worm agent.sps

Computing.Net > Forums > Security and Virus > worm agent.sps

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

worm agent.sps

Name: spark
Date: September 30, 2007 at 23:30:38 Pacific
OS: XP
CPU/Ram: core 2 duo 2.13ghz
Product: enspire

Comment:

My trend micro anti-virus found the following worm.
http://www.trendmicro.com/vinfo/vir...
It deleted the files and I followed the solution procedures.
I think I got the worm from my USB key which I use at uni. The USB key is still playing up, files dont copy properly and the same problems are now happening on a second USB key.
I havent used either of them with another computer to risk spreading the worm, but this means I dont know if the worm is localised to my computer or if it has spread to the USB keys.
No scanning program has found anymore problems (Trend, AVG).
Im a bit stumped as to what is causing the problems.
Will any scanlogs help? hijackthis etc
Cheers.

Sponsored Link

Ads by Google

Response Number 1

Name: jabuck
Date: October 1, 2007 at 03:35:02 Pacific

Reply:

Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.
Please download and install the latest version of HijackThis v2.0.2:
Download the HijackThis Installer from this link: HijackThis
1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Response Number 2

Name: spark
Date: October 1, 2007 at 19:03:59 Pacific

Reply:

Combofix Log
ComboFix 07-10-02.2 - Neil 2007-10-02 11:53:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1282 [GMT 10:00]
Running from: C:\Documents and Settings\Neil\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.
2007-10-02 11:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-01 15:08 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-01 15:06 <DIR> d-------- C:\Documents and Settings\Neil\.housecall6.6
2007-09-29 18:49 <DIR> d-------- C:\Program Files\iTunes
2007-09-29 18:48 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-29 18:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-29 15:43 <DIR> d-------- C:\Program Files\ImageJ
2007-09-29 15:09 <DIR> dr------- C:\Program Files\Centricity
2007-09-26 14:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-09-26 13:21 72,672 --a------ C:\WINDOWS\system32\drivers\LxrSII1d.sys
2007-09-26 13:21 49,152 --a------ C:\WINDOWS\system32\LxrSII1s.exe
2007-09-26 13:21 28,672 --a------ C:\WINDOWS\system32\LxrUnplug.exe
2007-09-26 13:21 139,264 --a------ C:\WINDOWS\system32\LxrSII1.dll
2007-09-25 19:26 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\Ceedo
2007-09-21 21:34 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\teamspeak2
2007-09-05 21:35 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-02 1rogram Files\Trend Micro
2007-10-01 1ocuments and Settings\All Users\Application Data\Microsoft Help
2007-09-29 1rogram Files\iPod
2007-09-20 1rogram Files\InstallShield Installation Information
2007-09-14 2rogram Files\Common Files\Wise Installation Wizard
2007-09-14 1rogram Files\MSN Messenger
2007-08-27 1rogram Files\AGEIA Technologies
2007-08-27 11:24 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-13 1ocuments and Settings\Neil\Application Data\Soldat
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 09:06 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-27 09:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-27 09:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 09:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-27 09:06 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-27 09:06 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-27 09:06 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-27 09:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-27 09:03 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-27 09:03 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-27 09:03 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-27 09:03 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-27 09:03 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-27 09:03 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-27 09:03 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-27 09:03 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-27 09:03 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-27 09:03 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-27 09:03 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-27 09:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-27 09:03 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-12-06 21:33 1 --a------ C:\Documents and Settings\Neil\SI.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-03 11:17]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-23 06:22]
"nwiz"="nwiz.exe" [2006-10-23 06:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-23 06:22]
"NWEReboot"="" []
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Version Cue CS2"="E:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 17:58]
"Acrobat Assistant 8.0"="E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"AS01_Netgear"="C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe" [2006-12-08 09:45]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-01 14:41]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]
"PowerBar"="" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
AllChars.lnk - E:\Program Files\AllChars\AllChars.exe [2007-07-25 21:28:46]
Smart Wizard Wireless Settings.lnk - E:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-03-21 22:20:21]
C:\Documents and Settings\Neil\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-01-30 18:20:46]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2006-12-06 16:19:55]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
AllChars.lnk - E:\Program Files\AllChars\AllChars.exe [2007-07-25 21:28:46]
Smart Wizard Wireless Settings.lnk - E:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-03-21 22:20:21]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-03-05 17:36 140976 E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
"C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
"C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
R2 LxrSII1d;Secure II Driver;\??\C:\WINDOWS\system32\Drivers\LxrSII1d.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
R3 ICAM5USB;Intel(r) PC Camera CS110;C:\WINDOWS\system32\Drivers\Icam5USB.sys
R3 NETGEAR_WG311_SERVICE;NETGEAR WG311 Wireless PCI Adapter Service;C:\WINDOWS\system32\DRIVERS\wg311nd5.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 sony_ssm.sys;sony_ssm.sys;\??\C:\DOCUME~1\Neil\LOCALS~1\Temp\sony_ssm.sys
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINDOWS\system32\DRIVERS\wg121nd5.sys
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-02 11:57:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-10-02 11:59:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-02 11:59
.
--- E O F ---
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51, on 2007-10-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\AllChars\AllChars.exe
E:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\sed.cfexe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - E:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - E:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "E:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AS01_Netgear] C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AllChars.lnk = E:\Program Files\AllChars\AllChars.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FreshDownload - {0C6A3455-C7AA-4837-9D4D-ACF9A9E78281} - E:\Program Files\FreshDevices\FreshDownload\fd.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - E:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
--
End of file - 10909 bytes

