Author Topic: Help with Trojan-Psw.onlinegames  (Read 11431 times)

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Help with Trojan-Psw.onlinegames
« Reply #15 on: August 01, 2008, 03:51:24 PM »
Please go to C:\Documents and Settings\Sieghart\My Documents\Softies\ComboFix.exe and right click on ComboFix.exe then Delete it.

It is very important for ComboFix to install directly to your desktop.

Now please download Combofix by sUBs from one of the below links.

Please be sure ComboFix is saved directly to the Desktop.

Let us know when you have done this.

sieghart

    Topic Starter


    Rookie

    Re: Help with Trojan-Psw.onlinegames
    « Reply #16 on: August 01, 2008, 09:07:39 PM »
    OK, I've downloaded it and run the program:

    ComboFix 08-07-31.06 - Sieghart 2008-08-02 11:02:37.2 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1448 [GMT 8:00]
    Running from: C:\Documents and Settings\Sieghart\Desktop\ComboFix.exe
     * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((   Files Created from 2008-07-02 to 2008-08-02  )))))))))))))))))))))))))))))))
    .

    2008-08-01 20:26 . 2008-08-01 20:27   <DIR>   d--hs----   C:\000FE3A0
    2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\Malwarebytes
    2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-01 16:31 . 2008-07-30 20:07   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-01 16:31 . 2008-07-30 20:07   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-01 16:24 . 2008-08-01 16:24   <DIR>   d--hs----   C:\005627AA
    2008-08-01 16:24 . 2008-08-01 16:24   <DIR>   d--hs----   C:\005622E7
    2008-08-01 14:56 . 2008-08-01 14:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
    2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\SUPERAntiSpyware.com
    2008-08-01 14:50 . 2008-08-01 20:54   <DIR>   d--hs----   C:\00008760
    2008-08-01 13:49 . 2008-08-01 14:39   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
    2008-08-01 13:44 . 2008-08-01 20:55   <DIR>   d--hs----   C:\000077A1
    2008-08-01 13:40 . 2008-08-01 13:40   <DIR>   d--hs----   C:\00006F63
    2008-08-01 13:28 . 2008-08-01 13:28   <DIR>   d--------   C:\Program Files\Trend Micro
    2008-08-01 13:20 . 2008-08-01 13:20   <DIR>   d--------   C:\Program Files\CCleaner
    2008-08-01 12:12 . 2008-08-01 12:12   <DIR>   d--------   C:\Program Files\Sun
    2008-08-01 11:22 . 2008-08-01 11:23   <DIR>   d--------   C:\Program Files\Spyware Doctor
    2008-08-01 11:22 . 2008-08-01 11:22   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\PC Tools
    2008-08-01 11:22 . 2008-06-10 21:22   81,288   --a------   C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-08-01 11:22 . 2008-06-02 15:19   66,952   --a------   C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-08-01 11:22 . 2008-06-02 15:19   42,376   --a------   C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-08-01 11:22 . 2008-06-02 15:19   29,576   --a------   C:\WINDOWS\system32\drivers\kcom.sys
    2008-08-01 11:11 . 2008-08-01 20:55   <DIR>   d--hs----   C:\0000700F
    2008-07-31 22:35 . 2008-08-01 20:55   <DIR>   d--hs----   C:\00006D21
    2008-07-22 08:56 . 2008-07-22 09:00   <DIR>   d--------   C:\Documents and Settings\huiting\Application Data\AVGTOOLBAR
    2008-07-21 11:54 . 2008-07-31 14:12   520   --a------   C:\hpfr3420.xml
    2008-07-21 11:35 . 2004-10-08 09:16   35,840   --a------   C:\WINDOWS\system32\drivers\AFS2K.SYS
    2008-07-21 11:32 . 2008-07-21 11:36   20,724   --a------   C:\WINDOWS\hpoins01.dat
    2008-07-21 11:32 . 2002-12-03 11:54   16,618   ---------   C:\WINDOWS\hpomdl01.dat
    2008-07-21 11:30 . 2002-11-27 19:30   94,208   -ra------   C:\WINDOWS\system32\hpovst08.dll
    2008-07-14 09:44 . 2008-08-01 17:58   <DIR>   d--h-----   C:\$AVG8.VAULT$
    2008-07-13 10:16 . 2008-08-02 09:13   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
    2008-07-13 10:16 . 2008-07-16 02:12   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\AVGTOOLBAR
    2008-07-13 10:16 . 2008-07-13 10:16   96,520   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-07-13 10:16 . 2008-07-13 10:16   76,040   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-07-13 10:16 . 2008-07-13 10:16   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
    2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Program Files\AVG
    2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
    2008-07-11 14:35 . 2008-07-11 14:36   <DIR>   d--------   C:\Program Files\iTunes
    2008-07-11 14:35 . 2008-07-11 14:35   <DIR>   d--------   C:\Program Files\iPod
    2008-07-11 14:34 . 2008-07-11 14:34   <DIR>   d--------   C:\Program Files\QuickTime

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-01 12:26   4,224   ----a-w   C:\WINDOWS\system32\drivers\beep.sys
    2008-08-01 08:54   ---------   d-----w   C:\Program Files\Java
    2008-08-01 06:53   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-21 03:35   ---------   d-----w   C:\Program Files\Hewlett-Packard
    2008-07-16 16:42   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\dvdcss
    2008-07-14 11:26   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\uTorrent
    2008-07-04 06:15   ---------   d-----w   C:\Program Files\Safari
    2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
    2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-19 04:43   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\IGN_DLM
    2008-06-16 13:28   ---------   d-----w   C:\Program Files\MSXML 4.0
    2008-06-16 06:15   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\Samsung
    2008-06-16 06:10   5,632   ----a-w   C:\WINDOWS\system32\drivers\StarOpen.sys
    2008-06-16 06:06   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
    2008-06-16 06:06   ---------   d-----w   C:\Program Files\Samsung
    2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-10 13:40   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\AdobeUM
    2008-06-10 13:13   ---------   d-----w   C:\Program Files\Common Files\Adobe
    2008-05-07 05:18   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
    .

    ------- Sigcheck -------

    2007-10-08 19:21  502272  6225f14b8ce08ccba8b25ad27843c674   C:\WINDOWS\system32\winlogon.exe
    .
    (((((((((((((((((((((((((((((   snapshot@2008-08-01_18.15.56.04   )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-31 05:39:07   4,224   -c--a-w   C:\WINDOWS\system32\dllcache\beep.sys
    + 2008-08-01 12:26:48   4,224   -c--a-w   C:\WINDOWS\system32\dllcache\beep.sys
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 20:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 21:22 68856]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 19:53 171464]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 20:00 208952]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
    "GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-07-12 17:58 356352]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
    "StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-04-08 15:17 296631]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-13 10:15 1232152]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
    "SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16:56 16261632 C:\WINDOWS\RTHDCPL.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-15 20:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
    hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
    hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MFZ0"= MyFlashZip0.ax
    "msacm.l3acm"= C:\Program Files\WIZET\MapleStory\l3codeca.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\uTorrent\\utorrent.exe"=
    "C:\\Documents and Settings\\Sieghart\\My Documents\\Softies\\2448Script\\2448Script\\Mirc.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"= 6112:TCP:hamachi

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-13 10:16]
    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-13 10:15]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-13 10:15]
    R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-13 10:16]
    S3 FUCKALLGUARD;FUCKALLGUARD;C:\00E74EB8\00E74EC0 []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10dc5bb6-7ae4-11dc-b8ff-001a4d629181}]
    \Shell\AutoRun\command - N:\Autorun.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

    2008-08-02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

    2008-07-21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1216611367.job
    - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 20:38]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Sieghart\Application Data\Mozilla\Firefox\Profiles\qb4bolbx.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-02 11:04:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FUCKALLGUARD]
    "ImagePath"="\??\C:\00E74EB8\00E74EC0"
    .
    Completion time: 2008-08-02 11:05:15
    ComboFix-quarantined-files.txt  2008-08-02 03:05:11
    ComboFix2.txt  2008-08-01 10:16:11

    Pre-Run: 61,563,199,488 bytes free
    Post-Run: 61,557,268,480 bytes free

    185   --- E O F ---   2008-07-22 01:11:08

    evilfantasy

    Re: Help with Trojan-Psw.onlinegames
    « Reply #17 on: August 01, 2008, 09:34:58 PM »
    Do you know what these folders are?

    C:\000FE3A0
    C:\005627AA
    C:\005622E7
    C:\00008760
    C:\000077A1
    C:\00006F63
    C:\0000700F
    C:\00006D21

    Also do you know why this registry key has this name?

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FUCKALLGUARD]
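
The two things spotted by eye in the reply above (hex-named hidden folders at the drive root, and a service whose image path points into such a folder) can be flagged mechanically. This is an added example, not part of the original thread and not ComboFix code: the regular expressions, the `triage` function and the reading of an empty `[]` timestamp as "image file not found" are assumptions, and the sample lines are excerpted from the log posted above.

```python
import re
from typing import NamedTuple

# Excerpt of the ComboFix log lines posted in this thread (file listing + service lines).
SAMPLE_LOG = r"""
2008-08-01 20:26 . 2008-08-01 20:27   <DIR>   d--hs----   C:\000FE3A0
2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 16:31 . 2008-07-30 20:07   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-08-01 16:24 . 2008-08-01 16:24   <DIR>   d--hs----   C:\005627AA
2008-07-14 09:44 . 2008-08-01 17:58   <DIR>   d--h-----   C:\$AVG8.VAULT$
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-13 10:16]
S3 FUCKALLGUARD;FUCKALLGUARD;C:\00E74EB8\00E74EC0 []
"""

# "created . modified   size-or-<DIR>   attributes   path"
FILE_RE = re.compile(
    r"^\s*\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{9})\s+(?P<path>.+?)\s*$"
)
# "<R|S><digit> name;display name;image path [file timestamp]"
# R/S and the digit are read here as running/stopped and start type (assumption).
SERVICE_RE = re.compile(
    r"^\s*(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?) \[(?P<stamp>[^\]]*)\]\s*$"
)
# A path whose first component under the drive root is exactly eight hex digits.
HEX_ROOT_RE = re.compile(r"^[A-Za-z]:\\[0-9A-Fa-f]{8}(?:\\|$)")


class Finding(NamedTuple):
    kind: str        # "directory" or "service"
    subject: str     # directory path or service name
    reasons: tuple   # human-readable reasons the entry was flagged


def triage(log_text):
    """Return Findings for entries matching the patterns questioned in the thread."""
    findings = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            path, attrs = m["path"], m["attrs"]
            # Only the root-level directory itself, not files nested below it.
            if m["size"] == "<DIR>" and HEX_ROOT_RE.match(path) and path.count("\\") == 1:
                reasons = ["8-hex-digit name at drive root"]
                if "h" in attrs and "s" in attrs:
                    reasons.append("hidden+system attributes")
                findings.append(Finding("directory", path, tuple(reasons)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = []
            if HEX_ROOT_RE.match(m["image"]):
                reasons.append("image path inside hex-named root directory")
            if not m["stamp"].strip():
                # Assumption: an empty [] means no timestamp could be read for the image.
                reasons.append("no file timestamp for image")
            if reasons:
                findings.append(Finding("service", m["name"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:9} {f.subject}: {'; '.join(f.reasons)}")
```

Entries flagged this way are candidates for a human to question, as the helper does here, not confirmed malware.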

    sieghart


      Re: Help with Trojan-Psw.onlinegames
      « Reply #18 on: August 02, 2008, 03:16:49 AM »
      As much as it puzzles me, I don't recall creating these files at all, especially the registry key. But I know that those numbered files in C:\ were coming up as threats in my AVG, as Trojan-PSW.onlinegames. And it seems every time I deleted it with AVG, it would reappear on reboot.

      evilfantasy

      Re: Help with Trojan-Psw.onlinegames
      « Reply #19 on: August 02, 2008, 03:58:28 AM »
      Delete these files/folders, as follows:

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      • Click Start, then Run
      • Type notepad.exe in the Run Box.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillAll::

      Folder::
      C:\000FE3A0
      C:\005627AA
      C:\005622E7
      C:\00008760
      C:\000077A1
      C:\00006F63
      C:\0000700F
      C:\00006D21

      Registry::
      [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FUCKALLGUARD]
      "ImagePath"=-

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.


      sieghart


        Re: Help with Trojan-Psw.onlinegames
        « Reply #20 on: August 03, 2008, 03:02:44 AM »
        ComboFix 08-07-31.06 - Sieghart 2008-08-03 16:51:46.3 - NTFSx86
        Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1625 [GMT 8:00]
        Running from: C:\Documents and Settings\Sieghart\Desktop\ComboFix.exe
        Command switches used :: C:\Documents and Settings\Sieghart\Desktop\CFScript.txt
         * Created a new restore point

        WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        C:\00006D21
        C:\00006F63
        C:\00006F63\28523
        C:\0000700F
        C:\000077A1
        C:\00008760
        C:\000FE3A0
        C:\005622E7
        C:\005627AA
        C:\005627AA\5646258

        .
        (((((((((((((((((((((((((   Files Created from 2008-07-03 to 2008-08-03  )))))))))))))))))))))))))))))))
        .

        2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
        2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\Malwarebytes
        2008-08-01 16:31 . 2008-08-01 16:31   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
        2008-08-01 16:31 . 2008-07-30 20:07   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
        2008-08-01 16:31 . 2008-07-30 20:07   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
        2008-08-01 14:56 . 2008-08-01 14:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
        2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
        2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
        2008-08-01 14:55 . 2008-08-01 14:55   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\SUPERAntiSpyware.com
        2008-08-01 13:49 . 2008-08-01 14:39   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
        2008-08-01 13:28 . 2008-08-01 13:28   <DIR>   d--------   C:\Program Files\Trend Micro
        2008-08-01 13:20 . 2008-08-01 13:20   <DIR>   d--------   C:\Program Files\CCleaner
        2008-08-01 12:12 . 2008-08-01 12:12   <DIR>   d--------   C:\Program Files\Sun
        2008-08-01 11:22 . 2008-08-01 11:23   <DIR>   d--------   C:\Program Files\Spyware Doctor
        2008-08-01 11:22 . 2008-08-01 11:22   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\PC Tools
        2008-08-01 11:22 . 2008-06-10 21:22   81,288   --a------   C:\WINDOWS\system32\drivers\iksyssec.sys
        2008-08-01 11:22 . 2008-06-02 15:19   66,952   --a------   C:\WINDOWS\system32\drivers\iksysflt.sys
        2008-08-01 11:22 . 2008-06-02 15:19   42,376   --a------   C:\WINDOWS\system32\drivers\ikfilesec.sys
        2008-08-01 11:22 . 2008-06-02 15:19   29,576   --a------   C:\WINDOWS\system32\drivers\kcom.sys
        2008-07-22 08:56 . 2008-07-22 09:00   <DIR>   d--------   C:\Documents and Settings\huiting\Application Data\AVGTOOLBAR
        2008-07-21 11:54 . 2008-07-31 14:12   520   --a------   C:\hpfr3420.xml
        2008-07-21 11:35 . 2004-10-08 09:16   35,840   --a------   C:\WINDOWS\system32\drivers\AFS2K.SYS
        2008-07-21 11:32 . 2008-07-21 11:36   20,724   --a------   C:\WINDOWS\hpoins01.dat
        2008-07-21 11:32 . 2002-12-03 11:54   16,618   ---------   C:\WINDOWS\hpomdl01.dat
        2008-07-21 11:30 . 2002-11-27 19:30   94,208   -ra------   C:\WINDOWS\system32\hpovst08.dll
        2008-07-14 09:44 . 2008-08-01 17:58   <DIR>   d--h-----   C:\$AVG8.VAULT$
        2008-07-13 10:16 . 2008-08-03 12:11   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
        2008-07-13 10:16 . 2008-07-16 02:12   <DIR>   d--------   C:\Documents and Settings\Sieghart\Application Data\AVGTOOLBAR
        2008-07-13 10:16 . 2008-07-13 10:16   96,520   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
        2008-07-13 10:16 . 2008-07-13 10:16   76,040   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
        2008-07-13 10:16 . 2008-07-13 10:16   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
        2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Program Files\AVG
        2008-07-13 10:15 . 2008-07-13 10:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
        2008-07-11 14:35 . 2008-07-11 14:36   <DIR>   d--------   C:\Program Files\iTunes
        2008-07-11 14:35 . 2008-07-11 14:35   <DIR>   d--------   C:\Program Files\iPod
        2008-07-11 14:34 . 2008-07-11 14:34   <DIR>   d--------   C:\Program Files\QuickTime

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2008-08-01 12:26   4,224   ----a-w   C:\WINDOWS\system32\drivers\beep.sys
        2008-08-01 08:54   ---------   d-----w   C:\Program Files\Java
        2008-08-01 06:53   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
        2008-07-21 03:35   ---------   d-----w   C:\Program Files\Hewlett-Packard
        2008-07-16 16:42   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\dvdcss
        2008-07-14 11:26   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\uTorrent
        2008-07-04 06:15   ---------   d-----w   C:\Program Files\Safari
        2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
        2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
        2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
        2008-06-19 04:43   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\IGN_DLM
        2008-06-16 13:28   ---------   d-----w   C:\Program Files\MSXML 4.0
        2008-06-16 06:15   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\Samsung
        2008-06-16 06:10   5,632   ----a-w   C:\WINDOWS\system32\drivers\StarOpen.sys
        2008-06-16 06:06   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
        2008-06-16 06:06   ---------   d-----w   C:\Program Files\Samsung
        2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
        2008-06-10 13:40   ---------   d-----w   C:\Documents and Settings\Sieghart\Application Data\AdobeUM
        2008-06-10 13:13   ---------   d-----w   C:\Program Files\Common Files\Adobe
        .

        ------- Sigcheck -------

        2007-10-08 19:21  502272  6225f14b8ce08ccba8b25ad27843c674   C:\WINDOWS\system32\winlogon.exe
        .
        (((((((((((((((((((((((((((((   snapshot@2008-08-01_18.15.56.04   )))))))))))))))))))))))))))))))))))))))))
        .
        - 2008-07-31 05:39:07   4,224   -c--a-w   C:\WINDOWS\system32\dllcache\beep.sys
        + 2008-08-01 12:26:48   4,224   -c--a-w   C:\WINDOWS\system32\dllcache\beep.sys
        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 20:00 15360]
        "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 21:22 68856]
        "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 19:53 171464]
        "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
        "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 20:00 208952]
        "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
        "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 20:00 455168]
        "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04 59392]
        "GBB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-07-12 17:58 356352]
        "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12 90112]
        "StormCodec_Helper"="C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" [2006-04-08 15:17 296631]
        "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
        "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
        "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
        "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-13 10:15 1232152]
        "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
        "SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
        "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16:56 16261632 C:\WINDOWS\RTHDCPL.exe]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-15 20:00 15360]

        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
        Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
        hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34 147456]
        hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 20:56:10 40960]
        Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
        "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
        "VIDC.MFZ0"= MyFlashZip0.ax
        "msacm.l3acm"= C:\Program Files\WIZET\MapleStory\l3codeca.acm

        [HKEY_LOCAL_MACHINE\software\microsoft\security center]
        "AntiVirusDisableNotify"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
        "C:\\Program Files\\MSN Messenger\\livecall.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "C:\\Program Files\\uTorrent\\utorrent.exe"=
        "C:\\Documents and Settings\\Sieghart\\My Documents\\Softies\\2448Script\\2448Script\\Mirc.exe"=
        "C:\\Program Files\\iTunes\\iTunes.exe"=
        "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
        "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
        "6112:TCP"= 6112:TCP:hamachi

        R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-13 10:16]
        R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-13 10:15]
        R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-13 10:15]
        R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-13 10:16]

        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10dc5bb6-7ae4-11dc-b8ff-001a4d629181}]
        \Shell\AutoRun\command - N:\Autorun.exe
        .
        Contents of the 'Scheduled Tasks' folder

        2008-08-01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
        - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

        2008-08-03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
        - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

        2008-07-21 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1216611367.job
        - C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 20:38]
        .
        **************************************************************************

        catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2008-08-03 16:56:03
        Windows 5.1.2600 Service Pack 2 NTFS

        scanning hidden processes ...

        scanning hidden autostart entries ...

        scanning hidden files ...

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        ------------------------ Other Running Processes ------------------------
        .
        C:\WINDOWS\system32\ati2evxx.exe
        C:\WINDOWS\system32\ati2evxx.exe
        C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        C:\WINDOWS\ehome\ehRecvr.exe
        C:\WINDOWS\ehome\ehSched.exe
        C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
        C:\Program Files\AVG\AVG8\avgrsx.exe
        C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
        C:\WINDOWS\system32\dllhost.exe
        C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
        C:\WINDOWS\ehome\ehmsas.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
        C:\Program Files\iPod\bin\iPodService.exe
        C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
        C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
        C:\Program Files\ATI Technologies\ATI.ACE\Mace.exe
        C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
        .
        **************************************************************************
        .
        Completion time: 2008-08-03 16:59:29 - machine was rebooted
        ComboFix-quarantined-files.txt  2008-08-03 08:59:26
        ComboFix2.txt  2008-08-02 03:05:16
        ComboFix3.txt  2008-08-01 10:16:11

        Pre-Run: 61,434,777,600 bytes free
        Post-Run: 61,517,467,648 bytes free

        202   --- E O F ---   2008-07-22 01:11:08

        evilfantasy

        Re: Help with Trojan-Psw.onlinegames
        « Reply #21 on: August 03, 2008, 03:09:37 AM »
        Do you have two antivirus programs installed? Symantec and AVG.

        Download the Norton Removal Tool (SymNRT) to your Desktop.

        Once downloaded please close ALL open browsers, also save any work because this may require a restart.

        • Go to your desktop and double click on the removal tool and then click Setup.
        • Once open, click Next
        • Accept the license agreement and click Next
        • Type in the letters/numbers that you see into the text box then click Next.
        • Then click Next and the tool will start running.
        • Once finished restart the PC and run the tool again to ensure everything has been removed.
        .
        ----------

        Uninstall ComboFix, we are done with it and it isn't a safe tool to keep on the PC.

        • Click START then RUN
        • Now type Combofix /u in the runbox
        • Make sure there's a space between Combofix and /u
        • Then hit Enter.
        .
        ----------

        Use the Kaspersky Online Scanner

        In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon and choose Run as Administrator.

        Click on SCAN NOW
        Click on the Accept button and install any components it needs.
        • The program will install and then begin downloading the latest definition files.
        • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
        • This will start the program and scan your system.
        • The scan will take a while, so be patient and let it run.
        • Once the scan is complete, click on View scan report
        • Now, click on the Save Report as button.
        • In Save as type: click the drop arrow and select: Text file [*.txt]
        • Then, click: Save
        • Save the file to your desktop.
        .
        Post the Kaspersky log in your next reply.


        sieghart

          Re: Help with Trojan-Psw.onlinegames
          « Reply #22 on: August 04, 2008, 08:14:17 AM »
          --------------------------------------------------------------------------------
          KASPERSKY ONLINE SCANNER 7 REPORT
           Monday, August 4, 2008
           Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
           Kaspersky Online Scanner 7 version: 7.0.25.0
           Program database last update: Monday, August 04, 2008 09:57:38
           Records in database: 1052395
          --------------------------------------------------------------------------------

          Scan settings:
             Scan using the following database: extended
             Scan archives: yes
             Scan mail databases: yes

          Scan area - My Computer:
             C:\
             D:\
             E:\
             F:\
             G:\
             H:\
             I:\
             J:\
             K:\
             L:\
             M:\

          Scan statistics:
             Files scanned: 64710
             Threat name: 2
             Infected objects: 4
             Suspicious objects: 0
             Duration of the scan: 01:10:49


          File name / Threat name / Threats count
          C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script\Mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
          C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
          C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script.zip   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
          C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C56X012D\laco1[1].exe   Infected: Trojan-GameThief.Win32.OnLineGames.siyn   1

          The selected area was scanned.
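An added example, not part of the thread or any poster's code: a small Python triage of the detection rows in the report above. Kaspersky verdicts follow the pattern `[Prefix:]Behaviour.Platform.Name[.Variant]`, and the `not-a-virus:` prefix marks riskware (a legitimate tool that can be misused) rather than a malicious verdict. The function names and the `in_browser_cache` flag are assumptions of this example.

```python
import re
from collections import Counter

# Detection rows copied from the Kaspersky report in this thread.
REPORT_ROWS = r"""
C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script\Mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script.zip   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C56X012D\laco1[1].exe   Infected: Trojan-GameThief.Win32.OnLineGames.siyn   1
"""

# Paths contain single spaces, so columns are split on runs of 2+ spaces.
ROW = re.compile(r"^(?P<path>.+?)\s{2,}(?P<status>Infected|Suspicious):\s*"
                 r"(?P<verdict>\S+)\s+(?P<count>\d+)\s*$")

def parse_verdict(verdict):
    """Split '[Prefix:]Behaviour.Platform.Name[.Variant]' into its parts."""
    prefix, _, name = verdict.rpartition(":")
    parts = name.split(".", 3)
    parts += [""] * (4 - len(parts))
    behaviour, platform, family, variant = parts
    return {"prefix": prefix, "behaviour": behaviour, "platform": platform,
            "family": family, "variant": variant}

def triage(report_text):
    """Return one dict per detection row, tagged riskware or malware."""
    findings = []
    for line in report_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, blank lines, statistics
        info = parse_verdict(m["verdict"])
        info.update(path=m["path"], verdict=m["verdict"], count=int(m["count"]))
        info["category"] = "riskware" if info["prefix"] == "not-a-virus" else "malware"
        # A hit in an IE cache folder is a downloaded file, not an installed program.
        info["in_browser_cache"] = "temporary internet files" in m["path"].lower()
        findings.append(info)
    return findings

def summarize(findings):
    """Totals comparable to the report's 'Scan statistics' block."""
    return {"objects": sum(f["count"] for f in findings),
            "distinct_verdicts": len({f["verdict"] for f in findings}),
            "by_category": dict(Counter(f["category"] for f in findings))}

if __name__ == "__main__":
    for f in triage(REPORT_ROWS):
        print(f"{f['category']:8} {f['behaviour']:16} {f['family']:12} {f['path']}")
    print(summarize(triage(REPORT_ROWS)))
```

The summary reproduces the report's own statistics (2 threat names, 4 infected objects) and shows that three of the four hits are one riskware verdict seen at three nesting levels: the zip, the installer, and the unpacked Mirc.exe.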

          evilfantasy

          Re: Help with Trojan-Psw.onlinegames
          « Reply #23 on: August 04, 2008, 12:44:28 PM »
          Download OTMoveIt2 by OldTimer
          • Save it to your desktop.
          Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

          • Double-click OTMoveIt2.exe to run it.
          • Copy the lines in the codebox below.
          Code:
          [kill explorer]
          C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script\Mirc.exe   
          C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script.exe   
          C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script.zip   
          C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C56X012D\laco1[1].exe
          EmptyTemp
          [start explorer]
          • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
          • Click the red Moveit! button.
          • Copy everything in the Results window (under the green bar) and paste it in your next reply.
          • Close OTMoveIt2
          .
          ----------

          How is everything now?

          sieghart

            Re: Help with Trojan-Psw.onlinegames
            « Reply #24 on: August 04, 2008, 09:35:30 PM »
            Can I not remove the mirc program? I know what it's for and Kaspersky stated it's not a virus, just that I don't know why it's singled out as a threat.

            evilfantasy

            Re: Help with Trojan-Psw.onlinegames
            « Reply #25 on: August 04, 2008, 10:20:42 PM »
            I'm pretty sure that's not the legitimate Mirc program.

            http://www.bleepingcomputer.com/startups/mirc.exe-12046.html

            http://www.threatexpert.com/files/mirc.exe.html

            You can scan it at VirusTotal if you would like to be sure.

            Scan Suspicious File(s)

            Use the VirusTotal.com - Multi engine on-line virus scanner

            • Copy the file path in the below Code box:
            Code:
            C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script\Mirc.exe
            • At the upload site, click once inside the window next to Browse.
            • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
            • Next click Send File
              • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
            • This will perform a scan across multiple different virus scanning engines.
            • Important: Wait for all of the scanning engines to complete.
            • Copy and then Paste the link to the results in the next reply.


              evilfantasy

              Re: Help with Trojan-Psw.onlinegames
              « Reply #27 on: August 04, 2008, 11:42:11 PM »
              Is this folder where you have the mirc installed?

              C:\Documents and Settings\Sieghart\My Documents\Softies\2448Script\2448Script

              sieghart

                Re: Help with Trojan-Psw.onlinegames
                « Reply #28 on: August 05, 2008, 11:10:52 PM »
                yup.

                evilfantasy

                Re: Help with Trojan-Psw.onlinegames
                « Reply #29 on: August 05, 2008, 11:15:24 PM »
                1. Double click OTMoveIt2.exe to launch it.
                Vista users right click and choose Run As Administrator
                2. Click on the CleanUp! button.
                3. OTMoveIt2 will download a list from the Internet. If your firewall or other defensive programs alert you, allow it access.
                4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
                5. Once complete exit out of OTMoveIt2

                ----------

                Set a New Restore Point to prevent possible reinfection from an old one
                Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
                • Go to Start > Programs > Accessories > System Tools and click System Restore
                • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
                • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
                • Next go to Start > Run and type Cleanmgr
                • Click OK
                • Click the More Options Tab.
                • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
                You can find instructions on how to enable and re-enable system restore here:

                Windows XP System Restore Guide or Windows Vista System Restore Guide
                .
                ----------

                Use the Secunia Software Inspector to check for out of date software.
                • Click Start Now
                • Check the box next to Enable thorough system inspection.
                • Click Start
                • Allow the scan to finish and scroll down to see if any updates are needed.
                • Update anything listed.
                .
                ----------

                Important: You need to update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

                If you are running any Microsoft Office version go to the Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

                ----------

                Please keep these programs up-to-date and run them whenever you suspect a problem. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

                Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

                Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

                To prevent unknown applications from being installed on your computer install WinPatrol 2008
                * Using Winpatrol to protect your computer from malicious software

                I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

                SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                * Using SpywareBlaster to protect your computer from Spyware and Malware
                * If you don't know what ActiveX controls are, see here

                Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.