Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 12-02-2008, 02:06 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: XP


trojan.win32.monder.gen - help

Hi everyone,

my Kaspersky Internet Security 2009 detects trojan.win32.monder.gen and can't seem to remove it. Can you please help me? Here is the log from DDS.txt.

////////////////////////////////////////////////////////////////////////////


DDS (Version 1.0) - NTFSx86
Run by Krasi at 10:42:26.68 on вторник 12/02/2008
Microsoft Windows XP Professional 5.1.2600.3.1251.1.1033.18.2046.1394 [GMT 2:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LClock\LClock.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Notebook Hardware Control\nhc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\DOCUME~1\Krasi\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Krasi\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://support.kaspersky.com/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: {101561B2-4657-468B-A398-8D9DC740D8E8} -
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {8621835E-7A6A-4CB0-B66D-3C8C059B1EE8} - c:\windows\system32\mlJApPIc.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {B3983B5E-1B68-44D8-8D36-D9AD07F4778D} -
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [LClock] c:\program files\lclock\LClock.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NotebookHardwareControl] "c:\program files\notebook hardware control\nhc.exe" -quiet
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [10ff25e8] rundll32.exe "c:\windows\system32\rlbnitve.dll",b
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\flexty~1.lnk - c:\windows\datecs\Flex2K.exe
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
LSP: imon.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {B3983B5E-1B68-44D8-8D36-D9AD07F4778D} -
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJApPIc

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-4-16 112144]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-8-14 213008]
R1 oreans32;oreans32;\??\c:\windows\system32\drivers\oreans32.sys [2008-11-18 33824]
R2 NOD32krn;NOD32 Kernel Service;"c:\program files\eset\nod32krn.exe" [2008-11-22 507904]
R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [2008-8-13 26368]
R3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [2008-8-13 42240]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-3-25 24592]
S2 AVP;Kaspersky Internet Security;"c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe" -r [2008-4-25 201992]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);c:\windows\system32\drivers\ss_bus.sys [2008-10-15 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;c:\windows\system32\drivers\ss_mdfl.sys [2008-10-15 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;c:\windows\system32\drivers\ss_mdm.sys [2008-10-15 94000]

=============== Created Last 30 ================

2008-11-22 17:25 <DIR> --d----- c:\docume~1\krasi\applic~1\TeamViewer
2008-11-22 16:35 <DIR> --d----- c:\program files\ESET
2008-11-21 20:58 <DIR> --d----- c:\docume~1\krasi\applic~1\Thinking Minds Budiling Bytes
2008-11-21 19:02 <DIR> --d----- c:\docume~1\krasi\applic~1\Real Desktop
2008-11-21 19:01 <DIR> --d----- c:\docume~1\krasi\applic~1\AD ON Multimedia

==================== Find3M ====================

2008-08-13 23:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081420080815\index.dat

============= FINISH: 10:42:51.04 ===============
Attached Files
File Type: txt gmer.txt (153.4 KB, 2 views)
File Type: txt Attach.txt (7.8 KB, 2 views)
Old 12-02-2008, 06:55 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,221
OS: 2000 Pro; XP Pro; XP Home


Re: trojan.win32.monder.gen - help

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-03-2008, 02:16 AM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: XP


Re: trojan.win32.monder.gen - help

Hi tetonbob, thank you for the fast response. I've done everything - installed Recovery Console and ran ComboFix. Here's the log. There's also a message that a .dll file could not be loaded on system startup; I'll write down the name and show it to you with my next reply - I don't know, it could be important.

ComboFix 08-12-01.03 - Krasi 2008-12-03 10:58:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1251.1.1033.18.1530 [GMT 2:00]
Running from: c:\documents and settings\Krasi\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cIPpAJlm.ini
c:\windows\system32\cIPpAJlm.ini2
c:\windows\system32\evtinblr.ini
c:\windows\system32\ijgtbvih.ini
c:\windows\system32\lffpfjds.ini
c:\windows\system32\mlJApPIc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-03 11:03 . 2008-12-03 11:03 <DIR> d-------- c:\windows\system32\xircom
2008-12-03 11:03 . 2008-12-03 11:03 <DIR> d-------- c:\program files\microsoft frontpage
2008-12-02 10:25 . 2008-12-02 10:26 250 --a------ c:\windows\gmer.ini
2008-12-02 08:39 . 2008-08-13 23:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intel
2008-12-02 08:39 . 2008-08-13 23:09 <DIR> d-------- c:\documents and settings\Administrator\7zS2092.tmp
2008-12-02 08:39 . 2008-08-13 23:09 <DIR> d-------- c:\documents and settings\Administrator\_ir_sf7_temp_0
2008-12-02 08:39 . 2008-12-02 08:39 <DIR> d-------- c:\documents and settings\Administrator
2008-11-22 17:25 . 2008-11-22 19:31 <DIR> d-------- c:\documents and settings\Krasi\Application Data\TeamViewer
2008-11-22 16:35 . 2008-12-02 02:22 <DIR> d-------- c:\program files\ESET
2008-11-22 16:35 . 2008-11-22 16:35 502,368 --a------ c:\windows\system32\drivers\amon.sys
2008-11-22 16:35 . 2008-11-22 16:35 270,336 --a------ c:\windows\system32\imon.dll
2008-11-21 20:58 . 2008-11-21 20:58 <DIR> d-------- c:\documents and settings\Krasi\Application Data\Thinking Minds Budiling Bytes
2008-11-21 19:02 . 2008-11-21 19:02 <DIR> d-------- c:\documents and settings\Krasi\Application Data\Real Desktop
2008-11-21 19:01 . 2008-11-21 19:01 <DIR> d-------- c:\documents and settings\Krasi\Application Data\AD ON Multimedia
2008-11-19 18:45 . 2008-11-19 18:45 30,206 --a------ c:\windows\system32\msiexec.rar
2008-11-18 18:59 . 2008-11-18 18:59 33,824 --a------ c:\windows\system32\drivers\oreans32.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 09:04 22,528 ----a-w c:\windows\system32\drivers\nhcDriver.sys
2008-12-03 09:04 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-03 09:01 426,016 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-03 09:01 3,584 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-03 09:01 21,308 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-03 09:01 2,455,072 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-02 08:13 --------- d-----w c:\documents and settings\Krasi\Application Data\Skype
2008-11-30 14:04 --------- d-----w c:\documents and settings\Krasi\Application Data\skypePM
2008-11-21 19:33 --------- d-----w c:\documents and settings\Krasi\Application Data\uTorrent
2008-11-19 16:52 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-19 14:46 --------- d-----w c:\documents and settings\Krasi\Application Data\PC Suite
2008-11-02 15:29 --------- d-----w c:\documents and settings\Krasi\Application Data\WeatherWatcher
2008-11-01 17:19 --------- d-----w c:\program files\Launch Manager
2008-10-25 21:44 --------- d-----w c:\program files\Skype
2008-10-15 16:22 --------- d-----w c:\documents and settings\Krasi\Application Data\Samsung
2008-10-15 16:20 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-15 16:17 --------- d-----w c:\program files\Samsung
2008-10-15 16:06 --------- d-----w c:\program files\Common Files\Adobe
2008-10-04 06:50 --------- d-----w c:\documents and settings\Krasi\Application Data\Ubisoft
2008-10-04 06:50 --------- d-----w c:\documents and settings\All Users\Application Data\Ubisoft
2008-08-13 21:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081420080815\index.dat
.

------- Sigcheck -------

2008-04-23 16:32 361344 68f06fe0021b01e670af37b8c5964fdf c:\windows\system32\drivers\tcpip.sys

2008-04-23 07:58 2306560 8c4050bd9fd87e23cded28ffa889b0ba c:\windows\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-22 1271808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 133576]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-06-12 174872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8433664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-06 81920]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 860160]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-06-29 707080]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-03-06 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-03-06 970752]
"NotebookHardwareControl"="c:\program files\Notebook Hardware Control\nhc.exe" [2007-05-04 2629632]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 201992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nwiz"="nwiz.exe" [2007-06-06 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2008-04-23 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-01 568176]
FlexType 2K.lnk - c:\windows\Datecs\Flex2K.exe [2008-08-14 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
--a------ 2008-11-22 16:35 917504 c:\program files\ESET\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-06-17 15:00 1249280 c:\program files\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-04-23 16:45 22058792 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-11-02 20:22 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\DRIVERS\AVerA310USB.sys [2008-08-13 26368]
R3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [2008-08-13 42240]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-03-25 24592]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);c:\windows\system32\DRIVERS\ss_bus.sys [2008-10-15 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;c:\windows\system32\DRIVERS\ss_mdfl.sys [2008-10-15 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;c:\windows\system32\DRIVERS\ss_mdm.sys [2008-10-15 94000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
- - - - ORPHANS REMOVED - - - -

BHO-{101561B2-4657-468B-A398-8D9DC740D8E8} - (no file)
BHO-{A4DF5B08-406D-40CA-967B-57EC0503E38E} - c:\windows\system32\mlJApPIc.dll
BHO-{B3983B5E-1B68-44D8-8D36-D9AD07F4778D} - (no file)
HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKLM-Run-10ff25e8 - c:\windows\system32\rlbnitve.dll
ShellExecuteHooks-{B3983B5E-1B68-44D8-8D36-D9AD07F4778D} - (no file)
Notify-tuvVMDwU - (no file)
MSConfigStartUp-Real Desktop - d:\games\game\Real Desktop\Real Desktop.exe
MSConfigStartUp-Yodm3D - d:\games\game\Real Desktop\Yod'm 3D\Yodm3D.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Krasi\Application Data\Mozilla\Firefox\Profiles\lvsvkv3w.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.bg/ig?hl=bg
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 11:03:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1124)
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1180)
c:\windows\system32\imon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\ESET\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\wscntfy.exe
c:\docume~1\Krasi\LOCALS~1\temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2008-12-03 1145 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-03 0939

Pre-Run: 110,814,855,168 bytes free
Post-Run: 111,036,563,456 bytes free

187
Attached Files
File Type: txt ComboFix.txt (11.8 KB, 1 views)
Old 12-03-2008, 08:39 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,221
OS: 2000 Pro; XP Pro; XP Home


Re: trojan.win32.monder.gen - help

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.
Old 12-03-2008, 02:09 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: XP


Re: trojan.win32.monder.gen - help

Hi tetonbob,

here are the contents of C:\QooBox\Add-Remove Programs.txt
.................................................................................................

Пакет за езиков интерфейс на Windows
Acrobat.com
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
Alky for Applications (Windows XP)
AMX Mod X Installer 1.8.1
Apple Software Update
AVerMedia A310 (MiniCard, DVB-T) 1.1.0.19
CubeDesktop 1.3.1
DAMN NFO Viewer v2.10.0032.RC3 (Remove Only)
FlexType 2K
Gadget Installer
Google Toolbar for Internet Explorer
HDAUDIO Soft Data Fax Modem with SmartCP
IconPackager
Intel(R) Matrix Storage Manager
Intel(R) PROSet/Wireless Software
Java(TM) 6 Update 6
Java(TM) 6 Update 7
K-Lite Codec Pack 4.1.4 (Full)
Kaspersky Internet Security 2009
Launch Manager
LClock
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Recent Documents Gadget
Microsoft User-Mode Driver Framework Feature Pack 1.5
mIRC
mIWA
mLogView
mMHouse
Mozilla Firefox (3.0.4)
mPfMgr
mPfWiz
mProSafe
mSCfg
MSVC80_x86
MSXML 6.0 Parser
MV2Player (remove only)
mWlsSafe
mZConfig
NOD32 antivirus system
Nokia Connectivity Cable Driver
Nokia PC Suite
Notebook Hardware Control 2.0 Pre-Release-06
NVIDIA Drivers
PC Connectivity Solution
PrisonBreak mIRC By Lovdjiev
Real Desktop 1.42 Light
Realtek High Definition Audio Driver
Resource Hacker 3.4.0
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
Skype™ 3.8
Synaptics Pointing Device Driver
System Requirements Lab
Weather Watcher
WebFldrs XP
WIDCOMM Bluetooth Software
Winamp
Windows Driver Package - Nokia Modem (05/22/2008 3.8)
Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Sidebar
Windows Vista Sounds Pack
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
µTorrent
.....................................................................................

P.S. Don't worry about the missing DLL file on system startup - the problem is gone now; I guess ComboFix fixed it.
Old 12-03-2008, 02:24 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,221
OS: 2000 Pro; XP Pro; XP Home


Re: trojan.win32.monder.gen - help

Hi Xeqtrr -

I overlooked this earlier. As stated in our pre-posting sticky topic...

http://www.techsupportforum.com/secu...oval-help.html

Quote:
If you have more than one antivirus software installed, leave only ONE and uninstall the others
While this may seem like greater protection, it can cause problems including slowdowns, system hangs or even crashes. This can happen if both AntiVirus applications attempt to access the same file at the same time. This may cause the applications to interfere with each other, or cause the system to lock up. It can also be a drain on system resources, making a machine run slower than it should.

I see you have more than one Anti-Virus program installed, Kaspersky Internet Security 2009 and NOD32 antivirus system. Choose one to keep and uninstall the other.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:
re-install the program -> reboot -> uninstall
-----------------------------------------------------------------------

Once you've done that, please post a new log from DDS
Old 12-04-2008, 01:42 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: XP


Re: trojan.win32.monder.gen - help

Tetonbob, sorry for the second AV program. This is my mom's laptop, and my dad's first thing when one AV detects a virus is to install another six or seven of them. KIS wanted an update this morning; I allowed it and it detected mlJApPIC.dll, deleted it again and created a backup copy, or at least it says so. I think everything (the trojan) started from the AMX mod for Counter Strike that my brother installed.
Here is the DDS log, I have also attached the Attach.txt:
....................................................................................................


DDS (Version 1.0) - NTFSx86
Run by Krasi at 10:24:22.48 on четвъртък 12/04/2008
Microsoft Windows XP Professional 5.1.2600.3.1251.1.1033.18.2046.1478 [GMT 2:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\LClock\LClock.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Notebook Hardware Control\nhc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\Datecs\Flex2K.exe
C:\DOCUME~1\Krasi\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Krasi\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://support.kaspersky.com/
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [LClock] c:\program files\lclock\LClock.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NotebookHardwareControl] "c:\program files\notebook hardware control\nhc.exe" -quiet
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\flexty~1.lnk - c:\windows\datecs\Flex2K.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-4-16 112144]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-8-14 213008]
R2 AVP;Kaspersky Internet Security;"c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe" -r [2008-4-25 201992]
R3 A310;AVerMedia A310 DVB-T;c:\windows\system32\drivers\AVerA310USB.sys [2008-8-13 26368]
R3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [2008-8-13 42240]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-3-25 24592]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);c:\windows\system32\drivers\ss_bus.sys [2008-10-15 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;c:\windows\system32\drivers\ss_mdfl.sys [2008-10-15 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;c:\windows\system32\drivers\ss_mdm.sys [2008-10-15 94000]

=============== Created Last 30 ================

2008-12-03 11:03 <DIR> --d----- c:\windows\system32\xircom
2008-12-03 11:03 <DIR> --d----- c:\program files\msn gaming zone
2008-12-03 10:57 161,792 a------- c:\windows\SWREG.exe
2008-12-03 10:57 98,816 a------- c:\windows\sed.exe
2008-12-03 10:43 <DIR> --dshr-- C:\cmdcons
2008-12-03 10:43 <DIR> --d----- c:\windows\setup.pss
2008-12-03 10:43 <DIR> --d----- c:\windows\setupupd
2008-12-02 10:25 250 a------- c:\windows\gmer.ini
2008-12-02 02:34 <DIR> --d----- c:\windows\pss
2008-11-22 17:25 <DIR> --d----- c:\docume~1\krasi\applic~1\TeamViewer
2008-11-22 16:35 <DIR> --d----- c:\program files\ESET
2008-11-21 20:58 <DIR> --d----- c:\docume~1\krasi\applic~1\Thinking Minds Budiling Bytes
2008-11-21 19:02 <DIR> --d----- c:\docume~1\krasi\applic~1\Real Desktop
2008-11-21 19:01 <DIR> --d----- c:\docume~1\krasi\applic~1\AD ON Multimedia
2008-11-19 18:45 30,206 a------- c:\windows\system32\msiexec.rar
2008-11-18 18:59 33,824 a------- c:\windows\system32\drivers\oreans32.sys

==================== Find3M ====================

2008-12-04 10:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2008-12-03 11:03 <DIR> --d----- c:\program files\Windows NT
2008-11-21 21:33 <DIR> --d----- c:\docume~1\krasi\applic~1\uTorrent
2008-11-19 18:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2008-11-19 16:46 <DIR> --d----- c:\docume~1\krasi\applic~1\PC Suite
2008-11-02 17:29 <DIR> --d----- c:\docume~1\krasi\applic~1\WeatherWatcher
2008-11-01 19:19 <DIR> --d----- c:\program files\Launch Manager
2008-10-25 23:44 <DIR> --d----- c:\program files\Skype
2008-10-15 18:22 <DIR> --d----- c:\docume~1\krasi\applic~1\Samsung
2008-10-15 18:17 <DIR> --d----- c:\program files\Samsung
2008-10-04 08:50 <DIR> --d----- c:\docume~1\krasi\applic~1\Ubisoft
2008-10-04 08:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ubisoft
2008-09-27 11:32 <DIR> --d----- c:\docume~1\krasi\applic~1\Nokia
2008-09-26 16:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Suite
2008-09-26 16:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Installations
2008-08-14 00:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2008-08-14 00:43 <DIR> --d----- c:\docume~1\krasi\applic~1\DAEMON Tools Pro
2008-08-13 23:44 <DIR> --d----- c:\docume~1\krasi\applic~1\Intel
2008-08-13 23:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intel
2008-08-13 23:15 <DIR> --d----- c:\docume~1\krasi\applic~1\Styler
2008-08-13 23:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081420080815\index.dat

============= FINISH: 10:25:06.60 ===============
Attached: Attach.txt (10.1 KB)
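The DDS log above lists every running process and every autostart (Run-key) entry by full path. One check a helper applies by eye when reading such a log is whether anything runs or auto-starts from a location the logged-on user can write to, as the RtkBtMnt.exe instance under Temp does here; legitimate installers normally put their autostart binaries under Program Files or system32. The script below is an added example, not part of this thread and not code from the DDS tool, that performs that check over a few lines copied from the log (a constructed sample, not the whole log) and handles both the process-list and the Run-key line forms. The 8.3 short-name table and the list of "user-writable" locations are assumptions for illustration.

```python
import re

# Constructed sample: a handful of lines copied from the DDS log in the post
# above (running-process lines and Run-key lines), not the whole log.
SAMPLE = r"""
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Krasi\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Krasi\Desktop\dds.com
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
"""

# 8.3 aliases as they appear on a default English Windows XP install.
# Assumption for illustration: real short names depend on creation order
# (a second "Program Files" variant becomes PROGRA~2), so on another machine
# this table would be built from `dir /x` output rather than hard-coded.
SHORT_NAMES = {
    "docume~1": "documents and settings",
    "alluse~1": "all users",
    "locals~1": "local settings",
    "applic~1": "application data",
    "progra~1": "program files",
}

# Locations any process running as the logged-on user can write to. An image
# in one of these is not proof of anything; it is a candidate for the helper
# to verify (vendor, hash, install date).
USER_WRITABLE = [
    (re.compile(r"\\temp\\", re.I), "runs from a Temp directory"),
    (re.compile(r"\\application data\\", re.I), "runs from Application Data"),
    (re.compile(r"\\desktop\\", re.I), "runs from a user's Desktop"),
]

RUN_LINE = re.compile(r"^[mud]Run(?:Once)?: \[[^\]]*\] (?P<cmd>.*)$")
# First drive-letter path in the command, up to its executable extension.
IMAGE = re.compile(r'^"?(?P<path>[a-z]:\\.*?\.(?:exe|com|scr|bat|cmd|dll))', re.I)


def expand_short_names(path):
    """Replace 8.3 aliases so the USER_WRITABLE patterns can match."""
    return re.sub(r"[a-z0-9]+~\d",
                  lambda m: SHORT_NAMES.get(m.group(0).lower(), m.group(0)),
                  path, flags=re.I)


def image_path(line):
    """Executable path named by a process-list or Run-key line, or None.

    Entries such as 'RUNDLL32.EXE c:\\...\\NvCpl.dll,NvStartup' begin with a
    bare program name, so they return None here; a fuller triage would also
    resolve the DLL argument.
    """
    line = line.strip()
    m = RUN_LINE.match(line)
    cmd = m.group("cmd") if m else line
    m = IMAGE.match(cmd)
    return m.group("path") if m else None


def triage(log_text):
    """Return [(line, reason)] for every entry whose image sits in a user-writable location."""
    findings = []
    for line in log_text.splitlines():
        path = image_path(line)
        if not path:
            continue
        full = expand_short_names(path)
        for pattern, reason in USER_WRITABLE:
            if pattern.search(full):
                findings.append((line.strip(), reason))
                break
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE):
        print(f"{reason}: {line}")
```

Run against the sample it flags two lines: RtkBtMnt.exe under Temp and dds.com on the Desktop. The second is the diagnostic tool itself, which is the point of the caveat in the comments: the heuristic surfaces candidates for a person to judge, it does not declare anything malicious.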
Old 12-04-2008, 08:44 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,221
OS: 2000 Pro; XP Pro; XP Home


Re: trojan.win32.monder.gen - help

Hi Xeqtrr -

I believe Kaspersky was finding mlJApPIC.dll in either System Restore points, or ComboFix quarantine, as it's in the deletions list. I see no current active infection. Those will be addressed in a short while, after these next steps.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------


Please run this online scan to help look for remnants.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-04-2008, 11:08 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: XP


Re: trojan.win32.monder.gen - help

Hi tetonbob,

things look very good on this side - all the ads are gone, no missing files on system startup. Haven't run a KIS scan on the laptop, but the ESET Online Scanner found 5 threats - scared the living c*ap out of me; luckily they all turned out to be keymakers and patches. I would like to give you the address where I get all this stuff from, the best torrent site in Bulgaria and probably the world, but I'm not sure if it's not against the rules of www.techsupportforum.com. P.M. maybe? Anyway, here is the ESET log file:
....................................................................................................
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3664 (20081204)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ac1dfff403abe14daa9cabfa2d3897ed
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-12-04 05:54:48
# local_time=2008-12-04 07:54:48 (+0200, FLE Standard Time)
# country="Bulgaria"
# osver=5.1.2600 NT Service Pack 3
# scanned=293265
# found=5
# scan_time=1694
C:\Documents and Settings\Krasi\Desktop\Dimo\Daemon.Tools.Pro.Advanced.v4.10.0218-L33VaNcL33F\daemon.tools.pro.patch.exe probably a variant of Win32/Agent trojan 841E9211B1112287DF77F95D2A3F4FCB
D:\Dimo\Winamp 5.5 Build 1640 Final\Keymaker.rar probably a variant of Win32/Rbot trojan 7D92E35526826FABE05F24ECCB65DE0B
D:\Dimo\Winamp 5.5 Build 1640 Final\Keymaker.rar »RAR »Keymaker.exe probably a variant of Win32/Rbot trojan 00000000000000000000000000000000
D:\Games\game\Daemon Tools Pro Advanced - 4.10.0218 + Patch\Daemon.Tools.Pro.Advanced.-v4.10.0218-JAAI\Daemon.Tools.Pro.Advanced.v4.10.0218-Patch + Serial\Patch\daemon.tools.pro.patch.exe probably a variant of Win32/Agent trojan 841E9211B1112287DF77F95D2A3F4FCB
D:\Games\game\Daemon Tools Pro Advanced - 4.10.0218 + Patch\Daemon.Tools.Pro.Advanced.-v4.10.0218-JAAI\Patch\daemon.tools.pro.patch.exe probably a variant of Win32/Agent trojan 841E9211B1112287DF77F95D2A3F4FCB
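The ESET Online Scanner log in the post above is line-oriented: `# key=value` header lines, then one detection per line made of a path, a verdict and an MD5, with members of archives written as `outer.rar »RAR »inner.exe`. Read with the hashes in mind, the five hits collapse to fewer files: the three daemon.tools.pro.patch.exe lines share one MD5, so they are one binary copied to three places, and `remove_checked=false` records that the scan only reported (the "Remove found threats" box was unticked, as instructed), so every listed file is still on disk. The parser below is an added example, not part of the thread and not ESET's own tooling; it assumes the "(probably) a variant of <family> <type>" verdict wording seen in this log (anything else is returned as unparsed), treats the all-zero hash on the nested Keymaker.exe line as a placeholder rather than a real digest, and runs over a constructed sample with the long folder names shortened.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant header lines and the five detection lines
# from the ESET log in the post above, with the long folder names shortened.
ESET_LOG = r"""# version=4
# remove_checked=false
# unwanted_checked=true
# osver=5.1.2600 NT Service Pack 3
# scanned=293265
# found=5
C:\Documents and Settings\Krasi\Desktop\Dimo\daemon.tools.pro.patch.exe probably a variant of Win32/Agent trojan 841E9211B1112287DF77F95D2A3F4FCB
D:\Dimo\Winamp 5.5 Build 1640 Final\Keymaker.rar probably a variant of Win32/Rbot trojan 7D92E35526826FABE05F24ECCB65DE0B
D:\Dimo\Winamp 5.5 Build 1640 Final\Keymaker.rar »RAR »Keymaker.exe probably a variant of Win32/Rbot trojan 00000000000000000000000000000000
D:\Games\game\Daemon Tools Pro Advanced\Patch + Serial\Patch\daemon.tools.pro.patch.exe probably a variant of Win32/Agent trojan 841E9211B1112287DF77F95D2A3F4FCB
D:\Games\game\Daemon Tools Pro Advanced\Patch\daemon.tools.pro.patch.exe probably a variant of Win32/Agent trojan 841E9211B1112287DF77F95D2A3F4FCB
"""

HEADER = re.compile(r"^# (?P<key>[\w.]+)=(?P<value>.*)$")
# Assumption: only the "[probably] a variant of <family> <type>" verdict
# wording seen in this log is parsed; other wordings land in `unparsed`.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<verdict>(?:probably )?a variant of \S+ \S+) "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
ARCHIVE_SEP = " »"      # ESET writes archive members as  outer.rar »RAR »inner.exe
NO_HASH = "0" * 32      # placeholder on nested objects, not a real digest


def parse_eset_log(text):
    """Split the log into (header dict, list of finding dicts, unparsed lines)."""
    header, findings, unparsed = {}, [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            header[m.group("key")] = m.group("value")
            continue
        m = DETECTION.match(line)
        if not m:
            unparsed.append(line)
            continue
        parts = m.group("path").split(ARCHIVE_SEP)
        findings.append({
            "path": m.group("path"),
            "container": parts[0] if len(parts) > 1 else None,
            "verdict": m.group("verdict"),
            "md5": m.group("md5").upper(),
        })
    return header, findings, unparsed


def group_by_hash(findings):
    """MD5 -> paths. Several paths under one hash is one file copied around, not several infections."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["md5"]].append(f["path"])
    return dict(groups)


def summarize(text):
    header, findings, unparsed = parse_eset_log(text)
    groups = group_by_hash(findings)
    return {
        # remove_checked mirrors the "Remove found threats" box: false means
        # the scan only reported, so every listed file is still on disk.
        "scan_removed_files": header.get("remove_checked") == "true",
        "count_matches_header": header.get("found") == str(len(findings)),
        "distinct_files": sum(1 for h in groups if h != NO_HASH),
        "archive_members": [f["path"] for f in findings if f["container"]],
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for md5, paths in group_by_hash(parse_eset_log(ESET_LOG)[1]).items():
        print(md5, len(paths), "location(s)")
    print(summarize(ESET_LOG))
```

The `container` field is what a deletion script needs: removing the nested Keymaker.exe means deleting the .rar that holds it, which is exactly what the fix.bat posted later in the thread does.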
Old 12-04-2008, 11:56 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,221
OS: 2000 Pro; XP Pro; XP Home


Re: trojan.win32.monder.gen - help

This is quite likely the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore. Don't think: "I have a good Antivirus and Firewall installed, they will protect me" - because that's not true... and even before you know it, your Antivirus and Firewall may become disabled by the malware which has now found its way on your system.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal.

Referring to the Forum Rules which you should have read at the time of Registering at this forum, TSF does not support illegal activity. Before posting for help, we ask that you uninstall any such applications, as indicated in this sticky topic.

As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine. Any future requests for help may be ignored.

Uninstall this illegal software now.

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:
Code:
@echo off
rem fix.bat - delete the files ESET flagged; any that survive are listed in %temp%\log.txt
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\Krasi\Desktop\Dimo\Daemon.Tools.Pro.Advanced.v4.10.0218-L33VaNcL33F\daemon.tools.pro.patch.exe"
"D:\Dimo\Winamp 5.5 Build 1640 Final\Keymaker.rar"
"D:\Games\game\Daemon Tools Pro Advanced - 4.10.0218 + Patch\Daemon.Tools.Pro.Advanced.-v4.10.0218-JAAI\Daemon.Tools.Pro.Advanced.v4.10.0218-Patch + Serial\Patch\daemon.tools.pro.patch.exe"
"D:\Games\game\Daemon Tools Pro Advanced - 4.10.0218 + Patch\Daemon.Tools.Pro.Advanced.-v4.10.0218-JAAI\Patch\daemon.tools.pro.patch.exe"

) do (
rem /a ignores read-only, hidden and system attributes; /f forces the delete
del /a/f %%g >nul 2>&1
rem record anything still present
if exist %%g echo.%%g>>"%temp%\log.txt"
)

rem show the leftovers in Notepad, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem the batch file removes itself
del %0
Save this as fix.bat (in the Save dialog choose "Save as type: All Files").
Double click on fix.bat & allow it to run

Post back to tell me what it says
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-04-2008, 02:07 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: XP


Re: trojan.win32.monder.gen - help

Hi tetonbob,

I really feel bad and guilty. I read the illegal software thread, but what makes me feel even worse - I just realised that you wrote it. Wrong man to speak to about cracked content. Anyway, I'm sorry, and here's what fix.bat said - "Deleted Successfully!!". I also let KIS do a full scan of the system because it was scheduled, and kept the log file. If it's of any use to you I'll attach it. KIS deleted some files.
Attached: KIS.txt (7.9 KB)
Old 12-04-2008, 03:05 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,221
OS: 2000 Pro; XP Pro; XP Home


Re: trojan.win32.monder.gen - help

Thanks. Part of our mission is to educate users on how they get infected, and how to prevent it in the future. An infected machine often affects more than just the user's machine. In that sense, we're all responsible for each other on the internet, as one bot-infested machine can cause trouble for another person's machine without either of them knowing it.

Looks like most of those items found by KIS are in System Restore points, and ComboFix quarantine. Those will be addressed by uninstalling ComboFix as instructed below.

The other item found is in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below

Other than that....

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to Start -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that behave like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download hosts.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  • Trillian (http://www.trillian.cc) or Miranda-IM (http://www.miranda-im.com) - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-04-2008, 04:05 PM   #13 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 7
OS: XP


Re: trojan.win32.monder.gen - help

Thank you Tetonbob, you're the man. And thanks to www.techsupportforum.com for existing. Keep up the good work guys! I won't say "Hope to see you soon" - you're probably already sick of me. Thank you guys!
Old 12-04-2008, 05:30 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,221
OS: 2000 Pro; XP Pro; XP Home


Re: trojan.win32.monder.gen - help

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Copyright 2001 - 2009, Tech Support Forum