[Chris Owen]

Hi Guys....I'm hoping someone who is a lot more experienced than myself can advise on getting shot of a really annoying malware problem that's been hassling one of my PCs for the last week. I'm in the process of starting a video production business, and this is making doing my market research and advertising almost impossible!

Symptoms...

Blank Desktop - After closing a program, sometimes the desktop is devoid of all shortcuts, info bars, start-up button, etc. Apart from my background picture, there's NOTHING there, forcing me to reboot. This is happeninig several times a day.

After rebooting, a red warninig window comes up, saying 'exception processing message c000003 parameters 75b6bf9c 4 75b6bf9c 75b6bf9c'

Unwanted internet pages popping up, advertising the usual crap, poker, etc

Programs often unresponsive in starting (either from desktop shortcut or from within directory), sometimes taking a minute or two to start after being executed.

IE often very slow in loading pages. Even when page seems fully loaded and 'done' has appeared, page remains unresponsive for a long time.


I regularly run stuff like Spybot, CCleaner and ATF Cleaner, and use AVG Anti-spyware and free AVG Anti-virus, and Black Ice firewall. AVG alerted me of a possible infection of few times, which were sent to the vault, but nothing's been spotted for a day or two now. I downloaded a copy of McAfee anti-virus, but that didn't spot anything.

I've already got HijackThis, Killbox and combofix from the only other time I've requested assistance on here (12/18 months ago? maybe more), and have pasted a Hijack logfile below.

Huge thanks to anyone who can help.

Regards,

- Chris Owen

Logfile of HijackThis v1.99.1
Scan saved at 17:55:22, on 24/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrad...raderMediaX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141702308341
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146016606019
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


***EDIT***

After looking through the forums here, I noticed the info about the zlob trojan, and remember that being one of the viruses that AVG picked up...so I followed the instructions in the removal forum and ran FixIEDef, but it doesn't seem to have found anything....log file below

********************************************************************************
* *
* FixIEDef Log *
* Version 1.0.0.1000 *
* *
********************************************************************************

Created at 19:05:45 on Thursday, January 24, 2008

Operating System : Windows XP
Service Pack Level: Service Pack 2
System Langauge : English
Processor : X86

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

No malicious files found

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found



IMPORTANT ADDITION TO POST......Over the last hour AVG has found LOP, Win32/Virut, Dialer.RIF and Generic6.AFBL trojans....I sent them to the vault, but we all know they'll return until properly dealt with!

Many thanks!!

Edited by Chris Owen, 24 January 2008 - 03:54 PM.

[Advertisements]

Hello Chris Owen

Welcome to G2Go.
==================
Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[kahdah]

Hello Chris Owen

Welcome to G2Go.
==================
Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[Chris Owen]

THANKS for your reply, it's very much appreciated.

Had one problem with disabling all anti-virus progs...in AVG Anti-Spyware, the link you gave said to go to 'status', and then 'change status'. Well, I could not see any 'change status' option within 'status'. I looked elsewhere for it but it was nowhere. I 'closed' the program as far as I could tell. Apart from that, all progs disabled.

I followed your instructions. Logs below.

Thanks again!

