
Solved Trojan spyware - HIJACK THIS LOG

Discussion in 'Malware and Virus Removal Archive' started by RebeccainTO, 2008/04/21.

  1. 2008/04/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi RebeccainTO
    OK, great, that looks OK :)

    Please delete
    rootkitrevealer.exe and rootkitrevealer.txt

    Everything else is showing clean.

    You should be good to go.

    I would run a full scan with your CA Anti-Virus; make sure it's updated before your scan.

    I would recommend you install at least these from the prevention post you were looking at.
    I don't remember seeing a firewall. Windows Firewall is OK, but I would suggest a better one from the list if you're not running one.

    Also at least these.
    SpywareBlaster
    WinPatrol


    Let me know how things are running.

    Thanks
    Geri
     
  2. 2008/04/27
    RebeccainTO

    RebeccainTO Inactive Thread Starter

    Joined:
    2008/04/20
    Messages:
    43
    Likes Received:
    0
    Kaspersky

    What about the trojans found by Kaspersky?
     

  4. 2008/04/27
    Geri
    Hi RebeccainTO
    Those were in your recycle bin.
    C:\RECYCLER
    They should have been deleted when you emptied your recycle bin.

    You can run another Kaspersky scan and post the log. Make sure you run ATF Cleaner before doing the scan.

    Thanks
    Geri
     
  5. 2008/04/27
    RebeccainTO
    Sunday, April 27, 2008 8:41:09 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 27/04/2008
    Kaspersky Anti-Virus database records: 727908


    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 48576
    Number of viruses found: 4
    Number of infected objects: 11
    Number of suspicious objects: 0
    Duration of the scan process: 00:38:34

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\017788aee7e964d1f680957279d42afd_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0410daf915c374b96b665279eb48d2f5_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\05992124635c27b414dab51f1003c2c5_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\066ee7c38a345a8c810e02196b16180a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0861772a42ce45f0f1dec5c31756050d_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\125b2b707d927254502e9355f0350261_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\16e77965674adee239adf2283ea8fa76_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1e5a0bf170a2893b172a1f8587e7ea26_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\26159d7d51220b7ae8eb1c70c556c01f_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\27dc6f77f550c0c4f10d27a95980d9f6_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2f9412c2f622b74aa26fade75d26a2f8_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\364585bc1f33820e43adcbff51917835_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\40e4576ff1a43b9f80a6969a37f04659_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4a64e8b738cf4da69ea96cc30a8768e3_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\55c6e4e8fb026bcc4c86e5f763ae1958_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\570459036f5ddefc9778822c2f76a339_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5a4b2c881be41987ffb6c46816d266ec_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5b593af9a9ad1da6c3d692936b8b1408_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5b643f2f881f1fab0ef188b4a209c055_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5f1aa711bcaf6a6083336b2fa9094c59_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\62280fefc77d0303c05d9c223c985122_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6684fe69ab72c1115ae8b0ead2208c96_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6ec45555659957f19cf6cc451ed75133_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\737807beab3e5fedbb57541c7361af87_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\771631986d0eebf6defcdf3f21ed621a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a2c49c0cf9af3701a2ae68dd056298f_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7b1df13ee8c7370457ac9d4ea01c7617_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\813c1bb8141725aac3d80887049d9750_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8c22e54f00b2e2152648537a5e183c99_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9015464dff1f164f8438dc7fcaddef5b_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9daaeb4809ef7549a3b47b302e86d8fa_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a0d34f30e44ae4b23079179cc0ec03f0_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a67508646b45dca8ba549cec30db76cf_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aa60caa4434977ee9c85d912e2fe953d_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b21fcf67def70100b2d0d306c2520117_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bce83d46a1d72c0abd395a7ca79db682_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf50a03166257acd6800d7c698fc8cdb_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c895a93762aa1d6d2bed5e53123cc37a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c9b85b981d498373c8604d8bec8446ff_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cb7a96c56be83ecd699801c770b9b8ef_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cda16dda4371c3a179244a9fae329dce_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d1a817d60f3c7b8b1bd2afe304fc98bd_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d4354a36a629b2ab3f2244e639319bf3_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d52cbc5b7bacebd3d3b029400f734218_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e116647dcb28454d9548345d3adbe60e_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e2b58a1ac12067f3c9a9575a132add08_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e39b7241b018cbee16ce94bfd857dd92_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea1f342849f9f7a2a48c7b737766e92a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eb05245099b8d7313a17df13bf102efc_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f22383b6c3cf70dba79583ac283ca139_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f27adc9055369c2836a77e1009083ed6_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f72615baaa7308b0249044a31a7f83cb_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f77b9afcba0974c1b942e4759677b511_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f8a28d96468a3a70fd72434d0bfa480b_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\call256.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\call512.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\callmember256.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\chat512.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\contactgroup256.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\index2.dat Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\profile4096.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\transfer256.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\transfer512.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user1024.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user16384.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user256.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\user4096.dbb Object is locked skipped

    C:\Documents and Settings\win\Application Data\Skype\hillierinto\voicemail256.dbb Object is locked skipped

    C:\Documents and Settings\win\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\win\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\History\History.IE5\MSHist012008042720080428\index.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\temp\~DF3448.tmp Object is locked skipped

    C:\Documents and Settings\win\Local Settings\temp\~DF346D.tmp Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\win\ntuser.dat Object is locked skipped

    C:\Documents and Settings\win\ntuser.dat.LOG Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chandir.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chandir.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chn.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chn.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\D0000000.FCS Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\inuse.txt Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\L0000002.FCS Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\main.log Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_die.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_die.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_dnd.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_dnd.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_ext.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_ext.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_rcv.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_rcv.idx Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\storydb.dat Object is locked skipped

    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\storydb.idx Object is locked skipped

    C:\Program Files\MSTpscre\TPSCREX.EXE.0.AVB Infected: Trojan-Downloader.Win32.Agent.hyw skipped

    C:\Program Files\MSTpscre\TPSCREX.EXE.1.AVB Infected: Trojan-Downloader.Win32.Agent.hyw skipped

    C:\Program Files\MSTpscre\TPSCREX.EXE.2.AVB Infected: Trojan-Downloader.Win32.Agent.hyw skipped

    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc10.sys Infected: Trojan-Clicker.Win32.VB.and skipped

    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc7.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped

    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc8.exe Infected: Trojan.Win32.Agent.kiy skipped

    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc9.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP4\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\EventCache\{F02EA450-6056-4D04-AAA6-2BE14BF70F77}.bin Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped

    C:\WINDOWS\system32\andt.sys Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\Indt2.sys Infected: Trojan-Clicker.Win32.VB.and skipped

    C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.kiy skipped

    C:\WINDOWS\system32\tmp0_169738313379.bk Object is locked skipped

    C:\WINDOWS\system32\tmp0_412260398302.bk Object is locked skipped

    C:\WINDOWS\system32\tmp1_5569623664.bk Object is locked skipped

    C:\WINDOWS\system32\tmp1_614482403498.bk Object is locked skipped

    C:\WINDOWS\system32\tmp3_510296375759.bk Object is locked skipped

    C:\WINDOWS\system32\tmp3_87783046313.bk Object is locked skipped

    C:\WINDOWS\system32\tmp4_46227874802.bk Object is locked skipped

    C:\WINDOWS\system32\tmp4_633632236078.bk Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped

    C:\WINDOWS\TEMP\Perflib_Perfdata_610.dat Object is locked skipped

    C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  6. 2008/04/27
    RebeccainTO
    Malwarebytes log
    Malwarebytes' Anti-Malware 1.11
    Database version: 692

    Scan type: Full Scan (C:\|)
    Objects scanned: 83143
    Time elapsed: 24 minute(s), 52 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    C:\WINDOWS\system32\routing.exe (Trojan.Agent) -> Unloaded process successfully.
    C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\andt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\Indt2.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drmgs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\routing.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     
  7. 2008/04/27
    Geri
    Hi RebeccainTO

    Wow, good call running MBAM. I was unaware that it targeted this infection; they have no data log that I can go through to check.
    The only one I knew of was Combofix.
    Did you see it somewhere or just take a chance?
    So I thank you and I will note that it kills this. Thanks.


    So here is what we need to do.

    Click Start > Run and type (or paste) the following lines one at a time into the Run box. Hit Enter after each line.

    sc stop WServing

    Then this.

    sc delete WServing


    I'm guessing you have 2 folders in your C:\Recycler

    So please go here.
    C:\Recycler
    Open the Recycler folder, then open the folder with this number.
    S-1-5-21-2052111302-1035525444-839522115-500
    Delete these files that are there.
    Dc7.exe
    Dc8.exe
    Dc9.exe
    Dc10.sys


    Close those windows.


    Now please go here and delete these files. Make sure you find these exact files; there is a file that is this:
    TPSCREX.EXE <<Do not delete it.

    C:\Program Files\MSTpscre\TPSCREX.EXE.0.AVB <<Note the 0 AVB at the end.
    C:\Program Files\MSTpscre\TPSCREX.EXE.1.AVB <<Note the 1 AVB at the end.
    C:\Program Files\MSTpscre\TPSCREX.EXE.2.AVB <<Note the 2 AVB at the end.
    C:\WINDOWS\system32\wserving.exe

    Now run ATF Cleaner again or empty your recycle bin.

    Reboot your Computer.

    Run another MBAM scan then a Kaspersky scan and post the log and a new HJT log.

    Thanks
    Geri
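
    The reasoning in this post, and in the earlier reply explaining that the C:\RECYCLER hits are just emptied-recycle-bin residue, can be done mechanically: take the infected paths from the Kaspersky report, subtract what the MBAM log says it quarantined, and split what is left into recycle-bin residue and files still in place. The script below is an added example written for this thread, not a tool from Kaspersky, Malwarebytes or the forum. The sample log lines inside it are a constructed subset copied from the two reports posted above, and the parsing rules are assumptions inferred from those lines (one status suffix per Kaspersky line, one "(detection) -> action" entry per MBAM line), so other report versions may need adjusting.

```python
import re

# Constructed subset of the Kaspersky Online Scanner report posted above.
KASPERSKY_SAMPLE = r"""
C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
C:\Program Files\MSTpscre\TPSCREX.EXE.0.AVB Infected: Trojan-Downloader.Win32.Agent.hyw skipped
C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc10.sys Infected: Trojan-Clicker.Win32.VB.and skipped
C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc7.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
C:\WINDOWS\system32\andt.sys Object is locked skipped
C:\WINDOWS\system32\Indt2.sys Infected: Trojan-Clicker.Win32.VB.and skipped
C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.kiy skipped
C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
"""

# Constructed subset of the Malwarebytes' Anti-Malware log posted above.
MBAM_SAMPLE = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\andt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Indt2.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drmgs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\routing.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Assumed line shapes (inferred from the posted reports, not vendor-documented):
# Kaspersky: "<path> Object is locked skipped" or "<path> Infected: <name> skipped".
# The path may contain spaces, so it is matched non-greedily against an anchored suffix.
_KASP_LINE = re.compile(r"^(?P<path>.+?) (?:(?P<locked>Object is locked)|Infected: (?P<name>\S+)) skipped$")
# MBAM: "<item> (<detection>) -> <action>".
_MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
_SERVICE_KEY = re.compile(r"\\Services\\(?P<svc>[^\\]+)$", re.IGNORECASE)


def parse_kaspersky(text):
    """Return [{'path', 'status', 'detection'}]; status is 'infected', 'locked' or 'other'."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = _KASP_LINE.match(line)
        if not m:
            entries.append({"path": line, "status": "other", "detection": None})
        elif m.group("locked"):
            entries.append({"path": m.group("path"), "status": "locked", "detection": None})
        else:
            entries.append({"path": m.group("path"), "status": "infected", "detection": m.group("name")})
    return entries


def parse_mbam(text):
    """Return {section title: [{'item', 'detection', 'action'}, ...]}."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith(":"):            # section header such as "Files Infected:"
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        m = _MBAM_LINE.match(line)
        if m and current is not None:
            sections[current].append({"item": m.group("item"), "detection": m.group("name"),
                                      "action": m.group("action")})
    return sections


def remaining_infections(kasp_entries, mbam_sections):
    """Infected Kaspersky paths that MBAM did not quarantine, split into recycle-bin
    residue (under C:\\RECYCLER) and files still in place. Only MBAM 'Files Infected'
    entries whose action starts with 'Quarantined' count as removed; a process that was
    merely unloaded does not."""
    quarantined = {e["item"].lower() for e in mbam_sections.get("Files Infected", [])
                   if e["action"].startswith("Quarantined")}
    out = {"recycler": [], "live": []}
    for e in kasp_entries:
        if e["status"] != "infected" or e["path"].lower() in quarantined:
            continue
        out["recycler" if e["path"].upper().startswith("C:\\RECYCLER\\") else "live"].append(e["path"])
    return out


def removed_services(mbam_sections):
    """Service names whose registry keys MBAM removed, deduplicated across the
    ControlSet00N / CurrentControlSet copies of the same key."""
    names = set()
    for e in mbam_sections.get("Registry Keys Infected", []):
        m = _SERVICE_KEY.search(e["item"])
        if m:
            names.add(m.group("svc").lower())
    return names


if __name__ == "__main__":
    kasp, mbam = parse_kaspersky(KASPERSKY_SAMPLE), parse_mbam(MBAM_SAMPLE)
    left = remaining_infections(kasp, mbam)
    print("services already removed by MBAM:", sorted(removed_services(mbam)))
    print("recycle-bin residue:", *left["recycler"], sep="\n  ")
    print("still in place, delete by hand:", *left["live"], sep="\n  ")
```

    On the sample lines it reports routing and perfmons as services MBAM already removed, Dc7.exe and Dc10.sys as recycle-bin residue, and TPSCREX.EXE.0.AVB, wserving.exe and afinding.exe as still in place. The last of those appears as infected in the 27 April Kaspersky report but is in neither the MBAM log nor the deletion list above, so it is worth confirming on the next scan. Locked objects (registry hives, event logs, the MachineKeys folder) are never treated as detections; they are simply files the on-line scanner could not open.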
     
  8. 2008/04/28
    RebeccainTO
    THANKS!
    A friend used Malware early on in my infection... and I was super impressed with the results... so it's one of my new favs.
    Here again: are there trojans in my recycle box?
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, April 28, 2008 1:49:14 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 28/04/2008
    Kaspersky Anti-Virus database records: 729027
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 48949
    Number of viruses found: 3
    Number of infected objects: 6
    Number of suspicious objects: 0
    Duration of the scan process: 00:33:24

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\017788aee7e964d1f680957279d42afd_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0410daf915c374b96b665279eb48d2f5_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\05992124635c27b414dab51f1003c2c5_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\066ee7c38a345a8c810e02196b16180a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0861772a42ce45f0f1dec5c31756050d_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\125b2b707d927254502e9355f0350261_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\16e77965674adee239adf2283ea8fa76_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1e5a0bf170a2893b172a1f8587e7ea26_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\26159d7d51220b7ae8eb1c70c556c01f_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\27dc6f77f550c0c4f10d27a95980d9f6_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2f9412c2f622b74aa26fade75d26a2f8_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\364585bc1f33820e43adcbff51917835_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\40e4576ff1a43b9f80a6969a37f04659_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4a64e8b738cf4da69ea96cc30a8768e3_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\55c6e4e8fb026bcc4c86e5f763ae1958_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\570459036f5ddefc9778822c2f76a339_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5a4b2c881be41987ffb6c46816d266ec_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5b593af9a9ad1da6c3d692936b8b1408_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5b643f2f881f1fab0ef188b4a209c055_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5f1aa711bcaf6a6083336b2fa9094c59_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\62280fefc77d0303c05d9c223c985122_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6684fe69ab72c1115ae8b0ead2208c96_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6ec45555659957f19cf6cc451ed75133_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\737807beab3e5fedbb57541c7361af87_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\771631986d0eebf6defcdf3f21ed621a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a2c49c0cf9af3701a2ae68dd056298f_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7b1df13ee8c7370457ac9d4ea01c7617_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\813c1bb8141725aac3d80887049d9750_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8c22e54f00b2e2152648537a5e183c99_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9015464dff1f164f8438dc7fcaddef5b_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9daaeb4809ef7549a3b47b302e86d8fa_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a0d34f30e44ae4b23079179cc0ec03f0_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a67508646b45dca8ba549cec30db76cf_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aa60caa4434977ee9c85d912e2fe953d_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b21fcf67def70100b2d0d306c2520117_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bce83d46a1d72c0abd395a7ca79db682_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf50a03166257acd6800d7c698fc8cdb_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c895a93762aa1d6d2bed5e53123cc37a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c9b85b981d498373c8604d8bec8446ff_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cb7a96c56be83ecd699801c770b9b8ef_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cda16dda4371c3a179244a9fae329dce_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d1a817d60f3c7b8b1bd2afe304fc98bd_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d4354a36a629b2ab3f2244e639319bf3_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d52cbc5b7bacebd3d3b029400f734218_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e116647dcb28454d9548345d3adbe60e_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e2b58a1ac12067f3c9a9575a132add08_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e39b7241b018cbee16ce94bfd857dd92_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea1f342849f9f7a2a48c7b737766e92a_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eb05245099b8d7313a17df13bf102efc_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f22383b6c3cf70dba79583ac283ca139_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f27adc9055369c2836a77e1009083ed6_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f72615baaa7308b0249044a31a7f83cb_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f77b9afcba0974c1b942e4759677b511_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f8a28d96468a3a70fd72434d0bfa480b_e183eb92-1b86-450d-991d-d145542fa97b Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\win\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Messenger\missgardner@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Messenger\missgardner@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Messenger\missgardner@hotmail.com\SharingMetadata\Working\database_F02C_2BD6_2C2B_969E\dfsr.db Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Messenger\missgardner@hotmail.com\SharingMetadata\Working\database_F02C_2BD6_2C2B_969E\fsr.log Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Messenger\missgardner@hotmail.com\SharingMetadata\Working\database_F02C_2BD6_2C2B_969E\fsrtmp.log Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Messenger\missgardner@hotmail.com\SharingMetadata\Working\database_F02C_2BD6_2C2B_969E\tmp.edb Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows Live Contacts\missgardner@hotmail.com\real\members.stg Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Application Data\Microsoft\Windows Live Contacts\missgardner@hotmail.com\shadow\members.stg Object is locked skipped
    C:\Documents and Settings\win\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\temp\~DF295E.tmp Object is locked skipped
    C:\Documents and Settings\win\Local Settings\temp\~DF2987.tmp Object is locked skipped
    C:\Documents and Settings\win\Local Settings\temp\~DF3CC3.tmp Object is locked skipped
    C:\Documents and Settings\win\Local Settings\temp\~DF3D86.tmp Object is locked skipped
    C:\Documents and Settings\win\Local Settings\temp\~DF574B.tmp Object is locked skipped
    C:\Documents and Settings\win\Local Settings\temp\~DF5774.tmp Object is locked skipped
    C:\Documents and Settings\win\Local Settings\temp\~DF6BF3.tmp Object is locked skipped
    C:\Documents and Settings\win\Local Settings\temp\~DFDB3D.tmp Object is locked skipped
    C:\Documents and Settings\win\Local Settings\temp\~DFDB62.tmp Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\win\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\win\ntuser.dat Object is locked skipped
    C:\Documents and Settings\win\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chandir.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chandir.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chn.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\chn.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\D0000000.FCS Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\inuse.txt Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\L0000002.FCS Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\main.log Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_die.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_die.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_dnd.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_dnd.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_ext.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_ext.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_rcv.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\prs_rcv.idx Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\storydb.dat Object is locked skipped
    C:\Program Files\Logitech\Desktop Messenger\8876480\Users\win\Data\storydb.idx Object is locked skipped
    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc10.sys Infected: Trojan-Clicker.Win32.VB.and skipped
    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc7.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc8.exe Infected: Trojan.Win32.Agent.kiy skipped
    C:\RECYCLER\S-1-5-21-2052111302-1035525444-839522115-500\Dc9.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{EB642118-4B86-422B-A5C9-50D9A9203143}\RP5\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
    C:\WINDOWS\TEMP\Perflib_Perfdata_614.dat Object is locked skipped
    C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.


    Hijack:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:14:33 PM, on 4/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\system32\afinding.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\ScsiAccess.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\wserving.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\CameraAssistant.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=...ly=http://mail.live.com/default.aspx&id=64855
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe "
    O4 - HKLM\..\Run: [Tpscrex] C:\Program Files\MSTpscre\Tpscrex.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe "
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe "
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe "
    O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://oweb.peelschools.org/jinitiator/jinit.exe
    O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 9957 bytes
     
  9. 2008/04/28
    Geri
    Hi RebeccainTO
    First.
    I see you had a thread started at Geeks to Go.

    If you plan on going somewhere else for help then I need to know so I'm not wasting my time here.
    Geeks to Go has been informed; we are a fairly close-knit group of people and you will find that it is not polite to do that.

    Now that said,

    These came back after the reboot.
    C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped
    C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.gtj skipped

    So we need to download and run Combofix again.

    Please follow the instructions exactly.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the Combofix log.
    Thanks
    Geri
     
  10. 2008/05/01
    RebeccainTO
    Combo Fix

    I have had trouble ... for days ... trying to run COMBOFIX.
    It would not start up properly, or begin and never finish. I've uninstalled and reinstalled and now I've ******* it up. The last time I was amidst reinstalling, I left Comodo on and now COMBOFIX won't run.
    HELP!
    Here is the message I receive:
    Windows cannot access the path described/ you may not have permission to access the path (I am logged on as admin)
     
  11. 2008/05/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi RebeccainTO

    Let's try this with Combofix.

    Delete the one you downloaded.

    Re-download it from the link above, except rename it prior to clicking save. Something like FixCombo.exe

    Then try running it as instructed.

    If that works post the log; if it doesn't, let me know.

    Thanks
    Geri
     
  12. 2008/05/02
    RebeccainTO

    RebeccainTO Inactive Thread Starter

    Joined:
    2008/04/20
    Messages:
    43
    Likes Received:
    0
    No such luck, but great idea...should have thought of that. I think I blocked requests for other parts of ComboFix with Comodo...the screens were popping up like crazy ..... What if I remove Comodo completely, then re-install once I finish combofix?

    Why, in my last post, is a word blanked out with stars when I didn't swear - and now it appears as I did?
     
  13. 2008/05/02
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi RebeccainTO

    OK. First, before you do anything, delete the Combofix you have downloaded.

    This is very important!

    Now please redownload it, sorry for this, but there was a small problem with combofix and the developer has just fixed it in the new version.

    Download ComboFix from Here to your Desktop.

    I'll get back to you on a run method shortly.

    Certain words, even though they may not be swear words, are blocked.
    Like the alcohol drink that you make with orange juice and vodka.
    It's called a...***** driver, see it blocked out the first word.
    We have all age groups visit here and this is for the best.

    Thanks
    Geri
     
  14. 2008/05/02
    RebeccainTO

    RebeccainTO Inactive Thread Starter

    Joined:
    2008/04/20
    Messages:
    43
    Likes Received:
    0
    Done.
    Thanks.
     
  15. 2008/05/03
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi RebeccainTO
    This is a nasty Rootkit infection and that is why it won't go away and could be causing trouble with Combofix.

    Let's see if GMER will show us anything.

    Please save this to a txt file or print it out so you can follow the instructions; you will not have Internet during the scan.

    Download gmer.zip and save to your desktop.
    alternate download site 1
    alternate download site 2

    • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
    • When you have done this, disconnect from the Internet and close all running programs.
      There is a small chance this application may crash your computer so save any work you have open.
    • Double-click on Gmer.exe to start the program.
    • Allow the gmer.sys driver to load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
    • Click on "Settings", then check the first five settings:
      *System Protection and Tracing
      *Processes
      *Save created processes to the log
      *Drivers
      *Save loaded drivers to the log
    • You will be prompted to restart your computer. Please do so.

    Run Gmer again and click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Click on the "Scan" and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
    • Note: If you have any problems, try running GMER in SAFE MODE.
    Important! Please do not select the "Show all" checkbox during the scan.

    Thanks
    Geri
     
  16. 2008/05/03
    RebeccainTO

    RebeccainTO Inactive Thread Starter

    Joined:
    2008/04/20
    Messages:
    43
    Likes Received:
    0
    Gmer

    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2008-05-03 22:01:20
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwClose
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreatePort
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDeleteValueKey
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDuplicateObject
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenKey
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenProcess
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenThread
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwQueryValueKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRequestWaitReplyPort
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRestoreKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSecureConnectPort
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwSetValueKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 23FC 805012CC 8 Bytes [ F0, EE, F9, AA, F4, DC, F9, ... ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2730 80501600 8 Bytes [ EE, DF, F9, AA, BC, DE, F9, ... ]

    ---- User code sections - GMER 1.0.12 ----

    .text C:\Program Files\MSN Messenger\msnmsgr.exe[2672] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe

    ---- EOF - GMER 1.0.12 ----
     
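    The log above is the kind of thing a helper reads by hand: every SSDT hook is attributed to a driver, and the question is whether each hooking module belongs to a product known to be installed. The script below is an added example (not part of this thread and not GMER's own code) that parses a GMER log in this format and does that first-pass triage. It assumes, as the thread's later posts state, that cmdguard.sys (Comodo Firewall Pro) and aswSP.SYS (avast!) are legitimately installed; the embedded sample is a constructed excerpt of the posted log with one placeholder line (UNKNOWN_EXAMPLE.sys) inserted to exercise the "unexplained module" path.

    ```python
    """Triage helper for a GMER rootkit-scan log (added example, not GMER's own code)."""
    import re
    from collections import Counter

    # Kernel-mode drivers the thread identifies as legitimately installed security
    # products (Comodo Firewall Pro and avast!). Assumption: any other module that
    # hooks the SSDT is "unexplained" and should get a second look by the analyst.
    KNOWN_SECURITY_DRIVERS = {"cmdguard.sys", "aswsp.sys"}

    # Constructed excerpt modelled on the posted log. The cmdguard/aswSP lines,
    # the kernel code lines and the msnmsgr.exe line are copied from it; the
    # UNKNOWN_EXAMPLE.sys line is a constructed placeholder, not a real finding.
    SAMPLE_LOG = r"""GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2008-05-03 22:01:20
    Windows 5.1.2600 Service Pack 2

    ---- System - GMER 1.0.12 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenProcess
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwSetValueKey
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess
    SSDT \SystemRoot\System32\drivers\UNKNOWN_EXAMPLE.sys ZwQueryDirectoryFile

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 23FC 805012CC 8 Bytes [ F0, EE, F9, AA, F4, DC, F9, ... ]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2730 80501600 8 Bytes [ EE, DF, F9, AA, BC, DE, F9, ... ]

    ---- User code sections - GMER 1.0.12 ----

    .text C:\Program Files\MSN Messenger\msnmsgr.exe[2672] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe

    ---- EOF - GMER 1.0.12 ----
    """

    SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s*$")
    KERNEL_RE = re.compile(r"^\.text\s+(\S+)!(\w+)\s*\+\s*([0-9A-Fa-f]+)\s+[0-9A-Fa-f]+\s+(\d+)\s+Bytes")
    USER_RE = re.compile(r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)!(\w+)\s+[0-9A-Fa-f]+\s+(\d+)\s+Bytes\s+JMP\s+[0-9A-Fa-f]+\s+(.+)$")


    def parse_gmer(text):
        """Split a GMER log into SSDT hooks, kernel code patches and user-mode hooks."""
        result = {"ssdt": [], "kernel": [], "user": []}
        section = ""
        for raw in text.splitlines():
            line = raw.strip()
            if line.startswith("----"):
                # "---- Kernel code sections - GMER 1.0.12 ----" -> "kernel code sections - gmer 1.0.12"
                section = line.strip("- ").lower()
                continue
            if not line:
                continue
            m = SSDT_RE.match(line)
            if m:
                path, func = m.groups()
                module = path.rsplit("\\", 1)[-1].lower()
                result["ssdt"].append({"path": path, "module": module, "function": func})
                continue
            if not line.startswith(".text"):
                continue
            if section.startswith("kernel"):
                m = KERNEL_RE.match(line)
                if m:
                    module, func, offset, nbytes = m.groups()
                    result["kernel"].append({"module": module, "function": func,
                                             "offset": int(offset, 16), "bytes": int(nbytes)})
            elif section.startswith("user"):
                m = USER_RE.match(line)
                if m:
                    proc, pid, lib, func, nbytes, dest = m.groups()
                    result["user"].append({"process": proc, "pid": int(pid), "target": f"{lib}!{func}",
                                           "bytes": int(nbytes), "destination": dest})
        return result


    def triage(text, known=KNOWN_SECURITY_DRIVERS):
        """Attribute each hook to a module and single out what the known products do not explain."""
        parsed = parse_gmer(text)
        by_module = Counter(h["module"] for h in parsed["ssdt"])
        unexplained = sorted(m for m in by_module if m not in known)
        # A user-mode hook whose JMP lands back inside the process's own image is the
        # program patching itself (msnmsgr.exe above); a jump into a different module
        # is the case worth following up.
        foreign = [h for h in parsed["user"] if h["destination"].lower() != h["process"].lower()]
        return {"ssdt_by_module": by_module, "unexplained_ssdt_modules": unexplained,
                "kernel_patches": len(parsed["kernel"]), "foreign_user_hooks": foreign}


    if __name__ == "__main__":
        t = triage(SAMPLE_LOG)
        for module, n in t["ssdt_by_module"].most_common():
            tag = "known product" if module in KNOWN_SECURITY_DRIVERS else "UNEXPLAINED"
            print(f"{module:24} {n:3} SSDT hook(s)  [{tag}]")
        print("kernel code patches needing review:", t["kernel_patches"])
        print("user hooks into a foreign module:", t["foreign_user_hooks"])
    ```

    Running it on the full log from the post attributes all 29 SSDT entries to cmdguard.sys (19) and aswSP.SYS (10), which is why Geri reads it as clean: the hooks are explained by the two installed products. The kernel code patches are only counted, not judged; deciding what those byte changes are is analyst work that a parser should not pretend to do.
    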
  17. 2008/05/03
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi RebeccainTO
    OK GMER is not showing anything either. :(

    Please delete it.

    I hate for you to delete Comodo, we will if we have to, but let's try ComboFix in safe mode first.
    This is not recommended because some malware does not start up in safe mode.

    Reboot into safe mode.
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Once in safe mode double click ComboFix.exe and see if it will run.

    Please save the log where you can find it easily and post it.

    Thanks
    Geri
     
  18. 2008/05/04
    RebeccainTO

    RebeccainTO Inactive Thread Starter

    Joined:
    2008/04/20
    Messages:
    43
    Likes Received:
    0
    I can't find COMBOFIX in Safe Mode....it's on my desktop on the normal startup. I checked in All programs as well.....
     
  19. 2008/05/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi RebeccainTO
    OK, Let's make sure your real time protection is disabled and then try running Combofix.
    Do this in normal mode.

    AVAST
    Right click on the avast! icon in system tray and choose (Stop On-Access Protection)


    Comodo Firewall Pro (free Personal)

    * Right-click the System Tray Icon.
    * Select Exit.
    * On the Pop up window, Click the Yes button.

    Now try running Combofix again.

    Let me know.
    Thanks
    Geri
     
  20. 2008/05/04
    RebeccainTO

    RebeccainTO Inactive Thread Starter

    Joined:
    2008/04/20
    Messages:
    43
    Likes Received:
    0
    No such luck. That is what I have been doing.
    I think once while trying to run Combo, I left Comodo on and blocked actions of Combo and now.....it won't run properly.
    Should I system restore or remove Comodo and put on ZoneAlarm for now...?
     
  21. 2008/05/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, let's make sure you signed into safe mode with your account.
    That could be why combofix was not here.

    make sure to scroll down to and select your username from the Safe Mode Welcome Screen.

    If combofix is there try it.

    Thanks
    Geri
     
