Avast WEBforum

Other => Viruses and worms => Topic started by: Markwest on December 25, 2009, 06:11:14 AM

Title: new worm?, avast doesn' know it
Post by: Markwest on December 25, 2009, 06:11:14 AM

hi, at 1am this morning christmas day i got a worm on my computer after visiting a website (the page was down so throught nothing over it at first) i first noticed my avast mail protection was going crazy and saying it was scanning mail for 80% off for viagara, soon after my computer gave me a warning saying it is shutting down in 60 seconds
after it did this twice i pulled my internet cord out and avast told me a system32 driver file was infected with a worm, i have put the comp into a boot scan (2nd time now) but it doesn't seem to be removing it i also tried deleting it when the comp was active and it came back straight away

once my computer it off this bootscan i will try find out what the file name was for you and edit itinto this topic

Please if you have any suggestions i would like to hear them, i pretty much live on my computer so anything like this really puts my life to a halt, so any suggestions would be helpful

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 25, 2009, 07:33:48 AM

Hi, Markwest, welcome to the forum.
I'd try MBAM, get it (free version) from here. (http://www.malwarebytes.org/mbam.php) You will probably need to download the installer file using a good computer, then transfer it using a flash drive to the sick computer.
Install it and run a quick scan immediately. Tick everything it finds then click "remove selected". It may prompt to reboot to complete remval; do so immediately.
Please post the scan report.
If something was found and removed, reconnect your machine to the web, update MBAM and run another quick scan.

Later you will have to see what your email program was sending, and to who, and contact all of them and tell them to delete those mails unopened.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 25, 2009, 10:26:27 AM

I actully happen to have it on my computer already will run it as soon as avast gets out of the boot scan though i do have some further info, it seems to be copying or protecting itself some how , i found stuff from both temp and restore in the avast chest when i woke up and saw the boot scan had finished, incudling also another virus that avast did reconqize, , but once again avast yelped at me to restart and boot scan it before i could look here on the forum, i will try the program though and see if it can clear it, though i'm not sure how i'd move the scan report over here onto the laptop

Edit: found the file it's infecting. System32\drivers\kpgmh.sys

edit 2: The MbAM found nothing infected though it's probaby well out of date, any other suggestions , avast does see to find the bug in the boot scan but it's back as soon as my computer loads up properly

thanks for the input and help, hopefully we can get this virus locked down before it hurts more people

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 25, 2009, 10:46:15 AM

OK. I'm 13 hours ahead of you if you're in England, so will be going sleep in a (very) few hours.

No Google hits for that file. That's suspicious. It's probably a new malware variant, or if you're really unlucky, a trojan variant that keeps changing its name.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 25, 2009, 10:49:15 AM

well some good news i was able to grab the update really fast online and now mbam is getting infected count going up finding those files, will lock them as soon as the scan is finished, i've been suspcting it might be knew probably somone thought it would be fun to create it for christmas :'(

edit: it seems the file that was getting infected is still there after the malwarebytes removal, same file as last time, though malware bytes did pick up a few hits and logged them

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 25, 2009, 11:00:51 AM

Sounds promising. Fingers X'd.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 25, 2009, 11:09:15 AM

seems mbam picked up on a trojan called vundo.h, though i suspect the other ifection my have dragged that in, since the main infection i first reported is still at large on my computer, avast wanted to boot scan again so i did now that i've made some remobvals incase it helps with the problem

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 12:25:59 AM

well i've taken my computer off the power and hooked up my old machine, waiting for further suggestions and keeping my machine safe at least, i'm pretty much at my end of my rope
i hope you guys can help or keep me informed if avast gets a virus update that fixes it

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 26, 2009, 12:44:33 AM

Can you please post the MBAM log.
If there is more than one, post them, in order.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 01:22:03 AM

Just updating my old computer with windows updates (it's been off for the best part of a year), once it has don that i'll grab the log from my main computer, sorry it's taking so long, just trying to get some access to my normal life again while repairing my main machine

Title: Re: new worm?, avast doesn' know it
Post by: polonus on December 26, 2009, 01:57:17 AM

Hi Markwest,

There is a cleansing routine for vundo.H described here:
http://forums.majorgeeks.com/showthread.php?t=161380
and here:
http://www.bleepingcomputer.com/forums/topic219912.html

polonus

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 02:13:44 AM

polo is it possible that is all i have on my machine, does what i wrote in my first post seem to be its behaviour?, it would be nice if that can just be sorted then and there with that stuff
my old comp is still installing windows updates so i will get to my main comp as soon as it is done and start working on it

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 02:40:47 AM

ok here's the mbam report at least, am working through the guide at the moment seeing if it'll lcear the problem

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

25/12/2009 09:51:55
mbam-log-2009-12-25 (09-51-52).txt

Scan type: Quick Scan
Objects scanned: 125472
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf4552-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv.sys (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysgif32 (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: nmntrs2.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\nmntrs2.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Mark\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (Trojan.Agent) -> No action taken.

Title: Re: new worm?, avast doesn' know it
Post by: DavidR on December 26, 2009, 03:30:45 AM

Run MBAM again and this time when the scan is complete, all detections should have a check mark in the box to the left of the entry, leave them selected (or select if not selected). At the bottom of the window there is a button, Remove Selected, click that and the items will be removed.

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 26, 2009, 04:10:42 AM

Might be a good idea to update MBAM, too.
Your database is out of date, current version (as of yesterday) 3423. Yours indicates 3289.

If MBAM prompts for a reboot to complete removal (unlikely in this case, I believe, but possible) please reboot promptly.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 04:24:16 AM

currently following the guide posted on major geeks using superanti spyware first, then malwarebytes and finishing off with mgtools, i couldn't find a seprate update for malware bytes since i can't go on the net on my main computer without it doing stuff again and do not want to connect i up incase the virus gets worse

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 26, 2009, 04:29:45 AM

Fair enough.
Here's a way to get MBAM updated.
Install it on a clean computer, then update it on that computer.
Go to the folder (in XP) C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware and locate rules.ref (~3.5Mb) and copy it to a flash drive.
Transfer it from the flash drive to the sick computer, to the same folder.
Windows should ask if you want to replace the same named file with this new one. If it doesn't, you're in the wrong folder. Click Yes.
Good to go.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 05:20:11 AM

my laptop seems to be crashing when i use my flash drive on it, hopefully it's just being temprmental, i did update my machine quickly through the net and is now rnning Mabm, though if the flash drive resumes to fail to work i dunno how i will be able to transfer the logs over to the laptop to post here, will keep you updated on what's happening

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 05:25:17 AM

looking at what mg tools does i'm kinda scared to use it and will not be using it after all, will still try and get the logs to this computer and will await furthrt ideas if avast says the file is s till infected

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 26, 2009, 05:53:03 AM

Is this the tool you mean?

Quote from: majorgeeks

C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis...

If it is the same as HijackThis, the tool is safe to run.
It is not safe to remove items without guidance, if you don't know what you are doing.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 06:18:51 AM

here's the intructions from the site

* run the MGTools.exe program by double clicking on it.
o It will create a folder named MGTools in the root folder of the hard disk where Windows is installed ( typically C:\MGTools ).
o It will also automatically extract a bunch of files into this folder.
o It will the automatically start running three batch ( .bat files are batch programs ) programs in that folder.
o This will sequentially run all the tools/scans that are part of MGtools. Each of these scans will create logs in the MGtools folder. You will notice a command prompt window open and messages will appear in this window. This window will close when the scans are complete.
o You may see a popup window with a license agreement for TrendMicro HijackThis. Make sure you click the I Accept button. You need to click it twice to get it to accept.
o If you see HijackThis open and/or a log from HijackThis open in notepad, just close HijackThis and the notepad window.
o These log files while be placed in the root folder of your Windows drive. The log file will also automatically be put into a ZIP file named MGlogs.zip which you will be uploading as an attachment to your message in the forum. Unlike older versions of the programs, no popups of the logs will appear when they finish running during this initial installation. At a later time, running any of the individual batch files will still cause the logs to automatically pop up.
o Continue on to the General Information section below.

even if the program is safe i'm still rather nerved about using it and hopikng my comp wll be clean without use of it

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 26, 2009, 06:39:29 AM

It's quite likely that contains other applications as well as HijackThis, and the batch files to automatically run them. I couldn't easily find info on what they consist of, and it is probably best not to run them in the absence of a helper that has asked you to, which you would probably only find on the MG forum.
Just stick with MBAM for now, don't forget (as DavidR posted) to have it "remove selected", and hopefully things might improve radically after that.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 09:57:14 AM

great news, mbam hit that system file and asked me to restart so it could delete it, i am going to run a standard avast to see if it's there or not and if not i will remove my system restores and that will be that ^^, though if it is still here then i will post logs here and wait for further advice

Edit: :'( it's still there even after Mbam said it was going to delete it after reboot :'( will post logs soon as i can get them on here

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 10:10:29 AM

ok here's the logs since my laptop accepted my gflash drive without crashing this time

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/26/2009 at 03:51 AM

Application Version : 4.32.1000

Core Rules Database Version : 4402
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 01:24:42

Memory items scanned : 518
Memory threats detected : 0
Registry items scanned : 4602
Registry threats detected : 8
File items scanned : 33296
File threats detected : 5

Adware.Vundo/Variant
   HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D5BF4552-94F1-42BD-F434-3604812C807D}
   HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D5BF4552-94F1-42BD-F434-3604812C807D}

Rogue.Component/Trace
   HKLM\Software\Microsoft\70642062
   HKLM\Software\Microsoft\70642062#70648de2
   HKLM\Software\Microsoft\70642062#7064e407
   HKLM\Software\Microsoft\70642062#70642062
   HKLM\Software\Microsoft\70642062#Version

Trojan.Fake-Alert/Trace
   HKU\S-1-5-21-776561741-1563985344-839522115-1003\SOFTWARE\Microsoft\fias4013

Trojan.Agent/Gen
   C:\DOCUMENTS AND SETTINGS\MARK\START MENU\PROGRAMS\STARTUP\SISZYD32.EXE
   C:\WINDOWS\Prefetch\SISZYD32.EXE-02EC40F1.pf

Rootkit.TDSServ-Trace
   C:\WINDOWS\SYSTEM32\TDSSMTYE.DAT

Trojan.Agent/Gen-ImageDocFake
   E:\DOCUMENTS AND SETTINGS\MARK\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8GCHHHH2\MAIN_IMG3[1].PNG
   E:\FOUND.000\DIR0068.CHK\MEDIA\YOHOHO\ICONS\CHANGE_ALERT.PNG

Malwarebytes' Anti-Malware 1.42
Database version: 3431
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

26/12/2009 08:52:05
mbam-log-2009-12-26 (08-52-05).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 561957
Time elapsed: 2 hour(s), 2 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Mark\Local Settings\Temp\sig9E.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\kpgmh.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\sig10.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Application Data\fvgqad.dat (Malware.Trace) -> Quarantined and deleted successfully.

As you can see it said it would delete it on reboot but avast found it still on the computer as soon as it reloaded itself :'(

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 26, 2009, 11:22:07 AM

Bu@@er. It's a SISZYD32 -related infection.
Looking at other forum posts related to this one, it looks like a pain to try and kill.
Please use your good computer to download OTL.exe (http://oldtimer.geekstogo.com/OTL.exe) and transfer it using a flash drive to the desktop of the sick computer.
Open it by double clicking, and select "run scan".
Two logs will be created, OTL.txt and Extras.txt. Copy and paste both to the forum. (Use more than one post if the maximum size is exceeded.)

I'm going to just ask for a bit of help from the maker of this app, now. We'll see what can be done.

Title: Re: new worm?, avast doesn' know it
Post by: YoKenny on December 26, 2009, 11:24:08 AM

Vundo is polomophic malware and infects the whole system and the only way to remove it is a hard disk FORMAT and re install of the operaing system.

Windows XP Service Pack 3 has been available for over a year and provides many Critical Updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Also you should enable Automatic Updates or at least be notified that Updates are available.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don't automatically download or install them.

IE8 is more secure than IE7 and has a lot better performance:
http://www.microsoft.com/windows/Internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 26, 2009, 11:29:27 AM

One more thing: did you have SAS attempt to remove what it found? There is no indication of it attempting to.
You could try a scan again, but this time make sure you have the app try and quarantine all that it finds.

With MBAM, there is no need for a full scan. Just use the quick scan option, for future reference.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 11:43:17 AM

yes sas did remove some stuff, i guess it doesn't show it properly in the log,

kenny i've heard nothing but other problems with service pack 3 and i don't even use ie, and seeing as it seems now there is only a single file and no noticable trace of vundo left on my computer after the removal i'm not about to reformat my computer because quite frankly there is programs on there i do not have and i would have to send my comp away all the way up england to get it properly reformated

i did try another sas scan and it didn't find any new stuff or stuff that it missed the previous time it's stll just that 1 single file

i'm gonna use that program now to grab some logs for here

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 12:01:15 PM

From what i can see this is going to take ALOT of posts with only a 10 k characters limit, is there another option to get it up on here or get the txt file visible or am i gonna just have to work my way through it posting it over those many posts

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 26, 2009, 12:34:38 PM

You could break it into a series of attachments, but that would also take a few posts, not save that much time, and make it harder for the helper/s. So, even though it's a PITA, put them in multiple posts, please.
Seen them before, here. IIRC it takes about 6 posts. Depends on how many files there are.

Title: Re: new worm?, avast doesn' know it
Post by: YoKenny on December 26, 2009, 12:41:57 PM

As IE is the Windows major system display function for Windows XP then no matter what you see it is displayed by it.

