
Inactive Trojan Horse readme.exe

Discussion in 'Malware and Virus Removal Archive' started by Eatgarfield, 2009/01/16.

  1. 2009/01/16
    Eatgarfield

    Eatgarfield Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    14
    Likes Received:
    0
    [Inactive] Trojan Horse readme.exe

    Hi guys,

    I've got several programs on my PC: Spybot S&D, MBAM, Norton Anti-Virus and Spyware Doctor. I picked up a virus from a download, I guess, and now Norton keeps sending me notices of a Trojan Horse located in a readme.exe on my desktop. It wasn't there before. I cannot remove it, nor right-click it. I've tried looking up whether it was a process, but it wasn't in my Task Manager. I've run several scans with the programs mentioned above; none of them have solved this problem so far. In need of help.

    Thanks in advance,
    Eatgarfield
     
  2. 2009/01/16
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     


  4. 2009/01/17
    Eatgarfield

    Eatgarfield Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    14
    Likes Received:
    0
    DDS Logs

    OK, thanks very much. I've got the results of both logs here.
    Have to say, though, the file no longer shows on my desktop and I don't get any pop-ups anymore, but I still don't trust it.


    DDS (Ver_09-01-07.01) - NTFSx86
    Run by lijklema at 19:07:10,92 on za 17-01-2009
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2046.1014 [GMT 1:00]

    AV: Norton Internet Security 2006 *On-access scanning disabled* (Outdated)
    FW: Norton Internet Worm Protection *disabled*
    FW: Norton Internet Security 2006 *disabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\Wireless\Client Manager\CMags.EXE
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Azureus\Azureus.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Documents and Settings\lijklema\Bureaublad\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uLocal Page = \blank.htm
    uStart Page = hxxp://www.startpagina.nl/
    uInternet Settings,ProxyOverride = *.local
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
    BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
    BHO: CmjBrowserHelperObject Object: {ac41d38f-b56d-40ad-94e0-b493d130c959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
    TB: Norton Internet Security 2006: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
    TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    uRun: [pdfSaver3] "c:\program files\tracker software\pdf-xchange 3\pdfsaver\pdfSaver3.exe "
    uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Lexmark X83 Button Manager] c:\progra~1\lexmar~1\AcBtnMgr_X83.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe "
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
    mRun: [snp2std] c:\windows\vsnp2std.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll "
    mRun: [MMReminderService] c:\program files\mindjet\mindmanager 6\MMReminderService.exe
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe "
    mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe "
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\lijklema\menust~1\progra~1\opstar~1\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
    StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\wirele~1.lnk - c:\program files\wireless\client manager\CMags.EXE
    IE: &Search
    IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 3.78\amvconverter\grab.html
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: MediaManager tool grab multimedia file - c:\program files\mp3 player utilities 3.78\mediamanager\grab.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - {AC41D38F-B56D-40AD-94E0-B493D130C959} - c:\program files\mindjet\mindmanager 6\Mm6InternetExplorer.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ============= SERVICES / DRIVERS ===============

    R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-17 40840]
    R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-17 66952]
    R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-17 81288]
    R1 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-2 99376]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090117.006\NAVENG.Sys [2009-1-17 89104]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090117.006\NavEx15.Sys [2009-1-17 876112]
    R3 wlags51b;Agere Wireless USB Driver;c:\windows\system32\drivers\wlags51b.sys [2008-2-15 178688]
    R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
    R4 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-17 202088]
    R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]
    R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-17 99328]
    R4 navapsvc;Norton AntiVirus Auto-Protect-service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]
    R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-17 356920]
    R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-17 1079176]
    R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-2-15 1251720]
    S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]
    S4 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2008-2-16 15104]

    =============== Created Last 30 ================

    2009-01-17 00:37 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
    2009-01-17 00:37 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
    2009-01-17 00:37 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
    2009-01-17 00:37 29,576 a------- c:\windows\system32\drivers\kcom.sys
    2009-01-17 00:37 <DIR> --d----- c:\program files\Spyware Doctor
    2009-01-17 00:37 <DIR> --d----- c:\docume~1\lijklema\applic~1\PC Tools
    2009-01-16 21:04 69 a------- c:\windows\NeroDigital.ini
    2009-01-16 20:50 <DIR> --d----- c:\program files\Nero
    2009-01-16 20:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
    2009-01-14 19:25 <DIR> --d----- c:\docume~1\lijklema\applic~1\Petroglyph
    2009-01-14 19:03 116,736 a------- c:\windows\system32\drivers\mcdbus.sys
    2009-01-14 19:03 <DIR> --d----- c:\program files\MagicDisc
    2009-01-14 15:06 <DIR> --d----- c:\program files\LucasArts
    2009-01-04 13:28 <DIR> --d----- c:\program files\Bethesda Softworks
    2009-01-04 13:27 <DIR> --d----- c:\windows\Logs
    2009-01-04 13:24 <DIR> --d----- c:\windows\system32\XPSViewer
    2009-01-04 13:23 14,048 -------- c:\windows\system32\spmsg2.dll
    2009-01-04 13:22 <DIR> --d----- c:\windows\system32\xlive
    2008-12-25 18:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Launcher
    2008-12-25 18:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Graboid Inc
    2008-12-25 18:11 <DIR> --d----- c:\docume~1\lijklema\applic~1\MozillaControl
    2008-12-25 17:42 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12
    2008-12-25 17:42 <DIR> --d----- c:\program files\VideoLAN
    2008-12-25 17:42 <DIR> --d----- c:\program files\Graboid
    2008-12-24 08:26 268 a---h--- C:\sqmdata12.sqm
    2008-12-24 08:26 244 a---h--- C:\sqmnoopt12.sqm
    2008-12-24 00:45 268 a---h--- C:\sqmdata11.sqm
    2008-12-24 00:45 244 a---h--- C:\sqmnoopt11.sqm

    ==================== Find3M ====================

    2009-01-17 00:39 506,504 a------- c:\windows\system32\perfh013.dat
    2009-01-17 00:39 90,206 a------- c:\windows\system32\perfc013.dat
    2009-01-06 10:27 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-01-06 10:27 60,808 a------- c:\windows\system32\S32EVNT1.DLL
    2009-01-06 10:27 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-01-06 10:27 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
    2008-12-11 11:57 333,952 a------- c:\windows\system32\drivers\srv.sys
    2008-11-25 13:29 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2008-10-23 20:22 19,518 a------- c:\windows\hpqins13.dat
    2008-10-23 13:43 286,720 a------- c:\windows\system32\gdi32.dll
    2008-04-28 11:15 1 a------- c:\documents and settings\lijklema\SI.bin
    2008-04-02 19:13 22,328 a------- c:\docume~1\lijklema\applic~1\PnkBstrK.sys
    2001-06-20 15:19 40,960 a------- c:\program files\ACMonitor_X83.exe
    2008-02-17 19:43 8 ---shr-- c:\windows\system32\6622C2784B.sys
    2008-09-21 18:39 88 ---shr-- c:\windows\system32\7D1A886136.sys
    2008-09-21 18:39 2,724 a--sh--- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 19:08:33,15 ===============


    DDS (Ver_09-01-07.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 15-2-2008 13:58:11
    System Uptime: 17-1-2009 10:41:02 (9 hours ago)

    Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-7235
    Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | Socket 775 | 2129/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 295 GiB total, 123,855 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is CDROM ()
    J: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 7-12-2008 23:59:09 - Controlepunt van systeem
    RP2: 7-12-2008 23:59:46 - Installed Windows XP Wudf01000.
    RP3: 8-12-2008 0:01:40 - Installed Windows XP MSCompPackV1.
    RP4: 8-12-2008 0:39:22 - Software Distribution Service 3.0
    RP5: 8-12-2008 23:38:04 - Software Distribution Service 3.0
    RP6: 9-12-2008 13:01:46 - ComboFix created restore point
    RP7: 10-12-2008 16:01:07 - Controlepunt van systeem
    RP8: 11-12-2008 8:42:12 - Software Distribution Service 3.0
    RP9: 12-12-2008 1:09:34 - Software Distribution Service 3.0
    RP10: 13-12-2008 16:09:49 - Controlepunt van systeem
    RP11: 14-12-2008 16:10:17 - Controlepunt van systeem
    RP12: 15-12-2008 15:51:09 - Installed Far Cry
    RP13: 17-12-2008 14:38:47 - Controlepunt van systeem
    RP14: 18-12-2008 23:38:47 - Controlepunt van systeem
    RP15: 19-12-2008 1:23:18 - Software Distribution Service 3.0
    RP16: 20-12-2008 15:33:15 - Controlepunt van systeem
    RP17: 21-12-2008 16:01:30 - Controlepunt van systeem
    RP18: 22-12-2008 20:50:16 - Controlepunt van systeem
    RP19: 23-12-2008 21:17:23 - Controlepunt van systeem
    RP20: 24-12-2008 22:37:28 - Controlepunt van systeem
    RP21: 25-12-2008 23:19:00 - Controlepunt van systeem
    RP22: 27-12-2008 14:19:38 - Controlepunt van systeem
    RP23: 28-12-2008 20:55:52 - Controlepunt van systeem
    RP24: 2-1-2009 18:00:57 - Controlepunt van systeem
    RP25: 4-1-2009 13:19:57 - Controlepunt van systeem
    RP26: 4-1-2009 13:22:37 - DirectX is geïnstalleerd.
    RP27: 4-1-2009 13:23:23 - Installed %1 %2.
    RP28: 4-1-2009 13:23:28 - Printerstuurprogramma Microsoft XPS Document W is geïnstalleerd
    RP29: 4-1-2009 13:27:50 - DirectX is geïnstalleerd.
    RP30: 4-1-2009 13:28:37 - Installed Fallout 3
    RP31: 5-1-2009 20:49:58 - Controlepunt van systeem
    RP32: 6-1-2009 20:57:53 - Controlepunt van systeem
    RP33: 7-1-2009 21:28:25 - Controlepunt van systeem
    RP34: 8-1-2009 21:40:31 - Controlepunt van systeem
    RP35: 12-1-2009 21:24:53 - Controlepunt van systeem
    RP36: 13-1-2009 21:55:45 - Controlepunt van systeem
    RP37: 14-1-2009 15:06:46 - Installed Star Wars Republic Commando
    RP38: 14-1-2009 19:16:31 - Installed Star Wars Empire at War
    RP39: 15-1-2009 12:45:36 - Software Distribution Service 3.0
    RP40: 16-1-2009 14:06:31 - Controlepunt van systeem
    RP41: 16-1-2009 20:49:56 - Geïnstalleerd: Nero 8

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    32 Bit HP CIO Components Installer
    Aangifte inkomstenbelasting 2007
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Media Player
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    AIO_Scan
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Software Suite
    ArcSoft WebCam Companion 2
    Audiosurf
    Azureus Vuze
    Beveiligingsupdate for Windows Media Player 10 (KB911565)
    Beveiligingsupdate for Windows Media Player 10 (KB917734)
    Beveiligingsupdate for Windows Media Player 10 (KB936782)
    Beveiligingsupdate for Windows XP (KB923689)
    Beveiligingsupdate for Windows XP (KB941569)
    Beveiligingsupdate voor Windows Internet Explorer 7 (KB938127)
    Beveiligingsupdate voor Windows Internet Explorer 7 (KB944533)
    Beveiligingsupdate voor Windows Internet Explorer 7 (KB950759)
    Beveiligingsupdate voor Windows Internet Explorer 7 (KB953838)
    Beveiligingsupdate voor Windows Internet Explorer 7 (KB956390)
    Beveiligingsupdate voor Windows Internet Explorer 7 (KB958215)
    Beveiligingsupdate voor Windows Internet Explorer 7 (KB960714)
    Beveiligingsupdate voor Windows Media Player (KB911564)
    Beveiligingsupdate voor Windows Media Player (KB952069)
    Beveiligingsupdate voor Windows Media Player 11 (KB936782)
    Beveiligingsupdate voor Windows Media Player 11 (KB954154)
    Beveiligingsupdate voor Windows Media Player 6.4 (KB925398)
    Beveiligingsupdate voor Windows XP (KB913433)
    Beveiligingsupdate voor Windows XP (KB938464)
    Beveiligingsupdate voor Windows XP (KB946648)
    Beveiligingsupdate voor Windows XP (KB950760)
    Beveiligingsupdate voor Windows XP (KB950762)
    Beveiligingsupdate voor Windows XP (KB950974)
    Beveiligingsupdate voor Windows XP (KB951066)
    Beveiligingsupdate voor Windows XP (KB951376-v2)
    Beveiligingsupdate voor Windows XP (KB951376)
    Beveiligingsupdate voor Windows XP (KB951698)
    Beveiligingsupdate voor Windows XP (KB951748)
    Beveiligingsupdate voor Windows XP (KB952954)
    Beveiligingsupdate voor Windows XP (KB953839)
    Beveiligingsupdate voor Windows XP (KB954211)
    Beveiligingsupdate voor Windows XP (KB954459)
    Beveiligingsupdate voor Windows XP (KB954600)
    Beveiligingsupdate voor Windows XP (KB955069)
    Beveiligingsupdate voor Windows XP (KB956391)
    Beveiligingsupdate voor Windows XP (KB956802)
    Beveiligingsupdate voor Windows XP (KB956803)
    Beveiligingsupdate voor Windows XP (KB956841)
    Beveiligingsupdate voor Windows XP (KB957095)
    Beveiligingsupdate voor Windows XP (KB957097)
    Beveiligingsupdate voor Windows XP (KB958644)
    Beveiligingsupdate voor Windows XP (KB958687)
    Bonjour
    BufferChm
    C6200
    C6200_Help
    Cards_Calendar_OrderGift_DoMorePlugout
    Cavoca
    CC_ccProxyExt
    ccCommon
    ccPxyCore
    Copy
    CustomerResearchQFolder
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DivX Web Player
    DocProc
    DocProcQFolder
    Download Manager 2.3.6
    ESET Online Scanner
    eSupportQFolder
    Fallout 3
    Fax
    FrostWire 4.13.4
    Google Earth
    Google Updater
    GPBaseService
    Graboid Video 1.3
    Guitar Pro 5.0
    High Definition Audio Driver Package - KB835221
    High Definition Audio Driver Package - KB888111
    HighMAT-uitbreiding voor de wizard Cd branden van Microsoft Windows XP
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix voor Windows Internet Explorer 7 (KB947864)
    Hotfix voor Windows Media Player 11 (KB939683)
    Hotfix voor Windows XP (KB952287)
    HP Customer Participation Program 10.0
    HP Imaging Device Functions 10.0
    HP Photosmart All-In-One Driver Software 10.0 Rel .2
    HP Photosmart Essential 3.5
    HP Smart Web Printing
    HP Solution Center 10.0
    HP Update
    HPPhotoSmartDiscLabel_PaperLabel
    HPPhotoSmartDiscLabel_PrintOnDisc
    HPPhotoSmartDiscLabelContent1
    hpphotosmartdisclabelplugin
    HPPhotosmartEssential
    HPPhotoSmartPhotobookWebPack1
    HPProductAssistant
    HPSSupply
    Huur- en zorgtoeslag 2008
    iTunes
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Kaspersky Online Scanner
    KB898458: Beveiligingsupdate voor Step by Step Interactive Training
    LiveUpdate 3.0 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    MagicDisc 2.7.105
    Malwarebytes' Anti-Malware
    MarketingReg
    MarketResearch
    Medieval II Total War
    Medieval II Total War : Kingdoms : Britannia
    Medieval II Total War : Kingdoms : Crusades
    Medieval II Total War : Kingdoms : Teutonic
    MGI PhotoSuite 8.1 (Remove Only)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Dutch Language Pack
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 3.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (Dutch) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (Dutch) 2007
    Microsoft Office Groove MUI (Dutch) 2007
    Microsoft Office InfoPath MUI (Dutch) 2007
    Microsoft Office OneNote MUI (Dutch) 2007
    Microsoft Office Outlook MUI (Dutch) 2007
    Microsoft Office PowerPoint MUI (Dutch) 2007
    Microsoft Office Proof (Dutch) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proofing (Dutch) 2007
    Microsoft Office Publisher MUI (Dutch) 2007
    Microsoft Office Shared MUI (Dutch) 2007
    Microsoft Office Word MUI (Dutch) 2007
    Microsoft Software Update for Web Folders (Dutch) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft XML Parser
    Mindjet MindManager Pro 6
    Mozilla ActiveX Control v1.7.12
    MSRedist
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6.0 Parser (KB925673)
    Nero 8
    neroxml
    Norton AntiSpam
    Norton AntiVirus 2006
    Norton Internet Security
    Norton Internet Security 2006 (Symantec Corporation)
    Norton Protection Center
    Norton WMI Update
    NVIDIA Drivers
    Oblivion
    OCR Software by I.R.I.S. 10.0
    Pakket voor de provider van Microsoft Base-smartcardcryptografieservice
    PanoStandAlone
    PDF-XChange 3.0
    PL-2303 USB-to-Serial
    PS_AIO_02_ProductContext
    PS_AIO_02_Software
    PS_AIO_02_Software_Min
    PSSWCORE
    QuickTime
    Realtek High Definition Audio Driver
    Recovery Media Creator Library Update
    Scan
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB958439)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB958437)
    Security Update for Microsoft Office OneNote 2007 (KB950130)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Security Update for Visio 2007 (KB947590)
    Shop for HP Supplies
    SmartWebPrintingOC
    SolutionCenter
    SPBBC
    Spybot - Search & Destroy
    Spyware Doctor 6.0
    Star Wars Empire at War
    Star Wars Republic Commando
    Status
    Symantec Technical Support Web Controls
    SymNet
    System Requirements Lab
    Toolbox
    TrayApp
    Trust Webcam Live
    TuxGuitar
    UnloadSupport
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb959141)
    Update for Windows Media Player 10 (KB910393)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update Rollup 2 voor Windows XP Media Center Edition 2005
    Update voor Windows XP (KB951072-v2)
    Update voor Windows XP (KB951978)
    Update voor Windows XP (KB955839)
    VCRedistSetup
    VideoLAN VLC media player 0.8.6d
    VideoToolkit01
    WebFldrs XP
    WebReg
    Windows Communication Foundation
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Live aanmeldhulp
    Windows Live installer
    Windows Live Messenger
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Workflow Foundation
    Windows XP Media Center Edition 2005 KB919803
    Windows XP Service Pack 3
    WinRAR
    WinZip 12.0
    Wireless Client
    Wireless Client Manager V3.30
    XML Paper Specification Shared Components Pack 1.0

    ==== End Of File ===========================
     
  5. 2009/01/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Eatgarfield,

    Nothing stands out in your log to cause suspicion. Since the file is gone and you no longer get any infection warnings, the only thing I could suggest at this time is an online scan as a double check. Instructions below.

    Do an online scan with Kaspersky Online Scanner

    • Click Accept when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.


    Post the Kaspersky log here.
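    noahdfear's "nothing stands out" is the result of reading the DDS log above section by section: the SERVICES / DRIVERS lines, the Created Last 30 and Find3M file listings with their attribute flags. The following Python script is an added example, not part of this thread and not code from the DDS tool; it parses only the text layout visible in the posted log and applies two of the checks a reviewer makes by eye. The sample lines are copied from the log above; `hidden_system_files` and `services_outside_standard_dirs` are names chosen here, and a hit from either is a review queue entry, not a verdict.

```python
"""Triage helper for a DDS log of the kind posted in this thread.

Added example, not part of the forum thread and not code from the DDS tool itself:
it parses the text layout visible in the log above and applies two checks a
reviewer typically makes by eye.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: a handful of lines copied from the DDS log posted above, one short
# run per section, so the parser can be exercised offline.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-17 40840]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2009-01-17 00:37 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-17 00:37 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-24 08:26 268 a---h--- C:\sqmdata12.sqm

==================== Find3M ====================

2009-01-17 00:39 506,504 a------- c:\windows\system32\perfh013.dat
2008-02-17 19:43 8 ---shr-- c:\windows\system32\6622C2784B.sys
2008-09-21 18:39 88 ---shr-- c:\windows\system32\7D1A886136.sys
2008-09-21 18:39 2,724 a--sh--- c:\windows\system32\KGyGaAvL.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "R0 name;display name;path [yyyy-m-d size]"; the two-character status code is kept verbatim.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$")
# "yyyy-mm-dd hh:mm size-or-<DIR> attribute-flags path"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
FILE_SECTIONS = ("Created Last 30", "Find3M")


@dataclass
class ServiceEntry:
    code: str       # e.g. "R0", "S3", exactly as printed by DDS
    name: str
    display: str
    path: str
    date: str
    size: int


@dataclass
class FileEntry:
    section: str
    timestamp: str
    size: Optional[int]   # None for <DIR> entries
    attrs: str            # DDS flag field, e.g. "a--sh---"
    path: str

    def has(self, flag: str) -> bool:
        # Letters present in the flag field: a=archive, d=directory, s=system, h=hidden, r=read-only
        return flag in self.attrs


def parse_dds(text: str) -> Tuple[List[ServiceEntry], List[FileEntry]]:
    """Walk the log once, tracking the current section, and collect typed records."""
    services: List[ServiceEntry] = []
    files: List[FileEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if m:
                services.append(ServiceEntry(m.group(1), m.group(2), m.group(3),
                                             m.group(4), m.group(5), int(m.group(6))))
        elif section in FILE_SECTIONS:
            m = FILE_RE.match(line)
            if m:
                size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
                files.append(FileEntry(section, m.group(1), size, m.group(3), m.group(4)))
    return services, files


def hidden_system_files(files: List[FileEntry]) -> List[str]:
    """Files (not directories) carrying both the system and hidden attributes.

    A review queue, not a verdict: licensing and anti-cheat components are commonly
    stored this way, so each hit still needs a human look."""
    return sorted(f.path for f in files if not f.has("d") and f.has("s") and f.has("h"))


def services_outside_standard_dirs(services: List[ServiceEntry]) -> List[str]:
    """Services/drivers whose binary lives outside the Windows and Program Files trees."""
    expected = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
    return [s.name for s in services if not s.path.lower().startswith(expected)]


if __name__ == "__main__":
    svc, fil = parse_dds(SAMPLE_LOG)
    print(f"{len(svc)} services, {len(fil)} file entries parsed")
    print("hidden+system files for review:", hidden_system_files(fil))
    print("services outside standard dirs:", services_outside_standard_dirs(svc))
```

    On the sample, the three `---shr--`/`a--sh---` entries under system32 come back from `hidden_system_files` and nothing trips the path check, which matches the reviewer's reading: the listing deserves a look, but there is no obvious outlier to act on. Feeding the full posted log to `parse_dds` works the same way, since the section headers and line layouts are those the regexes expect.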
     
  6. 2009/01/19
    Eatgarfield

    Eatgarfield Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    14
    Likes Received:
    0
    Here's the log from Kaspersky. I noticed that most files are quarantined files from Norton, because Norton, most of the time, keeps telling me that it cannot remove files, so it puts them in quarantine.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, January 19, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, January 19, 2009 13:45:30
    Records in database: 1647770
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\

    Scan statistics:
    Files scanned: 178220
    Threat name: 17
    Infected objects: 42
    Suspicious objects: 0
    Duration of the scan: 03:45:46


    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02C2146C.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\03BD1EDF.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\09565141.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\098627C7.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0D434B80.exe Infected: Trojan.Win32.Monderb.aeis 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0E762BEF.tmp Infected: Packed.Win32.****.d 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\11525D33.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\163F4036.DLL Infected: Rootkit.Win32.Clbd.lc 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17BA0FEF.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\199357E6.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\199601E3.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\199A2BDF.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EB152EB.dll Infected: Backdoor.Win32.TDSS.asz 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20153363.sys Infected: Backdoor.Win32.TDSS.bkw 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25872B12.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\259E50F9.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25B820DC.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2BF9623D.exe Infected: not-a-virus:AdWare.Win32.BHO.ejm 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2C6221CA.tmp Infected: Rootkit.Win32.TDSS.cig 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2C866FA3.tmp Infected: Packed.Win32.****.d 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31D51E8C.exe Infected: Trojan-Downloader.Win32.Agent.agld 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CA72629.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CAA2980.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D72514A.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D757B47.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\438D7341.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\47CC64AD.dll Infected: Backdoor.Win32.TDSS.blh 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4AEC133D.dll Infected: Backdoor.Win32.TDSS.atb 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4B4033E2.sys Infected: Backdoor.Win32.TDSS.bkw 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4E301FC4.exe Infected: Trojan-Downloader.Win32.Agent.azjn 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5082749E.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\52D416A7.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\55BC2776.dll Infected: not-a-virus:AdWare.Win32.BHO.ejh 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\55C6256C.dll Infected: not-a-virus:AdWare.Win32.BHO.efr 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E5B3E82.tmp Infected: Packed.Win32.****.d 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65F2108C.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66060C76.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66093672.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\711B1E88.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
    C:\Mijn Backup -- 08-02-15 0219PM\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1878564E.exe Infected: Trojan.Win32.Agent.abg 2
    C:\Mijn Backup -- 08-02-15 0219PM\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31B12088.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.59 1

    The selected area was scanned.
     
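The Kaspersky report above is a flat list of "path Infected: threat count" lines, and the thing a helper wants to know first is where each hit lives (the AV's own quarantine, a copy of that quarantine carried along inside a backup, or a live path) and which families are present. The script below is an added example, not part of the forum thread or of any Kaspersky tooling: it parses that line format, groups hits by family and location, and flags the families a helper would treat as more than adware. The sample lines are a constructed subset in the report's format (the "live" hit path is hypothetical), and the quarantine/backup classification is this script's own heuristic.

```python
"""Summarise a Kaspersky Online Scanner 7 report by threat family and location.

Added example; the input format is the one visible in the posted report:
"<path> Infected: <threat name> <count>", one hit per line. The sample below
is constructed in that format. Family grouping and the notion of a "quarantine"
versus "backup-quarantine" path are heuristics of this script, not Kaspersky's.
"""
import re
from collections import Counter, defaultdict

HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Families a helper reads as a compromise signal rather than an adware/nuisance hit.
HIGH_CONCERN = ("Rootkit.", "Backdoor.", "Trojan.Win32.", "Trojan-Downloader.Win32.")

# Constructed sample in the report's format; the last path is hypothetical.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\03BD1EDF.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EB152EB.dll Infected: Backdoor.Win32.TDSS.asz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2BF9623D.exe Infected: not-a-virus:AdWare.Win32.BHO.ejm 1
C:\Mijn Backup -- 08-02-15 0219PM\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1878564E.exe Infected: Trojan.Win32.Agent.abg 2
C:\sample\live-hit.dll Infected: Rootkit.Win32.TDSS.cig 1

The selected area was scanned.
"""


def parse_report(text):
    """Return [(path, threat, count)] for every hit line; headers and footers are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def family(threat):
    """'not-a-virus:AdWare.Win32.BHO.ejm' -> 'AdWare.Win32.BHO' (drop prefix and variant suffix)."""
    name = threat.split(":", 1)[-1]
    parts = name.split(".")
    return ".".join(parts[:-1]) if len(parts) > 1 else name


def location(path):
    """Classify a hit: the AV quarantine at its normal root, a quarantine copy inside
    some other tree (a backup), or a live path with no quarantine folder at all."""
    low = path.lower()
    if "\\quarantine\\" not in low:
        return "live"
    # Heuristic: the real quarantine sits under the profile root; anywhere else it is a copy.
    return "quarantine" if low.startswith("c:\\documents and settings\\") else "backup-quarantine"


def summarise(text):
    """Group hits by location and family, and list high-concern families per location."""
    by_location, by_family = Counter(), Counter()
    concerns = defaultdict(list)
    hits = parse_report(text)
    for path, threat, count in hits:
        loc = location(path)
        fam = family(threat)
        by_location[loc] += count
        by_family[fam] += count
        if threat.split(":", 1)[-1].startswith(HIGH_CONCERN):
            concerns[loc].append((fam, path))
    return {
        "hits": len(hits),
        "by_location": dict(by_location),
        "by_family": dict(by_family),
        "concerns": dict(concerns),
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_REPORT)
    print("hits:", result["hits"])
    print("by location:", result["by_location"])
    for loc, items in result["concerns"].items():
        for fam, path in items:
            print(f"[{loc}] {fam}: {path}")
```

Run against the full report above, the useful output is the "live" bucket: if it is empty, everything Kaspersky flagged is already inside a quarantine folder, and the remaining work is deleting those folders (including the copy under the backup) rather than disinfecting the running system.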
  7. 2009/01/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please visit the following webpage for instructions for downloading and running ComboFix

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.


    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.
     
  8. 2009/01/20
    Eatgarfield

    Eatgarfield Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    14
    Likes Received:
    0
    ComboFix log

    Here's the log from Combofix

    ComboFix 09-01-19.05 - lijklema 2009-01-20 10:28:51.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.2046.1310 [GMT 1:00]
    Started from: c:\documents and settings\lijklema\Bureaublad\ComboFix.exe
    AV: Norton Internet Security 2006 *On-access scanning disabled* (Updated)
    FW: Norton Internet Security 2006 *disabled*
    FW: Norton Internet Worm Protection *disabled*
    * New restore point was created
    .

    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    ----- BITS: Possibly infected sites -----

    hxxp://www.graboid.com
    .
    (((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 ))))))))))))))))))))))))))))))
    .

    2009-01-20 10:21 . 2009-01-20 10:21 <DIR> d-------- c:\windows\LastGood
    2009-01-17 00:37 . 2009-01-19 10:24 <DIR> d-------- c:\program files\Spyware Doctor
    2009-01-17 00:37 . 2009-01-17 00:37 <DIR> d-------- c:\documents and settings\lijklema\Application Data\PC Tools
    2009-01-17 00:37 . 2009-01-20 10:27 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-01-17 00:37 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
    2009-01-17 00:37 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
    2009-01-17 00:37 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
    2009-01-17 00:37 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
    2009-01-16 21:04 . 2009-01-19 11:30 69 --a------ c:\windows\NeroDigital.ini
    2009-01-16 20:54 . 2009-01-16 20:54 <DIR> d-------- c:\documents and settings\lijklema\Application Data\Nero
    2009-01-16 20:50 . 2009-01-16 20:50 <DIR> d-------- c:\program files\Nero
    2009-01-16 20:50 . 2009-01-16 20:52 <DIR> d-------- c:\program files\Common Files\Nero
    2009-01-16 20:50 . 2009-01-16 20:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
    2009-01-14 19:25 . 2009-01-14 19:25 <DIR> d-------- c:\documents and settings\lijklema\Application Data\Petroglyph
    2009-01-14 19:03 . 2009-01-14 19:04 <DIR> d-------- c:\program files\MagicDisc
    2009-01-14 19:03 . 2008-07-28 17:19 116,736 --a------ c:\windows\system32\drivers\mcdbus.sys
    2009-01-14 15:06 . 2009-01-14 19:16 <DIR> d-------- c:\program files\LucasArts
    2009-01-04 13:28 . 2009-01-04 13:28 <DIR> d-------- c:\program files\Bethesda Softworks
    2009-01-04 13:28 . 2009-01-04 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fallout3
    2009-01-04 13:27 . 2009-01-04 13:27 <DIR> d-------- c:\windows\Logs
    2009-01-04 13:24 . 2009-01-20 10:22 <DIR> d-------- c:\windows\system32\XPSViewer
    2009-01-04 13:23 . 2009-01-04 13:23 <DIR> d-------- c:\program files\Reference Assemblies
    2009-01-04 13:23 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
    2009-01-04 13:22 . 2009-01-04 13:22 <DIR> d-------- c:\windows\system32\xlive
    2008-12-25 18:13 . 2008-12-25 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Launcher
    2008-12-25 18:12 . 2008-12-27 13:54 <DIR> d-------- c:\documents and settings\lijklema\Application Data\vlc
    2008-12-25 18:12 . 2008-12-25 18:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
    2008-12-25 18:11 . 2008-12-25 18:11 <DIR> d-------- c:\documents and settings\lijklema\Application Data\MozillaControl
    2008-12-25 17:42 . 2008-12-25 17:42 <DIR> d-------- c:\program files\VideoLAN
    2008-12-25 17:42 . 2008-12-25 17:42 <DIR> d-------- c:\program files\Mozilla ActiveX Control v1.7.12
    2008-12-25 17:42 . 2008-12-25 18:11 <DIR> d-------- c:\program files\Graboid
    2008-12-24 08:26 . 2008-12-24 08:26 268 --ah----- C:\sqmdata12.sqm
    2008-12-24 08:26 . 2008-12-24 08:26 244 --ah----- C:\sqmnoopt12.sqm
    2008-12-24 00:45 . 2008-12-24 00:45 268 --ah----- C:\sqmdata11.sqm
    2008-12-24 00:45 . 2008-12-24 00:45 244 --ah----- C:\sqmnoopt11.sqm

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-19 22:48 --------- d-----w c:\documents and settings\lijklema\Application Data\Azureus
    2009-01-19 17:49 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2009-01-17 19:28 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-15 11:50 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-01-15 11:49 --------- d-----w c:\program files\Norton Internet Security
    2009-01-14 18:16 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-06 09:27 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
    2009-01-06 09:27 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
    2009-01-06 09:27 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
    2009-01-06 09:27 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
    2009-01-06 09:27 --------- d-----w c:\program files\Symantec
    2009-01-04 12:26 --------- d-----w c:\program files\MSBuild
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-10 20:20 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2008-12-07 23:01 --------- d-----w c:\program files\Windows Media Connect 2
    2008-12-07 19:42 --------- d-----w c:\program files\Azureus
    2008-12-07 19:33 --------- d-----w c:\program files\EsetOnlineScanner
    2008-12-07 18:37 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-07 16:55 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-12-07 14:34 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-12-07 12:50 --------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
    2008-11-26 18:20 --------- d-----w c:\program files\tuxguitar-1.0
    2008-11-26 13:44 --------- d-----w c:\program files\DivX
    2008-10-23 12:43 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-04-28 10:15 1 ----a-w c:\documents and settings\lijklema\SI.bin
    2008-04-02 18:13 22,328 ----a-w c:\documents and settings\lijklema\Application Data\PnkBstrK.sys
    2001-06-20 14:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
    2008-02-17 18:43 8 --sh--r c:\windows\system32\6622C2784B.sys
    2008-09-21 17:39 88 --sh--r c:\windows\system32\7D1A886136.sys
    2008-09-21 17:39 2,724 --sha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legitimate default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "DAEMON Tools Lite "= "c:\program files\DAEMON Tools Lite\daemon.exe" [2008-03-21 486856]
    "igndlm.exe "= "c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
    "pdfSaver3 "= "c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 380928]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 1688872]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "c:\windows\ehome\ehtray.exe" [2005-08-17 64512]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "Lexmark X83 Button Manager "= "c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe" [2001-06-10 53248]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-03-07 53096]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "PrinTray "= "c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-25 36864]
    "snp2std "= "c:\windows\vsnp2std.exe" [2006-09-15 675840]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
    "ArcSoft Connection Service "= "c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "Symantec PIF AlertEng "= "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "MMReminderService "= "c:\program files\Mindjet\MindManager 6\MMReminderService.exe" [2005-09-13 28672]
    "hpqSRMon "= "c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
    "NeroFilterCheck "= "c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
    "NBKeyScan "= "c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
    "nwiz "= "nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-04-04 c:\windows\RTHDCPL.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\lijklema\Menu Start\Programma's\Opstarten\
    MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-01-14 575488]

    c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    Wireless Client Manager.lnk - c:\program files\Wireless\Client Manager\CMags.EXE [2008-02-15 315392]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\FrostWire\\FrostWire.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe "=
    "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe "=

    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
    R3 wlags51b;Agere Wireless USB Driver;c:\windows\system32\drivers\wlags51b.sys [2008-02-15 178688]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-17 356920]
    S4 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2008-02-16 15104]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    *NewlyCreated* - FONTCACHE3.0.0.0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

    2009-01-16 c:\windows\Tasks\Norton AntiVirus - Volledige systeemscan uitvoeren - lijklema.job
    - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-28 12:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = \blank.htm
    uStart Page = hxxp://www.startpagina.nl/
    uInternet Settings,ProxyOverride = *.local
    IE: &Search
    IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 3.78\AMVConverter\grab.html
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 3.78\MediaManager\grab.html
    DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-20 10:32:28
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-429115175-1296836545-315636210-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "?? "=hex:5d,13,66,8f,bf,24,9f,02,6d,cb,8a,77,60,6f,ac,4f,49,32,62,5c,88,ce,91,
    72,de,d6,92,4f,f1,ce,df,b0,1c,6d,14,10,10,f1,9d,1f,8f,0c,bc,44,83,63,bd,16,\
    "?? "=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

    [HKEY_USERS\S-1-5-21-429115175-1296836545-315636210-1006\Software\SecuROM\License information*]
    "datasecu "=hex:01,fc,f9,76,07,d9,dc,50,df,18,b2,14,fa,42,54,8f,e1,94,58,95,d8,
    9f,1c,72,d3,e3,66,19,c3,d3,6c,3f,31,38,76,39,96,9b,28,42,c5,f0,af,3b,7f,37,\
    "rkeysecu "=hex:32,cd,e3,62,54,1e,11,b2,13,15,cc,e7,87,c0,f6,24
    .
    Completion time: 2009-01-20 10:34:20
    ComboFix-quarantined-files.txt 2009-01-20 09:34:10
    ComboFix2.txt 2008-12-09 12:12:37

    Pre-Run: 137.185.701.888 bytes free
    Post-Run: 137,729,904,640 bytes free

    216 --- E O F --- 2009-01-15 11:50:11
     
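Two parts of a ComboFix log carry most of the signal a helper looks for before the file listings: the "BITS: possibly infected sites" block (download jobs queued through the Background Intelligent Transfer Service) and the REGEDIT4-style registry dump, where Security Center notification keys, the per-vendor DisableMonitoring keys and the firewall policy are spelled out. The script below is an added example, not ComboFix's own code and not from the thread: it parses that registry dump format (tolerating the stray space ComboFix leaves before the closing quote of each value name, visible in the log above) and surfaces those settings. Whether each finding is expected depends on the installed suite; a third-party product such as the Norton install in this log legitimately registers its own Security Center monitoring, so the checks only surface the values, they do not judge them. The sample log text is constructed in ComboFix's layout.

```python
"""Pull Security Center / firewall settings and BITS job hosts out of a ComboFix log.

Added example (not ComboFix's code). Parses the REGEDIT4-style "Reg Loading Points"
dump and the "BITS: ... infected sites" block in the layout ComboFix prints. The
sample text is constructed; the site it lists is a placeholder.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Value names carry a trailing space in ComboFix output ("AntiVirusDisableNotify "=...).
VAL_RE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*(?P<raw>.*)$')
NUM_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")  # ComboFix's "0 (0x0)" form
BITS_RE = re.compile(r"^-+\s*BITS:.*-+$")

# Constructed sample in ComboFix's layout.
SAMPLE_LOG = r"""
----- BITS: Possibly infected sites -----

hxxp://www.example.com
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-03-07 53096]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)
"""


def parse_value(raw):
    """Decode dword:XXXXXXXX and "N (0xN)" to int; leave strings and hex blobs as text."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = NUM_RE.match(raw)
    if m:
        return int(m.group(1))
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_registry_section(text):
    """Map each [key] to {value name: decoded value}; lines outside any key are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name").strip()] = parse_value(m.group("raw"))
    return keys


def audit(keys):
    """Return (key, value name, note) for the Security Center and firewall settings of interest."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith("\\security center"):
            for name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
                if values.get(name) == 1:
                    findings.append((key, name, "Security Center alert suppressed"))
        elif "\\security center\\monitoring\\" in low and values.get("DisableMonitoring") == 1:
            vendor = key.rsplit("\\", 1)[-1]
            findings.append((key, "DisableMonitoring", f"Security Center not monitoring {vendor}"))
        elif low.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append((key, "EnableFirewall", "Windows Firewall off in the standard profile"))
    return findings


def bits_sites(text):
    """Collect the hosts ComboFix lists under its BITS header (written hxxp:// to defang them)."""
    sites, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if BITS_RE.match(line):
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line.startswith(("hxxp://", "hxxps://", "http://", "https://")):
            sites.append(line)
        else:
            in_section = False  # first non-URL line ends the block
    return sites


if __name__ == "__main__":
    for key, name, note in audit(parse_registry_section(SAMPLE_LOG)):
        print(f"{note}: [{key}] {name}")
    print("BITS jobs:", bits_sites(SAMPLE_LOG))
```

The BITS block deserves a look even when the host is a product the user installed on purpose, because a queued BITS job survives reboots and is a common way for a downloader to fetch its next stage without a visible process; ComboFix removed the qmgr0.dat/qmgr1.dat queue files in the log above for exactly that reason.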
  9. 2009/01/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open Norton and delete all items in quarantine.
    This backup needs to be removed, unless you can delete the infected files within it.

    C:\Mijn Backup

    C:\Mijn Backup -- 08-02-15 0219PM\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1878564E.exe
    C:\Mijn Backup -- 08-02-15 0219PM\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31B12088.exe

    I'd like to run a rootkit scan just to make sure ..... there are traces of one in Norton's quarantine.

    Download GMER Rootkit Scanner from here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in ark.txt
    Save it where you can easily find it, such as your desktop then post the contents here.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries
     
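The ark.txt these steps produce opens with a list of SSDT entries, one per hooked system call, and the caution above is the point: a hook is only a hook, and the work is attributing each one to a driver you can account for. GMER prints three shapes of owner, which is what the triage below keys on: a full path with the binary's description in parentheses (SYMEVENT.SYS with its Symantec description in the log posted in the next reply), a bare module name (sper.sys there, which the same log shows sitting under the sptd driver whose registry configuration points at DAEMON Tools Lite), and a bare kernel address with no module at all. The script is an added example, not GMER's code and not from the thread: it parses those lines, groups hooks by owning module, separates the unattributed ones, and calls out hooks on the registry-enumeration calls, because hooking those is what a registry-hiding rootkit needs, so a product hooking them has to be explainable. The sample lines are constructed in GMER's format, with some taken from the shapes in the posted log.

```python
"""Triage the SSDT section of a GMER ark.txt by hook owner.

Added example (not GMER's code). Parses lines of the forms
  SSDT <8-hex address> ZwXxx
  SSDT <module> ZwXxx [0xHOOK]
  SSDT <path> (<description>) ZwXxx [0xHOOK]
and groups them. The sample text is constructed in that format.
"""
import re
from collections import defaultdict

SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)(?:\s+\[(?P<hook>0x[0-9A-Fa-f]+)\])?\s*$")
OWNER_RE = re.compile(r"^(?P<path>\S+)(?:\s+\((?P<desc>[^)]*)\))?$")
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Syscalls that control what the registry looks like to user mode; hooking them is how
# a registry-hiding rootkit works, and also what some legitimate products do.
REGISTRY_VIEW = {"ZwEnumerateKey", "ZwEnumerateValueKey", "ZwOpenKey", "ZwQueryKey", "ZwQueryValueKey"}

# Constructed sample in GMER's format.
SAMPLE_ARK = r"""
---- System - GMER 1.0.14 ----

SSDT 8A545E98 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB695A020]
SSDT sper.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT sper.sys ZwOpenKey [0xBA6A80C0]
SSDT 8A7C8C08 ZwQueryValueKey
SSDT 8A7C35D0 ZwWriteVirtualMemory

---- Devices - GMER 1.0.14 ----
"""


def parse_ssdt(text):
    """Return one dict per SSDT line with the hooked function and what GMER says owns the hook."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if not m:
            continue
        owner = m.group("owner")
        if BARE_ADDR_RE.match(owner):
            tier, module, desc = "unattributed", None, None  # only a kernel address, no module
        else:
            om = OWNER_RE.match(owner)
            if om:
                module = om.group("path").rsplit("\\", 1)[-1].lower()
                desc = om.group("desc")
            else:
                module, desc = owner.lower(), None
            tier = "described" if desc else "named"
        hooks.append({"func": m.group("func"), "owner": owner, "module": module,
                      "desc": desc, "tier": tier, "hook": m.group("hook")})
    return hooks


def triage(text):
    """Group hooks by module, list unattributed ones, and flag registry-view hooks."""
    hooks = parse_ssdt(text)
    by_module = defaultdict(list)
    unattributed = []
    for h in hooks:
        if h["tier"] == "unattributed":
            unattributed.append((h["func"], h["owner"]))
        else:
            by_module[h["module"]].append(h["func"])
    vendor_for = {mod: next(h["desc"] for h in hooks if h["module"] == mod) for mod in by_module}
    registry_view = sorted((h["module"] or h["owner"], h["func"]) for h in hooks if h["func"] in REGISTRY_VIEW)
    return {"total": len(hooks), "by_module": dict(by_module), "vendor_for": vendor_for,
            "unattributed": unattributed, "registry_view_hooks": registry_view}


if __name__ == "__main__":
    r = triage(SAMPLE_ARK)
    print(f"{r['total']} SSDT hooks")
    for mod, funcs in r["by_module"].items():
        print(f"  {mod} ({r['vendor_for'][mod] or 'no description'}): {', '.join(funcs)}")
    print("  unattributed:", ", ".join(f"{f}@{a}" for f, a in r["unattributed"]))
    print("  registry-view hooks:", r["registry_view_hooks"])
```

Reading the output: a module with a vendor description and a plausible install is the easy case; a bare module name needs a file on disk and an installed product to go with it; an address-only hook needs a second tool to resolve which driver's image range contains that address. None of the three tiers is a verdict, which is what the caution about false positives is getting at.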
  10. 2009/01/21
    Eatgarfield

    Eatgarfield Inactive Thread Starter

    Joined:
    2008/12/07
    Messages:
    14
    Likes Received:
    0
    I've managed to delete the files in the back-up, and the regular quarantined files. Here's the log:

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2009-01-21 11:17:09
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.14 ----

    SSDT 8A545E98 ZwAlertResumeThread
    SSDT 8A5134C0 ZwAlertThread
    SSDT 8A4C7950 ZwAllocateVirtualMemory
    SSDT 8A573650 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB695A020]
    SSDT 8A7CBF40 ZwCreateMutant
    SSDT 8A585998 ZwCreateThread
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB695A2A0]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB695A800]
    SSDT sper.sys ZwEnumerateKey [0xBA6C6CA2]
    SSDT sper.sys ZwEnumerateValueKey [0xBA6C7030]
    SSDT 8A7CE668 ZwFreeVirtualMemory
    SSDT 8A5136C8 ZwImpersonateAnonymousToken
    SSDT 8A5114C0 ZwImpersonateThread
    SSDT 8A5860B8 ZwMapViewOfSection
    SSDT 8A6AAE98 ZwOpenEvent
    SSDT sper.sys ZwOpenKey [0xBA6A80C0]
    SSDT 8A4F2E98 ZwOpenProcessToken
    SSDT 8A8D9848 ZwOpenThreadToken
    SSDT sper.sys ZwQueryKey [0xBA6C7108]
    SSDT 8A7C8C08 ZwQueryValueKey
    SSDT 8A5107B8 ZwResumeThread
    SSDT 8A530E98 ZwSetContextThread
    SSDT 8A894BE0 ZwSetInformationProcess
    SSDT 8A7D7418 ZwSetInformationThread
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB695AA50]
    SSDT 8A4EABC0 ZwSuspendProcess
    SSDT 8A51CC40 ZwSuspendThread
    SSDT 8A546E98 ZwTerminateProcess
    SSDT 8A512A10 ZwTerminateThread
    SSDT 8A520E98 ZwUnmapViewOfSection
    SSDT 8A7C35D0 ZwWriteVirtualMemory

    INT 0x63 ? 8A67ABF8
    INT 0x73 ? 8A98BBF8
    INT 0x73 ? 8A98BBF8
    INT 0x73 ? 8A98BBF8
    INT 0x73 ? 8A98BBF8
    INT 0x73 ? 8A67ABF8
    INT 0x73 ? 8A98BBF8
    INT 0x83 ? 8A98EBF8
    INT 0x83 ? 8A67ABF8
    INT 0x83 ? 8A98EBF8
    INT 0x94 ? 8A67ABF8
    INT 0xB4 ? 8A67ABF8

    ---- Devices - GMER 1.0.14 ----

    Device \FileSystem\Ntfs \Ntfs 8A9071F8

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\NetBT \Device\NetBT_Tcpip_{197D0539-062A-4888-8EA0-2F3A9C214C1F} 8A70E500
    Device \Driver\usbuhci \Device\USBPDO-0 8A7471F8
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A98C1F8
    Device \Driver\dmio \Device\DmControl\DmConfig 8A98C1F8
    Device \Driver\dmio \Device\DmControl\DmPnP 8A98C1F8
    Device \Driver\dmio \Device\DmControl\DmInfo 8A98C1F8
    Device \Driver\usbuhci \Device\USBPDO-1 8A7471F8
    Device \Driver\usbehci \Device\USBPDO-2 8A6651F8
    Device \Driver\usbuhci \Device\USBPDO-3 8A7471F8
    Device \Driver\usbuhci \Device\USBPDO-4 8A7471F8

    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\usbuhci \Device\USBPDO-5 8A7471F8
    Device \Driver\usbehci \Device\USBPDO-6 8A6651F8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8A91E1F8
    Device \Driver\Cdrom \Device\CdRom0 8A6581F8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 8A91E1F8
    Device \Driver\USBSTOR \Device\000000b0 8A521500
    Device \Driver\Cdrom \Device\CdRom1 8A6581F8
    Device \Driver\Cdrom \Device\CdRom2 8A6581F8
    Device \Driver\USBSTOR \Device\000000b2 8A521500
    Device \Driver\USBSTOR \Device\000000b3 8A521500
    Device \Driver\PCI_PNP4486 \Device\00000081 sper.sys
    Device \Driver\USBSTOR \Device\000000b4 8A521500
    Device \Driver\USBSTOR \Device\000000b5 8A521500
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8A70E500
    Device \Driver\NetBT \Device\NetbiosSmb 8A70E500
    Device \Driver\sptd \Device\699478236 sper.sys

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\usbuhci \Device\USBFDO-0 8A7471F8
    Device \Driver\usbuhci \Device\USBFDO-1 8A7471F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A6FF500
    Device \Driver\usbehci \Device\USBFDO-2 8A6651F8
    Device 8A6FF500
    Device \Driver\usbuhci \Device\USBFDO-3 8A7471F8
    Device \Driver\usbuhci \Device\USBFDO-4 8A7471F8
    Device \Driver\Ftdisk \Device\FtControl 8A91E1F8
    Device \Driver\usbuhci \Device\USBFDO-5 8A7471F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{44B4C7F4-6E30-4CF1-BF98-7B91A78EAC37} 8A70E500
    Device \Driver\usbehci \Device\USBFDO-6 8A6651F8
    Device \Driver\aeyzxx83 \Device\Scsi\aeyzxx831 8A625500
    Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 8A9091F8
    Device \Driver\aeyzxx83 \Device\Scsi\aeyzxx831Port6Path0Target0Lun0 8A625500
    Device \Driver\JRAID \Device\Scsi\JRAID1 8A9091F8
    Device 88A5E1F8
    Device B27F2297

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    Device \FileSystem\Cdfs \Cdfs 8A710500

    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x78 0x05 0x58 0xD2 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x6B 0x97 0x0D 0xFB ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x72 0x87 0xDF ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x71 0x10 0xD7 0x85 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x78 0x05 0x58 0xD2 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x6B 0x97 0x0D 0xFB ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x72 0x87 0xDF ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBD 0xCC 0x3E 0xA5 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x78 0x05 0x58 0xD2 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x6B 0x97 0x0D 0xFB ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x5B 0x72 0x87 0xDF ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x71 0x10 0xD7 0x85 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\18F6CF348E791D54983FE578EF60A65E\Usage@Program_Pro 976556475

    ---- Files - GMER 1.0.14 ----

    File C:\Documents and Settings\lijklema\Local Settings\Temporary Internet Files\Content.IE5\07NMUJOY\ratingsandrecommendationshandler[3].ashx 0 bytes
    File C:\Documents and Settings\lijklema\Local Settings\Temporary Internet Files\Content.IE5\07NMUJOY\beautiful-calendar-girl-jen[1].jpg 8792 bytes

    ---- EOF - GMER 1.0.14 ----
     
  11. 2009/01/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. :)

    Click Start>Run and type or paste the following command, then hit Enter to uninstall gmer.

    %systemroot%\gmer_uninstall.cmd

    Restart the computer to complete the uninstallation of gmer.


    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

    Delete DDS and the gmer file and folder.
    You can delete any other logs that were created/saved too.
    Empty the recycle bin when done.


    That should finish things up. Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe! :)
     