Resolved HJT Threads - Resolved spyware and popup issues.
#1  12-07-2008, 02:00 PM
OYE
Registered User
 
Join Date: Dec 2008
Posts: 18
OS: WIN XP


Vnafudcc.dat Virus

I'm infected with the above referenced virus. It interferes with Internet Explorer. It redirects searches. I also get a system message to install virus2009remover.

I tried to remove it with Symantec and Malwarebytes Anti-Malware but they are unable to remove it.

As per instructions I have posted below the logs requested. Please help ASAP.

Thank you


DDS (Version 1.0) - NTFSx86
Run by European Art Design at 15:13:25.70 on Sun 12/07/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.502.132 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\European Art Design\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\SYSTEM32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Peachw\peachw.exe
C:\Peachw\W32MKDE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\European Art Design\Local Settings\Temporary Internet Files\Content.IE5\R36OVHTV\dds[1].com

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://www.google.com/
mSearch Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {4A4B0ABE-124F-41A1-B3E1-0C18A3CEAF73} - c:\windows\system32\ATKCTR.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {850DE269-D599-4C07-A8BE-AC1C3A6AB197} - c:\documents and settings\european art design\my documents\my music\5\pjn-toolbar\סרגל הכלים של פורטל הדת היהודית\pjn01.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {7A22E28C-2E4E-4B3C-AA6F-A126F63253DA} - c:\documents and settings\european art design\my documents\my music\5\pjn-toolbar\סרגל הכלים של פורטל הדת היהודית\pjn01.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {7A22E28C-2E4E-4B3C-AA6F-A126F63253DA} - c:\documents and settings\european art design\my documents\my music\5\pjn-toolbar\סרגל הכלים של פורטל הדת היהודית\pjn01.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\european art design\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ADATA_PLUtil] c:\program files\a-data\usb flash disk utility\PLBkMon.exe
mRun: [PLFFAP] c:\windows\system32\HotfixQ0306270.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\europe~1\startm~1\programs\startup\hamachi.lnk - c:\program files\hamachi\hamachi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: uLxSDPNjk - {8C7A089A-26D0-A230-2468-42548FD3071F} - c:\windows\system32\aca.dll

============= SERVICES / DRIVERS ===============

R0 mglpewgn;mglpewgn;c:\windows\system32\drivers\vnafudcc.dat []
R0 PLFF;USB Flash Disk Driver;c:\windows\system32\drivers\PLFF.sys [2005-4-2 7424]
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2006-11-21 169576]
R2 lmiinfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\RaInfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-3-16 47640]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2007-3-14 1816768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-31 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081206.003\naveng.sys [2008-12-6 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081206.003\navex15.sys [2008-12-6 876112]
S0 kvfdo;kvfdo;c:\windows\system32\drivers\bxgsuh.sys []
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874} [2004-8-4 5120]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2007-3-14 116416]
S4 LMIRfsClientNP;LMIRfsClientNP; []

=============== Created Last 30 ================

2008-12-07 14:54 61,440 a------- c:\windows\system32\drivers\llia.sys
2008-11-24 00:04 <DIR> --d----- c:\docume~1\europe~1\applic~1\Malwarebytes
2008-11-24 00:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-24 00:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-24 00:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-24 00:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2008-11-12 12:52 116,480 a------- c:\windows\system32\ATKCTR.dll
2008-11-01 18:15 110,080 a------- c:\windows\system32\services.exe
2008-11-01 18:15 14,336 a------- c:\windows\system32\lsass.exe
2008-11-01 18:15 505,856 a------- c:\windows\system32\winlogon.exe
2008-10-31 15:19 110,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-31 15:19 48,768 a------- c:\windows\system32\S32EVNT1.DLL
2008-10-31 15:19 8,014 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-31 15:19 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-10-24 06:10 453,632 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 23:25 388,608 a------- c:\windows\system32\CF26772.exe
2008-10-23 23:24 388,608 a------- c:\windows\system32\CF26674.exe
2008-10-23 23:23 388,608 a------- c:\windows\system32\CF26439.exe
2008-10-23 23:21 388,608 a------- c:\windows\system32\CF25910.exe
2008-10-23 23:19 388,608 a------- c:\windows\system32\CF25607.exe
2008-10-19 21:54 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-17 14:11 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2008-10-17 14:11 47,640 a------- c:\windows\system32\drivers\LMIRfsDriver.sys
2008-10-17 14:11 28,984 a------- c:\windows\system32\LMIport.dll
2008-10-17 14:11 87,352 a------- c:\windows\system32\LMIinit.dll
2008-10-17 14:11 23,736 a------- c:\windows\system32\lmimirr.dll
2008-10-17 14:11 10,040 a------- c:\windows\system32\lmimirr2.dll
2008-10-17 01:17 18,688 a------- c:\windows\system32\drivers\vnafudcc.dat
2008-10-17 01:17 5,120 a------- c:\windows\system32\drivers\pvhwydib.dat
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 06:57 1,846,016 -------- c:\windows\system32\dllcache\win32k.sys
2008-08-04 11:53 308,240 a------- c:\docume~1\europe~1\applic~1\GDIPFONTCACHEV1.DAT
2007-12-10 23:17 540,488 a------- c:\program files\Koshernet Client Filter - 3.4.19-kosher.exe
2007-09-30 23:41 439,296 a------- c:\documents and settings\european art design\GoToAssist_phone__317_en.exe
2007-08-22 13:34 258 ac------ c:\documents and settings\european art design\jobq.dat
2006-07-09 20:24 560 ac------ c:\docume~1\europe~1\applic~1\ViewerApp.dat
2005-09-07 18:25 6,668 ac------ c:\program files\Uninst.isu
2005-09-07 18:24 1,202 ac------ c:\program files\Responsa.ini
2002-04-29 04:28 36,864 ac------ c:\program files\UNINST.DLL
2002-04-21 22:43 507,904 ac------ c:\program files\Engeng.dll
2002-04-21 22:26 499,712 ac------ c:\program files\Hebrew.dll
2002-04-21 22:25 507,904 ac------ c:\program files\English.dll
2001-02-12 06:07 737,280 ac------ c:\program files\OT79ASU.DLL
2001-02-12 06:06 294,912 ac------ c:\program files\SFL9ASU.DLL
1999-12-07 03:00 995,384 ac------ c:\program files\MFC42U.DLL
1999-12-07 03:00 295,000 ac------ c:\program files\MSVCRT.DLL
1998-08-19 03:56 40,960 ac------ c:\program files\BIDIEX.DLL
1998-05-14 23:00 73,184 ac------ c:\program files\common files\dao2535.tlb
1998-04-26 23:00 570,128 a------- c:\program files\common files\Dao350.dll
2005-03-17 19:23 848 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:14:01.79 ===============
Attached Files
File Type: zip Gmer.zip (2.4 KB, 2 views)
File Type: zip Attach.zip (4.3 KB, 2 views)
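Added example (not part of the thread, and not something DDS itself does): a small triage pass over the SERVICES / DRIVERS lines posted above. It flags the two entries a helper would look at first, `mglpewgn` loading `vnafudcc.dat` and `kvfdo` loading `bxgsuh.sys`, because DDS could not read a timestamp or size for them (the empty `[]`), one of them is a `.dat` file loaded as a boot-start driver, and both have short random-looking names with no descriptive display name. The sample lines are copied from the log above; the rule thresholds and the `looks_random` heuristic are this example's own assumptions.

```python
"""Triage heuristics for the SERVICES / DRIVERS section of a DDS log.

Added example, not part of the forum thread or of the DDS tool. The lines
below are copied from the DDS output posted above; the scoring rules are
assumptions of this example, not anything DDS itself does.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: service/driver lines from the DDS log in this thread.
DDS_SERVICE_LINES = r"""
R0 mglpewgn;mglpewgn;c:\windows\system32\drivers\vnafudcc.dat []
R0 PLFF;USB Flash Disk Driver;c:\windows\system32\drivers\PLFF.sys [2005-4-2 7424]
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2006-11-21 192104]
S0 kvfdo;kvfdo;c:\windows\system32\drivers\bxgsuh.sys []
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]
S4 LMIRfsClientNP;LMIRfsClientNP; []
"""

# DDS line layout: <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]*);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")


@dataclass
class Finding:
    name: str
    start_type: int      # 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled
    image: str
    reasons: list = field(default_factory=list)

    @property
    def boot_start(self) -> bool:
        return self.start_type == 0


def image_path(raw: str) -> str:
    """Strip quotes, command-line arguments and the \\??\\ NT prefix from a path field."""
    raw = raw.strip()
    if raw.startswith('"'):
        raw = raw[1:].split('"', 1)[0]
    else:
        raw = raw.split(" ", 1)[0]
    if raw.startswith("\\??\\"):
        raw = raw[4:]
    return raw


def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example): all-lowercase, 5+ letters, few vowels."""
    if not (name.isalpha() and name.islower() and len(name) >= 5):
        return False
    vowels = sum(c in "aeiouy" for c in name)
    return vowels / len(name) < 0.25


def triage_dds_services(text: str) -> list:
    """Return findings for every service/driver line that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _kind, start, name, display, path, meta = m.groups()
        image = image_path(path)
        f = Finding(name=name, start_type=int(start), image=image)
        if image and not meta.strip():
            # DDS prints [date size] for files it can read; an empty bracket means
            # the file was hidden from it or does not exist on disk.
            f.reasons.append("no file timestamp/size recorded (file hidden or missing)")
        if "\\drivers\\" in image.lower() and not image.lower().endswith(".sys"):
            f.reasons.append("non-.sys file loaded from the drivers directory")
        if looks_random(name) and name == display:
            f.reasons.append("random-looking service name with no descriptive display name")
        if f.reasons and f.boot_start:
            f.reasons.append("boot-start (loads before most security software)")
        if f.reasons:
            findings.append(f)
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage_dds_services(DDS_SERVICE_LINES):
        print(f"{f.name} ({f.image}):")
        for r in f.reasons:
            print("  -", r)
```

Legitimate entries with odd names (the LogMeIn `LMIRfsClientNP` network provider has no image path at all) stay below the threshold because a rule only fires when there is a path to judge; the point of the pass is to order a long list for a human, not to decide on its own.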
#2  12-08-2008, 08:49 AM
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Vnafudcc.dat Virus

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
#3  12-11-2008, 12:42 PM
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team

Re: Vnafudcc.dat Virus

Still with me, OYE?

I generally unsubscribe from threads after 7 days of inactivity. If I don't receive a reply from you within 3 days of this post, this topic will be closed.
#4  12-14-2008, 04:46 PM
OYE
Registered User

Re: Vnafudcc.dat Virus

I'm still working on it.
#5  12-14-2008, 05:46 PM
OYE
Registered User

Re: Vnafudcc.dat Virus

ComboFix 08-12-14.04 - European Art Design 2008-12-14 19:17:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.502.200 [GMT -5:00]
Running from: c:\documents and settings\European Art Design\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\European Art Design\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\windows\system32\atkctr.dll
c:\windows\system32\bszip.dll
c:\windows\system32\drivers\pvhwydib.dat
c:\windows\system32\drivers\vnafudcc.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_mglpewgn
-------\Service_mglpewgn


((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-07 15:16 . 2008-12-07 15:16 250 --a------ c:\windows\gmer.ini
2008-12-05 13:57 . 2005-03-11 17:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-12-05 13:57 . 2005-03-11 16:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-12-05 13:57 . 2005-03-11 17:03 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-05 13:57 . 2008-12-05 13:57 <DIR> d-------- c:\documents and settings\Administrator
2008-12-03 13:52 . 2008-12-04 23:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-24 00:04 . 2008-11-24 13:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-24 00:04 . 2008-11-24 00:04 <DIR> d-------- c:\documents and settings\European Art Design\Application Data\Malwarebytes
2008-11-24 00:04 . 2008-11-24 00:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-24 00:04 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-24 00:04 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 00:24 --------- d-----w c:\documents and settings\European Art Design\Application Data\Hamachi
2008-12-15 00:22 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-14 10:59 --------- d-----w c:\program files\LogMeIn
2008-12-09 03:08 --------- d-----w c:\program files\PCCW
2008-12-05 04:58 --------- d--h--w c:\program files\Zero G Registry
2008-12-05 04:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 04:42 --------- d-----w c:\program files\Airport Mania
2008-11-18 23:31 --------- d-----w c:\program files\Yahoo SiteBuilder
2008-10-31 20:19 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-31 20:19 8,014 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-31 20:19 110,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-31 20:19 --------- d-----w c:\program files\Symantec
2008-10-31 20:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-31 20:17 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-31 19:37 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-10-31 19:11 --------- d-----w c:\program files\Enigma Software Group
2008-10-31 19:11 --------- d-----w c:\documents and settings\European Art Design\Application Data\SUPERAntiSpyware.com
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 04:26 --------- d-----w c:\program files\Exterminate It!
2008-10-23 04:20 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2008-10-23 03:37 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-23 03:28 --------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-20 02:54 --------- d-----w c:\program files\Java
2008-10-17 19:11 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys
2008-08-04 16:53 308,240 ----a-w c:\documents and settings\European Art Design\Application Data\GDIPFONTCACHEV1.DAT
2007-12-11 04:17 540,488 ----a-w c:\program files\Koshernet Client Filter - 3.4.19-kosher.exe
2007-10-01 04:41 439,296 ----a-w c:\documents and settings\European Art Design\GoToAssist_phone__317_en.exe
2007-08-22 18:34 258 -c--a-w c:\documents and settings\European Art Design\jobq.dat
2006-07-10 01:24 560 -c--a-w c:\documents and settings\European Art Design\Application Data\ViewerApp.dat
2005-09-07 23:25 6,668 -c--a-w c:\program files\Uninst.isu
2005-09-07 23:24 1,202 -c--a-w c:\program files\Responsa.ini
2002-04-29 09:28 36,864 -c--a-w c:\program files\UNINST.DLL
2002-04-22 03:43 507,904 -c--a-w c:\program files\Engeng.dll
2002-04-22 03:26 499,712 -c--a-w c:\program files\Hebrew.dll
2002-04-22 03:25 507,904 -c--a-w c:\program files\English.dll
2001-02-12 11:07 737,280 -c--a-w c:\program files\OT79ASU.DLL
2001-02-12 11:06 294,912 -c--a-w c:\program files\SFL9ASU.DLL
1999-12-07 08:00 995,384 -c--a-w c:\program files\MFC42U.DLL
1999-12-07 08:00 295,000 -c--a-w c:\program files\MSVCRT.DLL
1998-08-19 08:56 40,960 -c--a-w c:\program files\BIDIEX.DLL
1998-05-15 04:00 73,184 -c--a-w c:\program files\Common Files\dao2535.tlb
1998-04-27 04:00 570,128 ----a-w c:\program files\Common Files\Dao350.dll
2005-03-18 00:23 848 -csha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------

2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-11-01 18:15 505856 e853481fef64a5be3fc3732d9d3d926a c:\windows\SYSTEM32\winlogon.exe

2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2008-11-01 18:15 110080 5812a3513734517f8c2c5eab6b269864 c:\windows\SYSTEM32\services.exe

2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2008-11-01 18:15 14336 c3e6b717e7b284e1fa89ba9f7a1be1ed c:\windows\SYSTEM32\lsass.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\European Art Design\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-05-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-05-06 118784]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ADATA_PLUtil"="c:\program files\A-DATA\USB Flash Disk Utility\PLBkMon.exe" [2004-09-10 90112]
"PLFFAP"="c:\windows\system32\HotfixQ0306270.exe" [2003-08-05 45056]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-11-16 2065648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-19 144792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2007-03-14 125632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-13 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\European Art Design\Start Menu\Programs\Startup\
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-03-24 625952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-03-19 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-08 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 14:11 87352 c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22004

R0 PLFF;USB Flash Disk Driver;c:\windows\system32\Drivers\PLFF.sys [2005-04-02 7424]
R2 lmiinfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [2007-08-03 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-16 47640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-31 99376]
S0 kvfdo;kvfdo;c:\windows\system32\drivers\bxgsuh.sys []
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874} [2004-08-04 5120]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2007-03-14 116416]
S4 LMIRfsClientNP;LMIRfsClientNP; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e28ffe6c-c312-11dc-9bc1-001111e870e5}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - F:\system.exe
\Shell\Open\command - F:\system.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-14 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2008-12-14 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []

2008-12-14 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\European Art Design\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-07 22:14]

2008-12-15 c:\windows\Tasks\User_Feed_Synchronization-{BB087463-F4F9-4412-9080-854ED8BDC299}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
- - - - ORPHANS REMOVED - - - -

BHO-{850DE269-D599-4C07-A8BE-AC1C3A6AB197} - c:\documents and settings\European Art Design\My Documents\My Music\5\PJN-ToolBar\סרגל הכלים של פורטל הדת היהודית\pjn01.dll
Toolbar-{7A22E28C-2E4E-4B3C-AA6F-A126F63253DA} - c:\documents and settings\European Art Design\My Documents\My Music\5\PJN-ToolBar\סרגל הכלים של פורטל הדת היהודית\pjn01.dll
WebBrowser-{7A22E28C-2E4E-4B3C-AA6F-A126F63253DA} - c:\documents and settings\European Art Design\My Documents\My Music\5\PJN-ToolBar\סרגל הכלים של פורטל הדת היהודית\pjn01.dll
SSODL-uLxSDPNjk-{8C7A089A-26D0-A230-2468-42548FD3071F} - c:\windows\System32\aca.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchURL = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\OneCC.dll - O16 -: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7}
hxxp://d.66.155.171.111.downloads.estara.com./as/OneCCDM.php?template=41870&sessionid=1139088675_66.155.171.111_35028&=&req=1188958507816OneCC.cab
c:\windows\Downloaded Program Files\OneCC.inf

c:\windows\SYSTEM32\ATL.DLL - c:\windows\SYSTEM32\MFC42.DLL
c:\windows\SYSTEM32\MSVCRT.DLL
c:\windows\SYSTEM32\OLEPRO32.DLL
c:\windows\Downloaded Program Files\mfc42u.dll
c:\windows\Downloaded Program Files\cselexpt.ocx
c:\windows\Downloaded Program Files\reportparameterdialog.dll
c:\windows\Downloaded Program Files\CRViewer.dll
c:\windows\Downloaded Program Files\sviewhlp.dll
c:\windows\Downloaded Program Files\swebrs.dll
O16 -: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011}
hxxps://vimas.cynergydata.com/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
c:\windows\Downloaded Program Files\crviewer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 19:23:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\progra~1\SYMANT~1\VPTray.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\SYSTEM32\IoctlSvc.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\SYSTEM32\FXSSVC.EXE
c:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2008-12-14 19:32:30 - machine was rebooted [European Art Design]
ComboFix-quarantined-files.txt 2008-12-15 00:32:12

Pre-Run: 1,586,126,848 bytes free
Post-Run: 1,800,974,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

257 --- E O F --- 2008-12-12 0814
Old 12-14-2008, 06:52 PM   #6 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Vnafudcc.dat Virus

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    c:\windows\SYSTEM32\winlogon.exe

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following files:
    • c:\windows\SYSTEM32\services.exe
    • c:\windows\SYSTEM32\lsass.exe
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-15-2008, 12:51 AM   #7 (permalink)
OYE
Registered User
 
Join Date: Dec 2008
Posts: 18
OS: WIN XP


Re: Vnafudcc.dat Virus

File winlogon.exe received on 11.04.2008 22:02:14 (CET)
Current status: finished

Result: 5/36 (13.89%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Patched.CX.155
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Patched.E.gen!Eldorado
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - Trojan.Win32.Patched.g
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32 - - -
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - -
Rising - - -
SecureWeb-Gateway - - Trojan.Patched.CX.155
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - Trojan/Patched.cx
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Additional information
MD5: e853481fef64a5be3fc3732d9d3d926a
SHA1: 3bc3f70bae2fbda88641a1e9dda1a4829fb1d87b
SHA256: 16a889f78308d8819d8dbf930949f995c14adbdf0e14a36c5466ac7db1058537
SHA512: e2e74acb8020aec95485c1552c2609822e5a5b41d0840595216dbce220f78922c3504abcda84372a44e43bc19a9adf9aa6252715861b7d9afe32185259a211b6

File services.exe received on 08.12.2008 11:56:25 (CET)
Current status: finished

Result: 1/36 (2.78%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - -
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - Win32.Malware.gen (suspicious)
Additional information
MD5: 5812a3513734517f8c2c5eab6b269864
SHA1: e66854ef7a4431a1a4b45b33f020d98b19004546
SHA256: 5377d171fd562bea8cbae266c90e2be735d92a853621b4bfa0bd652368f4cc0d
SHA512: b81e2132c6737cfb210f21bb4e73261d07847926404af6dc5bd9be27c7c93e41473f150ef779d52aeb1e575ae9d5c82f001067c389a5a85458e209485464ce46

File lsass.e received on 08.12.2008 11:47:41 (CET)
Current status: finished

Result: 1/36 (2.78%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.8.12.0 2008.08.12 -
AntiVir 7.8.1.19 2008.08.12 -
Authentium 5.1.0.4 2008.08.12 -
Avast 4.8.1195.0 2008.08.11 -
AVG 8.0.0.156 2008.08.12 -
BitDefender 7.2 2008.08.12 -
CAT-QuickHeal 9.50 2008.08.11 -
ClamAV 0.93.1 2008.08.12 -
DrWeb 4.44.0.09170 2008.08.12 -
eSafe 7.0.17.0 2008.08.11 -
eTrust-Vet 31.6.6027 2008.08.12 -
Ewido 4.0 2008.08.11 -
F-Prot 4.4.4.56 2008.08.12 -
F-Secure 7.60.13501.0 2008.08.12 -
Fortinet 3.14.0.0 2008.08.12 -
GData 2.0.7306.1023 2008.08.12 -
Ikarus T3.1.1.34.0 2008.08.12 -
K7AntiVirus 7.10.411 2008.08.11 -
Kaspersky 7.0.0.125 2008.08.12 -
McAfee 5358 2008.08.11 -
Microsoft 1.3807 2008.08.12 -
NOD32v2 3348 2008.08.12 -
Norman 5.80.02 2008.08.12 -
Panda 9.0.0.4 2008.08.12 -
PCTools 4.4.2.0 2008.08.11 -
Prevx1 V2 2008.08.12 -
Rising 20.57.12.00 2008.08.12 -
Sophos 4.32.0 2008.08.12 -
Sunbelt 3.1.1542.1 2008.08.12 -
Symantec 10 2008.08.12 -
TheHacker 6.2.96.396 2008.08.12 -
TrendMicro 8.700.0.1004 2008.08.12 -
VBA32 3.12.8.3 2008.08.11 -
ViRobot 2008.8.11.1331 2008.08.11 -
VirusBuster 4.5.11.0 2008.08.11 -
Webwasher-Gateway 6.6.2 2008.08.12 Win32.Malware.gen (suspicious)
Additional information
File size: 14336 bytes
MD5...: c3e6b717e7b284e1fa89ba9f7a1be1ed
SHA1..: 3b4b7c5711bfcf378d3cff4406a65305d1c80725
SHA256: a1e6df0db509885e3b9761a22122fed0778bfb4192c25a033bf17cc0aceda2dc
SHA512: 4b26b690db91a80531b87de6b2aed403a32b667f8b8a8f7921431fa1313ca80d
5e40c2d894259faf07516b719f6b5157fe258d63bd99ed59804d90ef9efc1d3d
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10014bd
timedatestamp.....: 0x41107b4d (Wed Aug 04 05:59:41 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10d0 0x1200 6.01 d107b4f218abee66665545859fb9cc89
.data 0x3000 0x6c 0x200 0.20 86a789a893c60d5e207d053188cdc250
.rsrc 0x4000 0x3000 0x2000 6.56 7f2c6b63c3587c210b4e84d26843bfd9

( 5 imports )
> ADVAPI32.dll: FreeSid, CheckTokenMembership, AllocateAndInitializeSid, OpenThreadToken, ImpersonateSelf, RevertToSelf
> KERNEL32.dll: CloseHandle, GetCurrentThread, ExitThread, SetUnhandledExceptionFilter, SetErrorMode, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlUnwind, InterlockedExchange, VirtualQuery
> ntdll.dll: NtSetInformationProcess, RtlInitUnicodeString, NtCreateEvent, NtOpenEvent, NtSetEvent, NtClose, NtRaiseHardError, RtlAdjustPrivilege, NtShutdownSystem, RtlUnhandledExceptionFilter
> LSASRV.dll: LsaISetupWasRun, LsapDsDebugInitialize, LsapAuOpenSam, LsapCheckBootMode, ServiceInit, LsapInitLsa, LsapDsInitializePromoteInterface, LsapDsInitializeDsStateInfo
> SAMSRV.dll: SamIInitialize, SampUsingDsData

( 0 exports )
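The "Compact Print results" layout pasted above (as requested in post #6) is easy to misread by eye: a verdict can contain spaces, a long hash can wrap onto a second line, and a paste cut short still carries the original "Result: x/y" line. As an added example, not code from the thread or from VirusTotal, here is a small parser for that layout; the sample paste is constructed from abbreviated rows, with the hashes copied from the post above, and the stated ratio is checked against the rows actually present.

```python
"""Parse 2008-era VirusTotal "Compact Print results" text as pasted in forum threads."""
import re
from dataclasses import dataclass, field


@dataclass
class VTReport:
    filename: str
    stated_hits: int = 0
    stated_total: int = 0
    engines: dict = field(default_factory=dict)  # engine -> verdict, None when clean ("-")
    hashes: dict = field(default_factory=dict)   # "MD5"/"SHA1"/"SHA256"/"SHA512" -> hex

    @property
    def detections(self):
        """Engines that returned a verdict other than '-'."""
        return {e: v for e, v in self.engines.items() if v is not None}

    def consistent(self):
        """True when the parsed rows agree with the stated x/y ratio (paste not truncated)."""
        return (len(self.detections), len(self.engines)) == (self.stated_hits, self.stated_total)

    def patched_verdicts(self):
        """Engines whose verdict names a patched file, the finding this thread turns on."""
        return {e for e, v in self.detections.items() if "patched" in v.lower()}


FILE_RE = re.compile(r"^File (\S+) received on ")
RESULT_RE = re.compile(r"^Result: (\d+)/(\d+)")
TABLE_HDR = "Antivirus Version Last Update Result"
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\.*\s*:\s*([0-9a-fA-F]+)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_vt_reports(text):
    """Return one VTReport per 'File ... received on' block found in the paste."""
    reports, report, in_table, last_hash = [], None, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            report = VTReport(filename=m.group(1))
            reports.append(report)
            in_table, last_hash = False, None
            continue
        if report is None:
            continue  # text before the first report header
        m = RESULT_RE.match(line)
        if m:
            report.stated_hits, report.stated_total = int(m.group(1)), int(m.group(2))
            continue
        if line == TABLE_HDR:
            in_table = True
            continue
        if line.startswith("Additional information"):
            in_table = False
            continue
        if in_table:
            # engine, version and update are single tokens; only the verdict may contain spaces
            parts = line.split(None, 3)
            if len(parts) == 4:
                engine, _version, _updated, verdict = parts
                report.engines[engine] = None if verdict == "-" else verdict
            continue
        m = HASH_RE.match(line)
        if m:
            last_hash = m.group(1)
            report.hashes[last_hash] = m.group(2).lower()
            continue
        if last_hash and HEX_RE.match(line):
            report.hashes[last_hash] += line.lower()  # hash wrapped onto a second line
            continue
        last_hash = None
    return reports


# Constructed sample in the pasted layout: rows abbreviated, hashes copied from the post
# above. The second report keeps its real "1/36" line but only two rows, as a cut-short
# paste would look.
SAMPLE_PASTE = """\
File winlogon.exe received on 11.04.2008 22:02:14 (CET)
Current status: finished

Result: 3/5 (60.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Patched.CX.155
F-Prot - - W32/Patched.E.gen!Eldorado
Kaspersky - - -
SecureWeb-Gateway - - Trojan.Patched.CX.155
Additional information
MD5: e853481fef64a5be3fc3732d9d3d926a

File lsass.exe received on 08.12.2008 11:47:41 (CET)
Current status: finished

Result: 1/36 (2.78%)
Compact Print results
Antivirus Version Last Update Result
Kaspersky 7.0.0.125 2008.08.12 -
Webwasher-Gateway 6.6.2 2008.08.12 Win32.Malware.gen (suspicious)
Additional information
File size: 14336 bytes
MD5...: c3e6b717e7b284e1fa89ba9f7a1be1ed
SHA512: 4b26b690db91a80531b87de6b2aed403a32b667f8b8a8f7921431fa1313ca80d
5e40c2d894259faf07516b719f6b5157fe258d63bd99ed59804d90ef9efc1d3d
PEiD..: -
"""

if __name__ == "__main__":
    for r in parse_vt_reports(SAMPLE_PASTE):
        note = "" if r.consistent() else "  (rows do not match stated ratio: paste truncated?)"
        print(f"{r.filename}: {len(r.detections)}/{len(r.engines)} engines flagged{note}")
        for engine, verdict in r.detections.items():
            print(f"  {engine}: {verdict}")
        print(f"  patched-file verdicts: {sorted(r.patched_verdicts()) or 'none'}")
        print(f"  MD5: {r.hashes.get('MD5', '?')}")
```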
Old 12-15-2008, 08:50 AM   #8 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Vnafudcc.dat Virus

These core system files are patched. This next step will be used to replace them.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    Fcopy::
    c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe | c:\windows\SYSTEM32\winlogon.exe
    c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe | c:\windows\SYSTEM32\services.exe
    c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe | c:\windows\SYSTEM32\lsass.exe



    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
Old 12-15-2008, 09:38 PM   #9 (permalink)
OYE
Registered User
 
Join Date: Dec 2008
Posts: 18
OS: WIN XP


Re: Vnafudcc.dat Virus

ComboFix 08-12-14.04 - European Art Design 2008-12-15 23:24:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.502.193 [GMT -5:00]
Running from: c:\documents and settings\European Art Design\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\European Art Design\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe --> c:\windows\SYSTEM32\winlogon.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe --> c:\windows\SYSTEM32\services.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe --> c:\windows\SYSTEM32\lsass.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-15 23:25 . 2008-12-15 23:25 <DIR> d-------- c:\windows\LastGood
2008-12-15 23:25 . 2008-04-13 19:12 507,904 --a------ c:\windows\SYSTEM32\OLD988.tmp
2008-12-15 23:25 . 2008-04-13 19:12 108,544 --a------ c:\windows\SYSTEM32\OLD98B.tmp
2008-12-15 23:25 . 2008-04-13 19:12 13,312 --a------ c:\windows\SYSTEM32\OLD98E.tmp
2008-12-07 15:16 . 2008-12-07 15:16 250 --a------ c:\windows\gmer.ini
2008-12-05 13:57 . 2005-03-11 17:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-12-05 13:57 . 2005-03-11 16:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-12-05 13:57 . 2005-03-11 17:03 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-05 13:57 . 2008-12-05 13:57 <DIR> d-------- c:\documents and settings\Administrator
2008-12-03 13:52 . 2008-12-04 23:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-24 00:04 . 2008-11-24 13:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-24 00:04 . 2008-11-24 00:04 <DIR> d-------- c:\documents and settings\European Art Design\Application Data\Malwarebytes
2008-11-24 00:04 . 2008-11-24 00:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-24 00:04 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-24 00:04 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 04:29 --------- d-----w c:\documents and settings\European Art Design\Application Data\Hamachi
2008-12-16 04:21 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-15 11:38 --------- d-----w c:\program files\LogMeIn
2008-12-09 03:08 --------- d-----w c:\program files\PCCW
2008-12-05 04:58 --------- d--h--w c:\program files\Zero G Registry
2008-12-05 04:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 04:42 --------- d-----w c:\program files\Airport Mania
2008-11-18 23:31 --------- d-----w c:\program files\Yahoo SiteBuilder
2008-10-31 20:19 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-31 20:19 8,014 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-31 20:19 48,768 ----a-w c:\windows\SYSTEM32\S32EVNT1.DLL
2008-10-31 20:19 110,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-31 20:19 --------- d-----w c:\program files\Symantec
2008-10-31 20:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-31 20:17 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-31 19:37 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-10-31 19:11 --------- d-----w c:\program files\Enigma Software Group
2008-10-31 19:11 --------- d-----w c:\documents and settings\European Art Design\Application Data\SUPERAntiSpyware.com
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-24 04:26 --------- d-----w c:\program files\Exterminate It!
2008-10-23 13:01 283,648 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\SYSTEM32\DLLCACHE\gdi32.dll
2008-10-23 04:20 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2008-10-23 03:37 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-23 03:28 --------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-20 02:54 410,976 ----a-w c:\windows\SYSTEM32\deploytk.dll
2008-10-20 02:54 --------- d-----w c:\program files\Java
2008-10-17 19:11 87,352 ----a-w c:\windows\SYSTEM32\LMIinit.dll
2008-10-17 19:11 83,288 ----a-w c:\windows\SYSTEM32\LMIRfsClientNP.dll
2008-10-17 19:11 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys
2008-10-17 19:11 28,984 ----a-w c:\windows\SYSTEM32\LMIport.dll
2008-10-17 19:11 23,736 ----a-w c:\windows\SYSTEM32\lmimirr.dll
2008-10-17 19:11 10,040 ----a-w c:\windows\SYSTEM32\lmimirr2.dll
2008-10-17 07:08 3,593,216 ------w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\WUPS.DLL
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-10-15 16:57 332,800 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\SYSTEM32\strmdll.dll
2008-10-03 10:15 247,326 ------w c:\windows\SYSTEM32\DLLCACHE\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-08-04 16:53 308,240 ----a-w c:\documents and settings\European Art Design\Application Data\GDIPFONTCACHEV1.DAT
2007-12-11 04:17 540,488 ----a-w c:\program files\Koshernet Client Filter - 3.4.19-kosher.exe
2007-10-01 04:41 439,296 ----a-w c:\documents and settings\European Art Design\GoToAssist_phone__317_en.exe
2007-08-22 18:34 258 -c--a-w c:\documents and settings\European Art Design\jobq.dat
2006-07-10 01:24 560 -c--a-w c:\documents and settings\European Art Design\Application Data\ViewerApp.dat
2005-09-07 23:25 6,668 -c--a-w c:\program files\Uninst.isu
2005-09-07 23:24 1,202 -c--a-w c:\program files\Responsa.ini
2002-04-29 09:28 36,864 -c--a-w c:\program files\UNINST.DLL
2002-04-22 03:43 507,904 -c--a-w c:\program files\Engeng.dll
2002-04-22 03:26 499,712 -c--a-w c:\program files\Hebrew.dll
2002-04-22 03:25 507,904 -c--a-w c:\program files\English.dll
2001-02-12 11:07 737,280 -c--a-w c:\program files\OT79ASU.DLL
2001-02-12 11:06 294,912 -c--a-w c:\program files\SFL9ASU.DLL
1999-12-07 08:00 995,384 -c--a-w c:\program files\MFC42U.DLL
1999-12-07 08:00 295,000 -c--a-w c:\program files\MSVCRT.DLL
1998-08-19 08:56 40,960 -c--a-w c:\program files\BIDIEX.DLL
1998-05-15 04:00 73,184 -c--a-w c:\program files\Common Files\dao2535.tlb
1998-04-27 04:00 570,128 ----a-w c:\program files\Common Files\Dao350.dll
2005-03-18 00:23 848 -csha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-14_19.30.13.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12:24 13,312 ----a-w c:\windows\LastGood\system32\lsass.exe
+ 2008-04-14 00:12:34 108,544 ----a-w c:\windows\LastGood\system32\services.exe
+ 2008-04-14 00:12:39 507,904 ----a-w c:\windows\LastGood\system32\winlogon.exe
+ 2004-08-04 11:00:00 13,312 ----a-w c:\windows\SYSTEM32\DLLCACHE\lsass.exe
+ 2004-08-04 11:00:00 108,032 ----a-w c:\windows\SYSTEM32\DLLCACHE\services.exe
+ 2004-08-04 11:00:00 502,272 ----a-w c:\windows\SYSTEM32\DLLCACHE\winlogon.exe
+ 2008-12-15 00:23:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\European Art Design\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-05-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-05-06 118784]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ADATA_PLUtil"="c:\program files\A-DATA\USB Flash Disk Utility\PLBkMon.exe" [2004-09-10 90112]
"PLFFAP"="c:\windows\system32\HotfixQ0306270.exe" [2003-08-05 45056]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-11-16 2065648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-19 144792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2007-03-14 125632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-13 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\European Art Design\Start Menu\Programs\Startup\
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-03-24 625952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-03-19 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-08 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 14:11 87352 c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22004

R0 PLFF;USB Flash Disk Driver;c:\windows\system32\Drivers\PLFF.sys [2005-04-02 7424]
R2 lmiinfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [2007-08-03 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-16 47640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-31 99376]
S0 kvfdo;kvfdo;c:\windows\system32\drivers\bxgsuh.sys []
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874} [2004-08-04 5120]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2007-03-14 116416]
S4 LMIRfsClientNP;LMIRfsClientNP; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e28ffe6c-c312-11dc-9bc1-001111e870e5}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - F:\system.exe
\Shell\Open\command - F:\system.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2008-12-15 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []

2008-12-16 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\European Art Design\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-07 22:14]

2008-12-16 c:\windows\Tasks\User_Feed_Synchronization-{BB087463-F4F9-4412-9080-854ED8BDC299}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchURL = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\OneCC.dll - O16 -: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7}
hxxp://d.66.155.171.111.downloads.estara.com./as/OneCCDM.php?template=41870&sessionid=1139088675_66.155.171.111_35028&=&req=1188958507816OneCC.cab
c:\windows\Downloaded Program Files\OneCC.inf

c:\windows\SYSTEM32\ATL.DLL - c:\windows\SYSTEM32\MFC42.DLL
c:\windows\SYSTEM32\MSVCRT.DLL
c:\windows\SYSTEM32\OLEPRO32.DLL
c:\windows\Downloaded Program Files\mfc42u.dll
c:\windows\Downloaded Program Files\cselexpt.ocx
c:\windows\Downloaded Program Files\reportparameterdialog.dll
c:\windows\Downloaded Program Files\CRViewer.dll
c:\windows\Downloaded Program Files\sviewhlp.dll
c:\windows\Downloaded Program Files\swebrs.dll
O16 -: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011}
hxxps://vimas.cynergydata.com/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
c:\windows\Downloaded Program Files\crviewer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 23:29:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2008-12-15 23:31:14
ComboFix-quarantined-files.txt 2008-12-16 04:30:28
ComboFix2.txt 2008-12-15 00:32:32

Pre-Run: 1,727,811,584 bytes free
Post-Run: 1,759,404,032 bytes free

264 --- E O F --- 2008-12-12 0814
OYE is offline  
Old 12-15-2008, 09:51 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Vnafudcc.dat Virus

Looks better.

We need to run another script.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    File::
    c:\windows\Tasks\ErrorSmart Scheduled Scan.job

    Rootkit::
    c:\windows\system32\drivers\bxgsuh.sys

    Driver::
    kvfdo

    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e28ffe6c-c312-11dc-9bc1-001111e870e5}]

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

  6. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5


    These are all outdated, and having them still installed is a security risk. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should.

    You should also update your Java(TM) 6 Update 10. You can do this by going to Control Panel (using Classic View) > Java (looks like a coffee cup) > Update tab > Update now. An update should begin, follow the prompts.

    Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

    ---------------------------------------------------------------------------------------------
  7. Please perform this online scan to help look for remnants.

    Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.

    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan.

    • Click Accept when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on Settings. Uncheck Mail databases.
    • Next, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    ---------------------------------------------------------------------------------------------

    Post logs from ComboFix and Kaspersky, and let me know how the machine is behaving.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 12-17-2008, 11:42 AM   #11 (permalink)
OYE
Registered User
 
Join Date: Dec 2008
Posts: 18
OS: WIN XP


Re: Vnafudcc.dat Virus

The machine is behaving so far so good. I hope it stays clean. I see in the Windows Task Manager a new process, ALG.EXE (LOCAL SERVICE). Is this OK or a new villain??

Thanks a lot for your help


ComboFix 08-12-14.04 - European Art Design 2008-12-16 0:05:44.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.502.201 [GMT -5:00]
Running from: c:\documents and settings\European Art Design\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\European Art Design\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Tasks\ErrorSmart Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\ErrorSmart Scheduled Scan.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kvfdo


((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-15 23:25 . <DIR> c:\windows\LastGood.Tmp
2008-12-07 15:16 . 2008-12-07 15:16 250 --a------ c:\windows\gmer.ini
2008-12-05 13:57 . 2005-03-11 17:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2008-12-05 13:57 . 2005-03-11 16:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2008-12-05 13:57 . 2005-03-11 17:03 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2008-12-05 13:57 . 2008-12-05 13:57 <DIR> d-------- c:\documents and settings\Administrator
2008-12-03 13:52 . 2008-12-04 23:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-24 00:04 . 2008-11-24 13:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-24 00:04 . 2008-11-24 00:04 <DIR> d-------- c:\documents and settings\European Art Design\Application Data\Malwarebytes
2008-11-24 00:04 . 2008-11-24 00:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-24 00:04 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-24 00:04 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 05:13 --------- d-----w c:\documents and settings\European Art Design\Application Data\Hamachi
2008-12-16 05:10 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-16 05:05 --------- d-----w c:\program files\LogMeIn
2008-12-09 03:08 --------- d-----w c:\program files\PCCW
2008-12-05 04:58 --------- d--h--w c:\program files\Zero G Registry
2008-12-05 04:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 04:42 --------- d-----w c:\program files\Airport Mania
2008-11-18 23:31 --------- d-----w c:\program files\Yahoo SiteBuilder
2008-10-31 20:19 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-31 20:19 8,014 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-31 20:19 110,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-31 20:19 --------- d-----w c:\program files\Symantec
2008-10-31 20:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-31 20:17 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-31 19:37 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-10-31 19:11 --------- d-----w c:\program files\Enigma Software Group
2008-10-31 19:11 --------- d-----w c:\documents and settings\European Art Design\Application Data\SUPERAntiSpyware.com
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 04:26 --------- d-----w c:\program files\Exterminate It!
2008-10-23 04:20 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2008-10-23 03:37 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-23 03:28 --------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-20 02:54 --------- d-----w c:\program files\Java
2008-10-17 19:11 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys
2008-08-04 16:53 308,240 ----a-w c:\documents and settings\European Art Design\Application Data\GDIPFONTCACHEV1.DAT
2007-12-11 04:17 540,488 ----a-w c:\program files\Koshernet Client Filter - 3.4.19-kosher.exe
2007-10-01 04:41 439,296 ----a-w c:\documents and settings\European Art Design\GoToAssist_phone__317_en.exe
2007-08-22 18:34 258 -c--a-w c:\documents and settings\European Art Design\jobq.dat
2006-07-10 01:24 560 -c--a-w c:\documents and settings\European Art Design\Application Data\ViewerApp.dat
2005-09-07 23:25 6,668 -c--a-w c:\program files\Uninst.isu
2005-09-07 23:24 1,202 -c--a-w c:\program files\Responsa.ini
2002-04-29 09:28 36,864 -c--a-w c:\program files\UNINST.DLL
2002-04-22 03:43 507,904 -c--a-w c:\program files\Engeng.dll
2002-04-22 03:26 499,712 -c--a-w c:\program files\Hebrew.dll
2002-04-22 03:25 507,904 -c--a-w c:\program files\English.dll
2001-02-12 11:07 737,280 -c--a-w c:\program files\OT79ASU.DLL
2001-02-12 11:06 294,912 -c--a-w c:\program files\SFL9ASU.DLL
1999-12-07 08:00 995,384 -c--a-w c:\program files\MFC42U.DLL
1999-12-07 08:00 295,000 -c--a-w c:\program files\MSVCRT.DLL
1998-08-19 08:56 40,960 -c--a-w c:\program files\BIDIEX.DLL
1998-05-15 04:00 73,184 -c--a-w c:\program files\Common Files\dao2535.tlb
1998-04-27 04:00 570,128 ----a-w c:\program files\Common Files\Dao350.dll
2005-03-18 00:23 848 -csha-w c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-14_19.30.13.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12:24 13,312 ----a-w c:\windows\LastGood.Tmp\system32\lsass.exe
+ 2008-04-14 00:12:34 108,544 ----a-w c:\windows\LastGood.Tmp\system32\services.exe
+ 2008-04-14 00:12:39 507,904 ----a-w c:\windows\LastGood.Tmp\system32\winlogon.exe
+ 2004-08-04 11:00:00 13,312 ----a-w c:\windows\SYSTEM32\DLLCACHE\lsass.exe
+ 2004-08-04 11:00:00 108,032 ----a-w c:\windows\SYSTEM32\DLLCACHE\services.exe
+ 2004-08-04 11:00:00 502,272 ----a-w c:\windows\SYSTEM32\DLLCACHE\winlogon.exe
- 2008-11-01 23:15:38 14,336 ----a-w c:\windows\SYSTEM32\lsass.exe
+ 2004-08-04 11:00:00 13,312 ----a-w c:\windows\SYSTEM32\lsass.exe
- 2008-11-01 23:15:38 110,080 ----a-w c:\windows\SYSTEM32\services.exe
+ 2004-08-04 11:00:00 108,032 ----a-w c:\windows\SYSTEM32\services.exe
- 2008-11-01 23:15:36 505,856 ----a-w c:\windows\SYSTEM32\winlogon.exe
+ 2004-08-04 11:00:00 502,272 ----a-w c:\windows\SYSTEM32\winlogon.exe
+ 2008-12-16 05:12:05 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\European Art Design\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-05-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-05-06 118784]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ADATA_PLUtil"="c:\program files\A-DATA\USB Flash Disk Utility\PLBkMon.exe" [2004-09-10 90112]
"PLFFAP"="c:\windows\system32\HotfixQ0306270.exe" [2003-08-05 45056]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-11-16 2065648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-19 144792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2007-03-14 125632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-13 98304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\European Art Design\Start Menu\Programs\Startup\
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-03-24 625952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-03-19 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-08 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 14:11 87352 c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22004

R0 PLFF;USB Flash Disk Driver;c:\windows\system32\Drivers\PLFF.sys [2005-04-02 7424]
R2 lmiinfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [2007-08-03 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-16 47640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-31 99376]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\DRIVERS\gan_adapter.sys [2006-10-19 10664]
S3 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874} [2004-08-04 5120]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2007-03-14 116416]
S4 LMIRfsClientNP;LMIRfsClientNP; []
.
Contents of the 'Scheduled Tasks' folder

2008-12-16 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\European Art Design\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-07 22:14]

2008-12-16 c:\windows\Tasks\User_Feed_Synchronization-{BB087463-F4F9-4412-9080-854ED8BDC299}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchURL = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\OneCC.dll - O16 -: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7}
hxxp://d.66.155.171.111.downloads.estara.com./as/OneCCDM.php?template=41870&sessionid=1139088675_66.155.171.111_35028&=&req=1188958507816OneCC.cab
c:\windows\Downloaded Program Files\OneCC.inf

c:\windows\SYSTEM32\ATL.DLL - c:\windows\SYSTEM32\MFC42.DLL
c:\windows\SYSTEM32\MSVCRT.DLL
c:\windows\SYSTEM32\OLEPRO32.DLL
c:\windows\Downloaded Program Files\mfc42u.dll
c:\windows\Downloaded Program Files\cselexpt.ocx
c:\windows\Downloaded Program Files\reportparameterdialog.dll
c:\windows\Downloaded Program Files\CRViewer.dll
c:\windows\Downloaded Program Files\sviewhlp.dll
c:\windows\Downloaded Program Files\swebrs.dll
O16 -: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011}
hxxps://vimas.cynergydata.com/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
c:\windows\Downloaded Program Files\crviewer.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 00:12:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\SYSTEM32\IoctlSvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\SYSTEM32\FXSSVC.EXE
c:\progra~1\SYMANT~1\VPTray.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\program files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Completion time: 2008-12-16 0:21:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 05:20:43
ComboFix2.txt 2008-12-16 04:31:15
ComboFix3.txt 2008-12-15 00:32:32

Pre-Run: 1,699,295,232 bytes free
Post-Run: 1,726,017,536 bytes free

242 --- E O F --- 2008-12-12 0814


This is the second report.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 17, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 17, 2008 05:03:00
Records in database: 1467699
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 112914
Threat name: 8
Infected objects: 18
Suspicious objects: 0
Duration of the scan: 02:59:31


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07D00001.VBN Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07D00003.VBN Infected: Trojan-Dropper.Win32.Agent.yzc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07D00004.VBN Infected: Trojan-Dropper.Win32.Agent.yzc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07D00005.VBN Infected: Trojan-Dropper.Win32.Agent.yzc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07D00006.VBN Infected: Trojan-Dropper.Win32.Agent.yzc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07D00007.VBN Infected: Trojan-Dropper.Win32.Agent.yzc 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300000.VBN Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300001\493CE467.VBN Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300002\493CE4B9.VBN Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300003\493CE4DD.VBN Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300004\493CE512.VBN Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300005\493CE52D.VBN Infected: Trojan-Spy.Win32.Zbot.fvf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300006\493CE549.VBN Infected: Trojan.Win32.Patched.cx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300007\493CE565.VBN Infected: Trojan-Downloader.Win32.Agent.vsh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C440000\4D6F8DEA.VBN Infected: Trojan-Downloader.Win32.Small.aexy 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_pvhwydib_.dat.zip Infected: Trojan.Win32.Agent.cid 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_vnafudcc_.dat.zip Infected: Trojan.Win32.Agent.cid 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\_ATKCTR_.dll.zip Infected: Rootkit.Win32.Podnuha.bjd 1

The selected area was scanned.
OYE is offline  
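An added triage script for the Kaspersky report above and for the helper's earlier note that many of the finds have likely already been quarantined (this is example code, not from either poster or from Kaspersky): it parses the report's "path Infected: threat count" lines and separates findings that sit inside a quarantine store (Symantec's Quarantine folder, ComboFix's Qoobox tree) from objects still live on disk. The sample report is constructed from three lines of the posted report plus one made-up placeholder path, example_live.sys, so that the "live" branch is exercised.

```python
"""Triage a Kaspersky Online Scanner 7 report (added example, not from the thread).

The report lists one finding per line as "<path> Infected: <threat> <count>".
Findings inside a quarantine store (Symantec's Quarantine folder, ComboFix's
Qoobox tree) are already neutralised; only findings outside those stores need
action, which is the distinction behind "do NOT be alarmed by what you see".
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the report's own format. The first three paths are
# taken from the thread; the fourth (example_live.sys) is a made-up placeholder
# so the "live file" branch is exercised.
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07D00001.VBN Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09300005\493CE52D.VBN Infected: Trojan-Spy.Win32.Zbot.fvf 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_vnafudcc_.dat.zip Infected: Trojan.Win32.Agent.cid 1
C:\WINDOWS\SYSTEM32\DRIVERS\example_live.sys Infected: Trojan.Win32.Agent.cid 1

The selected area was scanned.
"""

# "<path> Infected: <threat> <count>"; Kaspersky also emits "Suspicious:" lines.
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Path fragments that identify a quarantine store rather than a live location.
# "\quarantine\" covers Symantec AV (and most other AV products); "c:\qoobox\"
# is ComboFix's backup/quarantine tree.
QUARANTINE_MARKERS = ("\\quarantine\\", "c:\\qoobox\\")


@dataclass(frozen=True)
class Finding:
    path: str
    status: str
    threat: str
    count: int


def parse_report(text: str) -> list[Finding]:
    """Extract every finding line; header, blank and footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["status"], m["threat"], int(m["count"])))
    return findings


def is_quarantined(path: str) -> bool:
    """True when the path sits inside a known quarantine store."""
    low = path.lower()
    return any(marker in low for marker in QUARANTINE_MARKERS)


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Split findings into already-quarantined and still-live objects."""
    result = {"quarantined": [], "live": []}
    for f in findings:
        result["quarantined" if is_quarantined(f.path) else "live"].append(f)
    return result


def summarize(text: str) -> dict:
    """Parse a report and return per-threat totals plus the live paths needing action."""
    findings = parse_report(text)
    split = triage(findings)
    threats = Counter()
    for f in findings:
        threats[f.threat] += f.count
    return {
        "total": len(findings),
        "quarantined": len(split["quarantined"]),
        "live_paths": [f.path for f in split["live"]],
        "threats": dict(threats),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(f"{summary['quarantined']} of {summary['total']} findings are in quarantine")
    for p in summary["live_paths"]:
        print("needs action:", p)
    for name, n in sorted(summary["threats"].items()):
        print(f"{n:3d}  {name}")
```

Run against the full report posted above, every one of the 18 objects falls in the quarantined bucket and the live list is empty; a non-empty live list is what would warrant a follow-up fix.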
Old 12-17-2008, 01:02 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Vnafudcc.dat Virus

alg.exe is Windows' Application Layer Gateway. It's fine.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.
tetonbob is offline  
Old 12-17-2008, 06:48 PM   #13 (permalink)
OYE
Registered User
 
Join Date: Dec 2008
Posts: 18
OS: WIN XP


Re: Vnafudcc.dat Virus

Here you go.

סרגל הכלים של פורטל הדת היהודית
Adobe Acrobat 7.0 Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Color Common Settings
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Setup
American Greetings® CreataCard® Silver 5
ArcSoft PhotoStudio 2000
Authentium AntiVirus SDK - 2
Banctec Service Agreement
Bonjour
Camera Support Core Library
Camera Window DS
Camera Window DVC
Camera Window MC
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon MF Toolbox 4.9.1.1.mf03
Canon MF4100 Series
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon ScanGear Toolbox CS 2.2
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
DavkaWriter
Dell Driver Reset Tool
Dell ResourceCD
Dell Support 5.0.0 (630)
Dell System Restore
DivX Content Uploader
DivX Web Player
Documents To Go
Driver's Education '99
Ektron Starter Sites - CMS400Developer
ffdshow (remove only)
First Step Guide
FoneSync
FreeStyle CoPilot Health Management System
getPlus(R)_ocx
Google Chrome
Google Talk (remove only)
Google Toolbar for Internet Explorer
Hamachi 1.0.3.0
Handmark® MobileDB(TM) for Palm OS
Hebrew Books
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HotFix Q0306270
ImageMixer VCD2
InControl 2.2
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 10
Java(TM) 6 Update 3
Java(TM) 6 Update 5
LG USB Modem Drivers
LiveUpdate 3.1 (Symantec Corporation)
LogMeIn
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta 98 Encyclopedia
Microsoft Encarta Encyclopedia Standard 2001
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Streets and Trips 2001
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Modem Event Monitor
Modem Helper
Modem On Hold
MovieEdit Task
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Octoshape add-in for Adobe Flash Player
OLYMPUS CAMEDIA Master 4.2
OmniPage Pro 9.0
OpenOffice.org Installer 1.0
Palm Desktop
Panasonic KX-FLM600/650
PCCharge Pro
PCCharge Pro DEMO
Peachtree Complete Accounting
Photodex Presenter
PhotoStitch
Picture Package
PlayLinc
PPSDKRedistributables
Presto! PageManager 7.15.11
QuickBooks Pro Edition 2003
QuickBooks Pro Edition 2004
QuickBooks Simple Start Special Edition
QuickTime
Radialpoint Security Services
RAW Image Task 1.2
RealPlayer
RemoteCapture Task 1.1
Rhapsody Player Engine
Scan Manager 5.2
ScanSoft OmniPage SE 4.0
Security Advisor
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Shockwave
Sierra Utilities
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Sony USB Driver
Sprint music manager
Stamps.com Internet Postage
Symantec AntiVirus
The Print Shop 20
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
USB Driver for Panasonic DVC
USB Flash Disk Utility
Verizon Broadband Toolbar
Verizon Online DSL
Verizon Online Help and Support
Verizon PC Security Checkup
Verizon Servicepoint 1.5.20
Virtual Earth 3D (Beta)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WordPerfect Office 12
Works Suite OS Pack
Works Synchronization
Yahoo! SiteBuilder
Yahoo! SiteBuilder2.6-J
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer
ZIP Reader 8.00.0018
Old 12-17-2008, 07:18 PM   #14 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home
Re: Vnafudcc.dat Virus

Ok, thanks.

Something I overlooked earlier, but that still needs to be addressed.

As stated in our pre-posting sticky topic...

http://www.techsupportforum.com/secu...oval-help.html

Quote:
If you have more than one antivirus software installed, leave only ONE and uninstall the others
While this may seem like greater protection, it can cause problems including slowdowns, system hangs or even crashes. This can happen if both AntiVirus applications attempt to access the same file at the same time. This may cause the applications to interfere with each other, or cause the system to lock up. It can also be a drain on system resources, making a machine run slower than it should.

I see you have more than one Anti-Virus program installed, Authentium AntiVirus SDK - 2 and Symantec AntiVirus. While this may seem like greater protection, it can cause problems including slowdowns and system hangs. Choose one to keep and uninstall the other.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:
re-install the program -> reboot -> uninstall
-----------------------------------------------------------------------

It does not appear as though the older versions of Java were uninstalled, nor the Java(TM) 6 Update 10 updated to Update 11 as instructed in post #10. Please do so, it's for the security of your machine.

After that....

Several items found by Kaspersky are in Symantec quarantine. They are safe there, as they've been rendered inert. Symantec clears its quarantine on a schedule, or, see if this helps you remove them permanently.

http://www.d.umn.edu/itss/security/nav/quarantine.html

The other items Kaspersky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below.

Other than that....

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 12-17-2008, 11:15 PM   #15 (permalink)
OYE
Registered User
Join Date: Dec 2008
Posts: 18
OS: WIN XP
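The HOSTS step above works because the resolver consults that file before DNS, so a name pinned to 127.0.0.1 or 0.0.0.0 never leaves the machine. The following is an added example, not code from the post or from MVPS: it parses a HOSTS file in the MVPS layout, answers whether a given name is blocked, and flags any entry that points a name at a routable address, which a blocklist-only file should never contain. The two HOSTS texts, the hostnames and the 203.0.113.5 address are constructed for illustration.

```python
"""Inspect a HOSTS file of the kind MVPS distributes.

Added example, not from the forum post or from MVPS. The HOSTS text below is
constructed for illustration; a real MVPS file has thousands of entries.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str]  # (address, hostname)

# Constructed sample in the MVPS layout: comment header, localhost, then
# ad/tracker names pinned to the null or loopback address.
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download ... (constructed header)
127.0.0.1       localhost
0.0.0.0         ads.example.net      # constructed ad host
0.0.0.0         tracker.example.org
127.0.0.1       banners.example.com  banners2.example.com
"""

# Constructed second sample: the same file plus one line a practitioner should
# review, because it sends a name to a routable address (203.0.113.5 is a
# documentation address) instead of the loopback/null address a blocklist uses.
SAMPLE_HOSTS_TAMPERED = SAMPLE_HOSTS + "203.0.113.5  update.example-av.test\n"


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, hostname) pairs for every active mapping.

    '#' starts a comment, one address may be followed by several names, and
    blank or comment-only lines are skipped. Names are lower-cased because
    DNS names are case-insensitive. Lines whose first field is not a valid
    IP address are skipped rather than guessed at.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name maps nothing
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def _is_sink(addr: str) -> bool:
    """Loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses block a name."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def is_blocked(entries: List[Entry], hostname: str) -> bool:
    """True if hostname is pinned to a loopback or unspecified address."""
    target = hostname.lower().rstrip(".")
    return any(name == target and _is_sink(addr) for addr, name in entries)


def suspicious_entries(entries: List[Entry]) -> List[Entry]:
    """Entries that point a name at a routable address.

    A blocklist-only HOSTS file should contain none (localhost excepted), so
    any hit deserves a look: it may be a legitimate LAN shortcut, or a
    redirection somebody else planted.
    """
    return [
        (addr, name)
        for addr, name in entries
        if name != "localhost" and not _is_sink(addr)
    ]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS_TAMPERED)
    print("ads.example.net blocked:", is_blocked(hosts, "ADS.example.net"))
    print("entries to review:", suspicious_entries(hosts))
```

Point the parser at C:\WINDOWS\system32\drivers\etc\hosts (or the HOSTS.MVP backup the mvps.bat step leaves behind) to compare before and after the swap; the review list is the check to run on a machine that has been redirecting searches, since a HOSTS file is also where a hijacker would pin names to an address of its choosing.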
Re: Vnafudcc.dat Virus

Here are some concerns

Firstly, I don't find this "Authentium AntiVirus SDK - 2" you mentioned. I only see the Symantec AntiVirus. I don't remember ever installing this either.

Secondly, about the Java - I already uninstalled the older versions and updated the new one. I don't know why you still see them. My computer shows that I only have the Update 11.

Should I install all the programs you recommended? What is important?
Old 12-17-2008, 11:56 PM   #16 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home
Re: Vnafudcc.dat Virus

Authentium AntiVirus is referenced in the installed programs list of two tools. It has a driver installed. If it's not in your Add or Remove Programs applet, it's possible it was not uninstalled cleanly, but it was installed at one point on this machine. So, let's see what we can do about that...



Go to Start>Run then copy and paste, or type the following, then press Enter:

sc stop "Radialpoint Security Services"


Go to Start>Run then copy and paste, or type the following, then press Enter:

sc delete "Radialpoint Security Services"



---------------------------------------------------------------------------------------------

Download & extract this file to it's own folder - Registry Search

Launch Registry Search
In the search box, enter

Authentium AntiVirus

& click "Ok".
Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply

Also, please run DDS once again, and post both its logs.
Old 12-18-2008, 11:01 AM   #17 (permalink)
OYE
Registered User
Join Date: Dec 2008
Posts: 18
OS: WIN XP
Re: Vnafudcc.dat Virus

This is the Registry Search log. What is DDS and how do I run it once again??

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 12/18/2008 12:56:41 PM for strings:
; 'authentium antivirus'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\D9F3ECA14ADC93F4695033C43FA75197]
"ProductName"="Authentium AntiVirus SDK - 2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D9F3ECA14ADC93F4695033C43FA75197\InstallProperties]
"DisplayName"="Authentium AntiVirus SDK - 2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1ACE3F9D-CDA4-4F39-9605-334CF37A1579}]
"DisplayName"="Authentium AntiVirus SDK - 2"

[HKEY_USERS\S-1-5-21-2190943862-394379874-2217056896-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="Authentium AntiVirus SDK - 2"

; End Of The Log...
Old 12-18-2008, 11:06 AM   #18 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home
Re: Vnafudcc.dat Virus

If you've already deleted it, here's the process again


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
-----------------------------------------------------

Please include the following logs in your thread:
  • Contents of the DDS.txt posted as text in your reply
  • Attach the Attach.txt to your post by clicking the Manage Attachments button under Additional Options>Attach Files on the composition page. Browse to where you saved the file, and click Upload.
Old 12-18-2008, 11:09 AM   #19 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home
Re: Vnafudcc.dat Virus

Please run this registry fix first...

Copy and paste the following into Notepad (don't forget to copy and paste Windows Registry Editor Version 5.00):

Quote:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\D9F3ECA14ADC93F4695033C43FA75197]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D9F3ECA14ADC93F4695033C43FA75197\InstallProperties]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1ACE3F9D-CDA4-4F39-9605-334CF37A1579}]

[HKEY_USERS\S-1-5-21-2190943862-394379874-2217056896-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"000"=-

Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Now run DDS and post those logs.
Old 12-18-2008, 11:27 AM   #20 (permalink)
OYE
Registered User
Join Date: Dec 2008
Posts: 18
OS: WIN XP
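The fix in post #19 is a mechanical transformation of the Registry Search log from post #17: each orphaned MSI key (the Installer\Products entry, the per-product InstallProperties entry and the Uninstall entry, all keyed to one product code or GUID) is removed whole with regedit's "[-KEY]" syntax, while the hit inside the Search Assistant MRU list removes only that one value ("000"=-) so the rest of the key survives. The script below is an added example, not the helper's tool or anything from the thread: it parses a Registry Search log and emits that .reg file, keeping the "Windows Registry Editor Version 5.00" header the post insists on. The three key shapes it is willing to delete whole are this example's assumption; anything else is reduced to value deletions or left as a comment for manual review. The log text is the one posted in the thread, with its comment lines shortened.

```python
"""Turn a Registry Search hit list into the .reg that deletes the leftovers.

Added example, not the helper's own tool. Reproduces the step between posts
#17 and #19 of the thread: MSI leftovers are removed as whole keys, MRU hits
as single values, and everything else is flagged for a human to look at.
"""
import re
from typing import Dict, List

REG_HEADER = "Windows Registry Editor Version 5.00"

# Reduced from the Registry Search log posted in the thread (comments shortened,
# key paths and value names kept as posted).
SAMPLE_LOG = r"""Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman (c) 2005
; Results for strings: 'authentium antivirus'

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\D9F3ECA14ADC93F4695033C43FA75197]
"ProductName"="Authentium AntiVirus SDK - 2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D9F3ECA14ADC93F4695033C43FA75197\InstallProperties]
"DisplayName"="Authentium AntiVirus SDK - 2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1ACE3F9D-CDA4-4F39-9605-334CF37A1579}]
"DisplayName"="Authentium AntiVirus SDK - 2"

[HKEY_USERS\S-1-5-21-2190943862-394379874-2217056896-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="Authentium AntiVirus SDK - 2"

; End Of The Log...
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=')

# Keys an orphaned MSI product leaves behind. Each is specific to one product
# code or GUID, so the whole key can go. Assumption of this example: only these
# three shapes are removed whole; every other key is handled value-by-value.
WHOLE_KEY_PATTERNS = [
    re.compile(r"\\Classes\\Installer\\Products\\[0-9A-F]{32}$", re.I),
    re.compile(
        r"\\Installer\\UserData\\S-1-5-[\d-]+\\Products\\[0-9A-F]{32}\\InstallProperties$",
        re.I,
    ),
    re.compile(r"\\CurrentVersion\\Uninstall\\\{[0-9A-F-]{36}\}$", re.I),
]


def parse_hits(log_text: str) -> Dict[str, List[str]]:
    """Map each key in a Registry Search log to the value names listed under it."""
    hits: Dict[str, List[str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == REG_HEADER:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            hits.setdefault(current, [])
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            hits[current].append(value_match.group("name"))
    return hits


def removes_whole_key(key: str) -> bool:
    """True if the key matches one of the MSI leftover shapes above."""
    return any(pattern.search(key) for pattern in WHOLE_KEY_PATTERNS)


def build_delete_reg(log_text: str) -> str:
    """Return the .reg text that removes the hits, CRLF-terminated as Notepad writes it."""
    hits = parse_hits(log_text)
    lines = [REG_HEADER, ""]  # regedit requires this header line first
    for key, names in hits.items():
        if removes_whole_key(key):
            lines.append(f"[-{key}]")          # '[-KEY]' deletes the key and subkeys
        elif names:
            lines.append(f"[{key}]")           # keep the key, drop only the hit values
            lines.extend(f'"{name}"=-' for name in names)  # '"name"=-' deletes a value
        else:
            # A bare '[KEY]' would create the key if absent, so leave a note instead.
            lines.append(f"; review by hand, nothing removed: {key}")
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_delete_reg(SAMPLE_LOG))
```

Read the output before merging it: the patterns only recognise the three MSI shapes, so a hit under Run, Services or a CLSID key is deliberately turned into value deletions or a comment rather than a whole-key removal, and the Search Assistant MRU entry comes out exactly as the helper wrote it.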
Re: Vnafudcc.dat Virus

DDS (Version 1.1.0) - NTFSx86
Run by European Art Design at 13:17:52.37 on Thu 12/18/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1255.972.1033.18.502.121 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\European Art Design\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\SYSTEM32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Peachw\peachw.exe
C:\Peachw\W32MKDE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\European Art Design\Local Settings\Temporary Internet Files\Content.IE5\R36OVHTV\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchURL = hxxp://www.google.com/
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\european art design\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ADATA_PLUtil] c:\program files\a-data\usb flash disk utility\PLBkMon.exe
mRun: [PLFFAP] c:\windows\system32\HotfixQ0306270.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\europe~1\startm~1\programs\startup\hamachi.lnk - c:\program files\hamachi\hamachi.exe
StartupFolder: c:\docume~1\europe~1\startm~1\programs\startup\picaboo.lnk - c:\program files\picaboo\picaboo\PicabooMain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2FDEF853-0759-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_ENC.HTM
IE: {5DA9DE80-097A-11D4-A92E-006097DBED37} - c:\program files\common files\microsoft shared\reference 2001\a\ERS_DEF.HTM
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PLFF;USB Flash Disk Driver;c:\windows\system32\drivers\PLFF.sys [2005-4-2 7424]
R1 SAVRT;SAVRT;\??\c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;\??\c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSetMgr.exe" [2006-11-21 169576]
R2 lmiinfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\RaInfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-3-16 47640]
R2 Symantec AntiVirus;Symantec AntiVirus;"c:\program files\symantec antivirus\Rtvscan.exe" [2007-3-14 1816768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-31 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081217.003\naveng.sys [2008-12-18 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081217.003\navex15.sys [2008-12-18 876112]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]
S3 SavRoam;SAVRoam;"c:\program files\symantec antivirus\SavRoam.exe" [2007-3-14 116416]
S4 LMIRfsClientNP;LMIRfsClientNP; []

=============== Created Last 30 ================

2008-12-18 01:19 <DIR> --d----- C:\ComboFix
2008-12-18 01:17 388,608 a------- c:\windows\system32\CF1868.exe
2008-12-18 01:17 388,608 a------- c:\windows\system32\CF1861.exe
2008-12-18 01:17 388,608 a------- c:\windows\system32\CF1855.exe
2008-12-16 00:32 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-14 19:15 <DIR> a-dshr-- C:\cmdcons
2008-12-07 15:16 250 a------- c:\windows\gmer.ini
2008-11-24 00:04 <DIR> --d----- c:\docume~1\europe~1\applic~1\Malwarebytes
2008-11-24 00:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2008-12-16 00:32 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-31 15:19 110,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-31 15:19 48,768 a------- c:\windows\system32\S32EVNT1.DLL
2008-10-31 15:19 8,014 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-31 15:19 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-10-24 06:10 453,632 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-17 14:11 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2008-10-17 14:11 28,984 a------- c:\windows\system32\LMIport.dll
2008-10-17 14:11 87,352 a------- c:\windows\system32\LMIinit.dll
2008-10-17 14:11 23,736 a------- c:\windows\system32\lmimirr.dll
2008-10-17 14:11 10,040 a------- c:\windows\system32\lmimirr2.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 05:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:15 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-08-04 11:53 308,240 a------- c:\docume~1\europe~1\applic~1\GDIPFONTCACHEV1.DAT
2007-12-10 23:17 540,488 a------- c:\program files\Koshernet Client Filter - 3.4.19-kosher.exe
2007-09-30 23:41 439,296 a------- c:\documents and settings\european art design\GoToAssist_phone__317_en.exe
2007-08-22 13:34 258 ac------ c:\documents and settings\european art design\jobq.dat
2006-07-09 20:24 560 ac------ c:\docume~1\europe~1\applic~1\ViewerApp.dat
2005-09-07 18:25 6,668 ac------ c:\program files\Uninst.isu
2005-09-07 18:24 1,202 ac------ c:\program files\Responsa.ini
2002-04-29 04:28 36,864 ac------ c:\program files\UNINST.DLL
2002-04-21 22:43 507,904 ac------ c:\program files\Engeng.dll
2002-04-21 22:26 499,712 ac------ c:\program files\Hebrew.dll
2002-04-21 22:25 507,904 ac------ c:\program files\English.dll
2001-02-12 06:07 737,280 ac------ c:\program files\OT79ASU.DLL
2001-02-12 06:06 294,912 ac------ c:\program files\SFL9ASU.DLL
1999-12-07 03:00 995,384 ac------ c:\program files\MFC42U.DLL
1999-12-07 03:00 295,000 ac------ c:\program files\MSVCRT.DLL
1998-08-19 03:56 40,960 ac------ c:\program files\BIDIEX.DLL
1998-05-14 23:00 73,184 ac------ c:\program files\common files\dao2535.tlb
1998-04-26 23:00 570,128 a------- c:\program files\common files\Dao350.dll
2005-03-17 19:23 848 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:18:42.35 ===============
Attached Files
File Type: zip Attach.zip (3.8 KB, 1 views)