When you get the problem resolved your system needs to be updated to SP3 to prevent infections like Vundo.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 12:54:27 PM

OTL logfile created on: 26/12/2009 10:44:30 - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Mark\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 83.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.74 Gb Total Space | 143.33 Gb Free Space | 30.78% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 465.74 Gb Total Space | 322.75 Gb Free Space | 69.30% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BEAST-3DDF91376
Current User Name: Mark
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/26 10:24:12 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
PRC - [2009/12/26 01:47:55 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/26 01:47:55 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/12/16 16:26:56 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/11/24 23:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 23:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 23:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 23:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 23:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/13 20:01:35 | 00,323,392 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
PRC - [2009/10/29 12:27:54 | 01,074,568 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
PRC - [2009/10/24 23:34:04 | 01,217,808 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\steam.exe
PRC - [2009/10/12 18:03:52 | 17,507,000 | ---- | M] (ooVoo LLC) -- C:\Program Files\ooVoo\ooVoo.exe
PRC - [2009/09/28 16:15:58 | 00,242,176 | ---- | M] () -- C:\Program Files\GNU\GnuPG\dirmngr.exe
PRC - [2009/09/03 21:17:14 | 03,342,336 | ---- | M] (Electronic Arts) -- C:\Program Files\Electronic Arts\EADM\Core.exe
PRC - [2009/02/24 19:44:50 | 03,558,136 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
PRC - [2009/02/06 16:07:48 | 00,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/10/15 00:04:34 | 00,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 12:55:22 PM

PRC - [2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/08/13 17:06:56 | 03,660,848 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
PRC - [2008/08/03 23:02:20 | 00,036,352 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2008/08/01 06:19:21 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
PRC - [2008/03/14 22:12:50 | 02,580,480 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
PRC - [2008/03/14 22:12:48 | 02,363,392 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
PRC - [2008/03/07 18:24:18 | 00,417,792 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2008/02/20 19:58:46 | 00,019,968 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\Ctxfihlp.exe
PRC - [2008/02/20 19:58:44 | 00,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CtHelper.exe
PRC - [2008/02/20 19:55:12 | 00,969,216 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTxfispi.exe
PRC - [2007/12/05 00:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/06/13 10:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/01/27 16:16:58 | 00,376,912 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe

========== Modules (SafeList) ==========

MOD - [2009/12/26 10:24:12 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
MOD - [2008/02/20 19:58:42 | 00,008,704 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\ctagent.dll
MOD - [2007/03/08 15:36:28 | 00,172,544 | ---- | M] () -- C:\WINDOWS\obipufic.dll
MOD - [2006/08/25 15:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2009/12/26 01:47:55 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/11/24 23:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 23:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 23:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 23:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/06 01:10:48 | 00,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- c:\Program Files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/10/29 12:27:54 | 01,074,568 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2009/09/28 16:15:58 | 00,242,176 | ---- | M] () [Auto | Running] -- C:\Program Files\GNU\GnuPG\dirmngr.exe -- (DirMngr)
SRV - [2009/02/18 23:11:00 | 02,806,522 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/08/01 06:19:21 | 00,066,872 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2008/03/07 18:24:18 | 00,417,792 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2007/12/05 00:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)

========== Driver Services (SafeList) ==========

DRV - [2009/12/16 16:27:00 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/16 16:26:58 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/16 16:26:56 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/11/24 23:50:59 | 00,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 23:50:12 | 00,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 23:50:00 | 00,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 23:49:07 | 00,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 12:56:18 PM

DRV - [2009/11/24 23:48:57 | 00,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 23:47:54 | 00,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/09/23 09:41:58 | 00,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/08/22 14:44:08 | 00,105,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsnmea.sys -- (zgwhsnmea)
DRV - [2008/08/22 14:43:44 | 00,105,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsmdm.sys -- (zgwhsmdm)
DRV - [2008/08/22 14:43:06 | 00,105,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsdiag.sys -- (zgwhsdiag)
DRV - [2008/04/25 11:26:32 | 00,002,397 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2008/04/13 10:21:50 | 00,017,920 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\Ntaccess.sys -- (NTACCESS)
DRV - [2008/03/21 20:30:04 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/02/25 08:44:38 | 01,172,504 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2008/02/25 08:44:22 | 00,092,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2008/02/25 08:44:08 | 00,157,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2008/02/25 08:44:00 | 00,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2008/02/25 08:43:56 | 00,127,000 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2008/02/25 08:43:30 | 00,346,856 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2008/02/25 08:43:24 | 00,524,312 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2008/02/25 08:43:16 | 00,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2008/02/25 08:41:50 | 00,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2008/02/25 08:41:44 | 00,170,520 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2008/02/25 08:41:36 | 01,323,544 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2008/02/25 08:41:28 | 00,329,240 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2008/02/25 08:41:18 | 00,134,680 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2008/02/25 08:41:14 | 00,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTERFXFX.DLL -- (CTERFXFX.DLL)
DRV - [2008/02/25 08:41:10 | 00,286,232 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2008/02/25 08:41:06 | 00,174,104 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2008/02/25 08:41:02 | 00,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTSBLFX.DLL -- (CTSBLFX.DLL)
DRV - [2008/02/25 08:40:56 | 00,551,960 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTAUDFX.DLL -- (CTAUDFX.DLL)
DRV - [2008/02/25 08:40:52 | 00,098,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\COMMONFX.DLL -- (COMMONFX.DLL)
DRV - [2008/01/23 21:25:32 | 00,027,136 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tapvpn.sys -- (tapvpn)
DRV - [2007/12/19 17:35:19 | 00,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2007/12/05 00:41:00 | 07,435,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/12 08:32:30 | 00,094,592 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/08/20 09:05:02 | 00,027,672 | R--- | M] (EnTech Taiwan) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Entech.sys -- (ENTECH)
DRV - [2007/07/27 11:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2003/09/06 13:37:22 | 00,062,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prohlp02.sys -- (prohlp02)
DRV - [2003/09/06 12:27:06 | 00,004,832 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp01.sys -- (sfhlp01)
DRV - [2003/09/06 12:25:52 | 00,051,744 | ---- | M] (Protection Technology) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\prodrv06.sys -- (prodrv06)
DRV - [2003/09/06 12:22:08 | 00,006,944 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prosync1.sys -- (prosync1)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 12:58:53 PM

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: web@veoh.com:1.4
FF - prefs.js..extensions.enabledItems: {FFC6B7D5-902E-4EBD-9177-7C584223F0D8}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}: C:\Documents and Settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8} [2009/12/25 00:46:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/16 17:22:54 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/26 01:48:04 | 00,000,000 | ---D | M]

[2009/01/08 20:04:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Mozilla\Extensions
[2009/10/29 19:37:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\tz9chjai.default\extensions
[2009/12/26 01:48:05 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/01/29 03:08:04 | 00,132,528 | ---- | M] (NHN USA Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
[2008/09/10 07:39:42 | 00,075,184 | ---- | M] (NHN USA Inc. ) -- C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
[2008/04/28 20:46:51 | 00,151,552 | ---- | M] (PopCap Games) -- C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll

O1 HOSTS File: (765 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 rad.msn.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Veoh Web Player Video Finder) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll (Veoh Networks Inc)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Asaxugesavadeb] C:\WINDOWS\obipufic.DLL ()
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [] File not found
O4 - HKCU..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKCU..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)
O4 - HKCU..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - HKCU..\Run: [oovoo.exe] C:\Program Files\ooVoo\oovoo.exe (ooVoo LLC)
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [Veoh] C:\Program Files\Veoh Networks\Veoh\VeohClient.exe (Veoh Networks)
O4 - HKCU..\Run: [VeohPlugin] C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe (Veoh Networks)
O4 - Startup: C:\Documents and Settings\Mark\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 12:59:56 PM

O15 - HKCU\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: com.tw ([www.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/21 16:52:22 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/21 16:52:22 | 00,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/26 10:45:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi
[2009/12/26 10:43:42 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
[2009/12/26 02:19:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/12/26 02:18:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\SUPERAntiSpyware.com
[2009/12/26 02:18:52 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/26 02:01:17 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/26 01:51:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/12/26 01:49:41 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Mark\Recent
[2009/12/26 01:48:04 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/26 01:48:04 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/26 01:48:04 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/26 01:48:04 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/26 01:48:04 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/26 01:47:50 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/12/26 01:47:18 | 16,672,544 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Mark\Desktop\jre-6u17-windows-i586.exe
[2009/12/25 13:52:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\.kde
[2009/12/25 04:15:50 | 00,135,360 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Mark\Desktop\FixBlast.exe
[2009/12/25 00:46:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}
[2009/12/20 12:09:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\My Documents\NeocoreGames
[2009/12/16 21:46:07 | 01,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2009/12/16 21:46:07 | 00,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2009/12/16 21:46:07 | 00,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2009/12/16 21:46:06 | 05,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2009/12/16 21:46:05 | 00,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2009/12/16 21:45:51 | 00,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2009/12/16 21:44:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\My Documents\Sparkplay Media
[2009/12/16 21:44:26 | 00,573,584 | ---- | C] (SparkPlay Media, Inc) -- C:\Documents and Settings\Mark\Desktop\SparkPlayerInstall.exe
[2009/12/09 15:38:57 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/12/04 05:32:04 | 01,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 01:01:05 PM

[2009/12/04 05:32:04 | 00,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2009/12/02 23:21:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Local Settings\Application Data\Thunderbird
[2009/12/02 23:21:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\Thunderbird
[2009/12/02 23:10:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Gpg4win Documentation
[2009/12/02 23:09:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\gnupg
[2009/12/02 23:09:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\GNU
[2009/12/02 23:09:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\gnupg
[2009/12/02 23:09:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\GNU
[2009/12/02 23:09:24 | 00,000,000 | ---D | C] -- C:\Program Files\GNU
[2009/12/02 23:08:55 | 06,669,256 | ---- | C] (Mozilla) -- C:\Documents and Settings\Mark\Desktop\Thunderbird Setup 2.0.0.23.exe
[2009/12/02 22:46:46 | 36,557,658 | ---- | C] (g10 Code GmbH) -- C:\Documents and Settings\Mark\Desktop\gpg4win-2.0.1.exe
[2009/05/11 19:05:00 | 01,654,869 | ---- | C] (Dynu Systems Inc.) -- C:\Documents and Settings\All Users\Application Data\DynuEncrypt.dll
[2008/08/04 14:55:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/04/25 11:33:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2008/04/21 16:55:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/04/21 16:52:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/04/21 16:52:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/02/20 19:59:14 | 00,034,816 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/26 10:46:33 | 00,714,752 | ---- | M] () -- C:\WINDOWS\System32\drivers\kpgmh.sys
[2009/12/26 10:38:48 | 00,000,021 | ---- | M] () -- C:\WINDOWS\S.dirmngr
[2009/12/26 10:38:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/26 10:38:33 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/26 10:24:12 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
[2009/12/26 09:48:34 | 00,054,160 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000001-00001102-00000005-00291102}.rfx
[2009/12/26 09:48:34 | 00,054,160 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000001-00001102-00000005-00291102}.rfx
[2009/12/26 09:48:34 | 00,000,788 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000001-00001102-00000005-00291102}.rfx
[2009/12/26 09:43:42 | 05,242,880 | -H-- | M] () -- C:\Documents and Settings\Mark\NTUSER.DAT
[2009/12/26 09:43:36 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Mark\ntuser.ini
[2009/12/26 09:24:18 | 00,000,314 | ---- | M] () -- C:\WINDOWS\tasks\dvadaeqn.job
[2009/12/26 02:21:14 | 04,910,518 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\SASDEFINITIONS.EXE
[2009/12/26 02:18:55 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/26 02:13:16 | 02,386,270 | ---- | M] () -- C:\MGtools.exe
[2009/12/26 02:09:14 | 07,451,168 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\SUPERAntiSpyware.exe
[2009/12/26 01:52:05 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/26 01:52:05 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/26 01:52:05 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2009/12/26 01:50:10 | 00,002,052 | ---- | M] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_015006.reg
[2009/12/26 01:47:55 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/26 01:47:55 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/26 01:47:55 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/26 01:47:55 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/26 01:47:54 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/26 01:46:20 | 16,672,544 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Mark\Desktop\jre-6u17-windows-i586.exe
[2009/12/26 01:37:09 | 00,112,292 | ---- | M] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_013623.reg
[2009/12/26 01:23:57 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Igaqofevinuyoz.bin
[2009/12/25 09:45:21 | 00,000,116 | ---- | M] () -- C:\WINDOWS\System32\fjhdyfhsn.bat

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 01:02:11 PM

[2009/12/25 04:07:52 | 00,135,360 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Mark\Desktop\FixBlast.exe
[2009/12/25 00:46:39 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Avasub.dat
[2009/12/25 00:18:14 | 00,000,757 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2009/12/24 03:12:00 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/21 16:28:02 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/19 14:09:24 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/16 21:44:27 | 00,573,584 | ---- | M] (SparkPlay Media, Inc) -- C:\Documents and Settings\Mark\Desktop\SparkPlayerInstall.exe
[2009/12/16 17:41:34 | 00,021,504 | ---- | M] () -- C:\WINDOWS\jestertb.dll
[2009/12/10 23:54:58 | 01,058,225 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\DBM-4.32-r2645-Core-and-WotLK-Mods.zip
[2009/12/07 17:46:59 | 00,001,622 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Left 4 Dead 2.lnk
[2009/12/06 06:06:45 | 00,002,193 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2009/12/04 06:33:26 | 00,000,024 | ---- | M] () -- C:\url_history.xml
[2009/12/04 06:11:01 | 00,000,104 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/03 05:01:00 | 00,007,227 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\RogueFocus.zip
[2009/12/02 23:10:04 | 06,669,256 | ---- | M] (Mozilla) -- C:\Documents and Settings\Mark\Desktop\Thunderbird Setup 2.0.0.23.exe
[2009/12/02 23:10:04 | 00,001,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Kleopatra.lnk
[2009/12/02 23:10:04 | 00,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GPA.lnk
[2009/12/02 22:47:39 | 36,557,658 | ---- | M] (g10 Code GmbH) -- C:\Documents and Settings\Mark\Desktop\gpg4win-2.0.1.exe
[2009/11/30 03:11:10 | 00,000,760 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Fantasy Grounds.lnk
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/26 10:38:48 | 00,000,021 | ---- | C] () -- C:\WINDOWS\S.dirmngr
[2009/12/26 02:23:22 | 04,910,518 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\SASDEFINITIONS.EXE
[2009/12/26 02:18:55 | 00,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/26 02:17:46 | 02,386,270 | ---- | C] () -- C:\MGtools.exe
[2009/12/26 02:17:37 | 07,451,168 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\SUPERAntiSpyware.exe
[2009/12/26 01:50:08 | 00,002,052 | ---- | C] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_015006.reg
[2009/12/26 01:36:27 | 00,112,292 | ---- | C] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_013623.reg
[2009/12/25 00:46:39 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Avasub.dat
[2009/12/25 00:46:39 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Igaqofevinuyoz.bin
[2009/12/25 00:43:13 | 00,714,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\kpgmh.sys
[2009/12/25 00:43:01 | 00,000,116 | ---- | C] () -- C:\WINDOWS\System32\fjhdyfhsn.bat
[2009/12/16 17:41:34 | 00,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2009/12/10 23:54:58 | 01,058,225 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\DBM-4.32-r2645-Core-and-WotLK-Mods.zip
[2009/12/07 17:46:59 | 00,001,622 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Left 4 Dead 2.lnk
[2009/12/03 05:00:59 | 00,007,227 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\RogueFocus.zip
[2009/12/02 23:10:04 | 00,001,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Kleopatra.lnk
[2009/12/02 23:10:04 | 00,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GPA.lnk
[2009/11/30 03:11:10 | 00,000,760 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Fantasy Grounds.lnk
[2009/11/06 10:58:04 | 00,178,975 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/10/30 05:48:04 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/26 11:11:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2009/06/06 06:13:38 | 00,000,127 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\fusioncache.dat
[2009/02/20 09:52:15 | 00,069,024 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/02/20 00:26:19 | 00,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/02/05 13:24:45 | 00,118,176 | ---- | C] () -- C:\WINDOWS\patchw.dll