AVG picked up another one, trojan.hider.i
this file is present on all external harddrives (USB key), each folder on the key becomes a .exe, it even found it on my ipod heh.
cheers for your help jabuck. greatly appreciated.

Response Number 3

Name: jabuck
Date: October 1, 2007 at 19:26:47 Pacific

Reply:

Are the external drives "jump" or "flash" drives that plug into a usb port?
If so do the following.
Please download Flash_Disinfector.exe by sUBs and save to your desktop.
NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.
Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.

Response Number 4

Name: spark
Date: October 2, 2007 at 00:44:35 Pacific

Reply:

yeah sorry i call them usb keys, they are flash drives indeed.
i ran flashdisinfector on both drives, one with infected files quarantined one without..no problems on the clean drive.
appeared not to do much with the infected one however. the infected files are still there. i took screen shots to try and explain it a bit better ( i dont think i did a very good job )
http://img250.imageshack.us/img250/...
http://img250.imageshack.us/img250/...
the malicious code seems to replace the folders with an odd looking folder icon and they are now .exe (i know not to open them now)
once the file/folders are quarantined the flash drive shows its still full but there are no folders visible. can i salvage whats on the flash drive? (there are some files i need from it)
i seem to have rid the trojan from my computer however

Response Number 5

Name: jabuck
Date: October 2, 2007 at 16:09:11 Pacific

Reply:

plug the infected jump drive into the computer and run combofix and post the log.
Remove the jump drive once you have a log.

software.log powerreg scheduler extend.dat	macro excel PDF FileName e SaveAS imageJ quicktime awindis5.sys
See More

Response Number 6

Name: spark
Date: October 2, 2007 at 19:59:08 Pacific

Reply:

