Trojan.Agent

Status
Not open for further replies.
OTmoveit

Explorer killed successfully
C:\Documents and Settings\All Users\Application Data\TEMP moved successfully.
C:\FOUND.002 moved successfully.
C:\WINDOWS\system32\tmp.reg moved successfully.
C:\WINDOWS\system32\8E29CEBC0E.sys moved successfully.
C:\WINDOWS\system32\BB95227B4B.sys moved successfully.
C:\WINDOWS\system32\KGyGaAvL.sys moved successfully.
C:\Documents and Settings\User\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03 moved successfully.
C:\Documents and Settings\User\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02 moved successfully.
C:\Documents and Settings\User\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01 moved successfully.
C:\Documents and Settings\User\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00 moved successfully.
C:\Documents and Settings\User\Application Data\Viewpoint\Viewpoint Media Player\Resources moved successfully.
C:\Documents and Settings\User\Application Data\Viewpoint\Viewpoint Media Player moved successfully.
C:\Documents and Settings\User\Application Data\Viewpoint moved successfully.
C:\Program Files\Viewpoint\Common moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\UserShell\AOL9Plus moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\UserShell\AOL9 moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\UserShell moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player\Components moved successfully.
C:\Program Files\Viewpoint\Viewpoint Media Player moved successfully.
C:\Program Files\Viewpoint moved successfully.
C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT moved successfully.
C:\WINDOWS\IFinst27.exe moved successfully.
File/Folder H:\Recycler.exe not found.
File/Folder I:\RavMon.exe not found.
< [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I] >
File/Folder [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I] not found.
< [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ed73398-00ab-11dd-b53b-0013021ce48d}] >
File/Folder [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ed73398-00ab-11dd-b53b-0013021ce48d}] not found.
< [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16b5b906-d35b-11da-b1ed-0013021ce48d}] >
File/Folder [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16b5b906-d35b-11da-b1ed-0013021ce48d}] not found.
< [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ccc07ee-9809-11dc-b4ca-0013021ce48d}] >
File/Folder [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ccc07ee-9809-11dc-b4ca-0013021ce48d}] not found.
< [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ccc07ef-9809-11dc-b4ca-0013021ce48d}] >
File/Folder [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ccc07ef-9809-11dc-b4ca-0013021ce48d}] not found.
< [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98678a84-1c6b-11db-b27c-0013021ce48d}] >
File/Folder [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98678a84-1c6b-11db-b27c-0013021ce48d}] not found.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06092008_231430
 
Step1 | ComboFix CFScript

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16b5b906-d35b-11da-b1ed-0013021ce48d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ccc07ee-9809-11dc-b4ca-0013021ce48d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ccc07ef-9809-11dc-b4ca-0013021ce48d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561b6f8c-2982-11db-b286-0013021ce48d}]
3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply

Step2 | Panda ActiveScan

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Step3 | Jotti Malware Scan

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\WINDOWS\system32\drivers\OsaFsLoc.sys
  • Click on the submit button
  • Please post the results in your next reply.

Logs Required In Next Post
------------------------------

ComboFix (CFScript) Log
ActiveScan Log
Jotti Log
 
Combofix

ComboFix 08-06-08.8 - User 2008-06-10 10:47:09.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.640 [GMT 8:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-09 23:24 . 2008-06-09 23:24 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-09 23:24 . 2008-06-09 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-09 23:15 . 2008-06-09 23:15 <DIR> d-------- C:\Documents and Settings\User\Application Data\Viewpoint
2008-06-09 23:14 . 2008-06-09 23:14 <DIR> d-------- C:\_OTMoveIt
2008-06-09 17:34 . 2008-06-09 17:35 <DIR> d-------- C:\Program Files\Panda Security
2008-06-09 11:15 . 2008-06-09 11:15 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-09 10:42 . 2008-06-09 10:42 <DIR> d-------- C:\VundoFix Backups
2008-06-09 09:54 . 2008-06-09 09:54 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-09 09:54 . 2008-06-09 09:54 <DIR> d-------- C:\Program Files\AVG
2008-06-09 09:54 . 2008-06-09 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-09 09:54 . 2008-06-09 09:54 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-09 09:54 . 2008-06-09 09:54 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-09 09:54 . 2008-06-09 09:54 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-06-09 09:54 . 2008-06-09 09:54 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-09 09:46 . 2008-06-09 09:46 <DIR> d-------- C:\Program Files\Trojan Remover
2008-06-09 09:46 . 2008-06-09 09:46 <DIR> d-------- C:\Program Files\MSConfig CleanUp
2008-06-09 09:46 . 2008-06-09 09:46 <DIR> d-------- C:\Program Files\CleanUp!
2008-06-09 09:46 . 2008-06-09 09:46 <DIR> d-------- C:\Program Files\CCleaner
2008-06-09 09:46 . 2008-06-09 09:46 <DIR> d-------- C:\Documents and Settings\User\Application Data\Simply Super Software
2008-06-09 09:46 . 2008-06-09 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-09 09:46 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-09 09:46 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-09 09:46 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-09 09:46 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-06-09 09:46 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-06-09 03:39 . 2008-06-09 03:39 <DIR> d-------- C:\Deckard
2008-06-09 00:01 . 2008-06-09 00:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-09 00:01 . 2008-06-09 00:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-08 23:15 . 2008-06-08 23:15 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-08 23:09 . 2008-06-08 02:23 <DIR> d-------- C:\SDFix
2008-06-08 20:57 . 2008-06-08 20:57 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-06-08 09:46 . 2008-06-08 09:46 244 ---h----- C:\sqmnoopt16.sqm
2008-06-08 09:46 . 2008-06-08 09:46 232 ---h----- C:\sqmdata16.sqm
2008-06-06 12:24 . 2008-06-06 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-06 12:23 . 2008-06-06 12:24 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-06 12:23 . 2008-06-06 12:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-06-05 16:10 . 2008-06-05 16:10 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-05 15:50 . 2008-06-05 15:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-05 15:50 . 2008-06-05 15:50 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-06-05 15:50 . 2008-06-05 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 15:50 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-05 15:50 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-05 07:37 . 2008-06-05 07:37 <DIR> d-------- C:\Documents and Settings\User\Application Data\HouseCall 6.6
2008-06-05 07:24 . 2008-06-05 07:24 <DIR> d-------- C:\Documents and Settings\User\Application Data\shcau0j0ejna
2008-06-04 19:05 . 2008-01-29 02:59 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-24 00:41 . 2008-05-24 00:41 <DIR> d-------- C:\Documents and Settings\User\Application Data\Corel
2008-05-24 00:41 . 2008-05-24 00:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-24 00:38 . 2008-05-24 00:38 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-05-24 00:29 . 2008-05-24 00:30 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield
2008-05-24 00:04 . 2008-05-24 00:05 <DIR> d-------- C:\Program Files\Sun
2008-05-10 14:49 . 2008-05-10 14:49 <DIR> d-------- C:\Documents and Settings\User\Application Data\acccore
2008-05-10 14:47 . 2008-05-10 14:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-10 14:46 . 2008-05-10 14:46 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-05-10 14:46 . 2008-05-10 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-10 14:46 . 2008-05-10 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-05-10 14:42 . 2008-05-10 14:42 <DIR> d-------- C:\Program Files\AIM6
2008-05-10 14:42 . 2008-05-10 14:47 365 ---h----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 06:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-06 05:17 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-05-02 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Uniblue
2008-05-02 03:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-02 03:51 --------- d-----w C:\Program Files\AGEIA Technologies
2008-05-02 03:50 278,728 ----a-w C:\WINDOWS\system32\drivers\atksgt.sys
2008-05-02 03:50 25,416 ----a-w C:\WINDOWS\system32\drivers\lirsgt.sys
2008-04-24 18:53 --------- d-----w C:\Program Files\Nero
2008-04-24 18:20 --------- d-----w C:\Program Files\AskTBar
2008-04-15 16:25 --------- d-----w C:\Documents and Settings\User\Application Data\Uniblue
2008-04-14 02:47 --------- d-----w C:\Program Files\NeroInstall.bak
2008-04-14 02:46 --------- d-----w C:\Documents and Settings\User\Application Data\Nero
2008-04-14 02:43 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-14 02:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-02 16:07 2,560 ----a-w C:\WINDOWS\system32\bitcometres.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2006-05-01 13:05 0 ----a-w C:\Documents and Settings\User\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-09_23.35.09.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-09 15:32:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 02:56:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2005-12-15 19:13 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"D:\\Warcraft III\\Warcraft III.exe"=
"D:\\Warcraft III\\War3.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"10127:TCP"= 10127:TCP:BitComet 10127 TCP
"10127:UDP"= 10127:UDP:BitComet 10127 UDP

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-06-09 09:54]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-09 09:54]
R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-09 09:54]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-09 09:54]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-09 09:54]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2005-04-22 16:57]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-22 16:57]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]
S3 POWERKEY;POWERKEY;C:\Program Files\Launch Manager\POWERKEY.sys [2000-12-19 18:29]
S3 SI15CI;SI15CI;C:\Elements\1stboot\Blueth\SI15CI.SYS []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 02:12:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-06-07 09:23:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-02 19:25:18 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- D:\Uniblue Power Suite\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 10:56:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-06-10 10:59:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-10 02:59:12
ComboFix2.txt 2008-06-09 15:35:34

Pre-Run: 4,633,427,968 bytes free
Post-Run: 4,624,154,624 bytes free

196 --- E O F --- 2008-06-09 13:01:36


Panda Activescan

The steps kind of differ from the ones you posted. I clicked on the link, went to ''Scan Your PC now'', followed by clicking on the ''Try'' button, registered for an account and ''Scan now''.

There weren't any options for me to click for a log, but I did the scan.
Congratulations!

Today you are not infected.

Jotti

File: OsaFsLoc.sys
Status:
OK
MD5: 26c4a4b64d1dd8e6fdfb2f4897be029c
Packers detected:
-
Scan taken on 10 Jun 2008 06:57:15 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
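The ComboFix log above carries a firewall-policy block that is worth reading on its own: it records whether the Windows Firewall is on for the standard profile, which programs have been allowed through it, and which ports are open to every host. The script below is an added example, not a ComboFix feature and not part of the thread; it parses that block and turns it into triage notes. SAMPLE_LOG is an excerpt copied from the log above. Two things are this example's own assumptions: a GloballyOpenPorts entry without a "Disabled" field is treated as live, and P2P_PATTERN is the example's list of file-sharing clients worth pointing out.

```python
"""Triage the Windows-Firewall policy block of a ComboFix log.

Added example; ComboFix itself does no such analysis. SAMPLE_LOG is an
excerpt copied from the log posted in this thread. Assumptions: entries in
GloballyOpenPorts without a 'Disabled' field are live, and P2P_PATTERN is
this example's own list of clients worth pointing out.
"""
import re

SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"10127:TCP"= 10127:TCP:BitComet 10127 TCP
"10127:UDP"= 10127:UDP:BitComet 10127 UDP
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<value>.*?)\s*$')
P2P_PATTERN = re.compile(r"bittorrent|bitcomet|limewire|utorrent|emule|kazaa", re.I)


def parse_firewall_policy(text):
    """Return the standard-profile firewall settings found in a ComboFix log."""
    policy = {"enabled": None, "authorized": [], "open_ports": []}
    section = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if not m or "firewallpolicy" not in section:
            continue
        name, value = m.group("name"), m.group("value")
        if section.endswith("standardprofile") and name == "EnableFirewall":
            policy["enabled"] = value.split()[0] != "0"  # "0 (0x0)" means off
        elif section.endswith("authorizedapplications\\list"):
            # ComboFix prints the path with REG-file escaping; undo it.
            policy["authorized"].append(name.replace("\\\\", "\\"))
        elif section.endswith("globallyopenports\\list"):
            port, proto = name.split(":", 1)
            fields = value.split(":")
            policy["open_ports"].append({
                "port": int(port),
                "proto": proto,
                "disabled": "Disabled" in fields,  # assumption: no marker means live
                "desc": fields[-1],
            })
    return policy


def findings(policy):
    """Turn the parsed block into the notes a helper would raise."""
    notes = []
    if policy["enabled"] is False:
        notes.append("Windows Firewall is OFF for the standard profile (EnableFirewall=0)")
    for app in policy["authorized"]:
        if P2P_PATTERN.search(app):
            notes.append(f"P2P client allowed through the firewall: {app}")
    for entry in policy["open_ports"]:
        if not entry["disabled"]:
            notes.append(f"inbound {entry['proto']} {entry['port']} open to all hosts: {entry['desc']}")
    return notes


if __name__ == "__main__":
    for note in findings(parse_firewall_policy(SAMPLE_LOG)):
        print("-", note)
```

Run it against the excerpt and it reports the firewall switched off, three file-sharing clients on the allow list, and BitComet's TCP and UDP ports open to every host; the two SolidNetworkManager entries are skipped because the log marks them Disabled. To use it on another log, paste the whole ComboFix output into a file and pass its contents to parse_firewall_policy; the parser ignores every section that does not sit under firewallpolicy.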
 
Got a question: is it advisable to disable the internet connection while refraining from using the computer?
 
Nah, just don't use the computer while we work on it. Most of our tools are online :)

Please make sure all your removable drives are inserted into the computer, and run the below scan:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
 
1. Please open a new notepad (not wordpad) document

2. In the new open document, copy/paste all of the following text in the code box:

Code:
@echo off
(echo ===========================
IF EXIST C:\RavMon.exe (
echo Computer Needs Cleaning!
) ELSE (
echo C:\RavMon.exe has been cleaned.
)
echo ===========================)>> Output.txt
start notepad Output.txt
(EVERYONE NOTE: The above script was created specifically for this user, and will cause damage to your computer if you run it on your system)

3. Click File => Save As and change "Save As Type:" to All Files

4. After doing the above step, save this new script as "Script.bat" to your Desktop

5. When you browse to your desktop your file should look somewhat like the below image:

Script-Bat.png


6. Please run the new file by double-clicking on it. It should open a resulting notepad document almost instantly after running it. Please post that text in your next reply.
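The Script.bat above tests a single path. RavMon.exe on a drive root, a root-level Recycler.exe and an autorun.inf are the footprints of a USB-spread autorun worm, which is also why the earlier OTMoveIt run looked on H: and I: and why the CFScript removed per-volume MountPoints2 keys (Explorer caches each volume's autorun-derived shell settings there). The script below is an added example, not the helper's Script.bat and not part of the thread: it generalises that IF EXIST check in Python (assumed to be installed) to every mounted volume, looks for the three filenames this thread has used, and parses any autorun.inf it finds to show what Explorer would have launched. The drive enumeration, the output format and the fake volume built in the test are the example's own.

```python
"""Scan volume roots for the autorun-worm indicators named in this thread.

Added example, not the helper's Script.bat: it generalises that single
IF EXIST check to every mounted drive and also reports what an autorun.inf
on the drive would launch. Assumes Python 3; the indicator names
(RavMon.exe, Recycler.exe, autorun.inf) come from the thread itself.
"""
import os
import string

# Files the thread's tools looked for on the roots of C:, H: and I:.
INDICATOR_FILES = ("RavMon.exe", "Recycler.exe", "autorun.inf")

# autorun.inf keys that hand Explorer something to execute.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(path):
    """Return (key, command) pairs from the [autorun] section that run code.

    Covers 'open=' and 'shellexecute=' plus the 'shell\\<verb>\\command='
    form that adds a context-menu verb. Other keys (icon, label, action)
    are ignored.
    """
    targets = []
    in_autorun = False
    with open(path, encoding="latin-1", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith((";", "#")):
                continue
            if line.startswith("[") and line.endswith("]"):
                in_autorun = line[1:-1].strip().lower() == "autorun"
                continue
            if not in_autorun or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            low = key.lower()
            if low in EXEC_KEYS or (low.startswith("shell\\") and low.endswith("\\command")):
                targets.append((key, value))
    return targets


def scan_volume(root):
    """Look for the indicator files directly under one volume root."""
    found = {}
    for name in INDICATOR_FILES:
        candidate = os.path.join(root, name)
        if os.path.isfile(candidate):
            found[name] = os.path.getsize(candidate)
    targets = parse_autorun(os.path.join(root, "autorun.inf")) if "autorun.inf" in found else []
    return {"root": root, "found": found, "autorun_targets": targets}


def needs_cleaning(report):
    """True when any indicator file is present on the volume."""
    return bool(report["found"])


def list_drive_roots():
    """Windows only: roots of every currently mounted drive letter."""
    return [f"{c}:\\" for c in string.ascii_uppercase if os.path.exists(f"{c}:\\")]


def format_report(report):
    """Same banner layout as the thread's Script.bat output."""
    lines = ["=" * 27, f"Volume {report['root']}"]
    if not report["found"]:
        lines.append("no indicator files present")
    for name, size in sorted(report["found"].items()):
        lines.append(f"FOUND {name} ({size} bytes) - Computer Needs Cleaning!")
    for key, command in report["autorun_targets"]:
        lines.append(f"  autorun.inf {key} -> {command}")
    lines.append("=" * 27)
    return "\n".join(lines)


if __name__ == "__main__":
    # On Windows walk every drive letter (insert the removable drives first,
    # as the helper asked); elsewhere scan the roots given on the command line.
    import sys
    roots = sys.argv[1:] or (list_drive_roots() if os.name == "nt" else ["/"])
    with open("Output.txt", "w") as out:
        for root in roots:
            text = format_report(scan_volume(root))
            print(text)
            out.write(text + "\n")
```

Run it from an administrator prompt with the USB drives plugged in (for example `python scan_autorun.py C:\ H:\ I:\`); it writes the same Output.txt banner the batch file did, one block per volume, and lists the command an autorun.inf would have run so the dropped executable can be quarantined rather than just deleted.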
 
Script.bat
===========================
C:\RavMon.exe has been cleaned.
===========================

MBAM

Malwarebytes' Anti-Malware 1.16
Database version: 845

2:05:12 AM 6/11/2008
mbam-log-6-11-2008 (02-05-12).txt

Scan type: Quick Scan
Objects scanned: 41205
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Please download Spybot Search & Destroy and AdAware.

Follow all the instructions on this website to run a scan with both of these softwares.

+ If user states they already have it +

I know you said you have already ran Spybot S&D and AdAware, but just to be sure, please make sure you have the latest versions here: Spybot Search & Destroy and AdAware.

Also please be sure you follow the instructions and settings on this website to run a scan with both of these softwares.

After doing full scans and removing spyware, please run MBAM in a Full Scan and post that log up here.

-------------------------

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available, otherwise Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 
I encountered a problem. I've uninstalled Kaspersky and ran this scan but couldn't proceed with the steps.

Failed to load Kaspersky Online Scanner ActiveX control!

You must have administrative rights on this computer;
you also must have the IE security settings to the Medium level.
 