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 01:04:20 PM

[2008/12/15 16:12:12 | 01,563,797 | -HS- | C] () -- C:\WINDOWS\System32\ekafelat.ini
[2008/12/15 02:04:56 | 00,058,151 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUInstall.LiveUpdate
[2008/12/14 12:03:56 | 01,563,737 | -HS- | C] () -- C:\WINDOWS\System32\ububimem.ini
[2008/12/13 23:12:31 | 01,563,737 | -HS- | C] () -- C:\WINDOWS\System32\iyanusuf.ini
[2008/10/07 08:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/07/30 12:57:07 | 00,136,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008/07/30 12:57:07 | 00,022,328 | ---- | C] () -- C:\Documents and Settings\Mark\Application Data\PnkBstrK.sys
[2008/07/20 11:26:31 | 00,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2008/06/05 07:58:26 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/05/19 08:27:25 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/05/19 07:10:07 | 00,230,752 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2008/05/03 00:54:53 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/05/01 22:21:41 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2008/05/01 22:21:41 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2008/05/01 22:21:41 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2008/04/28 14:39:43 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/27 13:07:32 | 00,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/04/25 11:43:26 | 00,663,552 | ---- | C] () -- C:\WINDOWS\System32\libeay32_1-1-0_DDR.dll
[2008/04/25 11:43:26 | 00,532,594 | ---- | C] () -- C:\WINDOWS\System32\xerces-c_1_40_0_DDR.dll
[2008/04/25 11:43:26 | 00,307,329 | ---- | C] () -- C:\WINDOWS\System32\BJBase_2-2-2_DDR.dll
[2008/04/25 11:43:26 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32_1-1-0_DDR.dll
[2008/04/25 11:43:25 | 00,524,377 | ---- | C] () -- C:\WINDOWS\System32\stlport_4_0_0_DDR.dll
[2008/04/25 11:26:32 | 00,002,397 | ---- | C] () -- C:\WINDOWS\System32\drivers\symlcbrd.sys
[2008/04/22 11:28:21 | 00,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2008/04/22 11:20:09 | 00,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2008/03/31 21:25:46 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\divx_xx0a.dll
[2008/03/21 20:30:08 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/03/21 20:28:54 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/03/21 20:28:54 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/03/21 20:28:20 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/02/25 13:55:32 | 00,101,603 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/02/20 20:24:36 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/02/20 20:00:12 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2008/01/31 16:18:14 | 00,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2007/12/05 00:41:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 00:41:00 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/05 00:41:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 00:41:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/05 00:41:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/08/13 19:45:02 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2007/07/27 11:00:00 | 00,172,544 | ---- | C] () -- C:\WINDOWS\obipufic.dll
[2006/10/02 16:25:18 | 00,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
< End of report >

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 01:07:51 PM

OTL Extras logfile created on: 26/12/2009 10:44:30 - Run 1
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Mark\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 83.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.74 Gb Total Space | 143.33 Gb Free Space | 30.78% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 465.74 Gb Total Space | 322.75 Gb Free Space | 69.30% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BEAST-3DDF91376
Current User Name: Mark
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] --

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 01:09:37 PM

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"443:TCP" = 443:TCP:*:Enabled:ooVoo TCP port 443
"443:UDP" = 443:UDP:*:Enabled:ooVoo UDP port 443
"37674:TCP" = 37674:TCP:*:Enabled:ooVoo TCP port 37674
"37674:UDP" = 37674:UDP:*:Enabled:ooVoo UDP port 37674
"37675:UDP" = 37675:UDP:*:Enabled:ooVoo UDP port 37675
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
"37676:TCP" = 37676:TCP:*:Enabled:ooVoo TCP port 37676
"37676:UDP" = 37676:UDP:*:Enabled:ooVoo UDP port 37676
"37677:UDP" = 37677:UDP:*:Enabled:ooVoo UDP port 37677

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Firefly Studios\Stronghold 2\Stronghold2.exe" = C:\Program Files\Firefly Studios\Stronghold 2\Stronghold2.exe:*:Enabled:Stronghold 2 -- (Firefly Studios)
"C:\Program Files\THQ\Company of Heroes\RelicCOH.exe" = C:\Program Files\THQ\Company of Heroes\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts -- File not found
"C:\Program Files\Unreal Tournament 3\Binaries\UT3.exe" = C:\Program Files\Unreal Tournament 3\Binaries\UT3.exe:*:Enabled:Unreal Tournament 3 -- ()
"C:\Program Files\Cyanide\GameCenter\GameCenter.exe" = C:\Program Files\Cyanide\GameCenter\GameCenter.exe:*:Enabled:GameCenter -- (Cyanide)
"C:\Program Files\Cyanide\Loki\Loki.exe" = C:\Program Files\Cyanide\Loki\Loki.exe:*:Enabled:Loki -- File not found
"C:\Program Files\Cyanide\Loki\Autorun\AutoRun.exe" = C:\Program Files\Cyanide\Loki\Autorun\AutoRun.exe:*:Enabled:Loki - AutoRun -- File not found
"C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe" = C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander -- File not found
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe" = C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) -- ()
"C:\WINDOWS\system32\PnkBstrA.exe" = C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA -- ()
"C:\WINDOWS\system32\PnkBstrB.exe" = C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB -- ()
"C:\Program Files\Namco Bandai Games\Warhammer Mark of Chaos\Warhammer.exe" = C:\Program Files\Namco Bandai Games\Warhammer Mark of Chaos\Warhammer.exe:*:Enabled:Warhammer® Mark of Chaos™ - Battle March™ GOLD -- (Black Hole Entertainment)
"C:\Program Files\Microsoft Games\Dungeon Siege 2\DungeonSiege2.exe" = C:\Program Files\Microsoft Games\Dungeon Siege 2\DungeonSiege2.exe:*:Enabled:Dungeon Siege 2 Game Executable -- (Gas Powered Games)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe" = C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe:*:Enabled:AluSchedulerSvc -- File not found

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 01:10:44 PM

"C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" = C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe:*:Enabled:symlcsvc -- File not found
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" = C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client -- (Veoh Networks)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- (Electronic Arts)
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Ntreev\Grand Chase\main.exe" = C:\Ntreev\Grand Chase\main.exe:*:Enabled:GrandChase -- ()
"C:\Program Files\SecondLife\SLVoice.exe" = C:\Program Files\SecondLife\SLVoice.exe:*:Enabled:SLVoice -- ()
"C:\Program Files\Wizards of the Coast\Magic Online III\Renamer.exe" = C:\Program Files\Wizards of the Coast\Magic Online III\Renamer.exe:*:Enabled:Magic The Gathering Online -- (WotC)
"C:\Program Files\softnyx\GunboundWC\GunBound.gme" = C:\Program Files\softnyx\GunboundWC\GunBound.gme:*:Enabled:GunBound -- (Softnyx)
"C:\Documents and Settings\Mark\Local Settings\Temp\Blizzard Launcher Temporary - 092f8448\Launcher.exe" = C:\Documents and Settings\Mark\Local Settings\Temp\Blizzard Launcher Temporary - 092f8448\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found
"C:\Program Files\ooVoo\ooVoo.exe" = C:\Program Files\ooVoo\ooVoo.exe:*:Enabled:ooVoo -- (ooVoo LLC)
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\Outspark\WindSlayer\WindSlayer.exe" = C:\Program Files\Outspark\WindSlayer\WindSlayer.exe:*:Enabled:WindSlayer -- ()
"C:\Documents and Settings\Mark\Local Settings\Temp\Blizzard Launcher Temporary - 248a9570\Launcher.exe" = C:\Documents and Settings\Mark\Local Settings\Temp\Blizzard Launcher Temporary - 248a9570\Launcher.exe:*:Enabled:Blizzard Launcher -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main -- (Obsidian Entertainment, Inc.)
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD -- (Obsidian Entertainment, Inc.)
"C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater -- (Obsidian Entertainment, Inc.)
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server -- (Obsidian Entertainment, Inc.)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- ()
"C:\Program Files\Steam\SteamApps\common\dawn of war 2\DOW2.exe" = C:\Program Files\Steam\SteamApps\common\dawn of war 2\DOW2.exe:*:Enabled:DOW2 -- (THQ Canada Inc.)
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" = C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player -- (Veoh Networks)
"C:\Program Files\Apprentice\Appr.exe" = C:\Program Files\Apprentice\Appr.exe:*:Enabled:Appr -- ()
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe" = C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe:*:Enabled:Soulstorm -- (THQ Canada Inc.)
"C:\Program Files\EA Games\Mercenaries 2 World in Flames\Mercenaries2.exe" = C:\Program Files\EA Games\Mercenaries 2 World in Flames\Mercenaries2.exe:*:Enabled:Mercenaries 2: World in Flames -- File not found
"C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat" = C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\game.dat:*:Enabled:The Battle for Middle-earth(tm) II -- (Electronic Arts Inc.)
"C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\patchget.dat" = C:\Program Files\Electronic Arts\The Battle for Middle-earth (tm) II\patchget.dat:*:Enabled:patchgrabber -- (Electronic Arts)
"C:\WINDOWS\Downloaded Program Files\PurpleBean.exe" = C:\WINDOWS\Downloaded Program Files\PurpleBean.exe:*:Enabled:PurpleBean.exe -- ()
"C:\Program Files\World of Warcraft\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Steam\SteamApps\common\plants vs zombies\PlantsVsZombies.exe" = C:\Program Files\Steam\SteamApps\common\plants vs zombies\PlantsVsZombies.exe:*:Enabled:Plants Vs Zombies -- ()
"C:\Program Files\Steam\SteamApps\umbereternus\team fortress 2\hl2.exe" = C:\Program Files\Steam\SteamApps\umbereternus\team fortress 2\hl2.exe:*:Enabled:hl2 -- File not found
"C:\Program Files\World of Warcraft\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Codemasters\The Lord of the Rings Online\lotroclient.exe" = C:\Program Files\Codemasters\The Lord of the Rings Online\lotroclient.exe:*:Enabled:lotroclient -- File not found
"C:\Program Files\Steam\SteamApps\common\overlord ii\Overlord2.exe" = C:\Program Files\Steam\SteamApps\common\overlord ii\Overlord2.exe:*:Enabled:Overlord II -- ()
"C:\Program Files\Steam\SteamApps\common\overlord ii\Config.exe" = C:\Program Files\Steam\SteamApps\common\overlord ii\Config.exe:*:Enabled:Overlord II -- ()
"C:\Program Files\Electronic Arts\BattleForge\Bootstrapper.exe" = C:\Program Files\Electronic Arts\BattleForge\Bootstrapper.exe:*:Enabled:BattleForge™ Launcher -- (EA Phenomic)
"C:\Program Files\Electronic Arts\BattleForge\BattleForge.exe" = C:\Program Files\Electronic Arts\BattleForge\BattleForge.exe:*:Enabled:BattleForge™ -- (EA Phenomic)
"C:\Program Files\Steam\SteamApps\common\bookworm adventures volume 2\BookwormAdventuresVol2.exe" = C:\Program Files\Steam\SteamApps\common\bookworm adventures volume 2\BookwormAdventuresVol2.exe:*:Enabled:Bookworm Adventures Volume 2 -- (PopCap Games, Inc.)
"C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Cyanide\Blood Bowl\Autorun\Exe\Autorun.exe" = C:\Program Files\Cyanide\Blood Bowl\Autorun\Exe\Autorun.exe:*:Enabled:Blood Bowl - AutoRun -- ()
"C:\Program Files\Cyanide\Blood Bowl\BB.exe" = C:\Program Files\Cyanide\Blood Bowl\BB.exe:*:Enabled:Blood Bowl -- (Cyanide)
"C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Turbine\DDO Unlimited\dndclient.exe" = C:\Program Files\Turbine\DDO Unlimited\dndclient.exe:*:Enabled:dndclient -- (Turbine, Inc.)
"C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Dragon Age Origins Character Creator\bin_ship\DAOCharacterCreator.exe" = C:\Program Files\Dragon Age Origins Character Creator\bin_ship\DAOCharacterCreator.exe:*:Enabled:Dragon Age Origins Character Creator -- (BioWare)
"C:\Program Files\Dragon Age Origins Character Creator\DAOriginsLauncher.exe" = C:\Program Files\Dragon Age Origins Character Creator\DAOriginsLauncher.exe:*:Enabled:Dragon Age Origins Character Creator Launcher -- (BioWare)
"C:\Program Files\Steam\SteamApps\common\command and conquer red alert 3 uprising\RA3EP1.exe" = C:\Program Files\Steam\SteamApps\common\command and conquer red alert 3 uprising\RA3EP1.exe:*:Enabled:Command and Conquer: Red Alert 3 - Uprising -- (Electronic Arts, Inc.)
"C:\Program Files\Steam\SteamApps\common\left 4 dead 2 demo\left4dead2.exe" = C:\Program Files\Steam\SteamApps\common\left 4 dead 2 demo\left4dead2.exe:*:Enabled:left4dead2 -- File not found
"C:\Program Files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe" = C:\Program Files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe:*:Enabled:Dragon Age Origins Updater -- (BioWare)

