S3 PciCon;PciCon;\??\D:\PciCon.sys []
S3 V90drv;v90drv;c:\windows\system32\DRIVERS\v90drv.sys [2001-11-29 1432836]
S3 XDva008;XDva008;\??\c:\windows\system32\XDva008.sys []
S3 ZSMC0305;VIMICRO USB PC Camera V;c:\windows\system32\Drivers\usbVM305.sys [2006-08-18 392316]
.
Contents of the 'Scheduled Tasks' folder

2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2006-09-27 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe []

2008-11-18 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 13:44]

2008-09-23 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 13:44]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 22:05:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-18 22:15:43
ComboFix-quarantined-files.txt 2008-11-18 22:15:34

Pre-Run: 5,549,625,344 bytes free
Post-Run: 5,653,753,856 bytes free

341 --- E O F --- 2008-11-13 08:28:35




And the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, November 19, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, November 19, 2008 17:18:29
Records in database: 1394709
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 153329
Threat name: 6
Infected objects: 162
Suspicious objects: 0
Duration of the scan: 02:56:04


File name / Threat name / Threats count
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.h 1
C:\Program Files\Orange\setup\Orange_icons.EXE Infected: not-a-virus:AdWare.Win32.BHO.ahy 1
C:\Program Files\orange3\orange3.dll_0_ Infected: not-a-virus:AdWare.Win32.BHO.ahy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old10.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old11.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old12.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old13.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old14.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old15.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old16.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old17.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old2.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old3.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old4.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old5.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old6.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old7.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old8.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc1.exe.old9.vir Infected: Trojan.Win32.Agent.aewg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pm_proc2.exe.vir Infected: Trojan.Win32.Agent.aghn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pzreg1.exe.bak1.vir Infected: Trojan.Win32.Agent.afi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spzax.ocx.vir Infected: Trojan.Win32.Agent.zzh 1
C:\WINDOWS\system32\pm_proc1.exe.old0 Infected: Trojan.Win32.Agent.aewg 1
C:\WINDOWS\system32\pm_proc1.exe.old1 Infected: Trojan.Win32.Agent.aewg 1
C:\WINDOWS\system32\pm_proc2.exe.old0 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old1 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old10 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old100 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old101 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old102 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old103 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old104 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old105 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old106 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old107 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old108 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old109 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old11 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old110 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old111 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old112 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old113 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old114 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old115 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old116 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old117 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old118 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old119 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old12 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old120 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old121 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old122 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old123 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old124 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old125 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old126 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old127 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old128 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old129 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old13 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old130 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old131 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old132 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old133 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old134 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old135 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old136 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old14 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old15 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old16 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old17 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old18 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old19 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old2 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old20 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old21 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old22 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old23 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old24 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old25 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old26 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old27 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old28 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old29 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old3 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old30 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old31 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old32 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old33 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old34 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old35 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old36 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old37 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old38 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old39 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old4 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old40 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old41 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old42 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old43 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old44 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old45 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old46 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old47 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old48 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old49 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old5 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old50 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old51 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old52 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old53 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old54 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old55 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old56 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old57 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old58 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old59 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old6 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old60 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old61 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old62 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old63 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old64 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old65 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old66 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old67 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old68 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old69 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old7 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old70 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old71 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old72 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old73 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old74 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old75 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old76 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old77 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old78 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old79 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old8 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old80 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old81 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old82 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old83 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old84 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old85 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old86 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old87 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old88 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old89 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old9 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old90 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old91 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old92 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old93 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old94 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old95 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old96 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old97 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old98 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old99 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pzreg1.exe.bak0 Infected: Trojan.Win32.Agent.afi 1

The selected area was scanned.





Thanks
11-20-2008, 11:12 AM   #8
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: system 32 trojan

Hi there

From the logs you posted it appears that some of the deleted files may have replicated.

First...

Please download Malwarebytes Anti-Malware (MBAM) and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Once done, please generate and post a fresh ComboFix log.

Post back with both logs.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007

Last edited by sjb007; 11-20-2008 at 11:16 AM.
11-21-2008, 12:03 PM   #9
Registered User
 
Join Date: Nov 2008
Posts: 15
OS: Win xp SP 2


Re: system 32 trojan

Hi,
The Malwarebytes log is too long to fit in a post, so I will post it as an attachment (if you'd prefer, I can post it in consecutive posts?).
Here is the ComboFix log:


ComboFix 08-11-21.02 - User 2008-11-21 18:32:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.141 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-21 to 2008-11-21 )))))))))))))))))))))))))))))))
.

2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 19:39 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 19:39 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-18 22:35 . 2008-11-18 22:35 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-18 22:35 . 2008-11-18 22:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-16 11:55 . 2008-11-16 11:56 250 --a------ c:\windows\gmer.ini
2008-11-15 10:04 . 2008-11-15 10:05 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old1
2008-11-12 20:27 . 2008-11-12 20:27 244 --ah----- C:\sqmnoopt16.sqm
2008-11-12 20:27 . 2008-11-12 20:27 232 --ah----- C:\sqmdata17.sqm
2008-11-06 17:32 . 2008-11-06 17:32 244 --ah----- C:\sqmnoopt15.sqm
2008-11-06 17:32 . 2008-11-06 17:32 232 --ah----- C:\sqmdata16.sqm
2008-11-05 20:28 . 2008-11-05 20:28 <DIR> d-------- c:\program files\Gameforge4D
2008-11-05 20:28 . 2004-05-10 13:14 118,272 --a------ c:\windows\system32\SX5363S.DLL
2008-11-05 20:28 . 2004-05-10 13:14 102,400 --a------ c:\windows\system32\RV32RTP.dll
2008-11-05 20:28 . 2004-05-10 13:15 40 --a------ c:\windows\system32\Sx5363.ini
2008-10-28 20:35 . 2008-11-18 21:07 <DIR> d-------- c:\documents and settings\User\Application Data\SPORE
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\program files\iTunes
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-26 14:48 . 2008-10-26 14:48 <DIR> d-------- c:\program files\Bonjour
2008-10-26 14:46 . 2008-10-26 14:47 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-21 18:45 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-21 17:52 --------- d-----w c:\program files\BOINC
2008-11-21 08:11 447,692 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-21 08:11 38,510,624 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-18 22:35 --------- d-----w c:\program files\Java
2008-11-18 22:18 19,102,169 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-12 18:58 --------- d-----w c:\documents and settings\User\Application Data\Canon
2008-10-26 14:51 --------- d-----w c:\program files\iPod
2008-10-26 14:46 --------- d-----w c:\program files\Common Files\Apple
2008-10-24 22:22 4,203,520 ----a-w c:\windows\Internet Logs\xDB26.tmp
2008-10-24 22:21 771,072 ----a-w c:\windows\Internet Logs\xDB25.tmp
2008-10-24 17:15 --------- d-----w c:\program files\Microsoft Games
2008-10-24 11:44 --------- d-----w c:\program files\Cossacks - Back To War
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 19:59 --------- d-----w c:\program files\Microsoft AutoRoute
2008-10-14 19:14 4,172,288 ----a-w c:\windows\Internet Logs\xDB24.tmp
2008-10-10 19:51 --------- d-----w c:\program files\XoftSpySE
2008-10-10 19:26 --------- d-----w c:\program files\DreamQuest
2008-10-05 08:26 --------- d-----w c:\program files\Coupon Printer
2008-10-01 16:55 --------- d-----w c:\program files\Ahead
2008-10-01 16:50 --------- d-----w c:\program files\Common Files\Nero
2008-10-01 16:47 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2006-07-12 16:31 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
2008-05-19 09:42 321 --sh--w c:\windows\system32\2300369754.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-18_17.56.48.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-13 01:19:56 49,248 ----a-w c:\windows\system32\java.exe
+ 2008-11-18 22:35:15 144,792 ----a-w c:\windows\system32\java.exe
- 2005-04-13 01:20:04 49,250 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-18 22:35:15 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-04-13 02:48:54 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-18 22:35:15 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-21 16:26:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_17c.dat
+ 2008-11-21 16:26:24 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_694.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-15 13570048]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"SmartError_updater"="c:\program files\SmartError\SmartErrorUpdater.exe" [2006-03-08 77824]
"BigDog305"="c:\windows\VM305_STI.EXE" [2005-08-05 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-18 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-21 185896]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-15 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"VTTimer"="VTTimer.exe" [2005-03-09 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-12 c:\windows\system32\VTTrayp.exe]
"CARPService"="carpserv.exe" [2003-06-11 c:\windows\system32\carpserv.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-08-15 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
World Community Grid - BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2008-03-17 3874816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Orange\\Livebox\\RGWREPAIR.EXE"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%systemroot%\\winmech\\services.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-11 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 231704]
R2 winmech;Security Services Internet;c:\windows\winmech\NTSERV~1\srunner.exe [2007-07-13 63488]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys []
S3 GameConsoleService;GameConsoleService;"c:\program files\HP Games\My HP Game Console\GameConsoleService.exe" [2008-05-05 165416]
S3 PciCon;PciCon;\??\D:\PciCon.sys []
S3 V90drv;v90drv;c:\windows\system32\DRIVERS\v90drv.sys [2001-11-29 1432836]
S3 XDva008;XDva008;\??\c:\windows\system32\XDva008.sys []
S3 ZSMC0305;VIMICRO USB PC Camera V;c:\windows\system32\Drivers\usbVM305.sys [2006-08-18 392316]
.
Contents of the 'Scheduled Tasks' folder

2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2006-09-27 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe []

2008-11-21 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 13:44]

2008-09-23 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 13:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=4&link=ctg_trs_home_from_bcs_thankyou_sitenav
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.thebreastcancersite.com/clickToGive/home.faces?siteId=2
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?03146f322e1e48df8fb6670ae8ee86ed
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?03146f322e1e48df8fb6670ae8ee86ed
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk -

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 18:44:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-21 18:49:19
ComboFix-quarantined-files.txt 2008-11-21 18:48:01
ComboFix2.txt 2008-11-18 22:15:47

Pre-Run: 4,940,161,024 bytes free
Post-Run: 5,104,398,336 bytes free

198 --- E O F --- 2008-11-13 08:28:35




Many thanks
Attached Files
File Type: txt mbam-log-2008-11-21 (18-28-45).txt (230.1 KB, 2 views)
11-21-2008, 01:53 PM   #10
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: system 32 trojan

Hi massey91

Good work in getting the logs to me

We will need to unhide hidden files:
Open up your computer
From the Tools menu select Folder Options
Click on the View tab
Scroll down to where it says Hidden files and folders
Place a check in the box entitled Show hidden files and folders
Remove the check mark next to Hide protected operating system files (Recommended)
Click on Apply
Click on OK

=======================================

Please go to: VirusTotal
  • In the middle of the page you'll find a "Browse" button.
    Click the "Browse" button and browse to this file:

    c:\windows\system32\2300369754.sys

  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

Please do the same for this file:

c:\windows\system32\XDva008.sys

=======================================

Go to the Start menu, select Run, and in the command box type in notepad.
Next, copy/paste the text in the code box below into it:

C:\WINDOWS\system32\pm_proc1.exe.old0
C:\WINDOWS\system32\pm_proc1.exe.old1
C:\WINDOWS\system32\pm_proc2.exe.old0
C:\WINDOWS\system32\pm_proc2.exe.old1
C:\WINDOWS\system32\pm_proc2.exe.old10
C:\WINDOWS\system32\pm_proc2.exe.old100
C:\WINDOWS\system32\pm_proc2.exe.old101
C:\WINDOWS\system32\pm_proc2.exe.old102
C:\WINDOWS\system32\pm_proc2.exe.old103
C:\WINDOWS\system32\pm_proc2.exe.old104
C:\WINDOWS\system32\pm_proc2.exe.old105
C:\WINDOWS\system32\pm_proc2.exe.old106
C:\WINDOWS\system32\pm_proc2.exe.old107
C:\WINDOWS\system32\pm_proc2.exe.old108
C:\WINDOWS\system32\pm_proc2.exe.old109
C:\WINDOWS\system32\pm_proc2.exe.old11
C:\WINDOWS\system32\pm_proc2.exe.old110
C:\WINDOWS\system32\pm_proc2.exe.old111
C:\WINDOWS\system32\pm_proc2.exe.old112
C:\WINDOWS\system32\pm_proc2.exe.old113
C:\WINDOWS\system32\pm_proc2.exe.old114
C:\WINDOWS\system32\pm_proc2.exe.old115
C:\WINDOWS\system32\pm_proc2.exe.old116
C:\WINDOWS\system32\pm_proc2.exe.old117
C:\WINDOWS\system32\pm_proc2.exe.old118
C:\WINDOWS\system32\pm_proc2.exe.old119
C:\WINDOWS\system32\pm_proc2.exe.old12
C:\WINDOWS\system32\pm_proc2.exe.old120
C:\WINDOWS\system32\pm_proc2.exe.old121
C:\WINDOWS\system32\pm_proc2.exe.old122
C:\WINDOWS\system32\pm_proc2.exe.old123
C:\WINDOWS\system32\pm_proc2.exe.old124
C:\WINDOWS\system32\pm_proc2.exe.old125
C:\WINDOWS\system32\pm_proc2.exe.old126
C:\WINDOWS\system32\pm_proc2.exe.old127
C:\WINDOWS\system32\pm_proc2.exe.old128
C:\WINDOWS\system32\pm_proc2.exe.old129
C:\WINDOWS\system32\pm_proc2.exe.old13
C:\WINDOWS\system32\pm_proc2.exe.old130
C:\WINDOWS\system32\pm_proc2.exe.old131
C:\WINDOWS\system32\pm_proc2.exe.old132
C:\WINDOWS\system32\pm_proc2.exe.old133
C:\WINDOWS\system32\pm_proc2.exe.old134
C:\WINDOWS\system32\pm_proc2.exe.old135
C:\WINDOWS\system32\pm_proc2.exe.old136
C:\WINDOWS\system32\pm_proc2.exe.old14
C:\WINDOWS\system32\pm_proc2.exe.old15
C:\WINDOWS\system32\pm_proc2.exe.old16
C:\WINDOWS\system32\pm_proc2.exe.old17
C:\WINDOWS\system32\pm_proc2.exe.old18
C:\WINDOWS\system32\pm_proc2.exe.old19
C:\WINDOWS\system32\pm_proc2.exe.old2
C:\WINDOWS\system32\pm_proc2.exe.old20
C:\WINDOWS\system32\pm_proc2.exe.old21
C:\WINDOWS\system32\pm_proc2.exe.old22
C:\WINDOWS\system32\pm_proc2.exe.old23
C:\WINDOWS\system32\pm_proc2.exe.old24
C:\WINDOWS\system32\pm_proc2.exe.old25
C:\WINDOWS\system32\pm_proc2.exe.old26
C:\WINDOWS\system32\pm_proc2.exe.old27
C:\WINDOWS\system32\pm_proc2.exe.old28
C:\WINDOWS\system32\pm_proc2.exe.old29
C:\WINDOWS\system32\pm_proc2.exe.old3
C:\WINDOWS\system32\pm_proc2.exe.old30
C:\WINDOWS\system32\pm_proc2.exe.old31
C:\WINDOWS\system32\pm_proc2.exe.old32
C:\WINDOWS\system32\pm_proc2.exe.old33
C:\WINDOWS\system32\pm_proc2.exe.old34
C:\WINDOWS\system32\pm_proc2.exe.old35
C:\WINDOWS\system32\pm_proc2.exe.old36
C:\WINDOWS\system32\pm_proc2.exe.old37
C:\WINDOWS\system32\pm_proc2.exe.old38
C:\WINDOWS\system32\pm_proc2.exe.old39
C:\WINDOWS\system32\pm_proc2.exe.old4
C:\WINDOWS\system32\pm_proc2.exe.old40
C:\WINDOWS\system32\pm_proc2.exe.old41
C:\WINDOWS\system32\pm_proc2.exe.old42
C:\WINDOWS\system32\pm_proc2.exe.old43
C:\WINDOWS\system32\pm_proc2.exe.old44
C:\WINDOWS\system32\pm_proc2.exe.old45
C:\WINDOWS\system32\pm_proc2.exe.old46
C:\WINDOWS\system32\pm_proc2.exe.old47
C:\WINDOWS\system32\pm_proc2.exe.old48
C:\WINDOWS\system32\pm_proc2.exe.old49
C:\WINDOWS\system32\pm_proc2.exe.old5
C:\WINDOWS\system32\pm_proc2.exe.old50
C:\WINDOWS\system32\pm_proc2.exe.old51
C:\WINDOWS\system32\pm_proc2.exe.old52
C:\WINDOWS\system32\pm_proc2.exe.old53
C:\WINDOWS\system32\pm_proc2.exe.old54
C:\WINDOWS\system32\pm_proc2.exe.old55
C:\WINDOWS\system32\pm_proc2.exe.old56
C:\WINDOWS\system32\pm_proc2.exe.old57
C:\WINDOWS\system32\pm_proc2.exe.old58
C:\WINDOWS\system32\pm_proc2.exe.old59
C:\WINDOWS\system32\pm_proc2.exe.old6
C:\WINDOWS\system32\pm_proc2.exe.old60
C:\WINDOWS\system32\pm_proc2.exe.old61
C:\WINDOWS\system32\pm_proc2.exe.old62
C:\WINDOWS\system32\pm_proc2.exe.old63
C:\WINDOWS\system32\pm_proc2.exe.old64
C:\WINDOWS\system32\pm_proc2.exe.old65
C:\WINDOWS\system32\pm_proc2.exe.old66
C:\WINDOWS\system32\pm_proc2.exe.old67
C:\WINDOWS\system32\pm_proc2.exe.old68
C:\WINDOWS\system32\pm_proc2.exe.old69
C:\WINDOWS\system32\pm_proc2.exe.old7
C:\WINDOWS\system32\pm_proc2.exe.old70
C:\WINDOWS\system32\pm_proc2.exe.old71
C:\WINDOWS\system32\pm_proc2.exe.old72
C:\WINDOWS\system32\pm_proc2.exe.old73
C:\WINDOWS\system32\pm_proc2.exe.old74
C:\WINDOWS\system32\pm_proc2.exe.old75
C:\WINDOWS\system32\pm_proc2.exe.old76
C:\WINDOWS\system32\pm_proc2.exe.old77
C:\WINDOWS\system32\pm_proc2.exe.old78
C:\WINDOWS\system32\pm_proc2.exe.old79
C:\WINDOWS\system32\pm_proc2.exe.old8
C:\WINDOWS\system32\pm_proc2.exe.old80
C:\WINDOWS\system32\pm_proc2.exe.old81
C:\WINDOWS\system32\pm_proc2.exe.old82
C:\WINDOWS\system32\pm_proc2.exe.old83
C:\WINDOWS\system32\pm_proc2.exe.old84
C:\WINDOWS\system32\pm_proc2.exe.old85
C:\WINDOWS\system32\pm_proc2.exe.old86
C:\WINDOWS\system32\pm_proc2.exe.old87
C:\WINDOWS\system32\pm_proc2.exe.old88
C:\WINDOWS\system32\pm_proc2.exe.old89
C:\WINDOWS\system32\pm_proc2.exe.old9
C:\WINDOWS\system32\pm_proc2.exe.old90
C:\WINDOWS\system32\pm_proc2.exe.old91
C:\WINDOWS\system32\pm_proc2.exe.old92
C:\WINDOWS\system32\pm_proc2.exe.old93
C:\WINDOWS\system32\pm_proc2.exe.old94
C:\WINDOWS\system32\pm_proc2.exe.old95
C:\WINDOWS\system32\pm_proc2.exe.old96
C:\WINDOWS\system32\pm_proc2.exe.old97
C:\WINDOWS\system32\pm_proc2.exe.old98
C:\WINDOWS\system32\pm_proc2.exe.old99
C:\WINDOWS\system32\pm_proc2.exe
c:\windows\system32\pm_setup_util.exe.old1
C:\WINDOWS\system32\pm_proc1.exe
C:\WINDOWS\system32\pzreg1.exe.bak0
C:\WINDOWS\system32\pzreg1.exe
- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto ComboFix.exe and release.

ComboFix will then execute the script and produce a fresh log.
Post this back in your next reply along with the VirusTotal results.
Update me on how things are.
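The CFScript list in the post above was assembled by hand from the scanner output: every detected `pm_proc2.exe.old<N>` and `pzreg1.exe.bak<N>` copy, plus the base executables they were copied from, one bare path per line. The same post asks for a file to be run through VirusTotal, whose report ends with the file's size and MD5/SHA1/SHA256. The following is an added example for this thread, not code from ComboFix, Kaspersky, AVG or VirusTotal; it turns detection lines into that kind of list automatically and computes the same hash fields locally. The sample detection lines are constructed in the shape of the scan output posted earlier (with a deliberate duplicate and one bare path to show de-duplication), the bare-path script format mirrors the post above, and the hash test vector is the standard input "abc".

```python
"""Build a ComboFix-style file list from AV detection lines, and hash a file
the way VirusTotal reports it.  Added example for this thread; it is not part
of ComboFix, AVG, Kaspersky or VirusTotal.

Input formats handled:
  * Kaspersky online-scanner lines:  <path> Infected: <name> <count>
  * bare paths, one per line (as AVG shows them in its alert)
Numbered leftovers such as pm_proc2.exe.old50 or pzreg1.exe.bak0 are collapsed
onto their base executable, which is added to the list as well, mirroring the
list the analyst built by hand.
"""
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed sample in the shape of the scan output posted earlier in the
# thread, with a deliberate duplicate line and one bare path.
SAMPLE_DETECTIONS = r"""
C:\WINDOWS\system32\pm_proc2.exe.old50 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old6 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pm_proc2.exe.old50 Infected: Trojan.Win32.Agent.aghn 1
C:\WINDOWS\system32\pzreg1.exe.bak0 Infected: Trojan.Win32.Agent.afi 1
C:\WINDOWS\system32\pm_setup_util.exe.old1
The selected area was scanned.
"""

# A Windows path: drive letter, colon, backslash, then at least one non-space char
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*?$")
# pm_proc2.exe.old50 -> pm_proc2.exe ; pzreg1.exe.bak0 -> pzreg1.exe
LEFTOVER_RE = re.compile(r"^(.*\.exe)\.(?:old|bak)\d+$", re.IGNORECASE)


def extract_paths(text: str) -> List[str]:
    """Pull file paths out of scanner output, ignoring status and summary lines."""
    paths = []
    for raw in text.splitlines():
        line = raw.strip()
        if " Infected:" in line:
            line = line.split(" Infected:", 1)[0].strip()
        if PATH_RE.match(line):
            paths.append(line)
    return paths


def expand_families(paths: Iterable[str]) -> List[str]:
    """De-duplicate (case-insensitively, as NTFS does) and add the base
    executable for every numbered .oldN/.bakN copy."""
    seen: Dict[str, str] = {}
    for p in paths:
        seen.setdefault(p.lower(), p)
        m = LEFTOVER_RE.match(p)
        if m:
            seen.setdefault(m.group(1).lower(), m.group(1))
    return sorted(seen.values(), key=str.lower)


def build_cfscript(text: str) -> List[str]:
    """Detection text in, ordered list of files for the script out."""
    return expand_families(extract_paths(text))


def render_cfscript(paths: Iterable[str]) -> str:
    """Bare-path script body, CRLF-terminated so Notepad on XP shows one path per line."""
    return "".join(p + "\r\n" for p in paths)


def digests(data: bytes) -> Dict[str, str]:
    """The same fields VirusTotal prints under 'Additional information'."""
    return {
        "size": str(len(data)),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """Hash a local file so it can be compared with an existing VirusTotal
    report (by MD5/SHA1/SHA256) without uploading it again."""
    with open(path, "rb") as fh:
        return digests(fh.read())


if __name__ == "__main__":
    files = build_cfscript(SAMPLE_DETECTIONS)
    print(render_cfscript(files), end="")
    for key, value in digests(b"abc").items():
        print(f"{key}: {value}")
```

For the sample, the result is seven lines: the two surviving `pm_proc2.exe.old*` copies, `pzreg1.exe.bak0`, `pm_setup_util.exe.old1`, and the three base executables `pm_proc2.exe`, `pzreg1.exe` and `pm_setup_util.exe`. Before feeding such a list to ComboFix, read it once by eye: a scanner false positive on a legitimate `.exe` would be deleted just as readily as the malware, and hashing a doubtful file with `hash_file` and comparing against VirusTotal is the cheap way to settle that first.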
11-22-2008, 02:28 AM   #11
Registered User
 
Join Date: Nov 2008
Posts: 15
OS: Win xp SP 2


Re: system 32 trojan

Hi,
Here are the results for this file: c:\windows\system32\2300369754.sys

File 2300369754.sys received on 11.22.2008 09:55:22 (CET)
Current status: finished

Result: 0/37 (0.00%)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.21.0 2008.11.21 -
AntiVir 7.9.0.35 2008.11.21 -
Authentium 5.1.0.4 2008.11.22 -
Avast 4.8.1281.0 2008.11.21 -
AVG 8.0.0.199 2008.11.21 -
BitDefender 7.2 2008.11.22 -
CAT-QuickHeal 10.00 2008.11.21 -
ClamAV 0.94.1 2008.11.22 -
DrWeb 4.44.0.09170 2008.11.22 -
eSafe 7.0.17.0 2008.11.19 -
eTrust-Vet 31.6.6221 2008.11.21 -
Ewido 4.0 2008.11.21 -
F-Prot 4.4.4.56 2008.11.21 -
F-Secure 8.0.14332.0 2008.11.22 -
Fortinet 3.117.0.0 2008.11.21 -
GData 19 2008.11.22 -
Ikarus T3.1.1.45.0 2008.11.22 -
K7AntiVirus 7.10.530 2008.11.21 -
Kaspersky 7.0.0.125 2008.11.22 -
McAfee 5441 2008.11.21 -
McAfee+Artemis 5441 2008.11.21 -
Microsoft 1.4104 2008.11.22 -
NOD32 3632 2008.11.21 -
Norman 5.80.02 2008.11.21 -
Panda 9.0.0.4 2008.11.22 -
PCTools 4.4.2.0 2008.11.21 -
Prevx1 V2 2008.11.22 -
Rising 21.04.51.00 2008.11.22 -
SecureWeb-Gateway 6.7.6 2008.11.22 -
Sophos 4.35.0 2008.11.22 -
Sunbelt 3.1.1823.2 2008.11.22 -
Symantec 10 2008.11.22 -
TheHacker 6.3.1.1.159 2008.11.19 -
TrendMicro 8.700.0.1004 2008.11.22 -
VBA32 3.12.8.9 2008.11.21 -
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.21 -
Additional information
File size: 321 bytes
MD5...: 0895088f54c43166c8384bf7d1416c91
SHA1..: 49065a98a48e47e36f5d11832427e250c6d070f8
SHA256: 10b17ba51b6a188cfac87dc619aed3e4c5fb1eba36235f683ae99067b4554fc6
SHA512: 8d1e01ecc54e59cd4c17a66b2a7ac61ad2e0010b19514b88fffe267c519556e7
b156cbc66e64408f41b4555354a953cae5cc90833f2ec6f9372ffb4fdc88a81d
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -


It can't find the other file; it says it's invalid when I type it in, and I can't find it with Windows Explorer.

Here's the new ComboFix log:


ComboFix 08-11-21.04 - User 2008-11-22 9:08:00.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.149 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 19:39 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 19:39 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-18 22:35 . 2008-11-18 22:35 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-18 22:35 . 2008-11-18 22:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-16 11:55 . 2008-11-16 11:56 250 --a------ c:\windows\gmer.ini
2008-11-15 10:04 . 2008-11-15 10:05 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old1
2008-11-12 20:27 . 2008-11-12 20:27 244 --ah----- C:\sqmnoopt16.sqm
2008-11-12 20:27 . 2008-11-12 20:27 232 --ah----- C:\sqmdata17.sqm
2008-11-06 17:32 . 2008-11-06 17:32 244 --ah----- C:\sqmnoopt15.sqm
2008-11-06 17:32 . 2008-11-06 17:32 232 --ah----- C:\sqmdata16.sqm
2008-11-05 20:28 . 2008-11-05 20:28 <DIR> d-------- c:\program files\Gameforge4D
2008-11-05 20:28 . 2004-05-10 13:14 118,272 --a------ c:\windows\system32\SX5363S.DLL
2008-11-05 20:28 . 2004-05-10 13:14 102,400 --a------ c:\windows\system32\RV32RTP.dll
2008-11-05 20:28 . 2004-05-10 13:15 40 --a------ c:\windows\system32\Sx5363.ini
2008-10-28 20:35 . 2008-11-18 21:07 <DIR> d-------- c:\documents and settings\User\Application Data\SPORE
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\program files\iTunes
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-26 14:48 . 2008-10-26 14:48 <DIR> d-------- c:\program files\Bonjour
2008-10-26 14:46 . 2008-10-26 14:47 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-22 09:17 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-22 09:10 --------- d-----w c:\program files\BOINC
2008-11-22 08:45 19,736,795 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-21 21:04 447,692 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-21 21:04 38,510,624 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-18 22:35 --------- d-----w c:\program files\Java
2008-11-12 18:58 --------- d-----w c:\documents and settings\User\Application Data\Canon
2008-10-26 14:51 --------- d-----w c:\program files\iPod
2008-10-26 14:46 --------- d-----w c:\program files\Common Files\Apple
2008-10-24 22:22 4,203,520 ----a-w c:\windows\Internet Logs\xDB26.tmp
2008-10-24 22:21 771,072 ----a-w c:\windows\Internet Logs\xDB25.tmp
2008-10-24 17:15 --------- d-----w c:\program files\Microsoft Games
2008-10-24 11:44 --------- d-----w c:\program files\Cossacks - Back To War
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 19:59 --------- d-----w c:\program files\Microsoft AutoRoute
2008-10-14 19:14 4,172,288 ----a-w c:\windows\Internet Logs\xDB24.tmp
2008-10-10 19:51 --------- d-----w c:\program files\XoftSpySE
2008-10-10 19:26 --------- d-----w c:\program files\DreamQuest
2008-10-05 08:26 --------- d-----w c:\program files\Coupon Printer
2008-10-01 16:55 --------- d-----w c:\program files\Ahead
2008-10-01 16:50 --------- d-----w c:\program files\Common Files\Nero
2008-10-01 16:47 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2006-07-12 16:31 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
2008-05-19 09:42 321 --sh--w c:\windows\system32\2300369754.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-18_17.56.48.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-13 01:19:56 49,248 ----a-w c:\windows\system32\java.exe
+ 2008-11-18 22:35:15 144,792 ----a-w c:\windows\system32\java.exe
- 2005-04-13 01:20:04 49,250 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-18 22:35:15 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-04-13 02:48:54 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-18 22:35:15 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-22 08:46:24 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_498.dat
+ 2008-11-22 08:46:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-15 13570048]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"SmartError_updater"="c:\program files\SmartError\SmartErrorUpdater.exe" [2006-03-08 77824]
"BigDog305"="c:\windows\VM305_STI.EXE" [2005-08-05 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-18 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-21 185896]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-15 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"VTTimer"="VTTimer.exe" [2005-03-09 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-12 c:\windows\system32\VTTrayp.exe]
"CARPService"="carpserv.exe" [2003-06-11 c:\windows\system32\carpserv.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-08-15 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
World Community Grid - BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2008-03-17 3874816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Orange\\Livebox\\RGWREPAIR.EXE"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%systemroot%\\winmech\\services.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-11 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 231704]
R2 winmech;Security Services Internet;c:\windows\winmech\NTSERV~1\srunner.exe [2007-07-13 63488]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys []
S3 GameConsoleService;GameConsoleService;"c:\program files\HP Games\My HP Game Console\GameConsoleService.exe" [2008-05-05 165416]
S3 PciCon;PciCon;\??\D:\PciCon.sys []
S3 V90drv;v90drv;c:\windows\system32\DRIVERS\v90drv.sys [2001-11-29 1432836]
S3 XDva008;XDva008;\??\c:\windows\system32\XDva008.sys []
S3 ZSMC0305;VIMICRO USB PC Camera V;c:\windows\system32\Drivers\usbVM305.sys [2006-08-18 392316]
.
Contents of the 'Scheduled Tasks' folder

2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2006-09-27 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe []

2008-11-21 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 13:44]

2008-09-23 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 13:44]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-22 09:17:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-22 9:22:49
ComboFix-quarantined-files.txt 2008-11-22 09:21:20
ComboFix2.txt 2008-11-21 18:49:27
ComboFix3.txt 2008-11-18 22:15:47

Pre-Run: 4,990,124,032 bytes free
Post-Run: 4,967,088,128 bytes free

178 --- E O F --- 2008-11-13 08:28:35





The computer is running ok, AVG fixed itself, but every now and then it slows down and groans before speeding up again. I'm not getting any more error alerts though.

Many thanks
massey91 is offline  
Old 11-22-2008, 07:18 AM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: system 32 trojan

Hi there

Part of the fix appears not to have worked as it should. Combofix has not deleted the files I requested. Can you re-run part of the fix as follows, by dragging and dropping the script over the Combofix icon?

Go to start menu - Select Run and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Quote:
C:\WINDOWS\system32\pm_proc1.exe.old0
C:\WINDOWS\system32\pm_proc1.exe.old1
C:\WINDOWS\system32\pm_proc2.exe.old0
C:\WINDOWS\system32\pm_proc2.exe.old1
C:\WINDOWS\system32\pm_proc2.exe.old10
C:\WINDOWS\system32\pm_proc2.exe.old100
C:\WINDOWS\system32\pm_proc2.exe.old101
C:\WINDOWS\system32\pm_proc2.exe.old102
C:\WINDOWS\system32\pm_proc2.exe.old103
C:\WINDOWS\system32\pm_proc2.exe.old104
C:\WINDOWS\system32\pm_proc2.exe.old105
C:\WINDOWS\system32\pm_proc2.exe.old106
C:\WINDOWS\system32\pm_proc2.exe.old107
C:\WINDOWS\system32\pm_proc2.exe.old108
C:\WINDOWS\system32\pm_proc2.exe.old109
C:\WINDOWS\system32\pm_proc2.exe.old11
C:\WINDOWS\system32\pm_proc2.exe.old110
C:\WINDOWS\system32\pm_proc2.exe.old111
C:\WINDOWS\system32\pm_proc2.exe.old112
C:\WINDOWS\system32\pm_proc2.exe.old113
C:\WINDOWS\system32\pm_proc2.exe.old114
C:\WINDOWS\system32\pm_proc2.exe.old115
C:\WINDOWS\system32\pm_proc2.exe.old116
C:\WINDOWS\system32\pm_proc2.exe.old117
C:\WINDOWS\system32\pm_proc2.exe.old118
C:\WINDOWS\system32\pm_proc2.exe.old119
C:\WINDOWS\system32\pm_proc2.exe.old12
C:\WINDOWS\system32\pm_proc2.exe.old120
C:\WINDOWS\system32\pm_proc2.exe.old121
C:\WINDOWS\system32\pm_proc2.exe.old122
C:\WINDOWS\system32\pm_proc2.exe.old123
C:\WINDOWS\system32\pm_proc2.exe.old124
C:\WINDOWS\system32\pm_proc2.exe.old125
C:\WINDOWS\system32\pm_proc2.exe.old126
C:\WINDOWS\system32\pm_proc2.exe.old127
C:\WINDOWS\system32\pm_proc2.exe.old128
C:\WINDOWS\system32\pm_proc2.exe.old129
C:\WINDOWS\system32\pm_proc2.exe.old13
C:\WINDOWS\system32\pm_proc2.exe.old130
C:\WINDOWS\system32\pm_proc2.exe.old131
C:\WINDOWS\system32\pm_proc2.exe.old132
C:\WINDOWS\system32\pm_proc2.exe.old133
C:\WINDOWS\system32\pm_proc2.exe.old134
C:\WINDOWS\system32\pm_proc2.exe.old135
C:\WINDOWS\system32\pm_proc2.exe.old136
C:\WINDOWS\system32\pm_proc2.exe.old14
C:\WINDOWS\system32\pm_proc2.exe.old15
C:\WINDOWS\system32\pm_proc2.exe.old16
C:\WINDOWS\system32\pm_proc2.exe.old17
C:\WINDOWS\system32\pm_proc2.exe.old18
C:\WINDOWS\system32\pm_proc2.exe.old19
C:\WINDOWS\system32\pm_proc2.exe.old2
C:\WINDOWS\system32\pm_proc2.exe.old20
C:\WINDOWS\system32\pm_proc2.exe.old21
C:\WINDOWS\system32\pm_proc2.exe.old22
C:\WINDOWS\system32\pm_proc2.exe.old23
C:\WINDOWS\system32\pm_proc2.exe.old24
C:\WINDOWS\system32\pm_proc2.exe.old25
C:\WINDOWS\system32\pm_proc2.exe.old26
C:\WINDOWS\system32\pm_proc2.exe.old27
C:\WINDOWS\system32\pm_proc2.exe.old28
C:\WINDOWS\system32\pm_proc2.exe.old29
C:\WINDOWS\system32\pm_proc2.exe.old3
C:\WINDOWS\system32\pm_proc2.exe.old30
C:\WINDOWS\system32\pm_proc2.exe.old31
C:\WINDOWS\system32\pm_proc2.exe.old32
C:\WINDOWS\system32\pm_proc2.exe.old33
C:\WINDOWS\system32\pm_proc2.exe.old34
C:\WINDOWS\system32\pm_proc2.exe.old35
C:\WINDOWS\system32\pm_proc2.exe.old36
C:\WINDOWS\system32\pm_proc2.exe.old37
C:\WINDOWS\system32\pm_proc2.exe.old38
C:\WINDOWS\system32\pm_proc2.exe.old39
C:\WINDOWS\system32\pm_proc2.exe.old4
C:\WINDOWS\system32\pm_proc2.exe.old40
C:\WINDOWS\system32\pm_proc2.exe.old41
C:\WINDOWS\system32\pm_proc2.exe.old42
C:\WINDOWS\system32\pm_proc2.exe.old43
C:\WINDOWS\system32\pm_proc2.exe.old44
C:\WINDOWS\system32\pm_proc2.exe.old45
C:\WINDOWS\system32\pm_proc2.exe.old46
C:\WINDOWS\system32\pm_proc2.exe.old47
C:\WINDOWS\system32\pm_proc2.exe.old48
C:\WINDOWS\system32\pm_proc2.exe.old49
C:\WINDOWS\system32\pm_proc2.exe.old5
C:\WINDOWS\system32\pm_proc2.exe.old50
C:\WINDOWS\system32\pm_proc2.exe.old51
C:\WINDOWS\system32\pm_proc2.exe.old52
C:\WINDOWS\system32\pm_proc2.exe.old53
C:\WINDOWS\system32\pm_proc2.exe.old54
C:\WINDOWS\system32\pm_proc2.exe.old55
C:\WINDOWS\system32\pm_proc2.exe.old56
C:\WINDOWS\system32\pm_proc2.exe.old57
C:\WINDOWS\system32\pm_proc2.exe.old58
C:\WINDOWS\system32\pm_proc2.exe.old59
C:\WINDOWS\system32\pm_proc2.exe.old6
C:\WINDOWS\system32\pm_proc2.exe.old60
C:\WINDOWS\system32\pm_proc2.exe.old61
C:\WINDOWS\system32\pm_proc2.exe.old62
C:\WINDOWS\system32\pm_proc2.exe.old63
C:\WINDOWS\system32\pm_proc2.exe.old64
C:\WINDOWS\system32\pm_proc2.exe.old65
C:\WINDOWS\system32\pm_proc2.exe.old66
C:\WINDOWS\system32\pm_proc2.exe.old67
C:\WINDOWS\system32\pm_proc2.exe.old68
C:\WINDOWS\system32\pm_proc2.exe.old69
C:\WINDOWS\system32\pm_proc2.exe.old7
C:\WINDOWS\system32\pm_proc2.exe.old70
C:\WINDOWS\system32\pm_proc2.exe.old71
C:\WINDOWS\system32\pm_proc2.exe.old72
C:\WINDOWS\system32\pm_proc2.exe.old73
C:\WINDOWS\system32\pm_proc2.exe.old74
C:\WINDOWS\system32\pm_proc2.exe.old75
C:\WINDOWS\system32\pm_proc2.exe.old76
C:\WINDOWS\system32\pm_proc2.exe.old77
C:\WINDOWS\system32\pm_proc2.exe.old78
C:\WINDOWS\system32\pm_proc2.exe.old79
C:\WINDOWS\system32\pm_proc2.exe.old8
C:\WINDOWS\system32\pm_proc2.exe.old80
C:\WINDOWS\system32\pm_proc2.exe.old81
C:\WINDOWS\system32\pm_proc2.exe.old82
C:\WINDOWS\system32\pm_proc2.exe.old83
C:\WINDOWS\system32\pm_proc2.exe.old84
C:\WINDOWS\system32\pm_proc2.exe.old85
C:\WINDOWS\system32\pm_proc2.exe.old86
C:\WINDOWS\system32\pm_proc2.exe.old87
C:\WINDOWS\system32\pm_proc2.exe.old88
C:\WINDOWS\system32\pm_proc2.exe.old89
C:\WINDOWS\system32\pm_proc2.exe.old9
C:\WINDOWS\system32\pm_proc2.exe.old90
C:\WINDOWS\system32\pm_proc2.exe.old91
C:\WINDOWS\system32\pm_proc2.exe.old92
C:\WINDOWS\system32\pm_proc2.exe.old93
C:\WINDOWS\system32\pm_proc2.exe.old94
C:\WINDOWS\system32\pm_proc2.exe.old95
C:\WINDOWS\system32\pm_proc2.exe.old96
C:\WINDOWS\system32\pm_proc2.exe.old97
C:\WINDOWS\system32\pm_proc2.exe.old98
C:\WINDOWS\system32\pm_proc2.exe.old99
C:\WINDOWS\system32\pm_proc2.exe
c:\windows\system32\pm_setup_util.exe.old1
C:\WINDOWS\system32\pm_proc1.exe
C:\WINDOWS\system32\pzreg1.exe.bak0
C:\WINDOWS\system32\pzreg1.exe
- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.



Combofix will then execute the script and produce a fresh log
Post this back to me in your next reply
Let me know if you have any problems running the script
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
Old 11-22-2008, 01:19 PM   #13 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 15
OS: Win xp SP 2


Re: system 32 trojan

Hi,
Here's the new log:

ComboFix 08-11-21.04 - User 2008-11-22 19:58:10.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.130 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 19:39 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 19:39 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-18 22:35 . 2008-11-18 22:35 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-18 22:35 . 2008-11-18 22:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-16 11:55 . 2008-11-16 11:56 250 --a------ c:\windows\gmer.ini
2008-11-15 10:04 . 2008-11-15 10:05 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old1
2008-11-12 20:27 . 2008-11-12 20:27 244 --ah----- C:\sqmnoopt16.sqm
2008-11-12 20:27 . 2008-11-12 20:27 232 --ah----- C:\sqmdata17.sqm
2008-11-06 17:32 . 2008-11-06 17:32 244 --ah----- C:\sqmnoopt15.sqm
2008-11-06 17:32 . 2008-11-06 17:32 232 --ah----- C:\sqmdata16.sqm
2008-11-05 20:28 . 2008-11-05 20:28 <DIR> d-------- c:\program files\Gameforge4D
2008-11-05 20:28 . 2004-05-10 13:14 118,272 --a------ c:\windows\system32\SX5363S.DLL
2008-11-05 20:28 . 2004-05-10 13:14 102,400 --a------ c:\windows\system32\RV32RTP.dll
2008-11-05 20:28 . 2004-05-10 13:15 40 --a------ c:\windows\system32\Sx5363.ini
2008-10-28 20:35 . 2008-11-18 21:07 <DIR> d-------- c:\documents and settings\User\Application Data\SPORE
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\program files\iTunes
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-26 14:48 . 2008-10-26 14:48 <DIR> d-------- c:\program files\Bonjour
2008-10-26 14:46 . 2008-10-26 14:47 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-22 20:09 --------- d-----w c:\program files\BOINC
2008-11-22 20:09 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-22 15:44 447,692 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-22 15:44 38,510,624 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-22 15:00 20,312,090 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-18 22:35 --------- d-----w c:\program files\Java
2008-11-12 18:58 --------- d-----w c:\documents and settings\User\Application Data\Canon
2008-10-26 14:51 --------- d-----w c:\program files\iPod
2008-10-26 14:46 --------- d-----w c:\program files\Common Files\Apple
2008-10-24 22:22 4,203,520 ----a-w c:\windows\Internet Logs\xDB26.tmp
2008-10-24 22:21 771,072 ----a-w c:\windows\Internet Logs\xDB25.tmp
2008-10-24 17:15 --------- d-----w c:\program files\Microsoft Games
2008-10-24 11:44 --------- d-----w c:\program files\Cossacks - Back To War
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 19:59 --------- d-----w c:\program files\Microsoft AutoRoute
2008-10-14 19:14 4,172,288 ----a-w c:\windows\Internet Logs\xDB24.tmp
2008-10-10 19:51 --------- d-----w c:\program files\XoftSpySE
2008-10-10 19:26 --------- d-----w c:\program files\DreamQuest
2008-10-05 08:26 --------- d-----w c:\program files\Coupon Printer
2008-10-01 16:55 --------- d-----w c:\program files\Ahead
2008-10-01 16:50 --------- d-----w c:\program files\Common Files\Nero
2008-10-01 16:47 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2006-07-12 16:31 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
2008-05-19 09:42 321 --sh--w c:\windows\system32\2300369754.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-18_17.56.48.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-13 01:19:56 49,248 ----a-w c:\windows\system32\java.exe
+ 2008-11-18 22:35:15 144,792 ----a-w c:\windows\system32\java.exe
- 2005-04-13 01:20:04 49,250 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-18 22:35:15 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-04-13 02:48:54 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-18 22:35:15 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-22 17:03:22 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1a4.dat
+ 2008-11-22 17:03:38 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4



Only thing I can see as a possible problem was it saying it was adjusting clock settings and that this would be resolved automatically. Other than that it was normal.

Thanks again
massey91 is offline  
Old 11-22-2008, 03:10 PM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: system 32 trojan

Hi there massey91

Let's try things this way...

Please download OTMoveIt3 by OldTimer.

Save it to your desktop.
Double-click on OTMoveIt3.exe

Using notepad copy the lines in the codebox below:

Quote:
:Files
c:\windows\system32\pm_setup_util.exe.old1
C:\WINDOWS\system32\pm_proc1.exe.old0
C:\WINDOWS\system32\pm_proc1.exe.old1
C:\WINDOWS\system32\pm_proc2.exe.old0
C:\WINDOWS\system32\pm_proc2.exe.old1
C:\WINDOWS\system32\pm_proc2.exe.old10
C:\WINDOWS\system32\pm_proc2.exe.old100
C:\WINDOWS\system32\pm_proc2.exe.old101
C:\WINDOWS\system32\pm_proc2.exe.old102
C:\WINDOWS\system32\pm_proc2.exe.old103
C:\WINDOWS\system32\pm_proc2.exe.old104
C:\WINDOWS\system32\pm_proc2.exe.old105
C:\WINDOWS\system32\pm_proc2.exe.old106
C:\WINDOWS\system32\pm_proc2.exe.old107
C:\WINDOWS\system32\pm_proc2.exe.old108
C:\WINDOWS\system32\pm_proc2.exe.old109
C:\WINDOWS\system32\pm_proc2.exe.old11
C:\WINDOWS\system32\pm_proc2.exe.old110
C:\WINDOWS\system32\pm_proc2.exe.old111
C:\WINDOWS\system32\pm_proc2.exe.old112
C:\WINDOWS\system32\pm_proc2.exe.old113
C:\WINDOWS\system32\pm_proc2.exe.old114
C:\WINDOWS\system32\pm_proc2.exe.old115
C:\WINDOWS\system32\pm_proc2.exe.old116
C:\WINDOWS\system32\pm_proc2.exe.old117
C:\WINDOWS\system32\pm_proc2.exe.old118
C:\WINDOWS\system32\pm_proc2.exe.old119
C:\WINDOWS\system32\pm_proc2.exe.old12
C:\WINDOWS\system32\pm_proc2.exe.old120
C:\WINDOWS\system32\pm_proc2.exe.old121
C:\WINDOWS\system32\pm_proc2.exe.old122
C:\WINDOWS\system32\pm_proc2.exe.old123
C:\WINDOWS\system32\pm_proc2.exe.old124
C:\WINDOWS\system32\pm_proc2.exe.old125
C:\WINDOWS\system32\pm_proc2.exe.old126
C:\WINDOWS\system32\pm_proc2.exe.old127
C:\WINDOWS\system32\pm_proc2.exe.old128
C:\WINDOWS\system32\pm_proc2.exe.old129
C:\WINDOWS\system32\pm_proc2.exe.old13
C:\WINDOWS\system32\pm_proc2.exe.old130
C:\WINDOWS\system32\pm_proc2.exe.old131
C:\WINDOWS\system32\pm_proc2.exe.old132
C:\WINDOWS\system32\pm_proc2.exe.old133
C:\WINDOWS\system32\pm_proc2.exe.old134
C:\WINDOWS\system32\pm_proc2.exe.old135
C:\WINDOWS\system32\pm_proc2.exe.old136
C:\WINDOWS\system32\pm_proc2.exe.old14
C:\WINDOWS\system32\pm_proc2.exe.old15
C:\WINDOWS\system32\pm_proc2.exe.old16
C:\WINDOWS\system32\pm_proc2.exe.old17
C:\WINDOWS\system32\pm_proc2.exe.old18
C:\WINDOWS\system32\pm_proc2.exe.old19
C:\WINDOWS\system32\pm_proc2.exe.old2
C:\WINDOWS\system32\pm_proc2.exe.old20
C:\WINDOWS\system32\pm_proc2.exe.old21
C:\WINDOWS\system32\pm_proc2.exe.old22
C:\WINDOWS\system32\pm_proc2.exe.old23
C:\WINDOWS\system32\pm_proc2.exe.old24
C:\WINDOWS\system32\pm_proc2.exe.old25
C:\WINDOWS\system32\pm_proc2.exe.old26
C:\WINDOWS\system32\pm_proc2.exe.old27
C:\WINDOWS\system32\pm_proc2.exe.old28
C:\WINDOWS\system32\pm_proc2.exe.old29
C:\WINDOWS\system32\pm_proc2.exe.old3
C:\WINDOWS\system32\pm_proc2.exe.old30
C:\WINDOWS\system32\pm_proc2.exe.old31
C:\WINDOWS\system32\pm_proc2.exe.old32
C:\WINDOWS\system32\pm_proc2.exe.old33
C:\WINDOWS\system32\pm_proc2.exe.old34
C:\WINDOWS\system32\pm_proc2.exe.old35
C:\WINDOWS\system32\pm_proc2.exe.old36
C:\WINDOWS\system32\pm_proc2.exe.old37
C:\WINDOWS\system32\pm_proc2.exe.old38
C:\WINDOWS\system32\pm_proc2.exe.old39
C:\WINDOWS\system32\pm_proc2.exe.old4
C:\WINDOWS\system32\pm_proc2.exe.old40
C:\WINDOWS\system32\pm_proc2.exe.old41
C:\WINDOWS\system32\pm_proc2.exe.old42
C:\WINDOWS\system32\pm_proc2.exe.old43
C:\WINDOWS\system32\pm_proc2.exe.old44
C:\WINDOWS\system32\pm_proc2.exe.old45
C:\WINDOWS\system32\pm_proc2.exe.old46
C:\WINDOWS\system32\pm_proc2.exe.old47
C:\WINDOWS\system32\pm_proc2.exe.old48
C:\WINDOWS\system32\pm_proc2.exe.old49
C:\WINDOWS\system32\pm_proc2.exe.old5
C:\WINDOWS\system32\pm_proc2.exe.old50
C:\WINDOWS\system32\pm_proc2.exe.old51
C:\WINDOWS\system32\pm_proc2.exe.old52
C:\WINDOWS\system32\pm_proc2.exe.old53
C:\WINDOWS\system32\pm_proc2.exe.old54
C:\WINDOWS\system32\pm_proc2.exe.old55
C:\WINDOWS\system32\pm_proc2.exe.old56
C:\WINDOWS\system32\pm_proc2.exe.old57
C:\WINDOWS\system32\pm_proc2.exe.old58
C:\WINDOWS\system32\pm_proc2.exe.old59
C:\WINDOWS\system32\pm_proc2.exe.old6
C:\WINDOWS\system32\pm_proc2.exe.old60
C:\WINDOWS\system32\pm_proc2.exe.old61
C:\WINDOWS\system32\pm_proc2.exe.old62
C:\WINDOWS\system32\pm_proc2.exe.old63
C:\WINDOWS\system32\pm_proc2.exe.old64
C:\WINDOWS\system32\pm_proc2.exe.old65
C:\WINDOWS\system32\pm_proc2.exe.old66
C:\WINDOWS\system32\pm_proc2.exe.old67
C:\WINDOWS\system32\pm_proc2.exe.old68
C:\WINDOWS\system32\pm_proc2.exe.old69
C:\WINDOWS\system32\pm_proc2.exe.old7
C:\WINDOWS\system32\pm_proc2.exe.old70
C:\WINDOWS\system32\pm_proc2.exe.old71
C:\WINDOWS\system32\pm_proc2.exe.old72
C:\WINDOWS\system32\pm_proc2.exe.old73
C:\WINDOWS\system32\pm_proc2.exe.old74
C:\WINDOWS\system32\pm_proc2.exe.old75
C:\WINDOWS\system32\pm_proc2.exe.old76
C:\WINDOWS\system32\pm_proc2.exe.old77
C:\WINDOWS\system32\pm_proc2.exe.old78
C:\WINDOWS\system32\pm_proc2.exe.old79
C:\WINDOWS\system32\pm_proc2.exe.old8
C:\WINDOWS\system32\pm_proc2.exe.old80
C:\WINDOWS\system32\pm_proc2.exe.old81
C:\WINDOWS\system32\pm_proc2.exe.old82
C:\WINDOWS\system32\pm_proc2.exe.old83
C:\WINDOWS\system32\pm_proc2.exe.old84
C:\WINDOWS\system32\pm_proc2.exe.old85
C:\WINDOWS\system32\pm_proc2.exe.old86
C:\WINDOWS\system32\pm_proc2.exe.old87
C:\WINDOWS\system32\pm_proc2.exe.old88
C:\WINDOWS\system32\pm_proc2.exe.old89
C:\WINDOWS\system32\pm_proc2.exe.old9
C:\WINDOWS\system32\pm_proc2.exe.old90
C:\WINDOWS\system32\pm_proc2.exe.old91
C:\WINDOWS\system32\pm_proc2.exe.old92
C:\WINDOWS\system32\pm_proc2.exe.old93
C:\WINDOWS\system32\pm_proc2.exe.old94
C:\WINDOWS\system32\pm_proc2.exe.old95
C:\WINDOWS\system32\pm_proc2.exe.old96
C:\WINDOWS\system32\pm_proc2.exe.old97
C:\WINDOWS\system32\pm_proc2.exe.old98
C:\WINDOWS\system32\pm_proc2.exe.old99
C:\WINDOWS\system32\pm_proc2.exe
C:\WINDOWS\system32\pm_proc1.exe
C:\WINDOWS\system32\pzreg1.exe.bak0
C:\WINDOWS\system32\pzreg1.exe
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
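The CFScript for ComboFix and the OTMoveIt3 `:Files` list above are long hand-typed path lists (over a hundred numbered `.oldN` backup copies of one executable), and the next reply shows OTMoveIt3 answering every line with "Unable to interpret ... in the current context!". As an added example that is not part of this thread and is not code from ComboFix or OTMoveIt3, the Python helper below groups those numbered backup copies by the executable they belong to (sorted numerically rather than in the lexicographic old1, old10, old100 order a directory listing gives), builds a de-duplicated `:Files` block, and pulls the rejected paths back out of an OTMoveIt3 results log so the analyst can see exactly which entries were not processed. The sample paths and results lines are constructed to match the formats shown in the thread; the regular expressions are my reading of those formats, not the tools' own grammar.

```python
"""Helpers for reviewing file-removal scripts of the kind posted in this thread.

Added example, not code from the forum, ComboFix or OTMoveIt3. Formats are
inferred from the log lines shown in the thread.
"""
import re
from collections import defaultdict

# Numbered backup copies as seen in the thread: <name>.exe.old<N> or <name>.exe.bak<N>
_BACKUP_RE = re.compile(r"^(?P<base>.+?\.exe)\.(?P<kind>old|bak)(?P<n>\d+)$", re.IGNORECASE)

# Shape of the OTMoveIt3 results lines the user posted back (inferred, not the tool's spec)
_OTM_ERROR_RE = re.compile(r"^Error: Unable to interpret <(?P<path>[^>]+)> in the current context!$")

# Constructed sample input modelled on the script in the thread (not a full copy of it)
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\pm_setup_util.exe.old1",
    r"C:\WINDOWS\system32\pm_proc1.exe.old0",
    r"C:\WINDOWS\system32\pm_proc1.exe.old1",
    r"C:\WINDOWS\system32\pm_proc2.exe.old0",
    r"C:\WINDOWS\system32\pm_proc2.exe.old1",
    r"C:\WINDOWS\system32\pm_proc2.exe.old10",
    r"C:\WINDOWS\system32\pm_proc2.exe.old100",
    r"C:\WINDOWS\system32\pm_proc2.exe.old2",
    r"C:\WINDOWS\system32\pm_proc2.exe",
    r"C:\WINDOWS\system32\pm_proc1.exe",
    r"c:\windows\system32\PM_PROC1.EXE",  # same file, different case: must be dropped
    r"C:\WINDOWS\system32\pzreg1.exe.bak0",
    r"C:\WINDOWS\system32\pzreg1.exe",
]

# Constructed sample of an OTMoveIt3 results window, in the format shown in the next reply
SAMPLE_RESULTS = r"""Error: Unable to interpret <c:\windows\system32\pm_setup_util.exe.old1> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc1.exe.old0> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc1.exe.old1> in the current context!
"""


def group_backup_copies(paths):
    """Map each executable (lower-cased path) to the numerically sorted list of its
    .oldN / .bakN copy numbers. Paths that are not numbered copies are skipped."""
    families = defaultdict(list)
    for p in paths:
        m = _BACKUP_RE.match(p.strip())
        if m:
            families[m.group("base").lower()].append(int(m.group("n")))
    return {base: sorted(nums) for base, nums in families.items()}


def build_otmoveit_files_block(paths):
    """Return a ':Files' block, one path per line after the directive.
    Duplicates are removed case-insensitively (Windows paths are case-insensitive);
    the first spelling wins and the original order is otherwise preserved."""
    seen = set()
    lines = [":Files"]
    for p in paths:
        key = p.strip().lower()
        if key and key not in seen:
            seen.add(key)
            lines.append(p.strip())
    return "\n".join(lines)


def unprocessed_paths(results_log):
    """Return, in log order, every path OTMoveIt3 reported it could not interpret."""
    rejected = []
    for line in results_log.splitlines():
        m = _OTM_ERROR_RE.match(line.strip())
        if m:
            rejected.append(m.group("path"))
    return rejected


if __name__ == "__main__":
    for base, nums in group_backup_copies(SAMPLE_PATHS).items():
        print(f"{base}: {len(nums)} numbered copies, highest {max(nums)}")
    print(build_otmoveit_files_block(SAMPLE_PATHS))
    print("rejected:", unprocessed_paths(SAMPLE_RESULTS))
```

When every path in a results log comes back as rejected, as in the reply below, the problem is with how the whole list was fed to the tool rather than with any one path, which is the kind of thing `unprocessed_paths` makes obvious at a glance instead of requiring a line-by-line read of 136 errors.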
Old 11-22-2008, 04:18 PM   #15 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 15
OS: Win xp SP 2


Re: system 32 trojan

Hi,
Here's the Moveit log:

Error: Unable to interpret <c:\windows\system32\pm_setup_util.exe.old1> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc1.exe.old0> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc1.exe.old1> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old0> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old1> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old10> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old100> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old101> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old102> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old103> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old104> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old105> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old106> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old107> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old108> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old109> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old11> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old110> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old111> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old112> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old113> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old114> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old115> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old116> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old117> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old118> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old119> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old12> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old120> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old121> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old122> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old123> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old124> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old125> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old126> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old127> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old128> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old129> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old13> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old130> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old131> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old132> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old133> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old134> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old135> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old136> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old14> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old15> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old16> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old17> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old18> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old19> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old2> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old20> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old21> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old22> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old23> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old24> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old25> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old26> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old27> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old28> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old29> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old3> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old30> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old31> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old32> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old33> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old34> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old35> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old36> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old37> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old38> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old39> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old4> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old40> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old41> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old42> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old43> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old44> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old45> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old46> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old47> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old48> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old49> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old5> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old50> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old51> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old52> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old53> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old54> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old55> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old56> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old57> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old58> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old59> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old6> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old60> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old61> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old62> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old63> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old64> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old65> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old66> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old67> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old68> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old69> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old7> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old70> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old71> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old72> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old73> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old74> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old75> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old76> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old77> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old78> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old79> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old8> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old80> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old81> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old82> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old83> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old84> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old85> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old86> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old87> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old88> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old89> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old9> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old90> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old91> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old92> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old93> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old94> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old95> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old96> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old97> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old98> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe.old99> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc2.exe> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pm_proc1.exe> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pzreg1.exe.bak0> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\pzreg1.exe > in the current context!

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11222008_231744
Old 11-23-2008, 11:06 AM   #16 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: system 32 trojan

Hi massey91

An error on my part. I want you to re-run ComboFix with the following script; just make sure you copy and paste the whole script, starting with and including the line File::

Go to the Start menu, select Run, and in the command box type notepad.
Next, copy/paste the text in the code box below into it:

Quote:
File::
C:\WINDOWS\system32\pm_proc1.exe.old0
C:\WINDOWS\system32\pm_proc1.exe.old1
C:\WINDOWS\system32\pm_proc2.exe.old0
C:\WINDOWS\system32\pm_proc2.exe.old1
C:\WINDOWS\system32\pm_proc2.exe.old10
C:\WINDOWS\system32\pm_proc2.exe.old100
C:\WINDOWS\system32\pm_proc2.exe.old101
C:\WINDOWS\system32\pm_proc2.exe.old102
C:\WINDOWS\system32\pm_proc2.exe.old103
C:\WINDOWS\system32\pm_proc2.exe.old104
C:\WINDOWS\system32\pm_proc2.exe.old105
C:\WINDOWS\system32\pm_proc2.exe.old106
C:\WINDOWS\system32\pm_proc2.exe.old107
C:\WINDOWS\system32\pm_proc2.exe.old108
C:\WINDOWS\system32\pm_proc2.exe.old109
C:\WINDOWS\system32\pm_proc2.exe.old11
C:\WINDOWS\system32\pm_proc2.exe.old110
C:\WINDOWS\system32\pm_proc2.exe.old111
C:\WINDOWS\system32\pm_proc2.exe.old112
C:\WINDOWS\system32\pm_proc2.exe.old113
C:\WINDOWS\system32\pm_proc2.exe.old114
C:\WINDOWS\system32\pm_proc2.exe.old115
C:\WINDOWS\system32\pm_proc2.exe.old116
C:\WINDOWS\system32\pm_proc2.exe.old117
C:\WINDOWS\system32\pm_proc2.exe.old118
C:\WINDOWS\system32\pm_proc2.exe.old119
C:\WINDOWS\system32\pm_proc2.exe.old12
C:\WINDOWS\system32\pm_proc2.exe.old120
C:\WINDOWS\system32\pm_proc2.exe.old121
C:\WINDOWS\system32\pm_proc2.exe.old122
C:\WINDOWS\system32\pm_proc2.exe.old123
C:\WINDOWS\system32\pm_proc2.exe.old124
C:\WINDOWS\system32\pm_proc2.exe.old125
C:\WINDOWS\system32\pm_proc2.exe.old126
C:\WINDOWS\system32\pm_proc2.exe.old127
C:\WINDOWS\system32\pm_proc2.exe.old128
C:\WINDOWS\system32\pm_proc2.exe.old129
C:\WINDOWS\system32\pm_proc2.exe.old13
C:\WINDOWS\system32\pm_proc2.exe.old130
C:\WINDOWS\system32\pm_proc2.exe.old131
C:\WINDOWS\system32\pm_proc2.exe.old132
C:\WINDOWS\system32\pm_proc2.exe.old133
C:\WINDOWS\system32\pm_proc2.exe.old134
C:\WINDOWS\system32\pm_proc2.exe.old135
C:\WINDOWS\system32\pm_proc2.exe.old136
C:\WINDOWS\system32\pm_proc2.exe.old14
C:\WINDOWS\system32\pm_proc2.exe.old15
C:\WINDOWS\system32\pm_proc2.exe.old16
C:\WINDOWS\system32\pm_proc2.exe.old17
C:\WINDOWS\system32\pm_proc2.exe.old18
C:\WINDOWS\system32\pm_proc2.exe.old19
C:\WINDOWS\system32\pm_proc2.exe.old2
C:\WINDOWS\system32\pm_proc2.exe.old20
C:\WINDOWS\system32\pm_proc2.exe.old21
C:\WINDOWS\system32\pm_proc2.exe.old22
C:\WINDOWS\system32\pm_proc2.exe.old23
C:\WINDOWS\system32\pm_proc2.exe.old24
C:\WINDOWS\system32\pm_proc2.exe.old25
C:\WINDOWS\system32\pm_proc2.exe.old26
C:\WINDOWS\system32\pm_proc2.exe.old27
C:\WINDOWS\system32\pm_proc2.exe.old28
C:\WINDOWS\system32\pm_proc2.exe.old29
C:\WINDOWS\system32\pm_proc2.exe.old3
C:\WINDOWS\system32\pm_proc2.exe.old30
C:\WINDOWS\system32\pm_proc2.exe.old31
C:\WINDOWS\system32\pm_proc2.exe.old32
C:\WINDOWS\system32\pm_proc2.exe.old33
C:\WINDOWS\system32\pm_proc2.exe.old34
C:\WINDOWS\system32\pm_proc2.exe.old35
C:\WINDOWS\system32\pm_proc2.exe.old36
C:\WINDOWS\system32\pm_proc2.exe.old37
C:\WINDOWS\system32\pm_proc2.exe.old38
C:\WINDOWS\system32\pm_proc2.exe.old39
C:\WINDOWS\system32\pm_proc2.exe.old4
C:\WINDOWS\system32\pm_proc2.exe.old40
C:\WINDOWS\system32\pm_proc2.exe.old41
C:\WINDOWS\system32\pm_proc2.exe.old42
C:\WINDOWS\system32\pm_proc2.exe.old43
C:\WINDOWS\system32\pm_proc2.exe.old44
C:\WINDOWS\system32\pm_proc2.exe.old45
C:\WINDOWS\system32\pm_proc2.exe.old46
C:\WINDOWS\system32\pm_proc2.exe.old47
C:\WINDOWS\system32\pm_proc2.exe.old48
C:\WINDOWS\system32\pm_proc2.exe.old49
C:\WINDOWS\system32\pm_proc2.exe.old5
C:\WINDOWS\system32\pm_proc2.exe.old50
C:\WINDOWS\system32\pm_proc2.exe.old51
C:\WINDOWS\system32\pm_proc2.exe.old52
C:\WINDOWS\system32\pm_proc2.exe.old53
C:\WINDOWS\system32\pm_proc2.exe.old54
C:\WINDOWS\system32\pm_proc2.exe.old55
C:\WINDOWS\system32\pm_proc2.exe.old56
C:\WINDOWS\system32\pm_proc2.exe.old57
C:\WINDOWS\system32\pm_proc2.exe.old58
C:\WINDOWS\system32\pm_proc2.exe.old59
C:\WINDOWS\system32\pm_proc2.exe.old6
C:\WINDOWS\system32\pm_proc2.exe.old60
C:\WINDOWS\system32\pm_proc2.exe.old61
C:\WINDOWS\system32\pm_proc2.exe.old62
C:\WINDOWS\system32\pm_proc2.exe.old63
C:\WINDOWS\system32\pm_proc2.exe.old64
C:\WINDOWS\system32\pm_proc2.exe.old65
C:\WINDOWS\system32\pm_proc2.exe.old66
C:\WINDOWS\system32\pm_proc2.exe.old67
C:\WINDOWS\system32\pm_proc2.exe.old68
C:\WINDOWS\system32\pm_proc2.exe.old69
C:\WINDOWS\system32\pm_proc2.exe.old7
C:\WINDOWS\system32\pm_proc2.exe.old70
C:\WINDOWS\system32\pm_proc2.exe.old71
C:\WINDOWS\system32\pm_proc2.exe.old72
C:\WINDOWS\system32\pm_proc2.exe.old73
C:\WINDOWS\system32\pm_proc2.exe.old74
C:\WINDOWS\system32\pm_proc2.exe.old75
C:\WINDOWS\system32\pm_proc2.exe.old76
C:\WINDOWS\system32\pm_proc2.exe.old77
C:\WINDOWS\system32\pm_proc2.exe.old78
C:\WINDOWS\system32\pm_proc2.exe.old79
C:\WINDOWS\system32\pm_proc2.exe.old8
C:\WINDOWS\system32\pm_proc2.exe.old80
C:\WINDOWS\system32\pm_proc2.exe.old81
C:\WINDOWS\system32\pm_proc2.exe.old82
C:\WINDOWS\system32\pm_proc2.exe.old83
C:\WINDOWS\system32\pm_proc2.exe.old84
C:\WINDOWS\system32\pm_proc2.exe.old85
C:\WINDOWS\system32\pm_proc2.exe.old86
C:\WINDOWS\system32\pm_proc2.exe.old87
C:\WINDOWS\system32\pm_proc2.exe.old88
C:\WINDOWS\system32\pm_proc2.exe.old89
C:\WINDOWS\system32\pm_proc2.exe.old9
C:\WINDOWS\system32\pm_proc2.exe.old90
C:\WINDOWS\system32\pm_proc2.exe.old91
C:\WINDOWS\system32\pm_proc2.exe.old92
C:\WINDOWS\system32\pm_proc2.exe.old93
C:\WINDOWS\system32\pm_proc2.exe.old94
C:\WINDOWS\system32\pm_proc2.exe.old95
C:\WINDOWS\system32\pm_proc2.exe.old96
C:\WINDOWS\system32\pm_proc2.exe.old97
C:\WINDOWS\system32\pm_proc2.exe.old98
C:\WINDOWS\system32\pm_proc2.exe.old99
C:\WINDOWS\system32\pm_proc2.exe
c:\windows\system32\pm_setup_util.exe.old1
C:\WINDOWS\system32\pm_proc1.exe
C:\WINDOWS\system32\pzreg1.exe.bak0
C:\WINDOWS\system32\pzreg1.exe
- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.



ComboFix will then execute the script and produce a fresh log.
Post this back to me in your next post.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
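Added example (an editor's note, not part of the thread, and not a tool shipped with ComboFix or OTMoveIt): a small Python script that renders the File:: directive for a CFScript.txt from a list of paths and, once ComboFix has run, cross-checks the resulting log by comparing the paths it echoes back under FILE :: with the ones it reports under Other Deletions. That comparison is worth automating here because the script above names about 140 files, and in the log posted in the next reply three of them (pm_proc1.exe, pm_proc2.exe and pzreg1.exe) appear under FILE :: but not under Other Deletions; reading a list that long by eye is how such a gap gets missed. SAMPLE_LOG is a constructed, shortened log with the same layout as the one in the thread; the section-header patterns it matches (the FILE :: line and the parenthesis-bracketed headings) are taken from that log. The function names are my own.

```python
"""Build a ComboFix CFScript and cross-check the log it produces.

Added example for the thread above; not code from ComboFix, OTMoveIt or the forum.
"""
import re
import sys

# Constructed sample: a shortened log laid out like the one posted in the thread.
SAMPLE_LOG = """\
ComboFix 08-11-21.04 - User 2008-11-23 20:51:37.6 - NTFSx86
Running from: c:\\documents and settings\\User\\Desktop\\ComboFix.exe
Command switches used :: c:\\documents and settings\\User\\Desktop\\CFScript.txt
* Created a new restore point

FILE ::
c:\\windows\\system32\\pm_proc1.exe
c:\\windows\\system32\\pm_proc1.exe.old0
c:\\windows\\system32\\pm_proc2.exe
c:\\windows\\system32\\pm_proc2.exe.old0
c:\\windows\\system32\\pzreg1.exe
c:\\windows\\system32\\pzreg1.exe.bak0
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\\windows\\system32\\pm_proc1.exe.old0
c:\\windows\\system32\\pm_proc2.exe.old0
c:\\windows\\system32\\pzreg1.exe.bak0

.
((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.
2008-11-22 23:17 . 2008-11-22 23:17 <DIR> d-------- C:\\_OTMoveIt
"""

_FILE_HDR_RE = re.compile(r"^FILE\s*::$", re.IGNORECASE)   # ComboFix's echo of the File:: directive
_HEADER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")           # e.g. "(((( Other Deletions ))))"
_PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # an absolute Windows path


def parse_sections(log_text):
    """Map each log section (lower-cased heading) to the absolute paths listed under it.

    The FILE :: echo is stored under the key "file". Lines that are not paths
    (blank lines, the "." separators, timestamped file-listing rows) are ignored.
    """
    sections = {}
    current = "preamble"
    for raw in log_text.splitlines():
        line = raw.strip()
        if _FILE_HDR_RE.match(line):
            current = "file"
            sections.setdefault(current, [])
            continue
        m = _HEADER_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if _PATH_RE.match(line):
            sections.setdefault(current, []).append(line)
    return sections


def requested_files(log_text):
    """Paths ComboFix echoed back from the script's File:: directive."""
    return parse_sections(log_text).get("file", [])


def deleted_files(log_text):
    """Paths ComboFix reported under Other Deletions."""
    return parse_sections(log_text).get("other deletions", [])


def not_deleted(log_text):
    """Requested paths that never show up as deleted (case-insensitive, since the
    script may use mixed case while the log lower-cases paths)."""
    deleted = {p.casefold() for p in deleted_files(log_text)}
    return [p for p in requested_files(log_text) if p.casefold() not in deleted]


def build_cfscript(paths):
    """Render a CFScript.txt body: the File:: directive, then one path per line.

    Whitespace is trimmed and case-insensitive duplicates dropped, keeping order,
    so a hand-assembled list cannot carry the same file twice.
    """
    seen = set()
    body = ["File::"]
    for p in paths:
        key = p.strip().casefold()
        if key and key not in seen:
            seen.add(key)
            body.append(p.strip())
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    # Usage: python check_cfscript.py C:\ComboFix.txt   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print(f"{len(requested_files(text))} requested, {len(deleted_files(text))} deleted")
    for path in not_deleted(text):
        print("NOT DELETED:", path)
```

Run it against a saved copy of the real ComboFix.txt; every path it prints as NOT DELETED is one to raise with the helper, whether because the file was already gone, was locked, or needs a different directive.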
Old 11-23-2008, 02:13 PM   #17 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 15
OS: Win xp SP 2


Re: system 32 trojan

Hi, here's the new log:

ComboFix 08-11-21.04 - User 2008-11-23 20:51:37.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.190 [GMT 0:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\pm_proc1.exe
c:\windows\system32\pm_proc1.exe.old0
c:\windows\system32\pm_proc1.exe.old1
c:\windows\system32\pm_proc2.exe
c:\windows\system32\pm_proc2.exe.old0
c:\windows\system32\pm_proc2.exe.old1
c:\windows\system32\pm_proc2.exe.old10
c:\windows\system32\pm_proc2.exe.old100
c:\windows\system32\pm_proc2.exe.old101
c:\windows\system32\pm_proc2.exe.old102
c:\windows\system32\pm_proc2.exe.old103
c:\windows\system32\pm_proc2.exe.old104
c:\windows\system32\pm_proc2.exe.old105
c:\windows\system32\pm_proc2.exe.old106
c:\windows\system32\pm_proc2.exe.old107
c:\windows\system32\pm_proc2.exe.old108
c:\windows\system32\pm_proc2.exe.old109
c:\windows\system32\pm_proc2.exe.old11
c:\windows\system32\pm_proc2.exe.old110
c:\windows\system32\pm_proc2.exe.old111
c:\windows\system32\pm_proc2.exe.old112
c:\windows\system32\pm_proc2.exe.old113
c:\windows\system32\pm_proc2.exe.old114
c:\windows\system32\pm_proc2.exe.old115
c:\windows\system32\pm_proc2.exe.old116
c:\windows\system32\pm_proc2.exe.old117
c:\windows\system32\pm_proc2.exe.old118
c:\windows\system32\pm_proc2.exe.old119
c:\windows\system32\pm_proc2.exe.old12
c:\windows\system32\pm_proc2.exe.old120
c:\windows\system32\pm_proc2.exe.old121
c:\windows\system32\pm_proc2.exe.old122
c:\windows\system32\pm_proc2.exe.old123
c:\windows\system32\pm_proc2.exe.old124
c:\windows\system32\pm_proc2.exe.old125
c:\windows\system32\pm_proc2.exe.old126
c:\windows\system32\pm_proc2.exe.old127
c:\windows\system32\pm_proc2.exe.old128
c:\windows\system32\pm_proc2.exe.old129
c:\windows\system32\pm_proc2.exe.old13
c:\windows\system32\pm_proc2.exe.old130
c:\windows\system32\pm_proc2.exe.old131
c:\windows\system32\pm_proc2.exe.old132
c:\windows\system32\pm_proc2.exe.old133
c:\windows\system32\pm_proc2.exe.old134
c:\windows\system32\pm_proc2.exe.old135
c:\windows\system32\pm_proc2.exe.old136
c:\windows\system32\pm_proc2.exe.old14
c:\windows\system32\pm_proc2.exe.old15
c:\windows\system32\pm_proc2.exe.old16
c:\windows\system32\pm_proc2.exe.old17
c:\windows\system32\pm_proc2.exe.old18
c:\windows\system32\pm_proc2.exe.old19
c:\windows\system32\pm_proc2.exe.old2
c:\windows\system32\pm_proc2.exe.old20
c:\windows\system32\pm_proc2.exe.old21
c:\windows\system32\pm_proc2.exe.old22
c:\windows\system32\pm_proc2.exe.old23
c:\windows\system32\pm_proc2.exe.old24
c:\windows\system32\pm_proc2.exe.old25
c:\windows\system32\pm_proc2.exe.old26
c:\windows\system32\pm_proc2.exe.old27
c:\windows\system32\pm_proc2.exe.old28
c:\windows\system32\pm_proc2.exe.old29
c:\windows\system32\pm_proc2.exe.old3
c:\windows\system32\pm_proc2.exe.old30
c:\windows\system32\pm_proc2.exe.old31
c:\windows\system32\pm_proc2.exe.old32
c:\windows\system32\pm_proc2.exe.old33
c:\windows\system32\pm_proc2.exe.old34
c:\windows\system32\pm_proc2.exe.old35
c:\windows\system32\pm_proc2.exe.old36
c:\windows\system32\pm_proc2.exe.old37
c:\windows\system32\pm_proc2.exe.old38
c:\windows\system32\pm_proc2.exe.old39
c:\windows\system32\pm_proc2.exe.old4
c:\windows\system32\pm_proc2.exe.old40
c:\windows\system32\pm_proc2.exe.old41
c:\windows\system32\pm_proc2.exe.old42
c:\windows\system32\pm_proc2.exe.old43
c:\windows\system32\pm_proc2.exe.old44
c:\windows\system32\pm_proc2.exe.old45
c:\windows\system32\pm_proc2.exe.old46
c:\windows\system32\pm_proc2.exe.old47
c:\windows\system32\pm_proc2.exe.old48
c:\windows\system32\pm_proc2.exe.old49
c:\windows\system32\pm_proc2.exe.old5
c:\windows\system32\pm_proc2.exe.old50
c:\windows\system32\pm_proc2.exe.old51
c:\windows\system32\pm_proc2.exe.old52
c:\windows\system32\pm_proc2.exe.old53
c:\windows\system32\pm_proc2.exe.old54
c:\windows\system32\pm_proc2.exe.old55
c:\windows\system32\pm_proc2.exe.old56
c:\windows\system32\pm_proc2.exe.old57
c:\windows\system32\pm_proc2.exe.old58
c:\windows\system32\pm_proc2.exe.old59
c:\windows\system32\pm_proc2.exe.old6
c:\windows\system32\pm_proc2.exe.old60
c:\windows\system32\pm_proc2.exe.old61
c:\windows\system32\pm_proc2.exe.old62
c:\windows\system32\pm_proc2.exe.old63
c:\windows\system32\pm_proc2.exe.old64
c:\windows\system32\pm_proc2.exe.old65
c:\windows\system32\pm_proc2.exe.old66
c:\windows\system32\pm_proc2.exe.old67
c:\windows\system32\pm_proc2.exe.old68
c:\windows\system32\pm_proc2.exe.old69
c:\windows\system32\pm_proc2.exe.old7
c:\windows\system32\pm_proc2.exe.old70
c:\windows\system32\pm_proc2.exe.old71
c:\windows\system32\pm_proc2.exe.old72
c:\windows\system32\pm_proc2.exe.old73
c:\windows\system32\pm_proc2.exe.old74
c:\windows\system32\pm_proc2.exe.old75
c:\windows\system32\pm_proc2.exe.old76
c:\windows\system32\pm_proc2.exe.old77
c:\windows\system32\pm_proc2.exe.old78
c:\windows\system32\pm_proc2.exe.old79
c:\windows\system32\pm_proc2.exe.old8
c:\windows\system32\pm_proc2.exe.old80
c:\windows\system32\pm_proc2.exe.old81
c:\windows\system32\pm_proc2.exe.old82
c:\windows\system32\pm_proc2.exe.old83
c:\windows\system32\pm_proc2.exe.old84
c:\windows\system32\pm_proc2.exe.old85
c:\windows\system32\pm_proc2.exe.old86
c:\windows\system32\pm_proc2.exe.old87
c:\windows\system32\pm_proc2.exe.old88
c:\windows\system32\pm_proc2.exe.old89
c:\windows\system32\pm_proc2.exe.old9
c:\windows\system32\pm_proc2.exe.old90
c:\windows\system32\pm_proc2.exe.old91
c:\windows\system32\pm_proc2.exe.old92
c:\windows\system32\pm_proc2.exe.old93
c:\windows\system32\pm_proc2.exe.old94
c:\windows\system32\pm_proc2.exe.old95
c:\windows\system32\pm_proc2.exe.old96
c:\windows\system32\pm_proc2.exe.old97
c:\windows\system32\pm_proc2.exe.old98
c:\windows\system32\pm_proc2.exe.old99
c:\windows\system32\pm_setup_util.exe.old1
c:\windows\system32\pzreg1.exe
c:\windows\system32\pzreg1.exe.bak0
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\pm_proc1.exe.old0
c:\windows\system32\pm_proc1.exe.old1
c:\windows\system32\pm_proc2.exe.old0
c:\windows\system32\pm_proc2.exe.old1
c:\windows\system32\pm_proc2.exe.old10
c:\windows\system32\pm_proc2.exe.old100
c:\windows\system32\pm_proc2.exe.old101
c:\windows\system32\pm_proc2.exe.old102
c:\windows\system32\pm_proc2.exe.old103
c:\windows\system32\pm_proc2.exe.old104
c:\windows\system32\pm_proc2.exe.old105
c:\windows\system32\pm_proc2.exe.old106
c:\windows\system32\pm_proc2.exe.old107
c:\windows\system32\pm_proc2.exe.old108
c:\windows\system32\pm_proc2.exe.old109
c:\windows\system32\pm_proc2.exe.old11
c:\windows\system32\pm_proc2.exe.old110
c:\windows\system32\pm_proc2.exe.old111
c:\windows\system32\pm_proc2.exe.old112
c:\windows\system32\pm_proc2.exe.old113
c:\windows\system32\pm_proc2.exe.old114
c:\windows\system32\pm_proc2.exe.old115
c:\windows\system32\pm_proc2.exe.old116
c:\windows\system32\pm_proc2.exe.old117
c:\windows\system32\pm_proc2.exe.old118
c:\windows\system32\pm_proc2.exe.old119
c:\windows\system32\pm_proc2.exe.old12
c:\windows\system32\pm_proc2.exe.old120
c:\windows\system32\pm_proc2.exe.old121
c:\windows\system32\pm_proc2.exe.old122
c:\windows\system32\pm_proc2.exe.old123
c:\windows\system32\pm_proc2.exe.old124
c:\windows\system32\pm_proc2.exe.old125
c:\windows\system32\pm_proc2.exe.old126
c:\windows\system32\pm_proc2.exe.old127
c:\windows\system32\pm_proc2.exe.old128
c:\windows\system32\pm_proc2.exe.old129
c:\windows\system32\pm_proc2.exe.old13
c:\windows\system32\pm_proc2.exe.old130
c:\windows\system32\pm_proc2.exe.old131
c:\windows\system32\pm_proc2.exe.old132
c:\windows\system32\pm_proc2.exe.old133
c:\windows\system32\pm_proc2.exe.old134
c:\windows\system32\pm_proc2.exe.old135
c:\windows\system32\pm_proc2.exe.old136
c:\windows\system32\pm_proc2.exe.old14
c:\windows\system32\pm_proc2.exe.old15
c:\windows\system32\pm_proc2.exe.old16
c:\windows\system32\pm_proc2.exe.old17
c:\windows\system32\pm_proc2.exe.old18
c:\windows\system32\pm_proc2.exe.old19
c:\windows\system32\pm_proc2.exe.old2
c:\windows\system32\pm_proc2.exe.old20
c:\windows\system32\pm_proc2.exe.old21
c:\windows\system32\pm_proc2.exe.old22
c:\windows\system32\pm_proc2.exe.old23
c:\windows\system32\pm_proc2.exe.old24
c:\windows\system32\pm_proc2.exe.old25
c:\windows\system32\pm_proc2.exe.old26
c:\windows\system32\pm_proc2.exe.old27
c:\windows\system32\pm_proc2.exe.old28
c:\windows\system32\pm_proc2.exe.old29
c:\windows\system32\pm_proc2.exe.old3
c:\windows\system32\pm_proc2.exe.old30
c:\windows\system32\pm_proc2.exe.old31
c:\windows\system32\pm_proc2.exe.old32
c:\windows\system32\pm_proc2.exe.old33
c:\windows\system32\pm_proc2.exe.old34
c:\windows\system32\pm_proc2.exe.old35
c:\windows\system32\pm_proc2.exe.old36
c:\windows\system32\pm_proc2.exe.old37
c:\windows\system32\pm_proc2.exe.old38
c:\windows\system32\pm_proc2.exe.old39
c:\windows\system32\pm_proc2.exe.old4
c:\windows\system32\pm_proc2.exe.old40
c:\windows\system32\pm_proc2.exe.old41
c:\windows\system32\pm_proc2.exe.old42
c:\windows\system32\pm_proc2.exe.old43
c:\windows\system32\pm_proc2.exe.old44
c:\windows\system32\pm_proc2.exe.old45
c:\windows\system32\pm_proc2.exe.old46
c:\windows\system32\pm_proc2.exe.old47
c:\windows\system32\pm_proc2.exe.old48
c:\windows\system32\pm_proc2.exe.old49
c:\windows\system32\pm_proc2.exe.old5
c:\windows\system32\pm_proc2.exe.old50
c:\windows\system32\pm_proc2.exe.old51
c:\windows\system32\pm_proc2.exe.old52
c:\windows\system32\pm_proc2.exe.old53
c:\windows\system32\pm_proc2.exe.old54
c:\windows\system32\pm_proc2.exe.old55
c:\windows\system32\pm_proc2.exe.old56
c:\windows\system32\pm_proc2.exe.old57
c:\windows\system32\pm_proc2.exe.old58
c:\windows\system32\pm_proc2.exe.old59
c:\windows\system32\pm_proc2.exe.old6
c:\windows\system32\pm_proc2.exe.old60
c:\windows\system32\pm_proc2.exe.old61
c:\windows\system32\pm_proc2.exe.old62
c:\windows\system32\pm_proc2.exe.old63
c:\windows\system32\pm_proc2.exe.old64
c:\windows\system32\pm_proc2.exe.old65
c:\windows\system32\pm_proc2.exe.old66
c:\windows\system32\pm_proc2.exe.old67
c:\windows\system32\pm_proc2.exe.old68
c:\windows\system32\pm_proc2.exe.old69
c:\windows\system32\pm_proc2.exe.old7
c:\windows\system32\pm_proc2.exe.old70
c:\windows\system32\pm_proc2.exe.old71
c:\windows\system32\pm_proc2.exe.old72
c:\windows\system32\pm_proc2.exe.old73
c:\windows\system32\pm_proc2.exe.old74
c:\windows\system32\pm_proc2.exe.old75
c:\windows\system32\pm_proc2.exe.old76
c:\windows\system32\pm_proc2.exe.old77
c:\windows\system32\pm_proc2.exe.old78
c:\windows\system32\pm_proc2.exe.old79
c:\windows\system32\pm_proc2.exe.old8
c:\windows\system32\pm_proc2.exe.old80
c:\windows\system32\pm_proc2.exe.old81
c:\windows\system32\pm_proc2.exe.old82
c:\windows\system32\pm_proc2.exe.old83
c:\windows\system32\pm_proc2.exe.old84
c:\windows\system32\pm_proc2.exe.old85
c:\windows\system32\pm_proc2.exe.old86
c:\windows\system32\pm_proc2.exe.old87
c:\windows\system32\pm_proc2.exe.old88
c:\windows\system32\pm_proc2.exe.old89
c:\windows\system32\pm_proc2.exe.old9
c:\windows\system32\pm_proc2.exe.old90
c:\windows\system32\pm_proc2.exe.old91
c:\windows\system32\pm_proc2.exe.old92
c:\windows\system32\pm_proc2.exe.old93
c:\windows\system32\pm_proc2.exe.old94
c:\windows\system32\pm_proc2.exe.old95
c:\windows\system32\pm_proc2.exe.old96
c:\windows\system32\pm_proc2.exe.old97
c:\windows\system32\pm_proc2.exe.old98
c:\windows\system32\pm_proc2.exe.old99
c:\windows\system32\pm_setup_util.exe.old1
c:\windows\system32\pzreg1.exe.bak0

.
((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.

2008-11-22 23:17 . 2008-11-22 23:17 <DIR> d-------- C:\_OTMoveIt
2008-11-22 20:49 . 2008-11-22 20:49 0 --a------ c:\windows\nsreg.dat
2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-11-20 19:39 . 2008-11-20 19:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-20 19:39 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-20 19:39 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-18 22:35 . 2008-11-18 22:35 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-18 22:35 . 2008-11-18 22:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-16 11:55 . 2008-11-16 11:56 250 --a------ c:\windows\gmer.ini
2008-11-15 11:15 . 2008-11-15 11:15 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old6
2008-11-15 10:04 . 2008-11-15 10:04 1,112,064 --a------ c:\windows\system32\pm_setup_util.exe.old0
2008-11-12 20:27 . 2008-11-12 20:27 244 --ah----- C:\sqmnoopt16.sqm
2008-11-12 20:27 . 2008-11-12 20:27 232 --ah----- C:\sqmdata17.sqm
2008-11-06 17:32 . 2008-11-06 17:32 244 --ah----- C:\sqmnoopt15.sqm
2008-11-06 17:32 . 2008-11-06 17:32 232 --ah----- C:\sqmdata16.sqm
2008-11-05 20:28 . 2008-11-05 20:28 <DIR> d-------- c:\program files\Gameforge4D
2008-11-05 20:28 . 2004-05-10 13:14 118,272 --a------ c:\windows\system32\SX5363S.DLL
2008-11-05 20:28 . 2004-05-10 13:14 102,400 --a------ c:\windows\system32\RV32RTP.dll
2008-11-05 20:28 . 2004-05-10 13:15 40 --a------ c:\windows\system32\Sx5363.ini
2008-10-28 20:35 . 2008-11-18 21:07 <DIR> d-------- c:\documents and settings\User\Application Data\SPORE
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\program files\iTunes
2008-10-26 14:50 . 2008-10-26 14:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-26 14:48 . 2008-10-26 14:48 <DIR> d-------- c:\program files\Bonjour
2008-10-26 14:46 . 2008-10-26 14:47 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 20:57 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-23 20:49 --------- d-----w c:\program files\BOINC
2008-11-23 01:40 447,692 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-23 01:40 38,510,624 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-22 15:00 20,312,090 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-18 22:35 --------- d-----w c:\program files\Java
2008-11-12 18:58 --------- d-----w c:\documents and settings\User\Application Data\Canon
2008-10-26 14:51 --------- d-----w c:\program files\iPod
2008-10-26 14:46 --------- d-----w c:\program files\Common Files\Apple
2008-10-24 22:22 4,203,520 ----a-w c:\windows\Internet Logs\xDB26.tmp
2008-10-24 22:21 771,072 ----a-w c:\windows\Internet Logs\xDB25.tmp
2008-10-24 17:15 --------- d-----w c:\program files\Microsoft Games
2008-10-24 11:44 --------- d-----w c:\program files\Cossacks - Back To War
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 19:59 --------- d-----w c:\program files\Microsoft AutoRoute
2008-10-14 19:14 4,172,288 ----a-w c:\windows\Internet Logs\xDB24.tmp
2008-10-10 19:51 --------- d-----w c:\program files\XoftSpySE
2008-10-10 19:26 --------- d-----w c:\program files\DreamQuest
2008-10-05 08:26 --------- d-----w c:\program files\Coupon Printer
2008-10-01 16:55 --------- d-----w c:\program files\Ahead
2008-10-01 16:50 --------- d-----w c:\program files\Common Files\Nero
2008-10-01 16:47 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-09 18:25 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 10:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 09:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2006-07-12 16:31 278,528 ----a-w c:\program files\Common Files\FDEUnInstaller.exe
2008-05-19 09:42 321 --sh--w c:\windows\system32\2300369754.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-18_17.56.48.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-13 01:19:56 49,248 ----a-w c:\windows\system32\java.exe
+ 2008-11-18 22:35:15 144,792 ----a-w c:\windows\system32\java.exe
- 2005-04-13 01:20:04 49,250 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-18 22:35:15 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-04-13 02:48:54 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-18 22:35:15 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-11-22 21:02:18 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-11-23 10:35:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4fc.dat
+ 2008-11-23 10:34:40 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-15 13570048]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"SmartError_updater"="c:\program files\SmartError\SmartErrorUpdater.exe" [2006-03-08 77824]
"BigDog305"="c:\windows\VM305_STI.EXE" [2005-08-05 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-18 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-21 185896]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-15 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"VTTimer"="VTTimer.exe" [2005-03-09 c:\windows\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-12 c:\windows\system32\VTTrayp.exe]
"CARPService"="carpserv.exe" [2003-06-11 c:\windows\system32\carpserv.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2008-08-15 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
World Community Grid - BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2008-03-17 3874816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\\windows\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 c:\progra~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Orange\\Livebox\\RGWREPAIR.EXE"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%systemroot%\\winmech\\services.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\User\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2
"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-11 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 231704]
R2 winmech;Security Services Internet;c:\windows\winmech\NTSERV~1\srunner.exe [2007-07-13 63488]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys []
S3 GameConsoleService;GameConsoleService;"c:\program files\HP Games\My HP Game Console\GameConsoleService.exe" [2008-05-05 165416]
S3 PciCon;PciCon;\??\D:\PciCon.sys []
S3 V90drv;v90drv;c:\windows\system32\DRIVERS\v90drv.sys [2001-11-29 1432836]
S3 XDva008;XDva008;\??\c:\windows\system32\XDva008.sys []
S3 ZSMC0305;VIMICRO USB PC Camera V;c:\windows\system32\Drivers\usbVM305.sys [2006-08-18 392316]
.
Contents of the 'Scheduled Tasks' folder

2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2006-09-27 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe []

2008-11-23 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 13:44]

2008-09-23 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 13:44]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 20:58:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-11-23 21:03:12
ComboFix-quarantined-files.txt 2008-11-23 21:01:50
ComboFix2.txt 2008-11-22 20:15:01
ComboFix3.txt 2008-11-22 09:22:54
ComboFix4.txt 2008-11-21 18:49:27
ComboFix5.txt 2008-11-23 20:50:26

Pre-Run: 5,565,542,400 bytes free
Post-Run: 5,577,367,552 bytes free

480 --- E O F --- 2008-11-13 08:28:35



Thanks
Old 11-24-2008, 12:50 AM   #18 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: system 32 trojan

Hi there

I still see entries cropping up as we delete them.

Please perform this online scan: F-Secure Online Scanner

The online scanner is on the bottom right of the page.
Follow the directions on the F-Secure page for proper installation.

* You may receive an alert on the address bar at this point to install the ActiveX control.
* Click on that alert and then click "Install ActiveX component".
* Read the license agreement and click "Accept".
* Click "Full System Scan" to download the scanning components and begin scan and cleaning.
* When the scan completes, click the "I want to decide item by item" button.
* For each item found, Select "Disinfect" and click "Next".
* When done, click the "Show Report" button, then copy and paste the entire report into your next reply.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 11-25-2008, 11:09 AM   #19 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 15
OS: Win xp SP 2


Re: system 32 trojan

Hi,
After clicking Full System Scan, it downloads before giving an error alert saying to retry, with (Id 12) in brackets. I retried it a couple of times with the same end result. I don't think I'm doing anything wrong, but I might be?
Thanks
Old 11-25-2008, 04:33 PM   #20 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: system 32 trojan

Hi there

Are you using Internet Explorer for the scans? If you cannot scan with F-Secure then try an online scan at ESET.

Go here to run an online scanner from ESET.
Note: -> You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Copyright 2001 - 2009, Tech Support Forum