ComboFix 07-10-02.2 - Neil 2007-10-03 12:50:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1179 [GMT 10:00]
Running from: C:\Documents and Settings\Neil\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))
.
2007-10-02 17:28 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-10-02 17:15 <DIR> drahs---- C:\autorun.inf
2007-10-01 15:08 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-01 15:06 <DIR> d-------- C:\Documents and Settings\Neil\.housecall6.6
2007-09-29 18:49 <DIR> d-------- C:\Program Files\iTunes
2007-09-29 18:48 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-29 18:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-29 15:43 <DIR> d-------- C:\Program Files\ImageJ
2007-09-29 15:09 <DIR> dr------- C:\Program Files\Centricity
2007-09-26 14:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-09-26 13:21 72,672 --a------ C:\WINDOWS\system32\drivers\LxrSII1d.sys
2007-09-26 13:21 49,152 --a------ C:\WINDOWS\system32\LxrSII1s.exe
2007-09-26 13:21 28,672 --a------ C:\WINDOWS\system32\LxrUnplug.exe
2007-09-26 13:21 139,264 --a------ C:\WINDOWS\system32\LxrSII1.dll
2007-09-25 19:26 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\Ceedo
2007-09-21 21:34 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\teamspeak2
2007-09-05 21:35 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-02 1rogram Files\Trend Micro
2007-10-01 1ocuments and Settings\All Users\Application Data\Microsoft Help
2007-09-29 1rogram Files\iPod
2007-09-20 1rogram Files\InstallShield Installation Information
2007-09-14 2rogram Files\Common Files\Wise Installation Wizard
2007-09-14 1rogram Files\MSN Messenger
2007-08-27 1rogram Files\AGEIA Technologies
2007-08-27 11:24 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-13 1ocuments and Settings\Neil\Application Data\Soldat
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 09:06 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-27 09:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-27 09:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 09:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-27 09:06 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-27 09:06 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-27 09:06 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-27 09:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-27 09:03 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-27 09:03 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-27 09:03 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-27 09:03 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-27 09:03 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-27 09:03 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-27 09:03 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-27 09:03 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-27 09:03 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-27 09:03 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-27 09:03 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-27 09:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-27 09:03 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-12-06 21:33 1 --a------ C:\Documents and Settings\Neil\SI.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-03 11:17]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-23 06:22]
"nwiz"="nwiz.exe" [2006-10-23 06:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-23 06:22]
"NWEReboot"="" []
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Version Cue CS2"="E:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 17:58]
"Acrobat Assistant 8.0"="E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"AS01_Netgear"="C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe" [2006-12-08 09:45]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-01 14:41]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]
"PowerBar"="" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
AllChars.lnk - E:\Program Files\AllChars\AllChars.exe [2007-07-25 21:28:46]
Smart Wizard Wireless Settings.lnk - E:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-03-21 22:20:21]
C:\Documents and Settings\Neil\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-01-30 18:20:46]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2006-12-06 16:19:55]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
AllChars.lnk - E:\Program Files\AllChars\AllChars.exe [2007-07-25 21:28:46]
Smart Wizard Wireless Settings.lnk - E:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-03-21 22:20:21]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-03-05 17:36 140976 E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
"C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
"C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
R2 LxrSII1d;Secure II Driver;\??\C:\WINDOWS\system32\Drivers\LxrSII1d.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
R3 ICAM5USB;Intel(r) PC Camera CS110;C:\WINDOWS\system32\Drivers\Icam5USB.sys
R3 NETGEAR_WG311_SERVICE;NETGEAR WG311 Wireless PCI Adapter Service;C:\WINDOWS\system32\DRIVERS\wg311nd5.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 sony_ssm.sys;sony_ssm.sys;\??\C:\DOCUME~1\Neil\LOCALS~1\Temp\sony_ssm.sys
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINDOWS\system32\DRIVERS\wg121nd5.sys
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 12:52:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-03 12:53:00
C:\ComboFix-quarantined-files.txt ... 2007-10-03 12:52
C:\ComboFix2.txt ... 2007-10-02 11:59
.
--- E O F ---

EDIT:
when running the flashdisinfector again (dont know why) I got the following error message
Processing Message c0000012 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c
It came up about 100 times before it said it was finished scanning...