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 01:11:33 PM

"C:\Program Files\Steam\SteamApps\common\zuma's revenge\ZumasRevenge.exe" = C:\Program Files\Steam\SteamApps\common\zuma's revenge\ZumasRevenge.exe:*:Enabled:Zuma's Revenge! Demo -- (PopCap Games, Inc.)
"C:\Program Files\FantasyGrounds\FantasyGrounds.exe" = C:\Program Files\FantasyGrounds\FantasyGrounds.exe:*:Enabled:FantasyGrounds -- ()
"C:\Program Files\Steam\steam.exe" = C:\Program Files\Steam\steam.exe:*:Enabled:Steam 732897 -- (Valve Corporation)
"C:\Program Files\Steam\SteamApps\common\left 4 dead 2\left4dead2.exe" = C:\Program Files\Steam\SteamApps\common\left 4 dead 2\left4dead2.exe:*:Enabled:Left 4 Dead 2 -- ()
"C:\Program Files\Steam\SteamApps\common\dragon age origins\bin_ship\DAOrigins.exe" = C:\Program Files\Steam\SteamApps\common\dragon age origins\bin_ship\DAOrigins.exe:*:Enabled:Dragon Age: Origins -- (BioWare)
"C:\Program Files\Steam\SteamApps\common\dragon age origins\DAOriginsLauncher.exe" = C:\Program Files\Steam\SteamApps\common\dragon age origins\DAOriginsLauncher.exe:*:Enabled:Dragon Age: Origins -- (BioWare)
"C:\Program Files\Steam\SteamApps\common\torchlight\Torchlight.exe" = C:\Program Files\Steam\SteamApps\common\torchlight\Torchlight.exe:*:Enabled:Torchlight -- (Runic Games, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{0405E51E-9582-4207-8F38-AC44201D3808}" = VeohTV BETA
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{067EC517-9731-43FD-B4D5-296EE0027BBB}" = LogMeIn Hamachi
"{14C87AA7-08E6-419F-A165-998EBE5023D7}" = Oblivion - Knights of the Nine
"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0
"{16D2C649-CBA8-44EE-B730-12584667D487}" = Stronghold 2 Deluxe
"{16D919E6-F019-4E15-BFBE-4A85EF19DA57}" = Oblivion - Spell Tomes
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{20071984-5EB1-4881-8EDB-082532ACEC6D}" = Heroes of Might and Magic V
"{20533183-D42D-4261-A125-956736FBEA8C}" = Dawn of War - Soulstorm
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{259A8A5E-2886-4BED-9EF1-D5485282CCC3}" = Overlord
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{296D8550-CB06-48E4-9A8B-E5034FB64715}" = Command & Conquer™ Red Alert™ 3
"{2A9F95AB-65A3-432c-8631-B8BC5BF7477A}" = The Battle for Middle-earth (tm) II
"{2F2E3D62-8B8C-448F-8900-451325E50948}" = Oblivion - Wizard's Tower
"{30D1F3D2-54CF-481D-A005-F94B0E98FEEC}" = Sid Meier's Civilization 4 Complete
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35242997-4DA2-4DDF-9698-ED8219442B8F}" = Etherlords II
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3ABEBD00-299D-4DCA-967F-B912163AB5EA}" = Oblivion - Horse Armor Pack
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{4AA3D64E-9EC3-4B0F-AB91-5885AC55641F}" = Microsoft Games for Windows - LIVE
"{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}" = Oblivion - Vile Lair
"{5435FF3C-48CF-4B34-85E1-2C95673EB254}" = Dawn of War - Soulstorm
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{66FF4C48-0083-4E60-8556-B883AB200091}" = Heroes of Might & Magic V: Hammers of Fate
"{66FF4C48-0083-4E60-8556-B883AB200092}" = Heroes of Might and Magic V - Tribes of the East
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{72FD5F2E-1F7A-4E9B-8838-29E842E178CD}" = PC Suite
"{784D1110-7A5D-4BE9-8AAA-CC70FA2D1CBA}" = WindSlayer
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 01:12:20 PM

"{7F3AD00A-1819-4B15-BB7D-08B3586336D7}" = 3DMark06
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83F12F73-D52E-40C0-93B1-463C311C4E17}" = Warhammer 40,000: Dawn Of War - Gold Edition
"{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8FDC1610-3FB5-4EF2-A0D0-CEDC3A525A25}" = THE SETTLERS - Heritage of Kings (all products)
"{907B4640-266B-4A21-92FB-CD1A86CD0F63}" = RollerCoaster Tycoon 3
"{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A563C4F4-BE36-4956-BA0B-E02BDD9F70D5}" = Dungeon Siege 2 Broken World
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{ABC91C39-266D-4042-828E-4386E0F25218}" = Warhammer® Mark of Chaos™ - Battle March™ GOLD
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.5
"{AC76BA86-7AD7-1033-7B44-A81300000003}_814" = KB408682
"{AF7733C1-FB0B-4FED-9730-E0433AF7A2EF}" = Magic Online III
"{B0C30E93-D3D9-4F04-A2AC-54749B573275}" = Command & Conquer 3
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B6829D65-F5C5-47F0-00BC-F5906EA94F4C}" = Tiger Woods PGA TOUR 07
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}" = Unreal Tournament 3
"{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"{C580908C-B3BA-4C19-BD60-16F02F272201}" = BattleForge™
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC2422C9-F7B5-4175-B295-5EC2283AA674}" = Command & Conquer™ 3: Kane's Wrath
"{CDADEF3D-B6F8-4530-A074-168FCF364DA2}" = WindSlayer
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CEA0BA90-DED4-169F-BA18-D9F57E43E6AD}" = Deal or No Deal
"{D4E5A687-797D-44B1-8F96-4FD7A24166A9}" = DEVIL MAY CRY 4
"{D8B5B7C3-47B1-40FA-8251-59C74A543880}" = Dragon Age: Origins Character Creator
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
"{EB5F211D-85D5-44C4-BB15-1207C77EF430}" = Visual C++ 8.0 Runtime Setup Package
"{EC425CFC-EE78-4A91-AA25-3BFA65B75364}" = Oblivion - Orrery
"{EF295F5C-7B57-47AA-8889-6B3E8E214E89}" = Oblivion - Mehrunes Razor
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F20C1251-1D0A-4944-B2AE-678581B33B19}" = Neverwinter Nights 2
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F87A8E11-02A4-4875-A3A5-5961081B0E4E}" = OpenOffice.org 2.4
"{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}" = ooVoo
"{FF39FC01-819B-42E4-AE49-1968AF12DDD4}" = Dawn of War - Dark Crusade
"{FFFFFD17-B460-41EB-93F1-C48ABAD63828}" = Oblivion - Thieves Den
"15b35190-c6f9-11d9-9669-0800200c9a66_is1" = Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.09.03.800
"7-Zip" = 7-Zip 4.57
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced Tools" = Advanced Tools
"Age of Wonders II" = Age of Wonders II
"AudioCS" = Creative Audio Console
"avast!" = avast! Antivirus
"Battle.net" = Battle.net
"BloodBowl_is1" = Blood Bowl 1.1.2.1
"Bookworm Adventures Vol. 2" = Bookworm Adventures Vol. 2
"BroadJump Client Foundation" = BroadJump Client Foundation
"Camera" = Digital Camera Manager
"Diablo" = Diablo
"Diablo II" = Diablo II
"Dragonica(EU)" = Dragonica(EU)
"Dungeon Keeper II" = Dungeon Keeper 2
"DungeonSiege2" = Dungeon Siege 2
"EADM" = EA Download Manager
"Fantasy Grounds" = Fantasy Grounds
"Feeding Frenzy Deluxe 5.7.18.1" = Feeding Frenzy Deluxe 5.7.18.1
"Fraps" = Fraps
"GameCenter" = GameCenter
"GPG4Win" = Gpg4win (2.0.1)
"Grand Chase" = Grand Chase
"GTK 2.0" = GTK+ Runtime 2.12.8 rev a (remove only)
"GunboundWC_is1" = GunboundWC
"HD Tune_is1" = HD Tune 2.55
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{0405E51E-9582-4207-8F38-AC44201D3808}" = VeohTV BETA
"InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
"InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}" = Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
"InstallShield_{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217}" = Call of Duty(R) 4 - Modern Warfare(TM)
"Launcher" = Outspark Launcher
"LogMeIn Hamachi" = LogMeIn Hamachi
"LUNA_US_090414" = LUNA Online v1.0.0
"Lunia" = Lunia
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
"mIRC" = mIRC
"Mozilla Firefox (3.0.16)" = Mozilla Firefox (3.0.16)
"Nero - Burning Rom!UninstallKey" = Nero 6
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"Pangya" = Pangya (Ntreev USA)
"Peggle Deluxe 1.01" = Peggle Deluxe 1.01
"Pidgin" = Pidgin
"Plants vs. Zombies" = Plants vs. Zombies
"PopCap Browser Plugin" = PopCap Browser Plugin
"Puzzle Quest Galactrix1.00" = Puzzle Quest Galactrix

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 01:12:59 PM

"Red Alert 2" = Command & Conquer Red Alert 2
"RoboType_is1" = RoboType (PC Magazine)
"SecondLife" = SecondLife (remove only)
"Secret of the Solstice" = Secret of the Solstice
"Shockwave" = Shockwave
"Steam App 12810" = Overlord II
"Steam App 15620" = Warhammer 40,000: Dawn of War II
"Steam App 17450" = Dragon Age: Origins
"Steam App 220" = Half-Life 2
"Steam App 23380" = Gyromancer
"Steam App 24800" = Command and Conquer: Red Alert 3 - Uprising
"Steam App 340" = Half-Life 2: Lost Coast
"Steam App 3590" = Plants Vs Zombies
"Steam App 3622" = Zuma's Revenge! Demo
"Steam App 3630" = Bookworm Adventures Volume 2
"Steam App 380" = Half-Life 2: Episode One
"Steam App 400" = Portal
"Steam App 41500" = Torchlight
"Steam App 420" = Half-Life 2: Episode Two
"Steam App 440" = Team Fortress 2
"Steam App 550" = Left 4 Dead 2
"SystemRequirementsLab" = System Requirements Lab
"Veoh Web Player Beta" = Veoh Web Player Beta
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinGrab 1.50_is1" = WinGrab 1.50.09
"WinLiveSuite_Wave3" = Windows Live Essentials
"WOLAPI" = Westwood Shared Internet Components
"World of Warcraft" = World of Warcraft
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yuri's Revenge" = Command && Conquer Red Alert 2 - Yuri's Revenge

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"ijji FireFox Launcher" = ijji FireFox Launcher 1.0
"InstallShield_{BFA90209-7AFF-4DB6-8E4B-E57305751AD7}" = Unreal Tournament 3
"Sparkplayer (Beta)" = Sparkplayer (Beta)

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 24/12/2009 23:53:14 | Computer Name = BEAST-3DDF91376 | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 25/12/2009 00:22:58 | Computer Name = BEAST-3DDF91376 | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 25/12/2009 09:24:45 | Computer Name = BEAST-3DDF91376 | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 25/12/2009 09:38:23 | Computer Name = BEAST-3DDF91376 | Source = avast! | ID = 33554522
Description = Internal error has occurred in module aswar scan function failed!,
function 00000002.

Error - 25/12/2009 09:57:04 | Computer Name = BEAST-3DDF91376 | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestOpenList Error 1753.

Error - 25/12/2009 09:57:04 | Computer Name = BEAST-3DDF91376 | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::LoadFiles()
chestOpenList() failed: 2147422219.

Error - 25/12/2009 09:57:16 | Computer Name = BEAST-3DDF91376 | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::OnCreate()
!m_strErrorWnd.IsEmpty().

Error - 25/12/2009 22:01:44 | Computer Name = BEAST-3DDF91376 | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 26/12/2009 00:03:36 | Computer Name = BEAST-3DDF91376 | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 26/12/2009 05:05:09 | Computer Name = BEAST-3DDF91376 | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

[ Application Events ]
Error - 24/12/2009 20:43:48 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application ctfmon.exe, version 5.1.2600.2180, faulting module
am30400.dll, version 4.72.0.30400, fault address 0x000014d3.

Error - 24/12/2009 20:51:47 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application rundll32.exe, version 5.1.2600.2180, faulting
module am30400.dll, version 4.72.0.30400, fault address 0x000014d3.

Error - 24/12/2009 20:51:47 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application ctfmon.exe, version 5.1.2600.2180, faulting module
am30400.dll, version 4.72.0.30400, fault address 0x000014d3.

Error - 24/12/2009 20:52:06 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application reader_sl.exe, version 8.0.0.0, faulting module
am30400.dll, version 4.72.0.30400, fault address 0x000014d3.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 01:14:24 PM

Error - 24/12/2009 20:55:23 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module unknown, version 0.0.0.0, fault address 0x012158ad.

Error - 24/12/2009 20:55:29 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 24/12/2009 23:29:37 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application ctfmon.exe, version 5.1.2600.2180, faulting module
am30400.dll, version 4.72.0.30400, fault address 0x000014d3.

Error - 24/12/2009 23:29:37 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application rundll32.exe, version 5.1.2600.2180, faulting
module am30400.dll, version 4.72.0.30400, fault address 0x000014d3.

Error - 26/12/2009 05:15:44 | Computer Name = BEAST-3DDF91376 | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.42.0.0, faulting module ntdll.dll,
version 5.1.2600.2180, fault address 0x00018fea.

Error - 26/12/2009 05:18:49 | Computer Name = BEAST-3DDF91376 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.42.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 26/12/2009 00:09:21 | Computer Name = BEAST-3DDF91376 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 30 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 26/12/2009 00:09:21 | Computer Name = BEAST-3DDF91376 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 30 minutes. NtpClient has no source of accurate
time.

Error - 26/12/2009 05:29:46 | Computer Name = BEAST-3DDF91376 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 26/12/2009 05:29:50 | Computer Name = BEAST-3DDF91376 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBT service which failed
to start because of the following error: %%31

Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 26/12/2009 05:31:08 | Computer Name = BEAST-3DDF91376 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT prodrv06 RasAcd Rdbss SASDIFSV
SASKUTIL
Tcpip

Error - 26/12/2009 05:32:51 | Computer Name = BEAST-3DDF91376 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

< End of report >

Title: Re: new worm?, avast doesn' know it
Post by: oldman on December 26, 2009, 07:47:31 PM

Hi there,

I've been asked to have a look at your logs. Please do not make any changes to your computer or download any other programs than I request.

Lot's of malware present and there may be a rootkit involved. Let's see how deep this is before we clean it.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

(http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif)
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

(http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif) (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in your next reply.

Please post back with the GMER log.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 08:27:01 PM

how far do i need to go do stop all the running programs will i ahve to use the ctrl alt del and stop most of the programs/running stuff in there, if so what are the few things i need to leave on to keep the comp running?

Title: Re: new worm?, avast doesn' know it
Post by: oldman on December 26, 2009, 08:30:09 PM

Hi

Just disable your antimalware scanners and make sure no windows are open or minimized on the try.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 26, 2009, 11:56:56 PM

i got a error msg saying a rootkit has changed a file, and then the scan stopped, posting the log (needing to restart the comp through since it crashed on me)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-26 22:33:57
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Mark\LOCALS~1\Temp\kgnyypow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA528B6B8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA528B574] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA528BA52] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA528B14C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA528B64E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA528B08C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA528B0F0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA528B76E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA528B72E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA528B8AE] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA53470B0] <-- ROOTKIT !!!

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8ACE0210

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\prodrv06 \Device\ProDrv06 E1DD26E8
Device \Driver\iaStor \Device\Ide\iaStor0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E1014770

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] kpgmh <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kpgmh@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\kpgmh@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kpgmh@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\kpgmh@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\kpgmh@Group Boot Bus Extender

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 27, 2009, 12:01:53 AM

it started looking through my warcraft add ons at this point and made the log huge, will post them anyways
if you want me to, it started looking through them and that is when the thing said a rootkit has changed a file and i's why it stopped working, willpost after this post if you need me to

Title: Re: new worm?, avast doesn' know it
Post by: oldman on December 27, 2009, 12:21:30 AM

Hi MarkWest,

That's ok, we can see the rootkit. Let's se if we can get it before it changes.

Please read through these instructions to familarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://"http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html")
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RC1.png)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/RC2-1.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.[color="red"]Do not mouse-click Combofix's window while it is running. That may cause it to stall.[/color]
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 27, 2009, 12:30:00 AM

is ther eany way i can get the microsoft recovery console onto my computer via a flash drive, i am not connected to the net on that machine currently because every time i connect it starts messing up

from what i've seen so far the root kit has stayed in the same file i hope it stays that way :'(

other then that i may need to get some sleep soon so i may have to go to this latest thing to do after a nights sleep

Title: Re: new worm?, avast doesn' know it
Post by: oldman on December 27, 2009, 12:55:52 AM

Hi MarkWest,

Yes we can do that.

