
Video Tube Codec Malware


Name: philcat
Date: March 1, 2008 at 03:08:09 Pacific
OS: XP Home
CPU/Ram: Centrino 1.7 512
Product: Gericom Ego 1780 XL+
Comment:

Ok

It's time to admit I'm a pillock: I downloaded the above and am now suffering a hijacked browser when using Google, strange sound clips playing and instantaneous deleting when I type. Please help. I'm capable of editing the registry, going into safe mode etc. and have got the SmitFraudFix and HijackThis logs ready, should you require them.

Thanks in advance clever folks!

Phil




Response Number 1
Name: plrpro
Date: March 1, 2008 at 11:03:58 Pacific
Reply:

Because you just got infected, the first thing I would do is a simple system restore. Send the computer back in time to when you were not infected. Then run your anti-spyware software and anti-virus software while in safe mode.

I know many people here will disagree, but those free virus and spyware programs are not enough protection. Go out and purchase something.

The fact you got infected in the first place should tell you that you do not have enough protection.



Response Number 2
Name: philcat
Date: March 1, 2008 at 11:11:08 Pacific
Reply:

Thanks for that, I did try it first, but no good, so have installed the programs suggested on this forum and run them, which seems to have sorted things out. I just need somebody who can understand the log files to see if I'm completely clean at last.

Phil



Response Number 3
Name: jabuck
Date: March 1, 2008 at 16:47:47 Pacific
Reply:

Please post your Hijack This log.



Response Number 4
Name: philcat
Date: March 1, 2008 at 22:11:31 Pacific
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19:13, on 02/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp3.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\crypserv.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
E:\Program Files\PyroSim 2007\fds\smpd.exe
E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Messenger\MSMSGS.exe
E:\Program Files\Spyware Terminator\sp_rsser.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\SearchIndexer.exe
E:\Program Files\Windows Desktop Search\WindowsSearch.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.2.1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: TBSB00393 - {0F296CA4-A145-4C7C-B036-1B67F8BFFC93} - E:\PROGRA~1\QUICKN~1\YOUTUB~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp3.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpywareTerminator] "E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Windows Desktop Search.lnk = E:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {047C3241-279D-438A-BC34-9AD1C1910FC0} (DrsDnld Control) - http://www.mathcentre.ac.uk/resourc...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driver...
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: AvpSrv - {f55bb8d4-0538-4ffd-a3b2-e48854f7dffb} - C:\WINDOWS\Installer\{f55bb8d4-0538-4ffd-a3b2-e48854f7dffb}\AvpSrv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Imapi Helper - Alex Feinman - E:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: MPICH2 Process Manager, Argonne National Lab (mpich2_smpd) - Unknown owner - E:\Program Files\PyroSim 2007\fds\smpd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - E:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6258 bytes



Response Number 5
Name: jabuck
Date: March 2, 2008 at 18:06:18 Pacific
Reply:

Sorry for the delay.

The following item appears to be a trojan:

O21 - SSODL: AvpSrv - {f55bb8d4-0538-4ffd-a3b2-e48854f7dffb} - C:\WINDOWS\Installer\{f55bb8d4-0538-4ffd-a3b2-e48854f7dffb}\AvpSrv.dll

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running; it may cause your system to hang.)
Please post the log it produces.

Please download SmitFraudFix from this link:

SmitfraudFix

Then extract the contents to your desktop.
!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop !!!!

Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


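As an added example (not from the thread, and not code from HijackThis, ComboFix or any other tool named here), a small Python triage script that parses the DLL-loading HijackThis lines (O2 BHO, O20 Winlogon Notify, O21 SSODL) into structured entries and attaches review reasons. It flags the O21 line jabuck points to because it is an SSODL entry, its DLL lives under C:\WINDOWS\Installer, and its folder is named after its own CLSID; the heuristics and the Entry/triage names are the editor's assumptions, and the sample input is constructed from the lines posted above.

```python
"""Triage of the DLL-loading HijackThis entries (O2 BHO, O20 Winlogon
Notify, O21 SSODL).  Added example for this thread; the heuristics and names
are the editor's, and each reason is a prompt for a closer look (hash lookup,
signature check), not a verdict."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the four DLL-loading lines from philcat's HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: TBSB00393 - {0F296CA4-A145-4C7C-B036-1B67F8BFFC93} - E:\PROGRA~1\QUICKN~1\YOUTUB~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: AvpSrv - {f55bb8d4-0538-4ffd-a3b2-e48854f7dffb} - C:\WINDOWS\Installer\{f55bb8d4-0538-4ffd-a3b2-e48854f7dffb}\AvpSrv.dll
"""

# "Onn - Kind: rest", where rest is "name [- {CLSID}] - path"
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DLL_SECTIONS = {"O2", "O20", "O21"}


@dataclass
class Entry:
    section: str                 # O2 / O20 / O21
    name: str                    # display name HijackThis shows
    clsid: Optional[str]         # lower-cased {GUID}, None for O20 lines
    path: str                    # DLL path as recorded in the registry
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def parse_line(line: str) -> Optional[Entry]:
    """Split one 'Onn - Kind: name - {clsid} - path' line; None if not a DLL line."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(1) not in DLL_SECTIONS:
        return None
    section, _kind, rest = m.groups()
    head, _, path = rest.rpartition(" - ")      # last field is always the DLL path
    if not path:
        return None
    clsid_m = CLSID_RE.search(head)
    name = head.split(" - ")[0].strip()
    return Entry(section, name, clsid_m.group(0).lower() if clsid_m else None, path.strip())


def triage(entry: Entry) -> Entry:
    """Attach review reasons.  Each one is a heuristic, not proof of malice."""
    parts = [s for s in re.split(r"[\\/]", entry.path.lower()) if s]
    # 1. ShellServiceObjectDelayLoad is a rarely used load point: the DLL is
    #    loaded into explorer.exe as the shell starts, so every third-party
    #    entry deserves a publisher check.
    if entry.section == "O21":
        entry.reasons.append("SSODL entry loads into explorer.exe at shell start; confirm publisher")
    # 2. C:\WINDOWS\Installer is the MSI package cache, not a normal home for
    #    a shell component or browser helper (assumes the default XP layout).
    if parts[1:3] == ["windows", "installer"]:
        entry.reasons.append("DLL lives under WINDOWS\\Installer (MSI cache), unusual for a shell component")
    # 3. The DLL's folder is named after its own CLSID.  MSI cache folders are
    #    GUID-named too, but a GUID that doubles as the COM registration is a
    #    pattern to query rather than dismiss.
    if entry.clsid and entry.clsid in parts:
        entry.reasons.append("directory name equals the entry's CLSID")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse every DLL-loading line in a HijackThis log and triage it."""
    return [triage(e) for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged_paths(text: str) -> List[str]:
    """Paths of the entries that collected at least one review reason."""
    return [e.path for e in triage_log(text) if e.flagged]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{'REVIEW' if e.flagged else 'ok    '} {e.section:<3} {e.name:<16} {e.path}")
        for r in e.reasons:
            print(f"         - {r}")
```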




Response Number 6
Name: philcat
Date: March 2, 2008 at 21:05:42 Pacific
Reply:

Thank you very much for your reply and time; I can wait, so no need to apologise ever. I definitely still have something: ad windows pop up in a browser spontaneously, trying to get me to download and install more rubbish, probably. I am also constantly being warned about file extension changes since installing the protection, but I don't know if this is good or bad? Here are the logs.

ComboFix 08-03-01.3 - Phil 2008-03-03 4:59:54.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191 [GMT 0:00]
Running from: C:\Documents and Settings\Phil\Desktop\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-02 07:07 . 2008-03-02 07:07 275 --a------ C:\WINDOWS\wininit.ini
2008-03-01 20:22 . 2008-03-01 20:24 <DIR> d-------- C:\Documents and Settings\Phil\Application Data\EngMaths
2008-03-01 20:20 . 2008-03-01 20:24 <DIR> d-------- E:\Program Files\Engineering Mathematics
2008-03-01 18:49 . 2008-03-01 18:54 <DIR> d-------- E:\Program Files\Windows Live Safety Center
2008-03-01 18:19 . 2008-03-02 09:38 <DIR> d-------- E:\Program Files\RegScrubXP
2008-03-01 18:11 . 2008-03-01 18:11 <DIR> d-------- E:\Program Files\CCleaner
2008-03-01 16:12 . 2008-03-02 15:23 <DIR> d-------- E:\Program Files\WinClamAVShield
2008-03-01 16:07 . 2008-03-01 16:07 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-01 16:06 . 2008-03-01 16:06 <DIR> d-------- E:\Program Files\SUPERAntiSpyware
2008-03-01 16:06 . 2008-03-02 10:11 <DIR> d-------- E:\Program Files\Spyware Terminator
2008-03-01 16:06 . 2008-03-01 16:06 <DIR> d-------- C:\Documents and Settings\Phil\Application Data\SUPERAntiSpyware.com
2008-03-01 16:06 . 2008-03-02 15:22 <DIR> d-------- C:\Documents and Settings\Phil\Application Data\Spyware Terminator
2008-03-01 16:06 . 2008-03-01 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-01 16:06 . 2008-03-02 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-01 16:03 . 2008-03-01 16:03 <DIR> d-------- E:\Program Files\Spybot - Search & Destroy
2008-03-01 16:03 . 2008-03-01 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 15:59 . 2008-03-02 10:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-01 15:58 . 2008-03-02 10:02 <DIR> d-------- E:\Program Files\SpywareBlaster
2008-03-01 14:05 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-01 14:05 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-01 14:05 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-01 14:05 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-01 14:05 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-01 14:05 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-01 14:04 . 2008-03-01 14:04 <DIR> d-------- E:\Program Files\Alwil Software
2008-03-01 14:04 . 2003-03-18 20:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-03-01 14:04 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-01 14:04 . 2004-01-09 09:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-01 13:47 . 2008-03-01 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-01 11:15 . 2004-08-03 23:56 388,608 --a------ C:\CF19599.exe
2008-03-01 10:52 . 2008-03-01 10:52 <DIR> d-------- E:\Program Files\Trend Micro
2008-03-01 08:05 . 2008-03-01 08:05 <DIR> d-------- C:\Documents and Settings\Phil\Temporary Internet Files
2008-02-29 19:21 . 2008-02-29 19:21 <DIR> d-------- E:\Program Files\Lavasoft
2008-02-29 19:21 . 2008-02-29 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-29 17:21 . 2008-03-01 10:56 2,410 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-29 16:22 . 2008-02-29 16:22 <DIR> d-------- E:\Program Files\Enigma Software Group
2008-02-24 18:21 . 2008-02-24 18:21 <DIR> d-------- C:\Documents and Settings\All Users\CrypKey
2008-02-24 18:07 . 2008-02-25 06:48 4,480 --a------ C:\WINDOWS\system32\esnecil.nlp
2008-02-24 18:07 . 2008-02-25 17:10 4,480 --a------ C:\WINDOWS\system32\esnecil.ind
2008-02-24 18:07 . 2008-02-25 17:10 4 --a------ C:\WINDOWS\vx86036.dat
2008-02-24 10:49 . 2008-02-24 18:23 <DIR> d-------- E:\Program Files\PyroSim 2007
2008-02-24 10:49 . 2008-02-24 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PyroSim
2008-02-24 10:48 . 2008-02-25 17:09 <DIR> d-------- E:\Program Files\PyroSim
2008-02-24 10:48 . 1999-06-18 21:49 165,888 --a------ C:\WINDOWS\Ckconfig.exe
2008-02-24 10:48 . 2007-05-23 18:29 122,880 --a------ C:\WINDOWS\system32\Crypserv.exe
2008-02-24 10:48 . 1996-05-03 17:21 27,648 -ra------ C:\WINDOWS\Setup_ck.exe
2008-02-24 10:48 . 1996-05-03 15:36 18,432 --a------ C:\WINDOWS\Setup_ck.dll
2008-02-24 10:48 . 2007-05-01 21:15 16,896 --a------ C:\WINDOWS\system32\Ckldrv.sys
2008-02-24 10:48 . 1995-07-04 18:33 11,776 --a------ C:\WINDOWS\Ckrfresh.exe
2008-02-24 10:48 . 2008-02-24 10:50 78 --a------ C:\WINDOWS\Crypkey.ini
2008-02-14 00:58 . 2008-02-14 00:58 <DIR> d-------- E:\Program Files\CFAST6
2008-02-13 07:06 . 2008-02-13 07:06 <DIR> d-------- E:\Program Files\Microsoft Silverlight
2008-02-10 09:14 . 2008-03-02 09:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-10 09:14 . 2008-02-10 09:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-10 09:09 . 2008-02-10 09:09 <DIR> d-------- E:\Program Files\Apple Software Update
2008-02-10 09:09 . 2008-02-10 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 09:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-02 06:57 --------- d-----w C:\Documents and Settings\Phil\Application Data\EndNote
2008-03-01 17:34 --------- d-----w E:\Program Files\Quicknation
2008-03-01 16:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-11 18:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-09 16:41 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F296CA4-A145-4C7C-B036-1B67F8BFFC93}]
2007-02-17 06:59 868424 --a------ E:\PROGRA~1\QUICKN~1\YOUTUB~1.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 09:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-09-23 16:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 08:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"KTPWare"="C:\Program Files\Elantech\ktp3.exe" [2003-11-27 10:33 258048]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 13:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"Windows Defender"="E:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"SpywareTerminator"="E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-03-01 16:07 2957824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - E:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 14:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= E:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AvpSrv"= {f55bb8d4-0538-4ffd-a3b2-e48854f7dffb} - C:\WINDOWS\Installer\{f55bb8d4-0538-4ffd-a3b2-e48854f7dffb}\AvpSrv.dll [2008-02-29 15:08 18706]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"E:\\Program Files\\PyroSim 2007\\fds\\smpd.exe"=

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2003-10-20 18:09]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-01 16:07]
R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;E:\Program Files\PyroSim 2007\fds\smpd.exe [2008-01-23 21:01]
R3 Ktp3;Elantech TouchPad(KTP3);C:\WINDOWS\system32\DRIVERS\Ktp3.sys [2004-03-03 08:20]
S3 sea3bus;Sony Ericsson Device 0A3 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea3bus.sys [2007-01-26 20:05]
S3 sea3mdfl;Sony Ericsson Device 0A3 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea3mdfl.sys [2007-01-26 20:06]
S3 sea3mdm;Sony Ericsson Device 0A3 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea3mdm.sys [2007-01-26 20:06]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 10:44:51 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-03 04:42:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- E:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 05:00:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

folder error: C:\WINDOWS
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\Installer\{f55bb8d4-0538-4ffd-a3b2-e48854f7dffb}\AvpSrv.dll
.
Completion time: 2008-03-03 5:01:52
ComboFix2.txt 2008-03-03 04:57:11
ComboFix3.txt 2008-03-01 11:19:40
.
2008-02-29 17:31:26 --- E O F ---


============================================


SmitFraudFix v2.298

Scan done at 5:03:01.57, 03/03/2008
Run from C:\Documents and Settings\Phil\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
E:\Program Files\PyroSim 2007\fds\smpd.exe
E:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\SOUNDMAN.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp3.exe
C:\WINDOWS\system32\SearchIndexer.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Internet Explorer\IEXPLORE.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Windows Desktop Search\WindowsSearch.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Phil


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Phil\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Phil\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
----------------------+
[!] Suspicious: AvpSrv.dll
SSODL: AvpSrv - {f55bb8d4-0538-4ffd-a3b2-e48854f7dffb}


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9CEBBDD8-F316-45D4-B13E-D67ABA6087DC}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9CEBBDD8-F316-45D4-B13E-D67ABA6087DC}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9CEBBDD8-F316-45D4-B13E-D67ABA6087DC}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




Response Number 7
Name: jabuck
Date: March 6, 2008 at 18:39:11 Pacific
Reply:

Go to the following link:

http://virusscan.jotti.org/

Then use the browse button to locate this file:

Once located click submit then post the results.

Open Notepad and copy/paste everything between the X's into it, and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\Installer\{f55bb8d4-0538-4ffd-a3b2-e48854f7dffb}\AvpSrv.dll

Folder::
C:\WINDOWS\Installer\{f55bb8d4-0538-4ffd-a3b2-e48854f7dffb}

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"AvpSrv"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "run".

Empty the restore folder. Go to start > control panel > system > system restore tab > check the box beside "turn off system restore" > apply (takes a minute) > ok. Go back and uncheck the box to turn system restore back on > apply > ok.

Download CCleaner from the following link:

http://filehippo.com/download_ccleaner/

After you download it to your desktop and begin installing it, only allow the "install icon on desktop" option to install. Then run it, and use it only as suggested: it's powerful, so use only the prechecked items.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Post a new ComboFix log and a new HijackThis log please.



Response Number 8
Name: philcat
Date: March 8, 2008 at 23:18:06 Pacific
Reply:

You posted:

"Go to the following link:
http://virusscan.jotti.org/

Then use the browse button to locate this file:


Once located click submit then post the results."

Could you tell me which file you want me to download and run, because the name of the file was omitted? I ran the Kaspersky online scan a few days back and had a number of Trojans, so I installed the trial version of Kaspersky and removed them. I was worried because I thought you'd abandoned me, sorry. All the logs are below: Kaspersky from a few days ago, and the rest are up to date, with the exception of the file that I don't know the name of.

---------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 06, 2008 11:28:38 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/03/2008
Kaspersky Anti-Virus database records: 606355
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
Z:\

Scan Statistics:
Total number of scanned objects: 59202
Number of viruses found: 6
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 00:49:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.158.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.158.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy82.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_5d8.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-10012007-010502.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Phil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-6-2008( 8-26-53 ).LOG Object is locked skipped
C:\Documents and Settings\Phil\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Phil\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Phil\Local Settings\Application Data\Microsoft\Desktop Search\Logs\OTFSMonLog.txt Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{40570545-8532-468C-AB60-358D1E5936F1} Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\History\History.IE5\MSHist012008030620080307\index.dat Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\JURHHR6A\2250bkpazoow[1].exe Infected: Trojan-Downloader.Win32.Delf.ezu skipped
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\YMLM17ZL\2[1].htm Infected: Trojan.HTML.Agent.e skipped
C:\Documents and Settings\Phil\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Phil\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7EC48376-EEB9-4B89-8AFB-8DA80A469838}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Installer\{5eb79114-c46c-4929-8ec7-0a914328479a}\DrvService.dll Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\WINDOWS\Installer\{e38b414a-e622-4463-a386-1f1d6f01a40e}\zip.dll Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\WINDOWS\Installer\{f26b05f9-dbde-467d-ab9d-7702222a063d}\zip.dll Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\WINDOWS\Installer\{f55bb8d4-0538-4ffd-a3b2-e48854f7dffb}\AvpSrv.dll Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
E:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
E:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
E:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
E:\Program Files\Quicknation\Youtube-Download-Convert-Firefox.dll Infected: not-a-virus:AdWare.Win32.Mostofate.bc skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{7EC48376-EEB9-4B89-8AFB-8DA80A469838}\RP5\change.log Object is locked skipped
F:\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\SmitfraudFix.zip ZIP: infected - 1 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\YoutubeDownloadAndConvert-Firefox.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Mostofate.bt skipped
F:\YoutubeDownloadAndConvert-Firefox.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.Mostofate.bc skipped
F:\YoutubeDownloadAndConvert-Firefox.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.bc skipped
F:\YoutubeDownloadAndConvert-Firefox.exe NSIS: infected - 3 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\TEMP\Perflib_Perfdata_694.dat Object is locked skipped
G:\TEMP\~DF2E73.tmp Object is locked skipped
G:\TEMP\~DF2E7B.tmp Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:07:02, on 09/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
E:\Program Files\PyroSim 2007\fds\smpd.exe
E:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Elantech\ktp3.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\SOUNDMAN.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.2.1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp3.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Windows Desktop Search.lnk = E:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {047C3241-279D-438A-BC34-9AD1C1910FC0} (DrsDnld Control) - http://www.mathcentre.ac.uk/resourc...
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/pa...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driver...
O20 - AppInit_DLLs: E:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Imapi Helper - Alex Feinman - E:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: MPICH2 Process Manager, Argonne National Lab (mpich2_smpd) - Unknown owner - E:\Program Files\PyroSim 2007\fds\smpd.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - E:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 5957 bytes

ComboFix 08-03-01.3 - Phil 2008-03-09 6:57:40.6 - NTFSx86
Running from: C:\Documents and Settings\Phil\Desktop\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.

2008-03-08 21:40 . 2008-03-08 21:40 <DIR> d-------- E:\Program Files\CCleaner
2008-03-07 12:51 . 2008-03-07 12:46 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-03-07 12:48 . 2008-03-07 12:48 <DIR> d-------- E:\Program Files\Realtek AC97
2008-03-07 12:48 . 2008-03-07 12:46 315,392 --a------ C:\WINDOWS\alcupd.exe
2008-03-07 12:48 . 2008-03-07 12:46 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2008-03-07 06:37 . 2008-03-07 06:37 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-03-07 06:37 . 2008-03-07 06:37 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-03-07 06:34 . 2008-03-07 06:34 <DIR> d-------- E:\Program Files\Kaspersky Lab
2008-03-07 06:34 . 2008-03-09 07:03 2,929,952 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-07 06:34 . 2008-03-08 22:28 47,144 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-07 06:34 . 2008-03-09 07:03 44,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-07 06:34 . 2008-03-08 22:28 10,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-06 22:26 . 2008-03-06 22:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-06 22:26 . 2008-03-09 06:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-02 07:07 . 2008-03-02 07:07 275 --a------ C:\WINDOWS\wininit.ini
2008-03-01 20:22 . 2008-03-01 20:24 <DIR> d-------- C:\Documents and Settings\Phil\Application Data\EngMaths
2008-03-01 20:20 . 2008-03-01 20:24 <DIR> d-------- E:\Program Files\Engineering Mathematics
2008-03-01 18:49 . 2008-03-01 18:54 <DIR> d-------- E:\Program Files\Windows Live Safety Center
2008-03-01 18:19 . 2008-03-03 18:50 <DIR> d-------- E:\Program Files\RegScrubXP
2008-03-01 16:12 . 2008-03-05 11:29 <DIR> d-------- E:\Program Files\WinClamAVShield
2008-03-01 16:07 . 2008-03-01 16:07 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-01 16:06 . 2008-03-01 16:06 <DIR> d-------- E:\Program Files\SUPERAntiSpyware
2008-03-01 16:06 . 2008-03-08 11:08 <DIR> d-------- E:\Program Files\Spyware Terminator
2008-03-01 16:06 . 2008-03-01 16:06 <DIR> d-------- C:\Documents and Settings\Phil\Application Data\SUPERAntiSpyware.com
2008-03-01 16:06 . 2008-03-08 11:01 <DIR> d-------- C:\Documents and Settings\Phil\Application Data\Spyware Terminator
2008-03-01 16:06 . 2008-03-01 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-01 16:06 . 2008-03-08 11:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-01 16:03 . 2008-03-01 16:03 <DIR> d-------- E:\Program Files\Spybot - Search & Destroy
2008-03-01 16:03 . 2008-03-01 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-01 15:59 . 2008-03-03 19:11 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-01 15:58 . 2008-03-03 19:11 <DIR> d-------- E:\Program Files\SpywareBlaster
2008-03-01 14:04 . 2008-03-01 14:04 <DIR> d-------- E:\Program Files\Alwil Software
2008-03-01 14:04 . 2003-03-18 20:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-03-01 13:47 . 2008-03-01 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-01 11:15 . 2004-08-03 23:56 388,608 --a------ C:\CF19599.exe
2008-03-01 10:52 . 2008-03-01 10:52 <DIR> d-------- E:\Program Files\Trend Micro
2008-03-01 08:05 . 2008-03-01 08:05 <DIR> d-------- C:\Documents and Settings\Phil\Temporary Internet Files
2008-02-29 19:21 . 2008-02-29 19:21 <DIR> d-------- E:\Program Files\Lavasoft
2008-02-29 19:21 . 2008-02-29 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-29 17:21 . 2008-03-03 05:03 2,140 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-29 16:22 . 2008-02-29 16:22 <DIR> d-------- E:\Program Files\Enigma Software Group
2008-02-24 18:21 . 2008-02-24 18:21 <DIR> d-------- C:\Documents and Settings\All Users\CrypKey
2008-02-24 18:07 . 2008-02-25 06:48 4,480 --a------ C:\WINDOWS\system32\esnecil.nlp
2008-02-24 18:07 . 2008-03-08 11:49 4,480 --a------ C:\WINDOWS\system32\esnecil.ind
2008-02-24 18:07 . 2008-03-08 11:49 4 --a------ C:\WINDOWS\vx86036.dat
2008-02-24 10:49 . 2008-03-08 11:50 <DIR> d-------- E:\Program Files\PyroSim 2007
2008-02-24 10:49 . 2008-02-24 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PyroSim
2008-02-24 10:48 . 2008-02-25 17:09 <DIR> d-------- E:\Program Files\PyroSim
2008-02-24 10:48 . 1999-06-18 21:49 165,888 --a------ C:\WINDOWS\Ckconfig.exe
2008-02-24 10:48 . 2007-05-23 18:29 122,880 --a------ C:\WINDOWS\system32\Crypserv.exe
2008-02-24 10:48 . 1996-05-03 17:21 27,648 -ra------ C:\WINDOWS\Setup_ck.exe
2008-02-24 10:48 . 1996-05-03 15:36 18,432 --a------ C:\WINDOWS\Setup_ck.dll
2008-02-24 10:48 . 2007-05-01 21:15 16,896 --a------ C:\WINDOWS\system32\Ckldrv.sys
2008-02-24 10:48 . 1995-07-04 18:33 11,776 --a------ C:\WINDOWS\Ckrfresh.exe
2008-02-24 10:48 . 2008-02-24 10:50 78 --a------ C:\WINDOWS\Crypkey.ini
2008-02-14 00:58 . 2008-02-14 00:58 <DIR> d-------- E:\Program Files\CFAST6
2008-02-13 07:06 . 2008-02-13 07:06 <DIR> d-------- E:\Program Files\Microsoft Silverlight
2008-02-10 09:14 . 2008-03-02 09:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-10 09:14 . 2008-02-10 09:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-10 09:09 . 2008-02-10 09:09 <DIR> d-------- E:\Program Files\Apple Software Update
2008-02-10 09:09 . 2008-02-10 09:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 19:46 --------- d-----w C:\Documents and Settings\Phil\Application Data\EndNote
2008-03-08 15:57 --------- d-----w E:\Program Files\FPETool
2008-03-07 12:48 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-03-07 12:46 577,536 ----a-w C:\WINDOWS\soundman.exe
2008-03-07 12:46 147,456 ----a-w C:\WINDOWS\system32\RtlCPAPI.dll
2008-03-07 12:46 10,528,768 ----a-w C:\WINDOWS\system32\RTLCPL.exe
2008-03-07 06:52 --------- d-----w E:\Program Files\Quicknation
2008-03-02 09:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-01 16:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-11 18:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-10 09:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-08 18:37 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2008-02-08 18:35 23,604 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-01-24 16:36 4,127,488 ----a-r C:\WINDOWS\system32\drivers\alcxwdm.sys
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-10-09 16:41 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SUPERAntiSpyware"="E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2003-09-23 16:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 08:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"KTPWare"="C:\Program Files\Elantech\ktp3.exe" [2003-11-27 10:33 258048]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 13:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"Windows Defender"="E:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SpywareTerminator"="E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-03-01 16:07 2957824]
"AVP"="E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]
"SoundMan"="SOUNDMAN.EXE" [2008-03-07 12:46 577536 C:\WINDOWS\soundman.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - E:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 14:40:46 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= E:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=E:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"E:\\Program Files\\PyroSim 2007\\fds\\smpd.exe"=

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2003-10-20 18:09]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-01 16:07]
R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;E:\Program Files\PyroSim 2007\fds\smpd.exe [2008-01-23 21:01]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 Ktp3;Elantech TouchPad(KTP3);C:\WINDOWS\system32\DRIVERS\Ktp3.sys [2004-03-03 08:20]
S3 sea3bus;Sony Ericsson Device 0A3 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea3bus.sys [2007-01-26 20:05]
S3 sea3mdfl;Sony Ericsson Device 0A3 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea3mdfl.sys [2007-01-26 20:06]
S3 sea3mdm;Sony Ericsson Device 0A3 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea3mdm.sys [2007-01-26 20:06]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-08 10:41:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-09 06:44:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- E:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 07:03:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

folder error: C:\WINDOWS
**************************************************************************
.
Completion time: 2008-03-09 7:04:53
ComboFix2.txt 2008-03-08 21:53:02
ComboFix3.txt 2008-03-03 05:01:53
ComboFix4.txt 2008-03-03 04:57:11
ComboFix5.txt 2008-03-01 11:19:40
.
2008-03-07 06:54:03 --- E O F ---


0
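The Kaspersky report posted above mixes three kinds of lines that call for very different handling: "Object is locked skipped" entries (registry hives, event logs, index databases and other files the OS holds open, which are noise for cleanup purposes), "Infected: not-a-virus:..." entries (Kaspersky's prefix for riskware and adware, which here covers the SmitfraudFix reboot helper and the YouTube download add-on that started the thread), and plain "Infected:" entries (the Trojan-Downloader in the IE cache and the Trojan-Dropper DLLs under C:\WINDOWS\Installer). The script below is an added example, not code from the thread or from any of the tools in it. It parses a small constructed sample written in the same line shapes as the report, sorts lines into those buckets, collapses variant suffixes into detection families, and builds the list of paths a cleaner would actually act on. The three line shapes, the `family()` suffix heuristic and the sample lines are my assumptions; nothing here deletes or quarantines anything.

```python
"""Triage a Kaspersky-style on-demand scan report into locked / riskware / malware.

Added example (not part of the forum thread). Assumed line shapes, taken from
the report format above:
    <path> Object is locked skipped
    <path> Infected: <verdict> skipped
    <path> <ARCHIVE>: infected - <n> skipped
Lines that match none of these are kept under "unparsed" rather than dropped.
"""
import re
from collections import Counter

# Constructed sample in the report's own format (a handful of lines, not the full log).
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Phil\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Phil\Local Settings\Temporary Internet Files\Content.IE5\JURHHR6A\2250bkpazoow[1].exe Infected: Trojan-Downloader.Win32.Delf.ezu skipped
C:\WINDOWS\Installer\{5eb79114-c46c-4929-8ec7-0a914328479a}\DrvService.dll Infected: Trojan-Dropper.Win32.Agent.eya skipped
E:\Program Files\Quicknation\Youtube-Download-Convert-Firefox.dll Infected: not-a-virus:AdWare.Win32.Mostofate.bc skipped
F:\YoutubeDownloadAndConvert-Firefox.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Mostofate.bt skipped
F:\YoutubeDownloadAndConvert-Firefox.exe NSIS: infected - 3 skipped
"""

RISKWARE_PREFIX = "not-a-virus:"  # Kaspersky's marker for adware/riskware, not malware

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked skipped)"
    r"|Infected: (?P<verdict>\S+) skipped"
    r"|(?P<archive>[A-Za-z0-9]+): infected - (?P<count>\d+) skipped"
    r")$"
)


def container_of(path):
    """The scanner reports archive members as <archive>/<member>; return the archive."""
    return path.split("/", 1)[0] if "/" in path else None


def family(verdict):
    """Strip the variant suffix: Trojan-Dropper.Win32.Agent.eya -> Trojan-Dropper.Win32.Agent.
    Heuristic (my assumption): a verdict with more than three dotted parts ends in a variant."""
    name = verdict[len(RISKWARE_PREFIX):] if verdict.startswith(RISKWARE_PREFIX) else verdict
    parts = name.split(".")
    return ".".join(parts[:-1]) if len(parts) > 3 else name


def parse_line(line):
    """Return a dict describing one report line, or None if it matches no known shape."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    path = m.group("path")
    if m.group("locked"):
        return {"kind": "locked", "path": path}
    if m.group("verdict"):
        verdict = m.group("verdict")
        kind = "riskware" if verdict.startswith(RISKWARE_PREFIX) else "malware"
        return {"kind": kind, "path": path, "verdict": verdict,
                "container": container_of(path)}
    # Summary line for an archive/installer whose members were listed individually.
    return {"kind": "container", "path": path,
            "format": m.group("archive"), "count": int(m.group("count"))}


def triage(report):
    """Bucket every non-empty line of the report by kind."""
    buckets = {"locked": [], "riskware": [], "malware": [], "container": [], "unparsed": []}
    for line in report.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            buckets["unparsed"].append(line)
        else:
            buckets[entry["kind"]].append(entry)
    return buckets


def family_counts(entries):
    """How many hits per detection family (useful to see one dropper copied four times)."""
    return Counter(family(e["verdict"]) for e in entries)


def action_items(buckets):
    """Paths to quarantine: real malware hits, reported by their top-level archive when
    the hit was inside one, deduplicated and kept in report order. Riskware is left for
    manual review because it may be a legitimate tool (the SmitfraudFix reboot helper)."""
    seen, out = set(), []
    for e in buckets["malware"]:
        target = e["container"] or e["path"]
        if target not in seen:
            seen.add(target)
            out.append(target)
    return out


if __name__ == "__main__":
    b = triage(SAMPLE_REPORT)
    print(f"locked (ignore): {len(b['locked'])}, riskware (review): {len(b['riskware'])}, "
          f"malware (act): {len(b['malware'])}, containers: {len(b['container'])}")
    print("families:", dict(family_counts(b["malware"] + b["riskware"])))
    for p in action_items(b):
        print("ACT:", p)
```

Run it against the full report text to get the same split for the whole log; the point of the family view is that four `Trojan-Dropper.Win32.Agent.eya` hits in four different `C:\WINDOWS\Installer\{...}` folders are one dropper cached under several MSI product GUIDs, not four unrelated infections.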

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