- Chris

COMBOFIX LOG

ComboFix 08-01-23.1C - Chris 2008-01-25 3:47:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.676 [GMT 0:00]
Running from: C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\{30B15~1
C:\Program Files\Common Files\{30B15~1\Uninst.exe
C:\Program Files\Common Files\{D0B15~1
C:\Program Files\Helper
C:\WINDOWS\system32\gebyyxw.dll
C:\WINDOWS\system32\jao.dll
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jkkjj.dll
C:\WINDOWS\system32\khfcdcy.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 03:43 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 20:10 . 2008-01-25 03:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-23 20:05 . 2008-01-23 22:56 53,760 --a------ C:\WINDOWS\system32\Squeeze.dll
2008-01-23 20:05 . 2008-01-23 23:06 34,308 --a------ C:\WINDOWS\system32\Chip.dll
2008-01-22 16:43 . 2008-01-23 23:06 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-21 18:09 . 2008-01-23 23:59 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-21 18:09 . 2005-10-18 11:08 349,760 --a------ C:\WINDOWS\system32\mcinsctl.dll
2008-01-21 18:09 . 2003-10-01 04:52 270,336 --a------ C:\WINDOWS\system32\mcgdmgr.dll
2008-01-21 00:18 . 2008-01-21 18:18 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-10 20:58 . 2008-01-22 19:00 <DIR> d-------- C:\Program Files\Kontiki
2008-01-07 17:34 . 2008-01-07 17:34 244 --ah----- C:\sqmnoopt01.sqm
2008-01-07 17:34 . 2008-01-07 17:34 232 --ah----- C:\sqmdata01.sqm
2008-01-07 17:30 . 2008-01-07 17:30 244 --ah----- C:\sqmnoopt00.sqm
2008-01-07 17:30 . 2008-01-07 17:30 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 02:25 --------- d-----w C:\Program Files\Soulseek
2008-01-24 20:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 19:01 --------- d-----w C:\Program Files\FrostWire
2008-01-22 19:01 --------- d-----w C:\Program Files\DVD X Player Pro
2008-01-22 19:00 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-06 20:40 --------- d-----w C:\Program Files\Free FLV Converter
2007-05-23 15:43 3,071,488 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2007-05-10 12:55 3,054,592 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2007-05-02 19:42 3,048,448 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2007-05-02 19:42 2,792,448 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2007-04-29 19:11 3,691,520 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2007-02-27 15:49 3,789,312 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2007-02-27 15:49 2,466,304 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2007-02-22 07:35 140,621 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_13_03_48_46_small.dmp.zip
2007-01-18 14:30 468,006 ----a-w C:\WINDOWS\Internet Logs\imsDebug.zip
2007-01-12 02:51 2,188,288 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2007-01-08 23:55 183,444 ----a-w C:\WINDOWS\Internet Logs\Explorer_2nd_2007_01_06_16_46_05_small.dmp.zip
2007-01-08 15:24 4,148,736 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2007-01-08 15:24 2,199,552 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2007-01-06 03:19 132,822 ----a-w C:\WINDOWS\Internet Logs\explorer_2nd_2007_01_06_03_17_09_small.dmp.zip
2006-12-27 03:41 128,603 ----a-w C:\WINDOWS\Internet Logs\explorer_2nd_2006_12_27_03_25_43_small.dmp.zip
2006-12-25 02:51 103,748 ----a-w C:\WINDOWS\Internet Logs\explorer_2nd_2006_12_22_19_21_58_small.dmp.zip
2006-12-22 17:49 162,947 ----a-w C:\WINDOWS\Internet Logs\explorer_2nd_2006_12_22_16_13_00_small.dmp.zip
2006-12-22 17:49 152,536 ----a-w C:\WINDOWS\Internet Logs\explorer_2nd_2006_12_22_16_23_13_small.dmp.zip
2006-12-22 17:49 129,429 ----a-w C:\WINDOWS\Internet Logs\explorer_2nd_2006_12_22_17_42_03_small.dmp.zip
2006-12-22 17:49 122,369 ----a-w C:\WINDOWS\Internet Logs\explorer_2nd_2006_12_22_16_17_58_small.dmp.zip
2006-12-08 20:17 3,125,760 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2006-11-19 16:42 3,393,024 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2006-11-19 16:42 1,961,472 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2006-10-30 17:25 3,066,368 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2006-10-30 17:25 1,580,032 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684CC}]
C:\Program Files\Helper\findsiteonline.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 10:40 524288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 07:19 4640768]
"nwiz"="nwiz.exe" [2003-05-02 07:19 323584 C:\WINDOWS\system32\nwiz.exe]
"adiras"="adiras.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe" [2005-03-09 04:00 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-08 14:03 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-24 21:55 155648]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 13:05 69632]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 09:19 757760]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 18:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"McRegWiz"="C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" [2003-09-02 15:41 135168]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:50 219136]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2008-01-23 23:06 2115728]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-08 00:39:05 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 06:05:26 29696]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-01-07 23:47:28 962663]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-05 05:23:00 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{D0B159BC-0489-1033-0428-04080603002c}"= "C:\Program Files\Common Files\{D0B159BC-0489-1033-0428-04080603002c}\Update.exe" mc-110-12-0000797

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^BlackICE PC Protection.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\BlackICE PC Protection.lnk
backup=C:\WINDOWS\pss\BlackICE PC Protection.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adware.Srv32]
C:\WINDOWS\system32\runsrv32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-01-07 14:57 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 18:29 303104 C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-01-08 18:54 65536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-06-12 10:31]
S2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-01-31 09:39]
S2 ZBJWDGTD;ZBJWDGTD;C:\WINDOWS\System32\zbjwdgtd.vvy []
S3 RapDrv;RapDrv;C:\WINDOWS\system32\drivers\RapDrv.sys [2003-10-24 14:57]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 17:26]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 17:26]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 04:13:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 4:30:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-25 04:30:38
.
2008-01-09 18:05:59 --- E O F ---



HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 04:32:18, on 25/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ISS\BlackICE\blackd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - C:\Program Files\Helper\findsiteonline.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrad...raderMediaX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141702308341
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146016606019
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[kahdah]

Avg anti spyware has changed a bit since that was created.
========================================
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.