Depending on whether you have XP Home or XP Pro will indicate which file to download.

Home (http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464&displaylang=en)

Pro (http://www.microsoft.com/downloads/details.aspx?FamilyId=535D248D-5E10-49B5-B80C-0A0205368124&displaylang=en)

To determine which file you need

Click your Start button
Right click on My Computer.
You will find the version on the General tab.

Once you have found which version you need, click the appropriate link above.

Download the file and transfer it to the infected computer's Desktop.

Make sure the copy of combofix you have is also located on the desktop.

With your left mouse button, drag the file onto the combofix icon as shown below. This will start combofix so don't do anything else. Also make sure your security programs have been disabled per the previous instructions.

note: If the attached image is not animated, click it.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 27, 2009, 03:30:06 PM

can it take a while to create a system restore point, it doesn't sound like it's doing anything, after i accepted the agreement s i haven't touched my machine and it seems to still be on attempting to create a system restore point

if it shouldn't be taking a while to do this should i restart my computer and try again?

edit: of no worries it carried on like 1 min ater hehe

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 27, 2009, 03:50:38 PM

ComboFix 09-12-26.01 - Mark 27/12/2009 14:30:13.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.3327.2930 [GMT 0:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: avast! antivirus 4.8.1368 [VPS 091225-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}
c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\chrome.manifest
c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\chrome\content\_cfg.js
c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\chrome\content\overlay.xul
c:\documents and settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\install.rdf
c:\recycler\NPROTECT
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\jestertb.dll
c:\windows\obipufic.dll
c:\windows\system32\ekafelat.ini
c:\windows\system32\iyanusuf.ini
c:\windows\system32\SIntf16.dll
c:\windows\system32\ububimem.ini
c:\windows\Tasks\dvadaeqn.job
E:\install.exe

----- BITS: Possible infected sites -----

hxxp://download.xbox.com:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-26 09:30 . 2009-12-26 09:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-26 02:24 . 2009-12-26 02:24   52224   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-26 02:20 . 2009-12-26 02:24   117760   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-26 02:19 . 2009-12-26 02:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
2009-12-26 02:17 . 2009-12-26 02:13   2386270   ----a-w-   C:\MGtools.exe
2009-12-26 01:48 . 2009-12-26 01:47   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-26 01:47 . 2009-12-26 01:47   --------   d-----w-   c:\program files\Java
2009-12-25 13:52 . 2009-12-25 13:52   --------   d-----w-   c:\documents and settings\Mark\.kde
2009-12-25 09:45 . 2009-12-25 09:45   4844295   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-25 00:46 . 2009-12-27 14:07   0   ----a-w-   c:\windows\Igaqofevinuyoz.bin
2009-12-25 00:46 . 2009-12-25 00:46   120   ----a-w-   c:\windows\Avasub.dat
2009-12-25 00:43 . 2009-12-27 14:35   714752   ----a-w-   c:\windows\system32\drivers\kpgmh.sys
2009-12-25 00:43 . 2009-12-25 09:45   116   ----a-w-   c:\windows\system32\fjhdyfhsn.bat
2009-12-16 21:46 . 2009-09-04 17:44   515416   ----a-w-   c:\windows\system32\XAudio2_5.dll
2009-12-16 21:46 . 2009-09-04 17:44   238936   ----a-w-   c:\windows\system32\xactengine3_5.dll
2009-12-16 21:46 . 2009-09-04 17:29   1974616   ----a-w-   c:\windows\system32\D3DCompiler_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   5501792   ----a-w-   c:\windows\system32\d3dcsx_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   235344   ----a-w-   c:\windows\system32\d3dx11_42.dll
2009-12-16 21:45 . 2009-12-16 21:46   --------   d--h--w-   c:\windows\msdownld.tmp
2009-12-09 15:38 . 2009-12-09 15:38   --------   d-----w-   c:\program files\Microsoft
2009-12-04 05:32 . 2009-09-04 17:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
2009-12-04 05:32 . 2009-09-04 17:29   1892184   ----a-w-   c:\windows\system32\D3DX9_42.dll
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\Thunderbird
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Application Data\Thunderbird
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\Mark\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 27, 2009, 03:51:45 PM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 14:35 . 2008-05-07 16:19   --------   d-----w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2
2009-12-27 14:35 . 2009-02-05 13:05   --------   d-----w-   c:\program files\DNA
2009-12-27 14:35 . 2009-02-05 13:05   --------   d-----w-   c:\documents and settings\Mark\Application Data\DNA
2009-12-27 14:35 . 2009-02-20 09:52   --------   d-----w-   c:\program files\Steam
2009-12-26 02:18 . 2008-05-18 11:04   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-12-26 02:05 . 2008-08-04 05:26   --------   d-----w-   c:\program files\EA Games
2009-12-26 02:03 . 2009-02-20 04:33   --------   d-----w-   c:\program files\Konami
2009-12-26 02:00 . 2008-04-26 03:44   --------   d-----w-   c:\program files\THQ
2009-12-26 02:00 . 2008-09-04 13:02   --------   d-----w-   c:\program files\Three Rings Design
2009-12-25 09:45 . 2008-12-15 23:26   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-12-25 03:34 . 2009-09-24 02:54   --------   d-----w-   c:\program files\Pando Networks
2009-12-24 17:13 . 2008-06-11 16:29   --------   d-----w-   c:\program files\mIRC
2009-12-21 04:14 . 2008-05-07 16:20   1   ----a-w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-20 11:52 . 2008-05-18 11:04   --------   d-----w-   c:\program files\AGEIA Technologies
2009-12-18 23:13 . 2008-12-09 03:13   --------   d-----w-   c:\program files\World of Warcraft
2009-12-10 10:33 . 2008-04-25 13:50   --------   d-----w-   c:\documents and settings\Mark\Application Data\.purple
2009-12-04 06:11 . 2008-10-29 11:04   104   ----a-w-   c:\windows\popcinfot.dat
2009-12-03 16:14 . 2008-12-15 23:26   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2008-12-15 23:26   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-11-30 03:11 . 2009-11-22 21:06   --------   d-----w-   c:\program files\FantasyGrounds
2009-11-27 14:16 . 2008-04-25 15:47   --------   d-----w-   c:\documents and settings\Mark\Application Data\gtk-2.0
2009-11-24 23:54 . 2008-12-15 02:08   1280480   ----a-w-   c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-12-15 02:08   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-12-15 02:08   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-12-15 02:08   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-12-15 02:08   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-12-15 02:08   48560   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-12-15 02:08   23120   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-12-15 02:08   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-12-15 02:08   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-11-22 21:12 . 2009-11-22 21:12   --------   d-----w-   c:\program files\LogMeIn Hamachi
2009-11-22 21:12 . 2009-04-29 23:42   --------   d-----w-   c:\documents and settings\Mark\Application Data\Hamachi
2009-11-19 22:36 . 2008-11-19 16:41   --------   d-----w-   c:\program files\ooVoo
2009-11-06 10:59 . 2009-11-06 10:59   15406728   ----a-w-   c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59   13642888   ----a-w-   c:\windows\system32\xlivefnt.dll
2009-11-06 04:09 . 2009-11-06 04:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\BioWare
2009-11-03 10:28 . 2009-11-03 10:28   --------   d-----w-   c:\documents and settings\Mark\Application Data\runic games
2009-11-01 16:51 . 2009-11-01 16:48   --------   d-----w-   c:\documents and settings\Mark\Application Data\Red Alert 3 Uprising
2009-10-29 19:34 . 2009-10-29 04:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2009-10-29 04:59 . 2009-10-29 04:59   1925024   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-28 14:45 . 2009-10-28 14:45   --------   d-----w-   c:\program files\PC Suite
2009-10-28 14:45 . 2008-04-22 11:19   --------   d--h--w-   c:\program files\InstallShield Installation Information
.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 27, 2009, 03:52:27 PM

------- Sigcheck -------

[-] 2007-12-19 . 3702A9C76696A70323330FD3879A5408 . 1589248 . . [5.1.2600.3186] . . c:\windows\system32\sfcfiles.dll

[7] 2007-07-27 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe

c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-13 3660848]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2009-10-12 17507000]
"Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-24 3558136]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"CTHelper"="CTHELPER.EXE" [2008-02-20 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 19968]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-26 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2007-07-27 53760]

c:\documents and settings\Mark\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 27, 2009, 03:53:09 PM

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 27, 2009, 03:53:54 PM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"37676:TCP"= 37676:TCP:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:ooVoo UDP port 37677

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15/12/2008 02:08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/12/2008 02:08 20560]
R2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [28/09/2009 16:15 242176]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [29/10/2009 12:27 1074568]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [06/11/2009 01:10 25832]
S3 EraserUtilDrv10633;EraserUtilDrv10633;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/10/2009 14:45 105216]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/10/2009 14:45 105216]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/10/2009 14:45 105216]

--- Other Services/Drivers In Memory ---

*Deregistered* - kpgmh
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\tz9chjai.default\
FF - plugin: c:\documents and settings\Mark\My Documents\Sparkplay Media\Sparkplayer (Beta)\npSparkPlayerNS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Asaxugesavadeb - c:\windows\obipufic.dll

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 27, 2009, 03:54:35 PM

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 14:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kpgmh]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:dd,2f,b8,a0,ed,08,93,98,68,aa,98,88,25,98,8a,a9,04,f3,19,18,5a,6d,91,
2f,a4,33,79,3f,0b,3b,7e,32,64,d8,78,82,ac,11,57,ad,ae,40,c2,cd,1b,6d,96,52,\
"??"=hex:0e,65,6b,66,be,8d,88,91,f8,ed,7e,ad,e7,93,74,57

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:f1,c5,45,e3,96,ce,70,1a,19,5b,29,ca,c2,83,4b,b8,15,6a,83,db,5f,
b0,36,32,21,a3,e6,13,b7,97,1e,4b,79,f4,84,44,8a,c4,6c,4a,cb,1d,06,d6,e5,b2,\
"rkeysecu"=hex:34,72,c9,c1,56,cb,ba,37,57,df,7e,31,d4,64,3d,47
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.BIN
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-12-27 14:41:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 14:41

Pre-Run: 153,819,316,224 bytes free
Post-Run: 156,370,591,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 19C7488F916CA0B7BBFE04BC72EDC125

Title: Re: new worm?, avast doesn' know it
Post by: oldman on December 27, 2009, 07:08:47 PM

Hi MakrWest,

BitTorrent DNA
You have BitTorrent DNA, P2P/file sharing programs installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it. It's not the program itself that is the problem, but what can be downloaded with it, usually from an unknown source.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx (http://www.microsoft.com/windows/ie/community/columns/protection.mspx)

http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005...cles/art053.htm (http://www.internetworldstats.com/articles/art053.htm)

I would recommend that you uninstall BitTorrent DNAt, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it/them, please do not use it until we are done

We'll use comdofix again but run it differently. After combofix has finished please try going on line to get a tool we will use later.

Please follow all previous instructions regarding security programs.

Open a new Notepad session

Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.
Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

Code: [Select]

File::
c:\windows\Igaqofevinuyoz.bin
c:\windows\Avasub.dat
c:\windows\system32\fjhdyfhsn.bat

FCopy::
c:\windows\system32\dllcache\ctfmon.exe | c:\windows\System32\ctfmon.exe

RootKit::
c:\windows\system32\drivers\kpgmh.sys

Driver::
kpgmh

In the notepad

Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

.
Next

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield
Do not copy the word CODE , please note the script starts with the :

Code: [Select]

:filefind
sfcfiles.*

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Please post back with

combofix log
SystemLook log

How's the computer?

Thanks

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 27, 2009, 08:05:00 PM

i didn't relize i had any bittorrent stuff on that computer and do not want it either, if i cannot find it in the add remove what else can be done to remove it, so far the computer is stillcoming up with the same errors from avast that is has found a malware file, i am generallyleaving the computer off until you post a thing for me to do on it, not wanting the infection to spread further, i am currently working on my old clean computer and will switch back to my sick machine soon to run the current plans you have to help it

edit: i will probably grab the systemlook fle on here and cpying it over via flashdrive i still do not want to put that computer online incase it infects it more

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 27, 2009, 10:07:05 PM

bad news my laptop has died on me, i'm down to one machine other then my sick machine now it may take alot longer to fix now since i'm having to switch wires to get between the sick and clean old machine constantly

Title: Re: new worm?, avast doesn' know it
Post by: emantoyaks on December 28, 2009, 01:39:38 AM

try Spyware Terminator hope they can help you....

Download links:
http://filehippo.com/download_spyware_terminator/download/f3711407582ea0bf0f62323b4502c9d4/ (http://filehippo.com/download_spyware_terminator/download/f3711407582ea0bf0f62323b4502c9d4/)

Title: Re: new worm?, avast doesn' know it
Post by: oldman on December 28, 2009, 02:00:54 AM

Hi MarkWest,

Run the combofix CFScript I posted and the infected computer should go on line just fine. Make sure you use copy and paste to create the CFScript, we don't need a typo when we are this close.