Response Number 7

Name: jabuck
Date: October 3, 2007 at 19:57:26 Pacific

Reply:

Run the flash_disinfector from the link below but this time plug all the infected jump drives in at one time.Please download http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe and save to your desktop.
NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.
Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
With the jump drive connected run the following scan.
Run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here.

Response Number 8

Name: spark
Date: October 4, 2007 at 06:34:26 Pacific

Reply:

---------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 04, 2007 11:29:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 4/10/2007
Kaspersky Anti-Virus database records: 427021
---------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
W:\
X:\
Y:\
Z:\
Scan Statistics:
Total number of scanned objects: 153697
Number of viruses found: 2
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 02:36:07
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Neil\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\Working\database_5EC4_95C7_C495_A1B7\dfsr.db Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\Working\database_5EC4_95C7_C495_A1B7\fsr.log Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\Working\database_5EC4_95C7_C495_A1B7\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\Working\database_5EC4_95C7_C495_A1B7\tmp.edb Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Windows Live Contacts\minidaws@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Windows Live Contacts\minidaws@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\History\History.IE5\MSHist012007100420071005\index.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temp\~DF5B63.tmp Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temp\~DFCA8B.tmp Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temp\~DFCA96.tmp Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temp\~DFE6FA.tmp Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temp\~DFE705.tmp Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Neil\ntuser.dat Object is locked skipped
C:\Documents and Settings\Neil\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CB0807AE-C5D5-4CB7-A60B-BB60583F7704}\RP11\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe/WISE0027.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe WiseSFX: infected - 4 skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe WiseSFX Dropper: infected - 4 skipped
E:\Ben's Stuff\My Music\iTunes\iTunes Library.itl Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{CB0807AE-C5D5-4CB7-A60B-BB60583F7704}\RP11\change.log Object is locked skipped
Scan process completed.
OK, I think the trojan has finally gone. Flash drives seem ok. New drives arent being infected by the looks of things. However I think something has happened to change autoplay.
Some CD's/DVD's I put in the computer will not read and nothing autoplays. CD works fine on another computer.

Response Number 9

Name: jabuck
Date: October 4, 2007 at 17:55:53 Pacific

Reply:

Navigate to and delete this file if found:
E:\Ben's Stuff\Downloads\BSINSTALL.exe
Go to the following link and run the repair wizard:
Microsoft Autoplay Repair Wizard
Let me know how it works.

Response Number 10

Name: spark
Date: October 5, 2007 at 02:06:42 Pacific

Reply:

thanks so much for your advice jabuck. all problems now seemed to be fixed :)
that autofix did wonders.
cheers mate

Response Number 11

Name: jabuck
Date: October 5, 2007 at 03:41:20 Pacific

Reply:

Glad we could help.

Sponsored Link

Ads by Google

undeliverable email / spa...

Computer Virus Trouble ??

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: worm agent.sps

Infected with Trojans/worm etc

Summary

www.computing.net/answers/security/infected-with-trojansworm-etc/26221.html

Infostealer/Drivecleaner etc.

Summary

www.computing.net/answers/security/infostealerdrivecleaner-etc/20810.html

speed slow and too many worms

Summary

www.computing.net/answers/security/speed-slow-and-too-many-worms/20369.html

From the Geek Dictionary
PL - A very short acronym standing for Power Level. This is a term commonly used...

Ask a Question!

Weekly Poll
What do you think of the new preview of Chrome OS?

Poll Finishes In 5 Days.
Discuss in The Lounge
Poll History

Recent Posts
Why Additional Domain Controller

Should I reconfigure my servers?

How to convert PPT to video wiht good quality

How do i connect Dell D620 to TV

Java Enabling

All Awaiting Reply

Tom's News
Woman Tracks Down Club Attacker on Facebook

Geolocation Functions Come to Twitter

New Craigslist Trend: Trade Sex for Rent?

Law Firm Investigates MS Over Xbox Live Bans

Amazon Charges $25 for Palm Pixi and $80 for Pre

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE