Virus question

mossy1881
I have a test PC on which I download things to make sure they are not infected with a virus. The first thing the PC does is run a fast scan with Trojan Remover, and today it found the Vundo virus and found 4 infected files, which it removed from the registry and wherever else. I am now running SUPERAntiSpyware Pro to make sure it is clear of any infected files. I then plan on running Spybot S&D to see if it finds anything.

The question I have for you is do you think it will be safe to use or do I need to reinstall the OS to ensure it is not infected?

cheers

PS... I use this PC to test things before I put them on my primary PC.
 
Hello,

First, wrong section. We have a Virus section for these topics.

Second, no. Running 2 or 3 apps will not make you clear. But you also do not have to format. Check through Osiris's guide and post up a log if you want me to really tell you if you are clear or not.

Cheers,
Mak
 

Mak213,

Here is HJT log before doing anything on his list of things to do:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:36 PM, on 7/25/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3apphk.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = SaveWealth.com - Estate Planning, Taxes and Retirement
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Welcome to Internet Explorer 6.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {03E99860-E029-4B85-A901-4F76458A6658} - (no file)
O2 - BHO: (no name) - {04A5F9A9-76A2-4D48-940A-2F8F8D754642} - (no file)
O2 - BHO: (no name) - {1854EAE1-5D81-4930-B4BF-1160D0EFD30E} - (no file)
O2 - BHO: (no name) - {29DB108C-8371-4303-8A8B-918ED379A872} - (no file)
O2 - BHO: (no name) - {2DE27072-C012-4E5B-8051-FB8160EA54D1} - (no file)
O2 - BHO: (no name) - {3366BBE6-0395-448A-8248-E072578A65FF} - (no file)
O2 - BHO: (no name) - {3FFBFE87-FCA1-4727-B96F-C1295EA56AEE} - (no file)
O2 - BHO: (no name) - {400E00C9-BEAC-431D-BA4F-1BE47258516E} - (no file)
O2 - BHO: (no name) - {43359B37-15E9-41AE-B8FB-831BBA238E5D} - (no file)
O2 - BHO: (no name) - {4DA2D640-D807-4143-9284-D988689BFF3E} - (no file)
O2 - BHO: (no name) - {4DB2524E-3F1A-4A79-965F-43B04CCE348A} - (no file)
O2 - BHO: (no name) - {5DBC02BF-1D10-4CE1-8C5C-A777B204C660} - (no file)
O2 - BHO: (no name) - {8D249A9F-EDD1-47F4-AC31-4230292B6B3C} - (no file)
O2 - BHO: (no name) - {90DBD51B-9A6D-417E-938F-9A730824E12D} - (no file)
O2 - BHO: (no name) - {9B904910-78A4-489D-A825-5111B883A5B2} - (no file)
O2 - BHO: (no name) - {ADA9F749-0E76-4704-A726-0E74B2BFC0F9} - (no file)
O2 - BHO: (no name) - {B177C3AC-60A3-4FD2-B487-104CEB19E369} - (no file)
O2 - BHO: (no name) - {B25521E5-A303-4A0E-9979-90C1480D7F3C} - (no file)
O2 - BHO: (no name) - {BC2F4D04-6A01-4BC4-9941-6382AE25F6DD} - (no file)
O2 - BHO: (no name) - {CEF6F57D-3BB5-4645-B46F-8E360DCF7768} - (no file)
O2 - BHO: Burn4Free Toolbar Helper - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
O2 - BHO: (no name) - {D2B61D94-94AC-4ACE-BE75-FAF2A8CBABC4} - (no file)
O2 - BHO: {945bbcf2-8bcd-bbf9-95a4-64a482081c3d} - {d3c18028-4a46-4a59-9fbb-dcb82fcbb549} - C:\WINNT\system32\wjjnwf.dll
O2 - BHO: (no name) - {D6D68E5C-17D5-45DE-AE72-619DD27A73B9} - (no file)
O2 - BHO: (no name) - {D8305537-57DC-4716-9692-AD2DFFD47440} - (no file)
O2 - BHO: (no name) - {DF088CAB-FE77-435D-BBBC-66B68F6DC8E9} - (no file)
O2 - BHO: (no name) - {EA2570AE-65D3-40AB-B4EB-D3309F131741} - (no file)
O2 - BHO: (no name) - {FD880EA1-C7E0-42AC-AE17-F030B676B111} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Burn4Free Toolbar - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byXNfEvW - C:\WINNT\
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5991 bytes
 
Hello Mossy,

Without a doubt you are still infected.

O2 - BHO: (no name) - {03E99860-E029-4B85-A901-4F76458A6658} - (no file)
O2 - BHO: (no name) - {04A5F9A9-76A2-4D48-940A-2F8F8D754642} - (no file)
O2 - BHO: (no name) - {1854EAE1-5D81-4930-B4BF-1160D0EFD30E} - (no file)
O2 - BHO: (no name) - {29DB108C-8371-4303-8A8B-918ED379A872} - (no file)
O2 - BHO: (no name) - {2DE27072-C012-4E5B-8051-FB8160EA54D1} - (no file)
O2 - BHO: (no name) - {3366BBE6-0395-448A-8248-E072578A65FF} - (no file)
O2 - BHO: (no name) - {3FFBFE87-FCA1-4727-B96F-C1295EA56AEE} - (no file)
O2 - BHO: (no name) - {400E00C9-BEAC-431D-BA4F-1BE47258516E} - (no file)
O2 - BHO: (no name) - {43359B37-15E9-41AE-B8FB-831BBA238E5D} - (no file)
O2 - BHO: (no name) - {4DA2D640-D807-4143-9284-D988689BFF3E} - (no file)
O2 - BHO: (no name) - {4DB2524E-3F1A-4A79-965F-43B04CCE348A} - (no file)
O2 - BHO: (no name) - {5DBC02BF-1D10-4CE1-8C5C-A777B204C660} - (no file)
O2 - BHO: (no name) - {8D249A9F-EDD1-47F4-AC31-4230292B6B3C} - (no file)
O2 - BHO: (no name) - {90DBD51B-9A6D-417E-938F-9A730824E12D} - (no file)
O2 - BHO: (no name) - {9B904910-78A4-489D-A825-5111B883A5B2} - (no file)
O2 - BHO: (no name) - {ADA9F749-0E76-4704-A726-0E74B2BFC0F9} - (no file)
O2 - BHO: (no name) - {B177C3AC-60A3-4FD2-B487-104CEB19E369} - (no file)
O2 - BHO: (no name) - {B25521E5-A303-4A0E-9979-90C1480D7F3C} - (no file)
O2 - BHO: (no name) - {BC2F4D04-6A01-4BC4-9941-6382AE25F6DD} - (no file)
O2 - BHO: (no name) - {CEF6F57D-3BB5-4645-B46F-8E360DCF7768} - (no file)
O2 - BHO: (no name) - {D2B61D94-94AC-4ACE-BE75-FAF2A8CBABC4} - (no file)
O2 - BHO: (no name) - {D6D68E5C-17D5-45DE-AE72-619DD27A73B9} - (no file)
O2 - BHO: (no name) - {D8305537-57DC-4716-9692-AD2DFFD47440} - (no file)
O2 - BHO: (no name) - {DF088CAB-FE77-435D-BBBC-66B68F6DC8E9} - (no file)
O2 - BHO: (no name) - {EA2570AE-65D3-40AB-B4EB-D3309F131741} - (no file)
O2 - BHO: (no name) - {FD880EA1-C7E0-42AC-AE17-F030B676B111} - (no file)

These entries should be removed via HiJack This.

O20 - Winlogon Notify: byXNfEvW - C:\WINNT\

That entry is very bad. It notifies someone when you log on so that they can do whatever that virus or malware is supposed to do.

So yeah you are still infected. So please do as follows:

Step 1 | HiJack This

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {03E99860-E029-4B85-A901-4F76458A6658} - (no file)
O2 - BHO: (no name) - {04A5F9A9-76A2-4D48-940A-2F8F8D754642} - (no file)
O2 - BHO: (no name) - {1854EAE1-5D81-4930-B4BF-1160D0EFD30E} - (no file)
O2 - BHO: (no name) - {29DB108C-8371-4303-8A8B-918ED379A872} - (no file)
O2 - BHO: (no name) - {2DE27072-C012-4E5B-8051-FB8160EA54D1} - (no file)
O2 - BHO: (no name) - {3366BBE6-0395-448A-8248-E072578A65FF} - (no file)
O2 - BHO: (no name) - {3FFBFE87-FCA1-4727-B96F-C1295EA56AEE} - (no file)
O2 - BHO: (no name) - {400E00C9-BEAC-431D-BA4F-1BE47258516E} - (no file)
O2 - BHO: (no name) - {43359B37-15E9-41AE-B8FB-831BBA238E5D} - (no file)
O2 - BHO: (no name) - {4DA2D640-D807-4143-9284-D988689BFF3E} - (no file)
O2 - BHO: (no name) - {4DB2524E-3F1A-4A79-965F-43B04CCE348A} - (no file)
O2 - BHO: (no name) - {5DBC02BF-1D10-4CE1-8C5C-A777B204C660} - (no file)
O2 - BHO: (no name) - {8D249A9F-EDD1-47F4-AC31-4230292B6B3C} - (no file)
O2 - BHO: (no name) - {90DBD51B-9A6D-417E-938F-9A730824E12D} - (no file)
O2 - BHO: (no name) - {9B904910-78A4-489D-A825-5111B883A5B2} - (no file)
O2 - BHO: (no name) - {ADA9F749-0E76-4704-A726-0E74B2BFC0F9} - (no file)
O2 - BHO: (no name) - {B177C3AC-60A3-4FD2-B487-104CEB19E369} - (no file)
O2 - BHO: (no name) - {B25521E5-A303-4A0E-9979-90C1480D7F3C} - (no file)
O2 - BHO: (no name) - {BC2F4D04-6A01-4BC4-9941-6382AE25F6DD} - (no file)
O2 - BHO: (no name) - {CEF6F57D-3BB5-4645-B46F-8E360DCF7768} - (no file)
O2 - BHO: (no name) - {D2B61D94-94AC-4ACE-BE75-FAF2A8CBABC4} - (no file)
O2 - BHO: (no name) - {D6D68E5C-17D5-45DE-AE72-619DD27A73B9} - (no file)
O2 - BHO: (no name) - {D8305537-57DC-4716-9692-AD2DFFD47440} - (no file)
O2 - BHO: (no name) - {DF088CAB-FE77-435D-BBBC-66B68F6DC8E9} - (no file)
O2 - BHO: (no name) - {EA2570AE-65D3-40AB-B4EB-D3309F131741} - (no file)
O2 - BHO: (no name) - {FD880EA1-C7E0-42AC-AE17-F030B676B111} - (no file)


Now close all windows other than HiJackThis, then click Fix Checked.

Step 2 | CFScript

Download ComboFix from Here or Here to your Desktop.

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
O20 - Winlogon Notify: byXNfEvW - C:\WINNT\
3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply

Logs needed in next reply:

ComboFix

Cheers,
Mak
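The reply above picks two patterns out of the HijackThis log by eye: O2 BHO registrations whose DLL is "(no file)", and an O20 Winlogon Notify entry (a DLL that winlogon loads and calls on logon and logoff events) whose path is a bare directory rather than a DLL. The following script is an added example written for this thread, not part of HijackThis or of the reply; it parses the O2, O4 and O20 line formats seen in the posted log and flags those patterns plus two more checks a log reviewer makes (a BHO whose display name is only a CLSID, and a Run entry that names a bare file resolved through PATH). The sample lines are constructed from the log in the thread, and the heuristics are this example's assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example for this thread; not HijackThis code. The heuristics below
are assumptions chosen to match what a log reviewer checks first.
"""
import re
from dataclasses import dataclass

# Every HJT line starts with a section tag such as "O2 - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <dll path or '(no file)'>"
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 body: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O20 body: "Winlogon Notify: <subkey> - <dll path>"
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted or not)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(lines):
    """Return a list of Findings for the HJT lines given."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            if b.group("path") == "(no file)":
                findings.append(Finding(section,
                    "BHO CLSID registered but its DLL is gone: orphaned registration, fix in HJT", line))
            elif b.group("name").startswith("{"):
                findings.append(Finding(section,
                    "BHO has no vendor name, only a CLSID: inspect the DLL it loads", line))
        elif section == "O4":
            r = RUN_RE.match(body)
            if r and "\\" not in _executable_of(r.group("cmd")):
                findings.append(Finding(section,
                    "Run entry is a bare file name resolved via PATH: confirm where it lives on disk", line))
        elif section == "O20":
            n = NOTIFY_RE.match(body)
            if n and not n.group("path").lower().endswith(".dll"):
                findings.append(Finding(section,
                    "Winlogon Notify package whose path is not a DLL: orphaned or deliberately obscured", line))
    return findings


def sections_flagged(lines):
    """Map each flagged section tag to the number of findings in it."""
    counts = {}
    for f in triage(lines):
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: representative lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {03E99860-E029-4B85-A901-4F76458A6658} - (no file)
O2 - BHO: Burn4Free Toolbar Helper - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
O2 - BHO: {945bbcf2-8bcd-bbf9-95a4-64a482081c3d} - {d3c18028-4a46-4a59-9fbb-dcb82fcbb549} - C:\WINNT\system32\wjjnwf.dll
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byXNfEvW - C:\WINNT\
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the orphaned BHO, the CLSID-named BHO that loads wjjnwf.dll from system32, the bare S3apphk.exe Run entry (legitimate here, but worth confirming on disk) and the byXNfEvW notify package, while the SUPERAntiSpyware and Burn4Free entries pass. The point of the O2 check is that a "(no file)" entry is harmless residue on its own; the reason to care is that dozens of them in one log show how many DLLs something was registering and re-registering before the scanners got to them.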
 
here you go Mak213,

ComboFix 08-07-25.4 - larry f 07/25/2008 23:10:58.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.166 [GMT -7:00]
Running from: C:\Documents and Settings\larry f\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\larry f\Desktop\CFScript.txt
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
O20 - Winlogon Notify: byXNfEvW - C:\WINNT\
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\larry f\Application Data\inst.exe
C:\WINNT\system32\abcMUvut.ini
C:\WINNT\system32\abcMUvut.ini2
C:\WINNT\system32\bsbnqutr.dll
C:\WINNT\system32\dgctqlsu.dll
C:\WINNT\system32\hvobchlo.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\mrxmch.dll
C:\WINNT\system32\mWaIOXbc.ini
C:\WINNT\system32\mWaIOXbc.ini2
C:\WINNT\system32\wjjnwf.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 22:02 . 08-07-25 22:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 21:54 . 08-07-25 21:54 <DIR> d-------- C:\VundoFix Backups
2008-07-25 21:50 . 08-07-25 21:50 <DIR> d---s---- C:\Documents and Settings\larry f\UserData
2008-07-25 16:52 . 08-07-25 16:52 <DIR> d-------- C:\Program Files\ESET
2008-07-25 16:08 . 08-07-25 16:09 294 ---hs---- C:\WINNT\system32\urtmmxyt.ini
2008-07-25 11:25 . 08-07-25 11:25 524,288 --a------ C:\WINNT\Setup_ver1.1530.0.exe
2008-07-24 15:44 . 08-07-24 15:45 294 ---hs---- C:\WINNT\system32\nusgxnqm.ini
2008-07-23 19:39 . 08-07-23 19:39 <DIR> d-------- C:\Program Files\Burn4Free Toolbar
2008-07-23 19:39 . 08-07-23 19:39 <DIR> d-------- C:\Program Files\Burn4Free
2008-07-23 19:39 . 08-07-23 19:39 232,075 --a------ C:\WINNT\Burn4Free_Toolbar_Uninstaller_1485.exe
2008-07-23 15:40 . 08-07-23 15:40 294 --ahs---- C:\WINNT\system32\ehyhkneu.ini
2008-07-23 10:15 . 08-07-23 10:15 294 --ahs---- C:\WINNT\system32\efaqwxsg.ini
2008-07-22 21:40 . 08-07-22 21:40 294 --ahs---- C:\WINNT\system32\vstysgsa.ini
2008-07-21 23:26 . 08-07-21 23:26 <DIR> d-------- C:\Documents and Settings\larry f\Application Data\ESET
2008-07-21 23:21 . 08-07-21 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-19 19:46 . 08-07-25 19:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-19 19:44 . 08-07-25 18:44 <DIR> d-a------ C:\Program Files\Trojan Remover
2008-07-19 19:44 . 08-07-19 19:44 <DIR> d-------- C:\Documents and Settings\larry f\Application Data\Simply Super Software
2008-07-19 19:44 . 08-07-19 19:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-07-19 19:44 . 06-05-25 15:52 162,304 --a------ C:\WINNT\system32\ztvunrar36.dll
2008-07-19 19:44 . 03-02-02 20:06 153,088 --a------ C:\WINNT\system32\UNRAR3.dll
2008-07-19 19:44 . 05-08-26 01:50 77,312 --a------ C:\WINNT\system32\ztvunace26.dll
2008-07-19 19:44 . 02-03-06 01:00 75,264 --a------ C:\WINNT\system32\unacev2.dll
2008-07-19 19:44 . 06-06-19 13:01 69,632 --a------ C:\WINNT\system32\ztvcabinet.dll
2008-07-17 20:46 . 08-07-17 20:46 <DIR> d-------- C:\Program Files\Driver-Soft
2008-07-17 20:46 . 07-09-02 20:56 1,686,016 --a------ C:\WINNT\system32\clinetsuitex6.ocx
2008-07-17 20:46 . 05-04-15 19:58 1,071,088 --a------ C:\WINNT\system32\MSCOMCTL.OCX
2008-07-17 20:46 . 04-03-09 16:45 662,288 --a------ C:\WINNT\system32\MSCOMCT2.OCX
2008-07-17 20:46 . 04-06-14 14:56 427,864 --a------ C:\WINNT\system32\XceedZip.dll
2008-07-17 18:05 . 08-07-17 18:05 <DIR> d-------- C:\Documents and Settings\userone\Application Data\Nero
2008-07-17 18:05 . 08-07-17 18:05 <DIR> d-------- C:\Documents and Settings\userone\Application Data\Comodo
2008-07-17 18:04 . 08-07-17 18:04 <DIR> d-------- C:\Documents and Settings\userone
2008-07-17 14:57 . 08-07-23 10:25 <DIR> d-------- C:\Program Files\Invisible IP Map
2008-07-16 18:38 . 08-07-16 18:47 <DIR> d-------- C:\Documents and Settings\larry f\Application Data\Hide IP NG
2008-07-16 18:34 . 08-07-16 18:34 32 --a------ C:\WINNT\go
2008-07-13 19:21 . 08-07-13 19:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-13 19:21 . 08-07-13 19:21 <DIR> d-------- C:\Documents and Settings\larry f\Application Data\SUPERAntiSpyware.com
2008-07-13 19:21 . 08-07-13 19:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-13 19:10 . 08-07-13 19:10 <DIR> d-------- C:\Program Files\uTorrent
2008-07-13 19:10 . 08-07-13 19:18 <DIR> d-------- C:\Documents and Settings\larry f\Application Data\uTorrent
2008-07-11 19:42 . 08-07-11 19:42 <DIR> d-------- C:\Documents and Settings\larry f\Application Data\vlc
2008-07-11 19:41 . 08-07-22 18:34 69 --a------ C:\WINNT\NeroDigital.ini
2008-07-11 19:38 . 08-07-11 19:38 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-11 15:58 . 08-07-11 15:58 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-07-11 15:53 . 08-07-11 15:53 685,816 --a------ C:\WINNT\system32\drivers\sptd.sys
2008-07-10 21:45 . 08-07-10 21:45 <DIR> d-------- C:\Documents and Settings\larry f\Application Data\Nero
2008-07-10 21:38 . 08-07-10 21:38 <DIR> d-------- C:\Program Files\Nero
2008-07-10 21:38 . 08-07-10 21:42 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-10 21:38 . 08-07-10 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-07-10 20:31 . 08-07-10 20:32 <DIR> d-------- C:\WINNT\Windows Update Setup Files
2008-07-10 20:31 . 08-07-10 20:34 <DIR> d--h----- C:\WINNT\msdownld.tmp
2008-07-10 19:23 . 08-07-10 19:23 <DIR> d-------- C:\WINNT\winsxs
2008-07-10 19:11 . 08-07-10 19:11 <DIR> d--h-c--- C:\WINNT\$MSI30UninstallMSI30-KB884016$
2008-07-08 23:26 . 01-07-31 08:43 1,112,827 -ra------ C:\WINNT\system32\tridicdp.dll
2008-07-08 23:26 . 01-07-12 15:28 167,936 -ra------ C:\WINNT\system32\S3Info2.dll
2008-07-08 23:26 . 01-06-14 17:29 53,386 -ra------ C:\WINNT\system32\S3Disply.cfg
2008-07-08 23:26 . 01-06-14 17:43 48,045 -ra------ C:\WINNT\system32\S3Gamma2.cfg
2008-07-08 23:26 . 01-12-04 16:02 28,672 -ra------ C:\WINNT\system32\S3apphk.exe
2008-07-08 23:26 . 01-06-11 13:06 21,163 -ra------ C:\WINNT\system32\S3Info2.cfg
2008-07-08 23:25 . 02-09-24 10:49 320,696 --a------ C:\WINNT\system32\trid3d.dll
2008-07-08 23:25 . 02-03-15 10:35 299,008 --a------ C:\WINNT\system32\S3Disply.dll
2008-07-08 23:25 . 02-07-02 16:52 286,720 --a------ C:\WINNT\system32\S3Gamma2.dll
2008-07-08 23:25 . 02-09-24 10:50 152,986 --a------ C:\WINNT\system32\drivers\trid3dm.sys
2008-07-08 23:25 . 02-03-15 10:32 45,056 --a------ C:\WINNT\system32\S3appdll.dll
2008-07-08 21:15 . 08-07-08 21:15 <DIR> d-------- C:\Documents and Settings\larry f\Application Data\Comodo
2008-07-08 21:15 . 08-07-08 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-07-08 20:41 . 08-07-21 23:28 <DIR> d-------- C:\Program Files\Comodo
2008-07-08 20:11 . 08-07-08 23:25 <DIR> d-------- C:\trident graphics card
2008-07-08 17:37 . 08-07-08 17:37 <DIR> d-------- C:\Documents and Settings\larry f\Application Data\Malwarebytes
2008-07-08 17:36 . 08-07-13 19:15 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-08 17:36 . 08-07-08 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-08 17:36 . 08-07-07 17:35 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-07-08 17:36 . 08-07-07 17:35 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-07-08 13:58 . 08-07-17 14:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 13:58 . 08-07-08 13:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-08 13:57 . 08-07-08 13:57 <DIR> d-------- C:\Program Files\**** NFO Viewer
2008-07-08 13:08 . 08-07-15 22:21 <DIR> d-------- C:\Program Files\VSO
2008-07-08 13:08 . 08-07-15 22:21 <DIR> d-------- C:\Documents and Settings\larry f\Application Data\Vso
2008-07-08 13:08 . 04-05-04 11:53 1,645,320 --a------ C:\WINNT\gdiplus.dll
2008-07-08 13:08 . 06-05-20 16:16 1,184,984 --a------ C:\WINNT\system32\wvc1dmod.dll
2008-07-08 13:08 . 06-05-11 19:21 626,688 --a------ C:\WINNT\system32\vp7vfw.dll
2008-07-08 13:08 . 06-09-29 12:24 217,127 --a------ C:\WINNT\system32\drv43260.dll
2008-07-08 13:08 . 06-09-29 12:25 208,935 --a------ C:\WINNT\system32\drv33260.dll
2008-07-08 13:08 . 06-09-29 12:26 176,165 --a------ C:\WINNT\system32\drv23260.dll
2008-07-08 13:08 . 07-03-18 20:37 65,602 --a------ C:\WINNT\system32\cook3260.dll
2008-07-08 13:08 . 08-07-08 13:08 47,360 --a------ C:\WINNT\system32\drivers\pcouffin.sys
2008-07-08 13:08 . 08-07-08 13:08 47,360 --a------ C:\Documents and Settings\larry f\Application Data\pcouffin.sys
2008-07-08 12:57 . 08-07-08 12:58 <DIR> d-------- C:\Program Files\directx
2008-07-07 21:08 . 08-07-07 21:08 <DIR> d-a------ C:\WUTemp
2008-07-07 21:08 . 08-07-25 21:37 555,314 ---h----- C:\WINNT\ShellIconCache
2008-07-07 21:08 . 03-08-25 18:06 182,880 --a------ C:\WINNT\system32\iuengine.dll
2008-07-07 20:59 . 99-12-07 16:43 551,536 --a------ C:\WINNT\system32\mga64d.dll
2008-07-07 20:59 . 99-12-07 16:43 551,536 --a--c--- C:\WINNT\system32\dllcache\mga64d.dll
2008-07-07 20:59 . 99-11-29 17:47 150,960 --a------ C:\WINNT\system32\drivers\mga64m.sys
2008-07-07 20:59 . 99-11-29 17:47 150,960 --a--c--- C:\WINNT\system32\dllcache\mga64m.sys
2008-07-07 19:28 . 08-07-07 19:28 <DIR> d-------- C:\Program Files\MWSnap
2008-07-07 19:22 . 08-07-07 19:22 0 --a------ C:\WINNT\nsreg.dat
2008-07-07 18:58 . 08-07-07 18:58 <DIR> d-a------ C:\WINNT\system32\Macromed
2008-07-07 11:08 . 08-07-07 11:08 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2008-07-07 11:07 . 08-07-07 11:07 <DIR> d-------- C:\Program Files\D-Link
2008-07-07 11:07 . 08-07-07 11:07 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-07-07 10:47 . 08-07-07 10:47 <DIR> d-------- C:\Program Files\Belarc
2008-07-07 10:47 . 08-02-27 13:49 3,840 --a------ C:\WINNT\system32\drivers\BANTExt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 06:39 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-07 06:36 271 ---h--w C:\Program Files\desktop.ini
2008-07-07 06:36 21,952 ---h--w C:\Program Files\folder.htt
2008-07-07 06:33 --------- d-----w C:\Program Files\Accessories
2008-05-30 21:11 467,984 ----a-w C:\WINNT\system32\d3dx10_38.dll
2008-05-30 21:11 3,850,760 ----a-w C:\WINNT\system32\D3DX9_38.dll
2008-05-30 21:11 1,491,992 ----a-w C:\WINNT\system32\D3DCompiler_38.dll
2008-05-30 21:01 80,896 ----a-w C:\WINNT\system32\dxdllreg.exe
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D187A56B-A33F-4CBE-9D77-459FC0BAE012}]
08-07-23 19:39 806912 --a------ C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [08-07-23 19:39 806912]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [08-07-23 19:39 806912]

[HKEY_CLASSES_ROOT\clsid\{4f11acbb-393f-4c86-a214-ff3d0d155cc3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [07-12-13 19:10 1688872]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-07-13 19:28 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [07-03-01 14:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [07-12-03 14:21 2213160]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [08-07-25 18:43 909392]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [08-03-01 04:54 1443072]
"Synchronization Manager"="mobsync.exe" [03-06-19 09:05 111376 C:\WINNT\system32\mobsync.exe]
"S3apphk"="S3apphk.exe" [01-12-04 16:02 28672 C:\WINNT\system32\S3apphk.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 09:05 186640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R1 epfwndhk;epfwndhk;C:\WINNT\system32\DRIVERS\EPFWNDHK.sys [08-03-01 04:56 ]
R3 trid3d;trid3d;C:\WINNT\system32\DRIVERS\trid3dm.sys [02-09-24 10:50 ]
S3 mga64;mga64;C:\WINNT\system32\DRIVERS\mga64m.sys [99-11-29 17:47 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9281A4FC-C581-3449-5FA6-456C6F7B9079}]
C:\WINNT\system32:winsock32.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Ad-Watch - C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
ShellExecuteHooks-{9B904910-78A4-489D-A825-5111B883A5B2} - (no file)
Notify-byXNfEvW - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 23:21:02
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINNT\system32:winsock32.exe 480770 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-07-25 23:25:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 06:24:52

Pre-Run: 6,337,376,256 bytes free
Post-Run: 7,250,055,168 bytes free

202


cheers
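The most telling line in the ComboFix output above is the one catchme reports as a hidden file: C:\WINNT\system32:winsock32.exe. The second colon means the 480770 bytes are an NTFS alternate data stream named winsock32.exe attached to the system32 directory itself, not a file inside it, so ordinary directory listings never show it; the same path appears earlier under an Active Setup Installed Components key, a location Windows uses to run a setup stub once for each user who logs on. The scanner below is an added example for this thread, not ComboFix's own code: it pulls host:stream paths out of a ComboFix log and keeps the registry key each one was listed under, if any. The sample lines are constructed from the posted log; the regular expressions are this example's assumptions about the log format.

```python
"""Find NTFS alternate data stream (ADS) paths in a ComboFix/catchme log.

Added example for this thread; not ComboFix code. The log format rules
encoded here are assumptions drawn from the log posted above.
"""
import re

# A Windows path with a second colon after the drive letter: host:stream.
# Quotes and brackets are excluded from the host so that "[08-07-23 19:39 806912]"
# timestamps after a quoted path are not mistaken for a stream name.
ADS_RE = re.compile(
    r'(?P<host>[A-Za-z]:\\[^:\r\n"\[\]]*?):(?P<stream>[^\s\\/:]+)(?=\s|$)')
# Registry key lines in the "Reg Loading Points" section look like "[HKEY_...]".
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.IGNORECASE)


def find_ads(lines):
    """Return dicts with host, stream, the registry key in force (or None) and the line."""
    hits = []
    current_key = None
    for raw in lines:
        line = raw.strip()
        if not line or line == ".":
            current_key = None          # section separator: key context ends
            continue
        k = KEY_RE.match(line)
        if k:
            current_key = k.group("key")
            continue
        m = ADS_RE.search(line)
        if m:
            hits.append({"host": m.group("host"), "stream": m.group("stream"),
                         "key": current_key, "line": line})
    return hits


def unique_streams(lines):
    """Set of 'host:stream' strings, so a stream reported in two sections counts once."""
    return {f"{h['host']}:{h['stream']}" for h in find_ads(lines)}


# Constructed sample: lines copied from the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4F11ACBB-393F-4C86-A214-FF3D0D155CC3}"= "C:\Program Files\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll" [08-07-23 19:39 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9281A4FC-C581-3449-5FA6-456C6F7B9079}]
C:\WINNT\system32:winsock32.exe
.
- - - - ORPHANS REMOVED - - - -

C:\WINNT\system32\wjjnwf.dll
Running from: C:\Documents and Settings\larry f\Desktop\ComboFix.exe

scanning hidden files ...

C:\WINNT\system32:winsock32.exe 480770 bytes executable
"""

if __name__ == "__main__":
    for h in find_ads(SAMPLE_LOG.splitlines()):
        where = h["key"] or "(catchme scan, no registry key)"
        print(f"stream {h['stream']!r} on {h['host']}\n    via {where}")
```

On a modern Windows box the same stream can be confirmed directly with `dir /r C:\WINNT\system32` (Vista and later) or `Get-Item -Path C:\WINNT\system32 -Stream *` (PowerShell 3.0 and later); the Windows 2000 machine in this thread had neither, which is why a tool like catchme was needed to surface it. A stream that survives a ComboFix run and is still wired to an Active Setup key is the kind of finding that makes the poster's final decision to reinstall the sensible one.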
 
Mossy,

I told you i would get to it sometime today. If you are that impatient then do as follows:

I suggest you take your log to the malware doctors found in this forum.
Please make sure that you read this before posting anything in the malware forum.

If you're still having problems after the malware doctors declare your log clean feel free to post back here and we'll help you to the best of our knowledge! :)

Cheers,
Mak
 
Nevermind. It takes a couple of hours to re-install the OS which is quicker than getting help. Thanks anyway. I appreciate the help given.
 