Thanks

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 28, 2009, 03:51:12 PM

well avast did something really wierd, even though it was disabled it popped up saying it found an infected file (the same one as usual) during the combo fix scan, thought i'd mention that here comes the logs

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:30 on 28/12/2009 by Mark (Administrator - Elevation successful)

========== filefind ==========

Searching for "sfcfiles.*"
C:\WINDOWS\system32\sfcfiles.dll   --a--- 1589248 bytes   [17:35 19/12/2007]   [17:35 19/12/2007] 3702A9C76696A70323330FD3879A5408

-=End Of File=-

ComboFix 09-12-26.01 - Mark 28/12/2009 14:12:09.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.3327.2941 [GMT 0:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\CFscript.txt
AV: avast! antivirus 4.8.1368 [VPS 091225-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\Avasub.dat"
"c:\windows\Igaqofevinuyoz.bin"
"c:\windows\system32\fjhdyfhsn.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Avasub.dat
c:\windows\Igaqofevinuyoz.bin
c:\windows\system32\fjhdyfhsn.bat

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\ctfmon.exe --> c:\windows\System32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KPGMH
-------\Service_kpgmh

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-28 14:12 . 2007-07-27 11:00   15360   -c--a-w-   c:\windows\system32\dllcache\ctfmon.exe
2009-12-28 14:12 . 2007-07-27 11:00   15360   ----a-w-   c:\windows\system32\ctfmon.exe
2009-12-26 09:30 . 2009-12-26 09:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-26 02:24 . 2009-12-26 02:24   52224   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-26 02:20 . 2009-12-26 02:24   117760   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-26 02:19 . 2009-12-26 02:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
2009-12-26 02:17 . 2009-12-26 02:13   2386270   ----a-w-   C:\MGtools.exe
2009-12-26 01:48 . 2009-12-26 01:47   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-26 01:47 . 2009-12-26 01:47   --------   d-----w-   c:\program files\Java
2009-12-25 13:52 . 2009-12-25 13:52   --------   d-----w-   c:\documents and settings\Mark\.kde
2009-12-25 09:45 . 2009-12-25 09:45   4844295   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-16 21:46 . 2009-09-04 17:44   515416   ----a-w-   c:\windows\system32\XAudio2_5.dll
2009-12-16 21:46 . 2009-09-04 17:44   238936   ----a-w-   c:\windows\system32\xactengine3_5.dll
2009-12-16 21:46 . 2009-09-04 17:29   1974616   ----a-w-   c:\windows\system32\D3DCompiler_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   5501792   ----a-w-   c:\windows\system32\d3dcsx_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   235344   ----a-w-   c:\windows\system32\d3dx11_42.dll
2009-12-16 21:45 . 2009-12-16 21:46   --------   d--h--w-   c:\windows\msdownld.tmp
2009-12-09 15:38 . 2009-12-09 15:38   --------   d-----w-   c:\program files\Microsoft
2009-12-04 05:32 . 2009-09-04 17:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
2009-12-04 05:32 . 2009-09-04 17:29   1892184   ----a-w-   c:\windows\system32\D3DX9_42.dll
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\Thunderbird
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Application Data\Thunderbird
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\Mark\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\program files\GNU

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 28, 2009, 03:51:44 PM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 14:25 . 2009-02-20 09:52   --------   d-----w-   c:\program files\Steam
2009-12-28 14:24 . 2008-05-07 16:19   --------   d-----w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2
2009-12-26 02:18 . 2008-05-18 11:04   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-12-26 02:05 . 2008-08-04 05:26   --------   d-----w-   c:\program files\EA Games
2009-12-26 02:03 . 2009-02-20 04:33   --------   d-----w-   c:\program files\Konami
2009-12-26 02:00 . 2008-04-26 03:44   --------   d-----w-   c:\program files\THQ
2009-12-26 02:00 . 2008-09-04 13:02   --------   d-----w-   c:\program files\Three Rings Design
2009-12-25 09:45 . 2008-12-15 23:26   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-12-25 03:34 . 2009-09-24 02:54   --------   d-----w-   c:\program files\Pando Networks
2009-12-24 17:13 . 2008-06-11 16:29   --------   d-----w-   c:\program files\mIRC
2009-12-21 04:14 . 2008-05-07 16:20   1   ----a-w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-20 11:52 . 2008-05-18 11:04   --------   d-----w-   c:\program files\AGEIA Technologies
2009-12-18 23:13 . 2008-12-09 03:13   --------   d-----w-   c:\program files\World of Warcraft
2009-12-10 10:33 . 2008-04-25 13:50   --------   d-----w-   c:\documents and settings\Mark\Application Data\.purple
2009-12-04 06:11 . 2008-10-29 11:04   104   ----a-w-   c:\windows\popcinfot.dat
2009-12-03 16:14 . 2008-12-15 23:26   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2008-12-15 23:26   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-11-30 03:11 . 2009-11-22 21:06   --------   d-----w-   c:\program files\FantasyGrounds
2009-11-27 14:16 . 2008-04-25 15:47   --------   d-----w-   c:\documents and settings\Mark\Application Data\gtk-2.0
2009-11-24 23:54 . 2008-12-15 02:08   1280480   ----a-w-   c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-12-15 02:08   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-12-15 02:08   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-12-15 02:08   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-12-15 02:08   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-12-15 02:08   48560   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-12-15 02:08   23120   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-12-15 02:08   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-12-15 02:08   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-11-22 21:12 . 2009-11-22 21:12   --------   d-----w-   c:\program files\LogMeIn Hamachi
2009-11-22 21:12 . 2009-04-29 23:42   --------   d-----w-   c:\documents and settings\Mark\Application Data\Hamachi
2009-11-19 22:36 . 2008-11-19 16:41   --------   d-----w-   c:\program files\ooVoo
2009-11-06 10:59 . 2009-11-06 10:59   15406728   ----a-w-   c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59   13642888   ----a-w-   c:\windows\system32\xlivefnt.dll
2009-11-06 04:09 . 2009-11-06 04:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\BioWare
2009-11-03 10:28 . 2009-11-03 10:28   --------   d-----w-   c:\documents and settings\Mark\Application Data\runic games
2009-11-01 16:51 . 2009-11-01 16:48   --------   d-----w-   c:\documents and settings\Mark\Application Data\Red Alert 3 Uprising
2009-10-29 19:34 . 2009-10-29 04:59   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
2009-10-29 04:59 . 2009-10-29 04:59   1925024   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
.

------- Sigcheck -------

[-] 2007-12-19 . 3702A9C76696A70323330FD3879A5408 . 1589248 . . [5.1.2600.3186] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-12-27_14.35.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-27 19:47 . 2009-12-27 19:47   16384 c:\windows\Temp\Perflib_Perfdata_6e8.dat
+ 2009-12-28 14:23 . 2009-12-28 14:23   16384 c:\windows\Temp\Perflib_Perfdata_654.dat
+ 2009-12-28 14:23 . 2009-12-28 14:23   16384 c:\windows\Temp\Perflib_Perfdata_52c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-13 3660848]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2009-10-12 17507000]
"Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-24 3558136]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-07-27 15360]

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 28, 2009, 03:52:19 PM

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"CTHelper"="CTHELPER.EXE" [2008-02-20 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 19968]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-26 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2007-07-27 53760]

c:\documents and settings\Mark\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 28, 2009, 03:52:44 PM

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 28, 2009, 03:53:08 PM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"37676:TCP"= 37676:TCP:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:ooVoo UDP port 37677

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15/12/2008 02:08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/12/2008 02:08 20560]
R2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [28/09/2009 16:15 242176]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [29/10/2009 12:27 1074568]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [06/11/2009 01:10 25832]
S3 EraserUtilDrv10633;EraserUtilDrv10633;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/10/2009 14:45 105216]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/10/2009 14:45 105216]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/10/2009 14:45 105216]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\tz9chjai.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 14:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 28, 2009, 03:53:34 PM

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:dd,2f,b8,a0,ed,08,93,98,68,aa,98,88,25,98,8a,a9,04,f3,19,18,5a,6d,91,
2f,a4,33,79,3f,0b,3b,7e,32,64,d8,78,82,ac,11,57,ad,ae,40,c2,cd,1b,6d,96,52,\
"??"=hex:0e,65,6b,66,be,8d,88,91,f8,ed,7e,ad,e7,93,74,57

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:f1,c5,45,e3,96,ce,70,1a,19,5b,29,ca,c2,83,4b,b8,15,6a,83,db,5f,
b0,36,32,21,a3,e6,13,b7,97,1e,4b,79,f4,84,44,8a,c4,6c,4a,cb,1d,06,d6,e5,b2,\
"rkeysecu"=hex:34,72,c9,c1,56,cb,ba,37,57,df,7e,31,d4,64,3d,47
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3908)
c:\windows\system32\ctagent.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\CTHELPER.EXE
c:\windows\system32\CTXFIHLP.EXE
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-28 14:28:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 14:28
ComboFix2.txt 2009-12-27 14:41

Pre-Run: 156,365,512,704 bytes free
Post-Run: 156,329,406,464 bytes free

- - End Of File - - 0C9B4409138C4B5D432B859B7649F647

Title: Re: new worm?, avast doesn' know it
Post by: oldman on December 28, 2009, 08:27:39 PM

Hi MarkWest,

When avast detected the file, you moved it to the chest? Combofix removed the driver so there shouldn't be any more detections now.

Do you have an XP cd?

Have you tried going on line with this computer yet?

Quote

i didn't relize i had any bittorrent stuff on that computer and do not want it either,

Go to add/remove programs and uninstall this program

DNA

We'll take care of it's left overs after you have uninstalled it.

.
We'll use comdofix again.

Please follow all previous instructions regarding security programs.

Open a new Notepad session

Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.
Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

Code: [Select]

SRPeek::
c:\windows\system32\sfcfiles.dll

SkipFix::

In the notepad

Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

.
You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

Click the Update tab
Click Check for Updates
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Please post back with

combofix log
MBAM log

How is the computer?

Thanks

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 28, 2009, 09:00:03 PM

yes orignally i did move it to the chest, no i currently don't have a xp cd here but i can get one here by tommorow, and no i'm still not going online with my sick computer yet, i think i got rid of bittorrent though ^^ used add remove to drop dna off it,

How close are we do you think, it's alot harder on me now i'm getting pretty sick irl at the moment from it probably only able to do 1 thing a day at this time cause i think a winter bug has got my body too heh ^_^

Title: Re: new worm?, avast doesn' know it
Post by: oldman on December 28, 2009, 09:30:41 PM

Hi Markwest,

You can go online with the "sick" computer. We have removed everything visible. It is now time to deal directly with the computer and we need to know how it is when used normally.

We have the last instruction I posted to do and one more scan.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 12:22:50 AM

Nothing bad seems to be happening on the 'sick' computer, i am online on it posting this message and about to post the logs too, thank you thank you i think it's clean ^^ but i'll let the expert confirm that hehe ^^

Malwarebytes' Anti-Malware 1.42
Database version: 3431
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

28/12/2009 23:14:19
mbam-log-2009-12-28 (23-14-19).txt

Scan type: Quick Scan
Objects scanned: 108481
Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix 09-12-26.01 - Mark 28/12/2009 23:06:48.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.3327.2868 [GMT 0:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 091225-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-28 14:12 . 2007-07-27 11:00   15360   -c--a-w-   c:\windows\system32\dllcache\ctfmon.exe
2009-12-28 14:12 . 2007-07-27 11:00   15360   ------w-   c:\windows\system32\ctfmon.exe
2009-12-26 09:30 . 2009-12-26 09:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-26 02:24 . 2009-12-26 02:24   52224   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-26 02:20 . 2009-12-26 02:24   117760   ----a-w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-26 02:19 . 2009-12-26 02:19   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-12-26 02:18 . 2009-12-26 02:18   --------   d-----w-   c:\documents and settings\Mark\Application Data\SUPERAntiSpyware.com
2009-12-26 02:17 . 2009-12-26 02:13   2386270   ----a-w-   C:\MGtools.exe
2009-12-26 01:48 . 2009-12-26 01:47   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-26 01:47 . 2009-12-26 01:47   --------   d-----w-   c:\program files\Java
2009-12-25 13:52 . 2009-12-25 13:52   --------   d-----w-   c:\documents and settings\Mark\.kde
2009-12-25 09:45 . 2009-12-25 09:45   4844295   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-16 21:46 . 2009-09-04 17:44   515416   ----a-w-   c:\windows\system32\XAudio2_5.dll
2009-12-16 21:46 . 2009-09-04 17:44   238936   ----a-w-   c:\windows\system32\xactengine3_5.dll
2009-12-16 21:46 . 2009-09-04 17:29   1974616   ----a-w-   c:\windows\system32\D3DCompiler_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   5501792   ----a-w-   c:\windows\system32\d3dcsx_42.dll
2009-12-16 21:46 . 2009-09-04 17:29   235344   ----a-w-   c:\windows\system32\d3dx11_42.dll
2009-12-16 21:45 . 2009-12-16 21:46   --------   d--h--w-   c:\windows\msdownld.tmp
2009-12-09 15:38 . 2009-12-09 15:38   --------   d-----w-   c:\program files\Microsoft
2009-12-04 05:32 . 2009-09-04 17:29   453456   ----a-w-   c:\windows\system32\d3dx10_42.dll
2009-12-04 05:32 . 2009-09-04 17:29   1892184   ----a-w-   c:\windows\system32\D3DX9_42.dll
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Local Settings\Application Data\Thunderbird
2009-12-02 23:21 . 2009-12-02 23:21   --------   d-----w-   c:\documents and settings\Mark\Application Data\Thunderbird
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\LocalService\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\Mark\Application Data\gnupg
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\GNU
2009-12-02 23:09 . 2009-12-02 23:09   --------   d-----w-   c:\program files\GNU

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 12:23:25 AM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 23:04 . 2009-02-20 09:52   --------   d-----w-   c:\program files\Steam
2009-12-28 23:04 . 2008-05-07 16:19   --------   d-----w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2
2009-12-26 02:18 . 2008-05-18 11:04   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-12-26 02:05 . 2008-08-04 05:26   --------   d-----w-   c:\program files\EA Games
2009-12-26 02:03 . 2009-02-20 04:33   --------   d-----w-   c:\program files\Konami
2009-12-26 02:00 . 2008-04-26 03:44   --------   d-----w-   c:\program files\THQ
2009-12-26 02:00 . 2008-09-04 13:02   --------   d-----w-   c:\program files\Three Rings Design
2009-12-25 09:45 . 2008-12-15 23:26   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-12-25 03:34 . 2009-09-24 02:54   --------   d-----w-   c:\program files\Pando Networks
2009-12-24 17:13 . 2008-06-11 16:29   --------   d-----w-   c:\program files\mIRC
2009-12-21 04:14 . 2008-05-07 16:20   1   ----a-w-   c:\documents and settings\Mark\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-20 11:52 . 2008-05-18 11:04   --------   d-----w-   c:\program files\AGEIA Technologies
2009-12-18 23:13 . 2008-12-09 03:13   --------   d-----w-   c:\program files\World of Warcraft
2009-12-10 10:33 . 2008-04-25 13:50   --------   d-----w-   c:\documents and settings\Mark\Application Data\.purple
2009-12-04 06:11 . 2008-10-29 11:04   104   ----a-w-   c:\windows\popcinfot.dat
2009-12-03 16:14 . 2008-12-15 23:26   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2008-12-15 23:26   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-11-30 03:11 . 2009-11-22 21:06   --------   d-----w-   c:\program files\FantasyGrounds
2009-11-27 14:16 . 2008-04-25 15:47   --------   d-----w-   c:\documents and settings\Mark\Application Data\gtk-2.0
2009-11-24 23:54 . 2008-12-15 02:08   1280480   ----a-w-   c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-12-15 02:08   93424   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-12-15 02:08   94160   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-12-15 02:08   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-12-15 02:08   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-12-15 02:08   48560   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-12-15 02:08   23120   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-12-15 02:08   27408   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-12-15 02:08   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-11-22 21:12 . 2009-11-22 21:12   --------   d-----w-   c:\program files\LogMeIn Hamachi
2009-11-22 21:12 . 2009-04-29 23:42   --------   d-----w-   c:\documents and settings\Mark\Application Data\Hamachi
2009-11-19 22:36 . 2008-11-19 16:41   --------   d-----w-   c:\program files\ooVoo
2009-11-06 10:59 . 2009-11-06 10:59   15406728   ----a-w-   c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59   13642888   ----a-w-   c:\windows\system32\xlivefnt.dll
2009-11-06 04:09 . 2009-11-06 04:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\BioWare
2009-11-03 10:28 . 2009-11-03 10:28   --------   d-----w-   c:\documents and settings\Mark\Application Data\runic games
2009-11-01 16:51 . 2009-11-01 16:48   --------   d-----w-   c:\documents and settings\Mark\Application Data\Red Alert 3 Uprising
2009-10-29 04:59 . 2009-10-29 04:59   1925024   ----a-w-   c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2007-12-19 . 3702A9C76696A70323330FD3879A5408 . 1589248 . . [5.1.2600.3186] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-12-27_14.35.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-28 23:02 . 2009-12-28 23:02   16384 c:\windows\Temp\Perflib_Perfdata_660.dat
+ 2009-12-28 23:03 . 2009-12-28 23:03   16384 c:\windows\Temp\Perflib_Perfdata_4e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-13 3660848]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2009-10-12 17507000]
"Steam"="c:\program files\steam\steam.exe" [2009-10-24 1217808]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-24 3558136]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"CTHelper"="CTHELPER.EXE" [2008-02-20 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 19968]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-26 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2007-07-27 53760]