Download the file & save it as it's originally named, next to ComboFix.exe.






Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

Edited by kahdah, 25 January 2008 - 02:54 AM.

[Chris Owen]

Thanks for advice Kahdah....I have done what you said, and here is the CF_RC.txt log file

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

I must add that after running combofix the other day, 99% of the problems have gone. The only remaining thing was AVG alerting me to a 'generic6.AFBL' infection. This hasn't popped up for over 36 hours now, so fingers crossed, you've sorted it.

Please let me know where I can make a donation to the site.

Cheers!

- Chris

[kahdah]

I just noticed that you have like 3 antivirus programs installed.
Please uninstall all of them but AVG.
Unless you plan on paying for Black Ice or Mcafee.
Either way you only need one.

AFter that
1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\sqmnoopt01.sqm
C:\sqmdata01.sqm
C:\sqmnoopt00.sqm
C:\sqmdata00.sqm
C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\System32\zbjwdgtd.vvy 
Folder::
C:\Program Files\Helper
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684CC}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adware.Srv32]
Driver::
ZBJWDGTD

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

[Chris Owen]

Thanks for instructions again! Mcafee now removed. Logs below as requested.

- Chris

COMBOFIX LOG

ComboFix 08-01-23.1C - Chris 2008-01-28 0:33:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.492 [GMT 0:00]Running from: C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\System32\zbjwdgtd.vvy
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ZBJWDGTD
-------\ZBJWDGTD


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-27 21:53 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-27 21:53 . 2008-01-26 05:24 211 --a------ C:\Boot.bak
2008-01-25 08:37 . 2008-01-25 08:37 <DIR> d-------- C:\Program Files\7-Zip
2008-01-25 03:43 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 20:10 . 2008-01-25 03:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-23 20:05 . 2008-01-23 22:56 53,760 --a------ C:\WINDOWS\system32\Squeeze.dll
2008-01-23 20:05 . 2008-01-23 23:06 34,308 --a------ C:\WINDOWS\system32\Chip.dll
2008-01-22 16:43 . 2008-01-23 23:06 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-21 18:09 . 2008-01-23 23:59 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-21 18:09 . 2005-10-18 11:08 349,760 --a------ C:\WINDOWS\system32\mcinsctl.dll
2008-01-21 18:09 . 2003-10-01 04:52 270,336 --a------ C:\WINDOWS\system32\mcgdmgr.dll
2008-01-21 00:18 . 2008-01-21 18:18 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-10 20:58 . 2008-01-22 19:00 <DIR> d-------- C:\Program Files\Kontiki

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 00:34 --------- d-----w C:\Program Files\Soulseek
2008-01-24 20:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 19:01 --------- d-----w C:\Program Files\FrostWire
2008-01-22 19:01 --------- d-----w C:\Program Files\DVD X Player Pro
2008-01-22 19:00 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-06 20:40 --------- d-----w C:\Program Files\Free FLV Converter
.

((((((((((((((((((((((((((((( snapshot@2008-01-25_ 4.29.45.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 03:44:55 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-28 00:30:58 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 03:44:55 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-28 00:30:58 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 03:44:55 6,811,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-28 00:30:58 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-25 03:44:55 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-28 00:30:59 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 03:44:55 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-28 00:31:00 6,840,320 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-25 03:44:55 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-28 00:31:00 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-10-29 18:15:59 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-25 04:16:42 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 18:15:59 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-25 04:16:42 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 10:40 524288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-02 07:19 4640768]
"nwiz"="nwiz.exe" [2003-05-02 07:19 323584 C:\WINDOWS\system32\nwiz.exe]
"adiras"="adiras.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"EPSON Stylus Photo R220 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe" [2005-03-09 04:00 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-08 14:03 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-24 21:55 155648]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 13:05 69632]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 09:19 757760]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 18:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-07 14:57 579072]
"Adware.Srv32"="C:\WINDOWS\system32\runsrv32.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 08:50 219136]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2008-01-23 23:06 2115728]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-08 00:39:05 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 06:05:26 29696]
BlackICE PC Protection.lnk - C:\Program Files\ISS\BlackICE\blackice.exe [2006-05-30 18:08:44 774144]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-01-07 23:47:28 962663]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-05 05:23:00 65588]
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2006-01-07 22:17:31 561152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{D0B159BC-0489-1033-0428-04080603002c}"= "C:\Program Files\Common Files\{D0B159BC-0489-1033-0428-04080603002c}\Update.exe" mc-110-12-0000797

