malware name: Win32: BHO-KD [Trj] [RESOLVED]



#1 mzg (Member, 10 posts)

Dear admin,

This is my first time posting in your forum. Please guide me on what to do. Also, it is my first time trying to repair my trojan.

Best regards


malware name: Win32:BHO-KD [Trj]
malware type: Trojan Horse


Logfile of HijackThis v1.99.1
Scan saved at 7:56:53 AM, on 3/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\muugii\My Documents\Downloads\Compressed\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D1C40F7D-5218-4709-8696-0605EFF0F82D} - C:\WINDOWS\system32\actxprx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hi there. I can't see it, but I know where it is, so to work.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 mzg (Topic Starter, Member, 10 posts)

Please check this.


ComboFix 08-01-17.5 - muugii 2004-01-28 13:51:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.266 [GMT -8:00]
Running from: C:\Documents and Settings\muugii\My Documents\Downloads\Programs\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2004-03-28 16:16 744,529 ----a-w C:\Program Files\bazookasetup.exe
2004-03-28 11:36 571,392 ----a-w C:\Program Files\SoftyVisII.exe
2004-03-28 11:26 197,120 ----a-w C:\Program Files\picturevizII.exe
2004-03-27 16:47 4,189,850 ----a-w C:\Program Files\sysclean.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1C40F7D-5218-4709-8696-0605EFF0F82D}]
2004-08-03 20:56 84480 --a------ C:\WINDOWS\system32\actxprx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2006-09-02 01:25 877752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-03-28 02:12 77824]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-03-28 03:11 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

R0 jdcqnxsh;jdcqnxsh;C:\WINDOWS\system32\drivers\ooygsluy.dat []
R3 cwrwdm;SoundFusion™ WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys [2004-08-03 14:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 13:53:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Found it :)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\actxprx.dll
C:\WINDOWS\system32\drivers\ooygsluy.dat

Driver::
jdcqnxsh

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1C40F7D-5218-4709-8696-0605EFF0F82D}]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.


#5 mzg (Topic Starter, Member, 10 posts)

ComboFix 08-01-17.5 - muugii 2008-01-17 23:54:06.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.265 [GMT -8:00]
Running from: C:\Documents and Settings\muugii\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\muugii\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\actxprx.dll
C:\WINDOWS\system32\drivers\ooygsluy.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\actxprx.dll
C:\WINDOWS\system32\drivers\ooygsluy.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_JDCQNXSH
-------\jdcqnxsh


((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-17 13:01 . 2004-08-03 20:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-17 10:06 . 2008-01-17 10:06 25,984 --a------ C:\WINDOWS\system32\drivers\Ejs75.sys
2008-01-17 03:00 . 2008-01-17 23:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-17 03:00 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-17 00:59 . 2008-01-17 00:59 <DIR> d-------- C:\Documents and Settings\muugii\Application Data\Yahoo!
2008-01-17 00:59 . 2008-01-17 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-17 00:53 . 2008-01-17 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-17 00:51 . 2008-01-17 00:53 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-10 04:03 . 2008-01-08 04:13 202,160 --a------ C:\WINDOWS\system32\idmmbc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 07:26 --------- d-----w C:\Documents and Settings\muugii\Application Data\DMCache
2008-01-17 12:27 --------- d-----w C:\Program Files\Internet Download Manager
2008-01-17 08:38 --------- d-----w C:\Documents and Settings\muugii\Application Data\IDM
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2004-03-28 16:16 744,529 ----a-w C:\Program Files\bazookasetup.exe
2004-03-28 11:36 571,392 ----a-w C:\Program Files\SoftyVisII.exe
2004-03-28 11:26 197,120 ----a-w C:\Program Files\picturevizII.exe
2004-03-27 16:47 4,189,850 ----a-w C:\Program Files\sysclean.zip
.

((((((((((((((((((((((((((((( snapshot_2008-01-17_23.11.44.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 07:05:24 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 07:53:58 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 07:05:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 07:53:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 07:05:24 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 07:53:58 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 07:05:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 07:53:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 07:05:25 1,777,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 07:53:58 1,777,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 07:05:25 208,896 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 07:53:58 208,896 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 07:57:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_450.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-01-10 04:29 2577840]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-12-17 17:13 3810544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-03-28 02:12 77824]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-03-28 03:11 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ejs75.sys]
@="Driver"

R3 cwrwdm;SoundFusion™ WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys [2004-08-03 14:32]
S3 Ejs75;Ejs75;C:\WINDOWS\System32\drivers\Ejs75.sys [2008-01-17 10:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cc58a4c-51da-11d8-912d-000b6a5910f2}]
\Shell\auto\command - F:\SVCH0ST.EXE e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SVCH0ST.EXE e

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 23:58:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 23:59:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 07:59:18
ComboFix2.txt 2008-01-18 07:28:04
ComboFix3.txt 2008-01-18 07:12:19
ComboFix4.txt 2008-01-17 08:12:39
.
2008-01-17 21:07:26 --- E O F ---

#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

OK, another one has surfaced. I will kill this and do a rootkit check to ensure it has gone. Is F: your memory stick or something similar, as that appears to be the location of the infection?

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
F:\SVCH0ST.EXE
C:\WINDOWS\system32\drivers\Ejs75.sys

Driver::
Ejs75

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cc58a4c-51da-11d8-912d-000b6a5910f2}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

THEN

Please download and unzip IceSword to its own folder.


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1: Run IceSword. Click the "Processes" tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Note the filenames of processes in red color. Also, make a note of the folders.

Step 2: Click the "Win32 Services" tab and look out for red colored entry in the services list. This red colored service entry indicates that it’s rooted. Note the name of this service.

Step 3: Now, click "SSDT" tab and check for red colored entries. If there are any, note the file and folder names.

Now post all of the data collected under the headings
Processes
Win32 Services
SSDT

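An added example, not from this thread or from any of the tools it mentions: a small Python triage helper that applies to the log formats above the same checks Essexboy made by eye. The sample lines are copied from the HijackThis and ComboFix logs posted earlier in the thread; the flags (an unnamed O2 BHO, a driver whose image is a .dat with no timestamp, and a mountpoints2 autorun command on a removable volume that mimics svchost.exe) are my own heuristics, not output of either tool.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis and ComboFix logs in this thread
# (the trademark symbol in the cwrwdm display name is dropped; nothing else is changed).
SAMPLE_LOG = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {D1C40F7D-5218-4709-8696-0605EFF0F82D} - C:\WINDOWS\system32\actxprx.dll
R0 jdcqnxsh;jdcqnxsh;C:\WINDOWS\system32\drivers\ooygsluy.dat []
R3 cwrwdm;SoundFusion WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys [2004-08-03 14:32]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cc58a4c-51da-11d8-912d-000b6a5910f2}]
\Shell\auto\command - F:\SVCH0ST.EXE e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SVCH0ST.EXE e
"""

# HijackThis O2 line: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# ComboFix service/driver line: "R0 <service>;<display name>;<image path> [<file timestamp>]"
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")
# ComboFix mountpoints2 block: a per-volume registry key followed by "\Shell\<verb>\command - <cmd>" lines
MOUNT_KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\explorer\\mountpoints2\\(?P<volume>[^\]]+)\]$", re.IGNORECASE)
MOUNT_CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$")

SYSTEM_NAMES = {"svchost", "explorer", "lsass", "csrss", "winlogon", "services", "smss"}
# digit-for-letter substitutions commonly used to disguise a file name (SVCH0ST, 1sass, ...)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


@dataclass
class Finding:
    kind: str
    detail: str


def lookalike_of(filename: str) -> Optional[str]:
    """Return the Windows system binary a file name mimics, or None if it is not a look-alike."""
    stem = re.sub(r"\.exe$", "", filename.lower())
    if stem in SYSTEM_NAMES:
        return None  # genuinely spelled name; judge it by its location, not here
    normalized = stem.translate(HOMOGLYPHS)
    return normalized if normalized in SYSTEM_NAMES else None


def triage(log_text: str) -> List[Finding]:
    """Scan mixed HijackThis/ComboFix log lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    volume: Optional[str] = None  # set while inside a mountpoints2 key block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            # A BHO that registers no name is unusual for legitimate software.
            if m["name"].strip().lower() == "(no name)":
                findings.append(Finding("bho-unnamed", f"{m['clsid']} -> {m['path']}"))
            continue
        m = DRIVER_RE.match(line)
        if m:
            reasons = []
            if not m["path"].lower().endswith(".sys"):
                reasons.append("image is not a .sys file")
            if not m["stamp"]:
                reasons.append("no file timestamp (image missing or hidden)")
            if reasons:
                findings.append(Finding("driver-suspicious", f"{m['svc']} {m['path']}: " + "; ".join(reasons)))
            continue
        m = MOUNT_KEY_RE.match(line)
        if m:
            volume = m["volume"]
            continue
        if line.startswith("["):
            volume = None  # any other registry key ends the mountpoints2 block
            continue
        m = MOUNT_CMD_RE.match(line)
        if m and volume:
            cmd = m["cmd"]
            # mountpoints2 entries are per-volume autorun handlers, typically for removable media;
            # also name any command token whose file name mimics a system binary.
            names = (lookalike_of(tok.rsplit("\\", 1)[-1]) for tok in cmd.split())
            mimics = sorted({n for n in names if n})
            detail = f"{volume} {m['verb']}: {cmd}"
            if mimics:
                detail += " (mimics " + ", ".join(mimics) + ")"
            findings.append(Finding("removable-autorun", detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```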

#7 mzg (Topic Starter, Member, 10 posts)

Thanks a lot. It's done.

#8 mzg (Topic Starter, Member, 10 posts)

Here is another scan from my other computer. Please assist me in solving the infection.

Best regards



ComboFix 08-01-18.5 - Administrator 2008-01-19 19:35:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1447 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-19 19:34 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 19:15 . 2008-01-19 19:15 0 --a------ C:\ComboFix.exe
2008-01-19 18:27 . 2008-01-19 18:27 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-19 12:15 . 2008-01-19 19:04 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-18 19:10 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-18 18:39 . 2008-01-18 18:41 <DIR> d-------- C:\Program Files\Google
2008-01-18 18:36 . 2008-01-18 18:38 13,413,048 --a------ C:\Google_Earth_BZXD.exe
2008-01-18 09:12 . 2008-01-18 09:12 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-01-15 23:06 . 2004-08-03 22:31 57,399 --a--c--- C:\WINDOWS\system32\dllcache\cplexe.exe
2008-01-14 23:12 . 2008-01-14 23:21 25,423,728 --a------ C:\kav6.0.2.621en.exe
2008-01-14 22:33 . 2008-01-19 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-14 22:33 . 2008-01-19 19:37 7,107,104 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-14 22:33 . 2008-01-14 23:30 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-14 22:33 . 2008-01-14 22:33 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-14 22:33 . 2008-01-19 19:37 70,688 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-14 22:33 . 2008-01-19 13:51 61,964 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-14 22:33 . 2008-01-19 13:51 7,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-14 21:57 . 2008-01-14 21:57 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-14 21:52 . 2008-01-14 21:52 <DIR> d-------- C:\KAV
2008-01-14 21:33 . 2008-01-14 21:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-14 21:33 . 2008-01-14 21:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-01-14 21:30 . 2008-01-14 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-14 21:00 . 2008-01-14 21:00 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-14 20:39 . 2008-01-14 21:29 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-14 20:28 . 2004-08-04 00:56 20,992 --a------ C:\WINDOWS\system32\dshowext.ax
2008-01-14 20:28 . 2004-08-04 00:56 20,992 --a--c--- C:\WINDOWS\system32\dllcache\dshowext.ax
2008-01-14 20:27 . 2008-01-14 20:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-01-14 18:05 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-01-14 18:05 . 2008-01-14 18:05 376 --a------ C:\WINDOWS\ODBC.INI
2008-01-14 18:04 . 2008-01-14 18:04 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-14 18:04 . 2008-01-14 18:04 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-01-14 18:04 . 2008-01-14 18:04 <DIR> d-------- C:\Program Files\Microsoft ActiveSync

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 15:34 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
2008-01-14 12:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-14 09:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-14 09:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-14 09:58 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-01-14 09:54 --------- d-----w C:\Program Files\My Company Name
2008-01-14 09:54 --------- d-----w C:\Program Files\ASUS
2008-01-14 09:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-14 09:50 --------- d-----w C:\Program Files\Intel
2008-01-14 09:48 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-01-14 09:48 --------- d-----w C:\Program Files\Realtek
2008-01-14 09:43 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-27 09:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-18 18:41 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 15:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 17:22 1822720 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"ASUSGamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-07-12 10:03 380928]
"VM30xSnap"="VM30xSnap.exe" [2007-02-15 18:04 53248 C:\WINDOWS\VM30xSnap.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 19:50 200768]

R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 10:03]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-07-03 18:33]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-07-12 10:03]
R3 VM30xx86;Vimicro USB PC Camera (ZC0301);C:\WINDOWS\system32\Drivers\vm30xx86.sys [2007-02-15 18:04]

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 19:37:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-19 19:38:01
.
2008-01-19 05:51:07 --- E O F ---

#9 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)


Quote (mzg): "Here is another scan from my other computer. Please assist me in solving the infection."

I will do this after your main system is clean.

Quote (mzg): "Thanks a lot. It's done."

Could I have the IceSword report please?

Quote (Essexboy, post #6): "Now post all of the data collected under the headings: Processes, Win32 Services, SSDT."



#10 mzg (Topic Starter, Member, 10 posts)

Hi Essexboy, sorry for the delay in my report. I really appreciate your assistance.

Step 1: I ran Processes (in IceSword); there was no process in red color.

Step 2: I clicked the "Win32 Services" tab. There was no red colored service entry.

Step 3: Finally, I clicked the "SSDT" tab. There was no red colored entry.

Also I am posting my ComboFix log report. It is given below. (By the way, after the first scan by ComboFix on 17 January, no virus warning has appeared again. Before that, avast used to warn about a "Trojan" malware.)

Here is the ComboFix log report:

ComboFix 08-01-17.5 - muugii 2008-01-20 13:32:23.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.248 [GMT -8:00]
Running from: C:\Documents and Settings\muugii\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\muugii\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drivers\Ejs75.sys
F:\SVCH0ST.EXE
.

((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 02:03 . 2008-01-20 02:03 <DIR> d-------- C:\Program Files\Windows Live Favorites
2008-01-19 12:03 . 2008-01-19 12:03 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-19 09:37 . 2008-01-19 09:37 <DIR> d-------- C:\Program Files\uTorrent
2008-01-19 09:37 . 2008-01-20 13:34 <DIR> d-------- C:\Documents and Settings\muugii\Application Data\uTorrent
2008-01-19 03:06 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-19 03:06 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-19 03:06 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-18 11:28 . 2003-12-04 11:19 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-01-18 11:28 . 2003-12-04 11:19 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-01-18 11:28 . 2003-12-04 11:19 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-01-18 08:34 . 2008-01-18 08:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-01-18 01:56 . 2008-01-18 01:56 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-18 01:52 . 2008-01-18 11:28 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-01-18 01:49 . 2008-01-18 11:28 <DIR> d-------- C:\Program Files\Macromedia
2008-01-18 01:05 . 2008-01-20 02:03 <DIR> d-------- C:\Program Files\Windows Live Toolbar
2008-01-18 01:05 . 2008-01-18 01:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-01-18 00:18 . 2007-10-10 15:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-18 00:18 . 2007-06-30 19:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-18 00:18 . 2007-06-30 19:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-18 00:18 . 2007-10-10 15:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-18 00:18 . 2007-10-10 15:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-18 00:18 . 2007-10-10 15:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-18 00:18 . 2007-10-10 15:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-18 00:18 . 2007-10-10 15:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-18 00:18 . 2007-10-10 02:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-17 13:01 . 2004-08-03 20:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-17 03:00 . 2008-01-19 03:14 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-17 03:00 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-17 00:59 . 2008-01-17 00:59 <DIR> d-------- C:\Documents and Settings\muugii\Application Data\Yahoo!
2008-01-17 00:59 . 2008-01-17 00:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-17 00:53 . 2008-01-17 00:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-17 00:51 . 2008-01-17 00:53 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-10 04:03 . 2008-01-08 04:13 202,160 --a------ C:\WINDOWS\system32\idmmbc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 21:29 --------- d-----w C:\Documents and Settings\muugii\Application Data\DMCache
2008-01-18 19:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 16:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-18 09:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-17 12:27 --------- d-----w C:\Program Files\Internet Download Manager
2008-01-17 08:38 --------- d-----w C:\Documents and Settings\muugii\Application Data\IDM
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2004-03-28 16:16 744,529 ----a-w C:\Program Files\bazookasetup.exe
2004-03-28 11:36 571,392 ----a-w C:\Program Files\SoftyVisII.exe
2004-03-28 11:26 197,120 ----a-w C:\Program Files\picturevizII.exe
2004-03-27 16:47 4,189,850 ----a-w C:\Program Files\sysclean.zip
.

((((((((((((((((((((((((((((( snapshot_2008-01-19_ 4.27.25.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 07:53:58 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 21:32:07 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 07:53:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 21:32:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 07:53:58 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 21:32:07 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 07:53:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 21:32:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 07:53:58 1,777,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-20 21:32:07 2,453,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 07:53:58 208,896 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 21:32:07 278,528 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-14 02:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
- 2007-08-14 02:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2008-01-20 15:43:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_450.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-01-10 04:29 2577840]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-12-17 17:13 3810544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 20:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-03-28 02:12 77824]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-03-28 03:11 185896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ejs75.sys]
@="Driver"

R3 cwrwdm;SoundFusion™ WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys [2004-08-03 14:32]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 21:26:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-20 12:46:10 C:\WINDOWS\Tasks\User_Feed_Synchronization-{B87E9C15-03AF-4F7A-868B-D59DF316F98B}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 13:34:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 13:34:53
ComboFix-quarantined-files.txt 2008-01-20 21:34:50
ComboFix2.txt 2008-01-19 14:39:41
ComboFix3.txt 2008-01-19 12:27:47
ComboFix4.txt 2008-01-18 07:59:21
ComboFix5.txt 2008-01-18 07:28:04
.
2008-01-20 10:03:56 --- E O F ---

#11 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

No problems. OK, system One has the all clear :) Roll out system Two :)

#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.