c:\documents and settings\Mark\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 12:23:50 AM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Cyanide\\GameCenter\\GameCenter.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Namco Bandai Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Wizards of the Coast\\Magic Online III\\Renamer.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Outspark\\WindSlayer\\WindSlayer.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\patchget.dat"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\overlord ii\\Overlord2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\overlord ii\\Config.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\Bootstrapper.exe"=
"c:\\Program Files\\Electronic Arts\\BattleForge\\BattleForge.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bookworm adventures volume 2\\BookwormAdventuresVol2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Cyanide\\Blood Bowl\\Autorun\\Exe\\Autorun.exe"=
"c:\\Program Files\\Cyanide\\Blood Bowl\\BB.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\bin_ship\\DAOCharacterCreator.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\command and conquer red alert 3 uprising\\RA3EP1.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\zuma's revenge\\ZumasRevenge.exe"=
"c:\\Program Files\\FantasyGrounds\\FantasyGrounds.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\torchlight\\Torchlight.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP port 443
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"37676:TCP"= 37676:TCP:ooVoo TCP port 37676
"37676:UDP"= 37676:UDP:ooVoo UDP port 37676
"37677:UDP"= 37677:UDP:ooVoo UDP port 37677

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [15/12/2008 02:08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [15/12/2008 02:08 20560]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [29/10/2009 12:27 1074568]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]
S2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [28/09/2009 16:15 242176]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [06/11/2009 01:10 25832]
S3 EraserUtilDrv10633;EraserUtilDrv10633;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10633.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [28/10/2009 14:45 105216]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [28/10/2009 14:45 105216]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [28/10/2009 14:45 105216]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\tz9chjai.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 23:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 12:24:51 AM

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:dd,2f,b8,a0,ed,08,93,98,68,aa,98,88,25,98,8a,a9,04,f3,19,18,5a,6d,91,
2f,a4,33,79,3f,0b,3b,7e,32,64,d8,78,82,ac,11,57,ad,ae,40,c2,cd,1b,6d,96,52,\
"??"=hex:0e,65,6b,66,be,8d,88,91,f8,ed,7e,ad,e7,93,74,57

[HKEY_USERS\S-1-5-21-776561741-1563985344-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:f1,c5,45,e3,96,ce,70,1a,19,5b,29,ca,c2,83,4b,b8,15,6a,83,db,5f,
b0,36,32,21,a3,e6,13,b7,97,1e,4b,79,f4,84,44,8a,c4,6c,4a,cb,1d,06,d6,e5,b2,\
"rkeysecu"=hex:34,72,c9,c1,56,cb,ba,37,57,df,7e,31,d4,64,3d,47
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-12-28 23:09:37
ComboFix-quarantined-files.txt 2009-12-28 23:09
ComboFix2.txt 2009-12-27 14:41

Pre-Run: 156,330,991,616 bytes free
Post-Run: 156,298,125,312 bytes free

- - End Of File - - AAFBEE1CF97049301E537C10445AE84D

Title: Re: new worm?, avast doesn' know it
Post by: oldman on December 29, 2009, 03:04:58 AM

Hi MarkWest,

So far so good. If you can get a hold of an XP disk we can see if there is a file on it that will pass the signature check.

In the meantime we'll check our handiwork. Please be patient, this scan can be quite lengthy but worth it.

Please go to Kaspersky (http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html?n=1259887545421) website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions.
You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
- Mail databases
Click on My Computerr under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Change the Files of type to Text file (.txt)
Set the Save In to Desktop
click the Save button.
Please post this log in your next reply.

Please post back with theKaspersky log and a new OTL scan log taken after the Kaspersky scan.

Thanks

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 04:56:48 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, December 29, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, December 29, 2009 09:05:42
Records in database: 3415603
--------------------------------------------------------------------------------

Scan settings:
   scan using the following database: extended
   Scan archives: yes
   Scan e-mail databases: yes

Scan area - My Computer:
   C:\
   D:\
   E:\

Scan statistics:
   Objects scanned: 451781
   Threats found: 6
   Infected objects found: 11
   Suspicious objects found: 0
   Scan duration: 05:31:21

File name / Threat / Threats count
C:\Documents and Settings\Mark\Desktop\installed stuff\mirc62.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
C:\Documents and Settings\Mark\Desktop\mirc632.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.632   1
C:\MGtools.exe   Infected: Trojan-Dropper.Win32.Agent.bjzb   1
C:\Program Files\mIRC\mirc.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.62   1
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Local Settings\Application Data\{FFC6B7D5-902E-4EBD-9177-7C584223F0D8}\chrome\content\overlay.xul.vir   Infected: Trojan.JS.Gord.a   1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kpgmh.sys.vir   Infected: Rootkit.Win32.Agent.aago   1
C:\Stuff that needs to be sorted into proper place\New Folder\mirc616.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.616   1
C:\System Volume Information\_restore{9E4F74B7-17B2-42E8-BBE8-11AEB188B254}\RP497\A0071234.sys   Infected: Rootkit.Win32.Agent.aago   1
E:\Documents and Settings\Mark\Desktop\mirc632.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.632   1
E:\Documents and Settings\Mark\Local Settings\Temp\mirc632.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.632   1
E:\Stuff that needs to be sorted into proper place\New Folder\mirc616.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.616   1

Selected area has been scanned.

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 04:58:01 PM

OTL logfile created on: 29/12/2009 15:51:57 - Run 2
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Documents and Settings\Mark\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 78.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.74 Gb Total Space | 145.38 Gb Free Space | 31.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 465.74 Gb Total Space | 322.75 Gb Free Space | 69.30% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BEAST-3DDF91376
Current User Name: Mark
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/29 10:17:22 | 00,139,264 | ---- | M] (Kaspersky Lab.) -- C:\Documents and Settings\Mark\Local Settings\temp\jkos-Mark\binaries\ScanningProcess.exe
PRC - [2009/12/26 10:24:12 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
PRC - [2009/12/26 01:47:55 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/12/26 01:47:55 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/12/26 01:47:55 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\java.exe
PRC - [2009/12/16 17:22:50 | 00,307,672 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/16 16:26:56 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/11/24 23:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 23:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 23:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/29 12:27:54 | 01,074,568 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
PRC - [2009/10/24 23:34:04 | 01,217,808 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\steam.exe
PRC - [2009/10/12 18:03:52 | 17,507,000 | ---- | M] (ooVoo LLC) -- C:\Program Files\ooVoo\ooVoo.exe
PRC - [2009/09/28 16:15:58 | 00,242,176 | ---- | M] () -- C:\Program Files\GNU\GnuPG\dirmngr.exe
PRC - [2009/09/03 21:17:14 | 03,342,336 | ---- | M] (Electronic Arts) -- C:\Program Files\Electronic Arts\EADM\Core.exe
PRC - [2009/02/06 16:07:48 | 00,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/08/13 17:06:56 | 03,660,848 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
PRC - [2008/08/03 23:02:20 | 00,036,352 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2008/08/01 06:19:21 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
PRC - [2008/03/14 22:12:50 | 02,580,480 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
PRC - [2008/03/14 22:12:48 | 02,363,392 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
PRC - [2008/03/07 18:24:18 | 00,417,792 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2008/02/20 19:58:46 | 00,019,968 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\Ctxfihlp.exe
PRC - [2008/02/20 19:58:44 | 00,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CtHelper.exe
PRC - [2008/02/20 19:55:12 | 00,969,216 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTxfispi.exe
PRC - [2007/12/05 00:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/07/27 11:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2007/06/13 10:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/07/28 20:11:12 | 02,109,440 | ---- | M] (mIRC Co. Ltd.) -- C:\Program Files\mIRC\mirc.exe
PRC - [2003/01/27 16:16:58 | 00,376,912 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe

========== Modules (SafeList) ==========

MOD - [2009/12/26 10:24:12 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
MOD - [2008/02/20 19:58:42 | 00,008,704 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\ctagent.dll
MOD - [2006/08/25 15:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2009/12/26 01:47:55 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/11/24 23:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 23:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 23:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 23:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/11/06 01:10:48 | 00,025,832 | ---- | M] (BioWare) [On_Demand | Stopped] -- c:\Program Files\Steam\SteamApps\common\dragon age origins\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/10/29 12:27:54 | 01,074,568 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2009/09/28 16:15:58 | 00,242,176 | ---- | M] () [Auto | Running] -- C:\Program Files\GNU\GnuPG\dirmngr.exe -- (DirMngr)
SRV - [2009/02/18 23:11:00 | 02,806,522 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2008/09/10 13:01:28 | 00,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/08/01 06:19:21 | 00,066,872 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2008/03/07 18:24:18 | 00,417,792 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2007/12/05 00:41:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 04:58:22 PM

========== Driver Services (SafeList) ==========

DRV - [2009/12/16 16:27:00 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/16 16:26:58 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/16 16:26:56 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/11/24 23:50:59 | 00,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 23:50:12 | 00,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 23:50:00 | 00,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 23:49:07 | 00,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 23:48:57 | 00,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 23:47:54 | 00,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/09/23 09:41:58 | 00,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/08/22 14:44:08 | 00,105,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsnmea.sys -- (zgwhsnmea)
DRV - [2008/08/22 14:43:44 | 00,105,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsmdm.sys -- (zgwhsmdm)
DRV - [2008/08/22 14:43:06 | 00,105,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsdiag.sys -- (zgwhsdiag)
DRV - [2008/04/25 11:26:32 | 00,002,397 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2008/04/13 10:21:50 | 00,017,920 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\Ntaccess.sys -- (NTACCESS)
DRV - [2008/03/21 20:30:04 | 00,043,528 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/02/25 08:44:38 | 01,172,504 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2008/02/25 08:44:22 | 00,092,696 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2008/02/25 08:44:08 | 00,157,208 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2008/02/25 08:44:00 | 00,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2008/02/25 08:43:56 | 00,127,000 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2008/02/25 08:43:30 | 00,346,856 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2008/02/25 08:43:24 | 00,524,312 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2008/02/25 08:43:16 | 00,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2008/02/25 08:41:50 | 00,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2008/02/25 08:41:44 | 00,170,520 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2008/02/25 08:41:36 | 01,323,544 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2008/02/25 08:41:28 | 00,329,240 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL)
DRV - [2008/02/25 08:41:18 | 00,134,680 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL)
DRV - [2008/02/25 08:41:14 | 00,100,888 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTERFXFX.DLL -- (CTERFXFX.DLL)
DRV - [2008/02/25 08:41:10 | 00,286,232 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL)
DRV - [2008/02/25 08:41:06 | 00,174,104 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTEAPSFX.DLL -- (CTEAPSFX.DLL)
DRV - [2008/02/25 08:41:02 | 00,566,296 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTSBLFX.DLL -- (CTSBLFX.DLL)
DRV - [2008/02/25 08:40:56 | 00,551,960 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CTAUDFX.DLL -- (CTAUDFX.DLL)
DRV - [2008/02/25 08:40:52 | 00,098,328 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\COMMONFX.DLL -- (COMMONFX.DLL)
DRV - [2008/01/23 21:25:32 | 00,027,136 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tapvpn.sys -- (tapvpn)
DRV - [2007/12/19 17:35:19 | 00,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2007/12/05 00:41:00 | 07,435,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/10/12 08:32:30 | 00,094,592 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/08/20 09:05:02 | 00,027,672 | R--- | M] (EnTech Taiwan) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Entech.sys -- (ENTECH)
DRV - [2007/07/27 11:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2003/09/06 13:37:22 | 00,062,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prohlp02.sys -- (prohlp02)
DRV - [2003/09/06 12:27:06 | 00,004,832 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp01.sys -- (sfhlp01)
DRV - [2003/09/06 12:25:52 | 00,051,744 | ---- | M] (Protection Technology) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\prodrv06.sys -- (prodrv06)
DRV - [2003/09/06 12:22:08 | 00,006,944 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\prosync1.sys -- (prosync1)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: web@veoh.com:1.4
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/16 17:22:54 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/26 01:48:04 | 00,000,000 | ---D | M]

[2009/01/08 20:04:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Mozilla\Extensions
[2009/10/29 19:37:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\tz9chjai.default\extensions
[2009/12/28 23:16:07 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/01/29 03:08:04 | 00,132,528 | ---- | M] (NHN USA Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
[2008/09/10 07:39:42 | 00,075,184 | ---- | M] (NHN USA Inc. ) -- C:\Program Files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
[2008/04/28 20:46:51 | 00,151,552 | ---- | M] (PopCap Games) -- C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 04:58:49 PM

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Veoh Web Player Video Finder) - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll (Veoh Networks Inc)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\Ctxfihlp.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKCU..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)
O4 - HKCU..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - HKCU..\Run: [oovoo.exe] C:\Program Files\ooVoo\oovoo.exe (ooVoo LLC)
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [Veoh] C:\Program Files\Veoh Networks\Veoh\VeohClient.exe (Veoh Networks)
O4 - HKCU..\Run: [VeohPlugin] C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe (Veoh Networks)
O4 - Startup: C:\Documents and Settings\Mark\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: com.tw ([www.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/21 16:52:22 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/21 16:52:22 | 00,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 04:59:39 PM