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-06-12 10:31]
S2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-01-31 09:39]
S3 RapDrv;RapDrv;C:\WINDOWS\system32\drivers\RapDrv.sys [2003-10-24 14:57]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 17:26]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 17:26]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 00:59:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-28 1:17:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-28 01:17:14
ComboFix2.txt 2008-01-25 04:30:51
.
2008-01-09 18:05:59 --- E O F ---



HIJACKTHIS LOG


Logfile of HijackThis v1.99.1
Scan saved at 01:20:33, on 28/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrad...raderMediaX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141702308341
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146016606019
O17 - HKLM\System\CCS\Services\Tcpip\..\{38311A06-06C4-47BC-B0F8-B39CE7A938B1}: NameServer = 212.139.132.56 212.139.132.57
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[kahdah]

You are welcome

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

[Chris Owen]

Thanks for latest instructions!

I ran the scan as described, but as the scan finished, Internet Explorer simply closed! I tried it again 3 times, but the same thing happened. IE just disappears, and I have to re-open it again from my desktop. So it looks like I can't complete the scan or see the report at the end of it.

Is there any alternative scan I can do?

Cheers,

- Chris

[kahdah]

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

[Chris Owen]

Thanks for your reply and your latest instructions. Sorry for not replying sooner, but I've been away for a few days.

Okay, I've carried out your instructions, and the Kaspersky logfile is below.

I'm away for 10 days from tomorrow, and so I won't be able to carry out any further instructions until when I return on the 22nd.

Many thanks again,

- Chris

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 13, 2008 5:29:34 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/02/2008
Kaspersky Anti-Virus database records: 559994
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 436835
Number of viruses found: 5
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 07:21:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users.WINDOWS\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\GlobalSCAPE\CuteFTP Pro\8.0\Logs\[08.02.10_07.03]-#000002.log Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\GlobalSCAPE\CuteFTP Pro\8.0\Logs\[08.02.10_07.11]-#000019.log Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\GlobalSCAPE\CuteFTP Pro\8.0\Logs\[08.02.10_17.55]-#000028.log Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\GlobalSCAPE\CuteFTP Pro\8.0\Logs\[08.02.12_17.58]-#000032.log Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\Documents\Downloaded Software\VDownloader.exe Infected: not-a-virus:Downloader.Win32.VDown.a skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\Documents\Downloaded Software\vdownloader.zip/VDownloader.exe Infected: not-a-virus:Downloader.Win32.VDown.a skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\Documents\Downloaded Software\vdownloader.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\Documents\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Local Settings\Application Data\Identities\{C3BFF282-99F2-488D-BD9A-F8A3BB7B5972}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Local Settings\Application Data\Identities\{C3BFF282-99F2-488D-BD9A-F8A3BB7B5972}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Local Settings\Application Data\Identities\{C3BFF282-99F2-488D-BD9A-F8A3BB7B5972}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Local Settings\Application Data\Identities\{C3BFF282-99F2-488D-BD9A-F8A3BB7B5972}\Microsoft\Outlook Express\Sent Items.dbx Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Local Settings\Temp\cisteDX_fm_100 Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ISS\BlackICE\blackice-service.log Object is locked skipped
C:\Program Files\ISS\BlackICE\evd000.enc Object is locked skipped
C:\RECYCLER\S-1-5-21-329068152-2049760794-682003330-1003\Dc69.exe Infected: not-a-virus:Downloader.Win32.VDown.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP583\A0177403.exe Object is locked skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP584\A0185070.exe Object is locked skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP584\A0185073.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Agent.htu skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP584\A0185073.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.dux skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP584\A0185073.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP584\A0185073.exe/data.rar/install.exe Infected: Virus.Win32.Virut.av skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP584\A0185073.exe/data.rar Infected: Virus.Win32.Virut.av skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP584\A0185073.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP588\A0194881.dll Object is locked skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP588\A0194907.dll Object is locked skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP588\A0194908.dll Object is locked skipped
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP602\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A0C2B53E-CC9E-4679-86AC-BE2B3D3366A1}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TempFile Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP602\change.log Object is locked skipped

Scan process completed.

Edited by Chris Owen, 12 February 2008 - 11:45 PM.

[kahdah]

Ok .

When you get back do the following:

1. Please open Notepad

• Click Start , then Run
• type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\Documents\Downloaded Software\VDownloader.exe 
C:\RECYCLER\S-1-5-21-329068152-2049760794-682003330-1003\Dc69.exe 
Folder::
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\Documents\Downloaded Software\vdownloader.zip

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.