========== Files/Folders - Created Within 30 Days ==========

[2009/12/29 10:16:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/12/29 10:13:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi
[2009/12/28 14:12:09 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ctfmon.exe
[2009/12/27 14:24:17 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/12/27 14:23:55 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/12/27 14:23:55 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/12/27 14:23:55 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/12/27 14:23:55 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/12/27 14:23:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/27 14:23:31 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/27 14:18:10 | 04,608,744 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Mark\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[2009/12/26 10:43:42 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
[2009/12/26 02:19:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/12/26 02:18:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\SUPERAntiSpyware.com
[2009/12/26 02:18:52 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/26 02:01:17 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2009/12/26 01:51:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/12/26 01:49:41 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Mark\Recent
[2009/12/26 01:48:04 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/26 01:48:04 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/26 01:48:04 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/26 01:48:04 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/26 01:48:04 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/26 01:47:50 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/12/26 01:47:18 | 16,672,544 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Mark\Desktop\jre-6u17-windows-i586.exe
[2009/12/25 13:52:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\.kde
[2009/12/25 04:15:50 | 00,135,360 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Mark\Desktop\FixBlast.exe
[2009/12/20 12:09:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\My Documents\NeocoreGames
[2009/12/16 21:46:07 | 01,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2009/12/16 21:46:07 | 00,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2009/12/16 21:46:07 | 00,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2009/12/16 21:46:06 | 05,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2009/12/16 21:46:05 | 00,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2009/12/16 21:45:51 | 00,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2009/12/16 21:44:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\My Documents\Sparkplay Media
[2009/12/16 21:44:26 | 00,573,584 | ---- | C] (SparkPlay Media, Inc) -- C:\Documents and Settings\Mark\Desktop\SparkPlayerInstall.exe
[2009/12/09 15:38:57 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/12/04 05:32:04 | 01,892,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_42.dll
[2009/12/04 05:32:04 | 00,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2009/12/02 23:21:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Local Settings\Application Data\Thunderbird
[2009/12/02 23:21:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\Thunderbird
[2009/12/02 23:10:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Gpg4win Documentation
[2009/12/02 23:09:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\gnupg
[2009/12/02 23:09:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\GNU
[2009/12/02 23:09:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\gnupg
[2009/12/02 23:09:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\GNU
[2009/12/02 23:09:24 | 00,000,000 | ---D | C] -- C:\Program Files\GNU
[2009/12/02 23:08:55 | 06,669,256 | ---- | C] (Mozilla) -- C:\Documents and Settings\Mark\Desktop\Thunderbird Setup 2.0.0.23.exe
[2009/12/02 22:46:46 | 36,557,658 | ---- | C] (g10 Code GmbH) -- C:\Documents and Settings\Mark\Desktop\gpg4win-2.0.1.exe
[2009/05/11 19:05:00 | 01,654,869 | ---- | C] (Dynu Systems Inc.) -- C:\Documents and Settings\All Users\Application Data\DynuEncrypt.dll
[2008/08/04 14:55:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/04/25 11:33:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Symantec
[2008/04/21 16:55:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/04/21 16:52:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/04/21 16:52:21 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/02/20 19:59:14 | 00,034,816 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 05:00:47 PM

========== Files - Modified Within 30 Days ==========

[2009/12/29 10:13:40 | 00,000,021 | ---- | M] () -- C:\WINDOWS\S.dirmngr
[2009/12/29 10:13:17 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/29 10:13:11 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/29 03:05:44 | 00,054,160 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000005-00000000-00000001-00001102-00000005-00291102}.rfx
[2009/12/29 03:05:44 | 00,054,160 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000005-00000000-00000001-00001102-00000005-00291102}.rfx
[2009/12/29 03:05:44 | 00,000,788 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000005-00000000-00000001-00001102-00000005-00291102}.rfx
[2009/12/29 03:05:32 | 05,242,880 | -H-- | M] () -- C:\Documents and Settings\Mark\NTUSER.DAT
[2009/12/29 03:05:32 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Mark\ntuser.ini
[2009/12/28 23:28:59 | 00,000,757 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft.lnk
[2009/12/28 23:08:07 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/28 14:23:49 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/27 20:45:36 | 00,102,660 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\SystemLook.exe
[2009/12/27 14:24:23 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/12/27 14:11:14 | 04,608,744 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Mark\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[2009/12/26 23:31:44 | 03,866,444 | R--- | M] () -- C:\Documents and Settings\Mark\Desktop\ComboFix.exe
[2009/12/26 19:03:46 | 00,284,915 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\gmer.zip
[2009/12/26 10:24:12 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
[2009/12/26 02:21:14 | 04,910,518 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\SASDEFINITIONS.EXE
[2009/12/26 02:18:55 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/26 02:13:16 | 02,386,270 | ---- | M] () -- C:\MGtools.exe
[2009/12/26 02:09:14 | 07,451,168 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\SUPERAntiSpyware.exe
[2009/12/26 01:52:05 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/26 01:52:05 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/12/26 01:50:10 | 00,002,052 | ---- | M] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_015006.reg
[2009/12/26 01:47:55 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/12/26 01:47:55 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/12/26 01:47:55 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/12/26 01:47:55 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/12/26 01:47:54 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/12/26 01:46:20 | 16,672,544 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Mark\Desktop\jre-6u17-windows-i586.exe
[2009/12/26 01:37:09 | 00,112,292 | ---- | M] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_013623.reg
[2009/12/25 04:07:52 | 00,135,360 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Mark\Desktop\FixBlast.exe
[2009/12/24 03:12:00 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/21 16:28:02 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/19 14:09:24 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/12/16 21:44:27 | 00,573,584 | ---- | M] (SparkPlay Media, Inc) -- C:\Documents and Settings\Mark\Desktop\SparkPlayerInstall.exe
[2009/12/15 11:24:48 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\gmer.exe
[2009/12/10 23:54:58 | 01,058,225 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\DBM-4.32-r2645-Core-and-WotLK-Mods.zip
[2009/12/09 22:54:07 | 00,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/12/07 17:46:59 | 00,001,622 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Left 4 Dead 2.lnk
[2009/12/06 06:06:45 | 00,002,193 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2009/12/04 06:33:26 | 00,000,024 | ---- | M] () -- C:\url_history.xml
[2009/12/04 06:11:01 | 00,000,104 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/03 05:01:00 | 00,007,227 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\RogueFocus.zip
[2009/12/02 23:10:04 | 06,669,256 | ---- | M] (Mozilla) -- C:\Documents and Settings\Mark\Desktop\Thunderbird Setup 2.0.0.23.exe
[2009/12/02 23:10:04 | 00,001,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Kleopatra.lnk
[2009/12/02 23:10:04 | 00,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GPA.lnk
[2009/12/02 22:47:39 | 36,557,658 | ---- | M] (g10 Code GmbH) -- C:\Documents and Settings\Mark\Desktop\gpg4win-2.0.1.exe
[2009/11/30 03:11:10 | 00,000,760 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Fantasy Grounds.lnk
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 05:01:14 PM

========== Files Created - No Company Name ==========

[2009/12/28 23:03:00 | 00,000,021 | ---- | C] () -- C:\WINDOWS\S.dirmngr
[2009/12/28 14:10:35 | 00,102,660 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\SystemLook.exe
[2009/12/27 14:24:23 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/12/27 14:24:19 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/12/27 14:23:55 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/12/27 14:23:55 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/12/27 14:23:55 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/12/27 14:23:55 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/12/27 14:23:55 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/12/27 14:18:02 | 03,866,444 | R--- | C] () -- C:\Documents and Settings\Mark\Desktop\ComboFix.exe
[2009/12/26 19:56:11 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\gmer.exe
[2009/12/26 19:54:55 | 00,284,915 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\gmer.zip
[2009/12/26 02:23:22 | 04,910,518 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\SASDEFINITIONS.EXE
[2009/12/26 02:18:55 | 00,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/26 02:17:46 | 02,386,270 | ---- | C] () -- C:\MGtools.exe
[2009/12/26 02:17:37 | 07,451,168 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\SUPERAntiSpyware.exe
[2009/12/26 01:50:08 | 00,002,052 | ---- | C] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_015006.reg
[2009/12/26 01:36:27 | 00,112,292 | ---- | C] () -- C:\Documents and Settings\Mark\My Documents\cc_20091226_013623.reg
[2009/12/10 23:54:58 | 01,058,225 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\DBM-4.32-r2645-Core-and-WotLK-Mods.zip
[2009/12/07 17:46:59 | 00,001,622 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Left 4 Dead 2.lnk
[2009/12/03 05:00:59 | 00,007,227 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\RogueFocus.zip
[2009/12/02 23:10:04 | 00,001,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Kleopatra.lnk
[2009/12/02 23:10:04 | 00,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GPA.lnk
[2009/11/30 03:11:10 | 00,000,760 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Fantasy Grounds.lnk
[2009/11/06 10:58:04 | 00,178,975 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/10/30 05:48:04 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/26 11:11:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2009/06/06 06:13:38 | 00,000,127 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\fusioncache.dat
[2009/02/20 09:52:15 | 00,069,024 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/02/20 00:26:19 | 00,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/02/05 13:24:45 | 00,118,176 | ---- | C] () -- C:\WINDOWS\patchw.dll
[2008/12/15 02:04:56 | 00,058,151 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUInstall.LiveUpdate
[2008/10/07 08:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 08:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/07/30 12:57:07 | 00,136,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008/07/30 12:57:07 | 00,022,328 | ---- | C] () -- C:\Documents and Settings\Mark\Application Data\PnkBstrK.sys
[2008/07/20 11:26:31 | 00,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2008/06/05 07:58:26 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/05/19 08:27:25 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/05/19 07:10:07 | 00,230,752 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2008/05/03 00:54:53 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/05/01 22:21:41 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2008/05/01 22:21:41 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2008/04/28 14:39:43 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/27 13:07:32 | 00,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/04/25 11:43:26 | 00,663,552 | ---- | C] () -- C:\WINDOWS\System32\libeay32_1-1-0_DDR.dll
[2008/04/25 11:43:26 | 00,532,594 | ---- | C] () -- C:\WINDOWS\System32\xerces-c_1_40_0_DDR.dll
[2008/04/25 11:43:26 | 00,307,329 | ---- | C] () -- C:\WINDOWS\System32\BJBase_2-2-2_DDR.dll
[2008/04/25 11:43:26 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32_1-1-0_DDR.dll
[2008/04/25 11:43:25 | 00,524,377 | ---- | C] () -- C:\WINDOWS\System32\stlport_4_0_0_DDR.dll
[2008/04/25 11:26:32 | 00,002,397 | ---- | C] () -- C:\WINDOWS\System32\drivers\symlcbrd.sys
[2008/04/22 11:28:21 | 00,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2008/04/22 11:20:09 | 00,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2008/03/31 21:25:46 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\divx_xx0a.dll
[2008/03/21 20:30:08 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/03/21 20:28:54 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/03/21 20:28:54 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/03/21 20:28:20 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/02/25 13:55:32 | 00,101,603 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2008/02/20 20:24:36 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/02/20 20:00:12 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2008/01/31 16:18:14 | 00,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2007/12/05 00:41:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 00:41:00 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/05 00:41:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 00:41:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/05 00:41:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/08/13 19:45:02 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2006/10/02 16:25:18 | 00,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
< End of report >

Title: Re: new worm?, avast doesn' know it
Post by: oldman on December 29, 2009, 06:41:25 PM

Hi MarkWest,

Kaspersky detections are either files we have quarantined or old Restore points. These will be taken care of when we clean up the tools.

Kaspersky also found an Internet chat program, mIRC . It only flagged it as a risk.

Run this little fix. If everytthing seems fine, we'll clean up the tools when you post back.

Next, Double click on OTL.exe

Under the Custom Scans/Fixes box at the bottom, paste in the following
Do Not copy the word CODE
please note the fix starts with the :

Code: [Select]

:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
[2009/12/25 04:15:50 | 00,135,360 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Mark\Desktop\FixBlast.exe

:Services

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe" =-
"C:\Program Files\DNA\btdna.exe"=-

:Files
C:\MGtools.exe
C:\Program Files\DNA

:Commands

Then click the Run Fix button at the top

Let the program run unhindered

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 06:54:36 PM

Ya i use mirc and i realize it's there, i do not accept files on it, and all potentially dangerous files are on auto ignore, about to run the otl custom scan/fix

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 29, 2009, 06:55:57 PM

========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
C:\Documents and Settings\Mark\Desktop\FixBlast.exe moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\DNA\btdna.exe not found.
========== FILES ==========
C:\MGtools.exe moved successfully.
File\Folder C:\Program Files\DNA not found.
========== COMMANDS ==========

OTL by OldTimer - Version 3.1.20.1 log created on 12292009_175455

Here's the log of the fix oh and i removed dna myself with add/remove eariler so that might be why it cannot find it

Title: Re: new worm?, avast doesn' know it
Post by: oldman on December 29, 2009, 08:08:16 PM

Hi MarkWest,

From your desktop, please delete

any notepads/logs that we created
GMER.exe
GMER.zip
SystemLook.exe

Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK
Combofix /uninstall

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep it updated and use it regularly.

Updates and upgrades

You have an older version of Adobe Reader. You can download the current version HERE (http://www.adobe.com/products/acrobat/readstep2.html)

You may want to consider Foxit Reader (http://www.foxitsoftware.com/downloads/index.php) instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum (http://www.foxitsoftware.com/bbs/forumdisplay.php?f=3)

In either case you should uninstall Adobe Reader 8.1.5 first. Be sure to move any PDF documents to another folder first though.

Some Recommendations and prevention tips[/b]

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a firewall and a resident antispyware program.

I suggest these or ask in the General Forum.

Windows Defender (http://www.microsoft.com/athome/security/spyware/software/default.mspx)
OR
Winpatrol (http://www.winpatrol.com/)

* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click FIREWALL (http://www.firewallguide.com/software.htm) for tips, reviews and links to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware, imo)

You should also use Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) to help immunize your computer.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us)(using Internet Explorer) and download and install all critical updates on a regular basis

- Ensure that Automatic Update is turned on so you get all the latest patches.
Click start, control panel, click Security Center.

- Keep your antivirus program updated, as well as any other security programs you have.

- You may also want to read this article By Tony Klein
http://www.freedomlist.com/forum/viewtopic.php?t=22879 (http://www.freedomlist.com/forum/viewtopic.php?t=22879)

Take care

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 30, 2009, 12:09:55 AM

Sorry for estimating earlier that you'd need about 6 posts to post the log.
Turned out to be 15. ;D

How does it feel to have gone through that fix procedure?
Pretty awesome, I'd think (from one who did it, once, a few years back.)

Title: Re: new worm?, avast doesn' know it
Post by: Markwest on December 30, 2009, 12:43:28 AM

was quite a procedure, felt good to have my computer clean though, still i was so panicked, my computer's my life you know, i'm just glad it's clean once again ^^

Thanks for all the help from all of you ^^ will keep you guys in mind for the next time some one wants to infect me, maybe next christmas lol

Title: Re: new worm?, avast doesn' know it
Post by: Tarq57 on December 30, 2009, 12:53:13 AM

Follow those ideas posted above (by Oldman and others) regarding keeping things up to date and having good security, and if your experience is anything like mine, you won't be needing malware removal advice very often, if at all.
Security is a multi-layered strategy. You need to have something covering all layers.
Most of those "somethings" are mentioned 2 posts up.
If you have any questions about any of that, please do ask.

PS, one of the real important "somethings" is making regular backups of important data, perhaps imaging the entire disk, from time to time.