Author Topic: Win32:Agent + Win32:Zhelatin + many outgoing smtp connections from svchost.exe  (Read 38506 times)

Phoebe82

  • Guest
-- Scheduled Tasks -------------------------------------------------------------

2008-03-21 17:16:19       388 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-03-29 and 2008-04-29 -----------------------------

2008-04-29 14:37:59         0 d-------- C:\Documents and Settings\User\Application Data\OnlineArmor
2008-04-29 14:37:59         0 d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-04-29 14:20:05         0 d-------- C:\Documents and Settings\User\Application Data\MSNInstaller
2008-04-29 02:45:02     10240 --a------ C:\WINDOWS\system32\WinNt32.dll
2008-04-29 02:35:47     53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-29 02:31:56     68096 --a------ C:\WINDOWS\zip.exe
2008-04-29 02:31:56     49152 --a------ C:\WINDOWS\VFind.exe
2008-04-29 02:31:56    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-29 02:31:56    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-29 02:31:56    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-29 02:31:56     98816 --a------ C:\WINDOWS\sed.exe
2008-04-29 02:31:56     80412 --a------ C:\WINDOWS\grep.exe
2008-04-29 02:31:56     73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-29 01:49:33         0 d-------- C:\OnlineArmor
2008-04-29 01:13:06         0 d-------- C:\Program Files\Common Files\Java
2008-04-29 01:06:48         0 d-------- C:\WINDOWS\SxsCaPendDel
2008-04-28 16:33:00         0 d-------- C:\Program Files\Tall Emu
2008-04-28 16:13:58    141312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-04-28 16:13:57         0 d-------- C:\Documents and Settings\User\Application Data\Spyware Terminator
2008-04-28 16:13:57         0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-04-28 16:13:54         0 d-------- C:\Program Files\Spyware Terminator
2008-04-26 21:58:10         0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-04-26 02:46:55         0 d-------- C:\Program Files\Trend Micro
2008-04-26 02:19:04         0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-26 02:18:59         0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-26 02:18:59         0 d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-04-26 01:04:51         0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-26 01:04:51         0 d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2008-04-26 01:04:51         0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-26 01:04:50         0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-04-26 01:04:50         0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-26 01:04:50         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-26 01:04:50         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-26 01:04:50         0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-26 01:04:50         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-26 01:04:50         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-26 01:04:50         0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-26 01:04:50         0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-26 01:04:50         0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-26 01:04:50         0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-26 01:04:50         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-26 01:04:50         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-26 01:04:50         0 d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-04-26 01:04:50         0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-04-26 01:04:50         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-26 01:04:50         0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-04-26 01:04:49   1310720 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-26 00:20:57     14976 --a------ C:\WINDOWS\system32\drivers\Ovd75.sys
2008-04-25 14:10:24         0 d-------- C:\Program Files\Common Files\SWF Studio
2008-04-25 12:17:07     11776 --a------ C:\Documents and Settings\User\win.exe
2008-04-16 12:49:23         0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-04-16 12:42:17         0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-03-29 16:33:21         0 d-------- C:\Program Files\Project64 v1.5


-- Find3M Report ---------------------------------------------------------------

2008-04-29 01:13:47         0 d-------- C:\Program Files\Java
2008-04-29 01:13:06         0 d-------- C:\Program Files\Common Files
2008-04-29 01:06:05         0 d-------- C:\Program Files\Winamp
2008-04-29 00:56:46         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-29 00:55:45         0 d-------- C:\Program Files\Carrie The Caregiver
2008-04-29 00:55:18         0 d-------- C:\Documents and Settings\User\Application Data\Macromedia
2008-04-29 00:53:48         0 d-------- C:\Program Files\Common Files\ACD Systems
2008-04-26 02:18:24         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-25 22:47:19         0 d-------- C:\Program Files\Workrave
2008-04-20 18:39:42         0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2008-03-11 10:34:22         0 d-------- C:\Documents and Settings\User\Application Data\Workrave
2008-03-06 00:04:53      2828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-03 10:58:24       681 --a------ C:\WINDOWS\mozver.dat
2008-02-28 19:47:12    356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-02-18 23:47:11     48762 --a------ C:\barstyle.dat


Phoebe82

  • Guest
-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-13 05:43]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 12:55]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 12:52]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 12:55]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 14:49 C:\WINDOWS\RTHDCPL.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-23 21:40]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-14 07:28]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-12-02 02:13]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 20:20]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-16 01:52]
"ZoomingHook"="ZoomingHook.exe" [2005-06-07 00:58 C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 07:13]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-02 04:45]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-12-01 03:25]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-02 04:45]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-12-06 05:50 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TDispVol"="TDispVol.exe" [2005-12-28 07:34 C:\WINDOWS\system32\TDispVol.exe]
"TPSMain"="TPSMain.exe" [2005-06-01 08:16 C:\WINDOWS\system32\TPSMain.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 05:29 C:\WINDOWS\agrsmmsg.exe]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2005-12-16 15:32]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 12:37]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-30 01:37]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-04-17 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 15:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 19:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Check for TWS Updates.lnk - C:\Jts\WiseUpdt.exe [2007-07-29 17:09:44]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-09 14:19:13]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-12-07 14:01:32]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-12-22 09:00:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2005-12-16 15:46 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinNt32]
WinNt32.dll 2008-04-29 14:47 10240 C:\WINDOWS\system32\WinNt32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cjp85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mtb53.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ovc63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ovd75.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wel74.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\start_here.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0909d8a2-3a9e-11dc-9912-001302a7c7d6}]
AutoRun\command- F:\ntde1ect.com
explore\Command- F:\ntde1ect.com
open\Command- F:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7016ba4-71aa-11dc-999d-001302a7c7d6}]
AutoRun\command- G:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-04-29 15:25:25 ------------

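The helpers on this thread read the registry dump above by eye, but the three things that stand out in it can be checked mechanically: the Winlogon Notify DLL (WinNt32.dll) written on the day of the scan, the SafeBoot\Minimal entries for drivers with three-letter-plus-two-digit names (Cjp85.sys, Mtb53.sys, Ovc63.sys, Ovd75.sys, Wel74.sys), and the MountPoints2 AutoRun handlers that launch executables from removable drives (F:\ntde1ect.com, which imitates ntdetect.com). The Python script below is an added example by the editor, not part of the thread and not code from Deckard's System Scanner; SAMPLE_DUMP is a constructed excerpt modelled on the posted dump (the vga.sys entry is added as a stock control that DSS itself would have hidden), and the heuristics are the editor's.

```python
"""Triage a Deckard's System Scanner (DSS) registry dump for the three persistence
patterns visible in the log above: a Winlogon Notify DLL written on the day of the
scan, SafeBoot\\Minimal entries for drivers with <Xxx><dd>.sys names, and
MountPoints2 AutoRun handlers that launch executables from removable drives.

Added example by the editor, not part of the thread and not DSS code. SAMPLE_DUMP is
a constructed excerpt modelled on the posted dump; vga.sys is added as a stock
control entry that DSS itself would have hidden."""
import re

SCAN_DATE = "2008-04-29"   # from the "finished at" footer of the posted log

SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2005-12-16 15:46 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinNt32]
WinNt32.dll 2008-04-29 14:47 10240 C:\WINDOWS\system32\WinNt32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cjp85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ovd75.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0909d8a2-3a9e-11dc-9912-001302a7c7d6}]
AutoRun\command- F:\ntde1ect.com
explore\Command- F:\ntde1ect.com
open\Command- F:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7016ba4-71aa-11dc-999d-001302a7c7d6}]
AutoRun\command- G:\LaunchU3.exe -a
"""

# Every SafeBoot\Minimal driver in the posted dump, and every driver in polonus's
# removal script, is named <capital><two lowercase><two digits>.sys.
RANDOM_SYS = re.compile(r"^[A-Z][a-z]{2}\d{2}\.sys$")
# DSS Notify value line: "<dll> <yyyy-mm-dd> <hh:mm> <size> <full path>"
NOTIFY_LINE = re.compile(r"^(.+?\.dll)\s+(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+\d+\s+(\S.*)$")
AUTORUN_LINE = re.compile(r"^(?:AutoRun\\command|explore\\Command|open\\Command)- ([A-Z]:\\.*)$", re.I)


def parse_sections(dump):
    """Yield (registry key, [value lines]) for each [HKEY_...] block of the dump."""
    key, body = None, []
    for line in dump.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, body
            key, body = line[1:-1], []
        elif line and key is not None:
            body.append(line)
    if key is not None:
        yield key, body


def triage(dump, scan_date=SCAN_DATE):
    """Return [(category, detail)] findings, deduplicated, in dump order."""
    findings = []
    for key, body in parse_sections(dump):
        low = key.lower()
        if "\\winlogon\\notify\\" in low:
            for line in body:
                m = NOTIFY_LINE.match(line)
                # A Notify DLL is loaded by winlogon.exe itself; one written on the
                # day of the scan, next to vendor DLLs from 2005, deserves a look.
                if m and m.group(2) == scan_date:
                    findings.append(("winlogon-notify", m.group(3)))
        elif "\\safeboot\\minimal\\" in low:
            name = key.rsplit("\\", 1)[1]
            if RANDOM_SYS.match(name):   # driver also registered to load in Safe Mode
                findings.append(("safeboot-driver", name))
        elif "\\mountpoints2\\" in low:
            for line in body:
                m = AUTORUN_LINE.match(line)
                if m and ("autorun", m.group(1)) not in findings:
                    findings.append(("autorun", m.group(1)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DUMP):
        print(f"{category:<16} {detail}")
```

Run as-is it prints five findings from the sample. The AutoRun list is a review list, not a verdict: G:\LaunchU3.exe is the normal U3 flash-drive launcher, while F:\ntde1ect.com spells ntdetect.com with a digit 1 and is the classic removable-drive worm handler, so that MountPoints2 key and the drive's own autorun.inf both need checking. To use it on another machine, pass the text of the DSS main.txt to triage() and set scan_date from its footer.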
Phoebe82

  • Guest
Here's the extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel(R) CPU           T2400  @ 1.83GHz
CPU 1: Genuine Intel(R) CPU           T2400  @ 1.83GHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 1022.04 MiB / 568.32 MiB
Pagefile Memory (total/avail): 1694.61 MiB / 1254.39 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1944.14 MiB

C: is Fixed (NTFS) - 92.97 GiB total, 71.78 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS541010G9SA00 - 92.97 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 92.97 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

FW: Online Armor Firewall v2.1.0.131 (Tall Emu) Disabled
AV: avast! antivirus 4.8.1169 [VPS 080429-0] v4.8.1169 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-4BA80FE486
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\YOUR-4BA80FE486
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=YOUR-4BA80FE486
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS

Phoebe82

  • Guest
-- User Profiles ---------------------------------------------------------------

User (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 7.0 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Apple Software Update --> MsiExec.exe /I{55FA89BD-21D3-42F7-9249-C94C0094A83C}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{F81A6380-255D-41F9-B04A-FE40DC392FBF}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BitComet 0.70 --> C:\Program Files\BitComet\uninst.exe
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Cake Mania Deluxe --> "C:\Program Files\eGames\Cake Mania Deluxe\unins000.exe"
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
CorelDRAW Graphics Suite X3 --> MsiExec.exe /I{63218538-4A69-497F-8455-904261B0E9E4}
DVD-RAM Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}\setup.exe" -l0x9 DVD-RAM Driver
EN --> MsiExec.exe /I{32A72502-BC2C-4C39-ACEA-BC3D463F0697}
FontNav --> MsiExec.exe /I{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}
Football Manager 2007 --> C:\Program Files\Sports Interactive\Football Manager 2007\uninstall\Uninstall FM 2007.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) PRO Network Connections Drivers --> Prounstl.exe
Intel(R) PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterVideo WinDVD Creator 2 --> "C:\Program Files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
InterVideo WinDVD for TOSHIBA --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
Java(TM) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
K-Lite Codec Pack 2.63 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
LINDO 6.1 --> C:\WINDOWS\uninst.exe -fC:\LINDO61\DeIsL1.isu  -cC:\LINDO61\_ISREG32.DLL
Macromedia FreeHand 9 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Macromedia\FreeHand 9\Uninst.isu"
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote 2003 --> MsiExec.exe /I{90A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.7) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN Money Investment Toolbox --> "C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:5
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Online Armor 2.1 --> "C:\Program Files\Tall Emu\Online Armor\unins000.exe"
Options Simulator 1.0 --> "C:\Program Files\Options Simulator\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Pizza Frenzy --> C:\Program Files\Pizza Frenzy\UNWISE.EXE C:\Program Files\Pizza Frenzy\INSTALL.LOG
PL-2303 USB-to-Serial --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe" -l0x9 Installed
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9  -removeonly
Sandlot Games Client Services --> "C:\Program Files\Common Files\Sandlot Shared\unins000.exe"
SD Secure Module --> MsiExec.exe /X{C45F4811-31D5-4786-801D-F79CD06EDD85}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
SmartCapture V1.11 --> C:\Program Files\SmartCapture\SCSetup.exe Uninstall
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Spyware Terminator --> "C:\Program Files\Spyware Terminator\unins000.exe"
Sterling's Gift --> "C:\Program Files\Sterling's Gift\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4497AFF6-98C4-4F49-B073-F48F42BCBF9E} /l1033
The DecisionTools Suite --> C:\WINDOWS\system32\unwise32.EXE C:\DTOOLS\Install.log  The DecisionTools Suite
The Options Toolbox v5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{302BF4A9-0AEB-41A6-8838-A9497F07B508}\Setup.exe"  -uninst

Phoebe82

  • Guest
TOSHIBA Accessibility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3A57482F-BEBC-47E4-ADA1-6302403C7E50} /l1033
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\Setup.exe" -l0x9
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Controls --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5BCA8D15-BCB6-421E-9654-238B43456A4F} /l1033
TOSHIBA Fn-esse --> C:\WINDOWS\UnInst32.exe Fn-esse.UNI
TOSHIBA Hardware Setup --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1033
TOSHIBA Hotkey Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7900D3A6-A9E8-4954-ACCB-AB15867978BF} /l1033
TOSHIBA PC Diagnostic Tool --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\PCDiag\Uninst.isu"
TOSHIBA Power Saver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A38D57D1-5F29-4691-B3DD-FE4B3A7B3AFE} /l1033
TOSHIBA SD Memory Card Format --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48CF9A66-5F03-4025-ABD0-B3A3FA095A59}\Setup.exe"
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
TOSHIBA Supervisor Password --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1033
TOSHIBA Virtual Sound --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B12BA86-ADAC-4BA6-B441-FFC591087252}\Setup.exe"  /uninstall
TOSHIBA Zooming Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{02EED746-8C5A-43C8-BB3D-D29C8B363A4D} /l1033
Touch and Launch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\Setup.exe"
TouchPad On/Off Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{80977342-27E8-4FF7-8B6A-D8D89461DA7F} /l1033
Trader Workstation 4.0 --> C:\Jts\UNWISE.EXE C:\Jts\INSTALL.LOG
TuneUp Utilities 2006 --> MsiExec.exe /I{868D7896-99D4-4513-BC62-2B3AD3E24926}
Update Manager --> MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
VBA --> MsiExec.exe /I{C94E45B0-6AA6-4FB9-9AAE-22085F631880}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type21098 / Warning
Event Submitted/Written: 04/29/2008 01:01:57 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{0D80391C-0A72-43BB-9BC2-143F63CC111D}', feature 'PCCS' failed during request for component '{68C941D7-B284-4317-B304-5F389BFDB05D}'

Event Record #/Type21097 / Warning
Event Submitted/Written: 04/29/2008 01:01:57 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{0D80391C-0A72-43BB-9BC2-143F63CC111D}', feature 'PCCS', component '{3AC4AA25-A28A-4F09-826A-30CA0A620F35}' failed.  The resource 'C:\WINDOWS\system32\mfc71u.dll' does not exist.

Event Record #/Type21086 / Error
Event Submitted/Written: 04/28/2008 10:39:55 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type21069 / Warning
Event Submitted/Written: 04/26/2008 03:13:46 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type21063 / Error
Event Submitted/Written: 04/26/2008 03:04:30 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SUPERAntiSpyware.exe, version 4.0.0.1154, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type28844 / Warning
Event Submitted/Written: 04/29/2008 03:18:07 PM
Event ID/Source: 1006 / Dhcp
Event Description:
Your computer was unable to automatically configure the IP parameters for
the Network Card with the network address 001302A7C7D6.  The following error occurred
during configuration: %%10013.

Event Record #/Type28840 / Warning
Event Submitted/Written: 04/29/2008 03:15:08 PM
Event ID/Source: 1006 / Dhcp
Event Description:
Your computer was unable to automatically configure the IP parameters for
the Network Card with the network address 001302A7C7D6.  The following error occurred
during configuration: %%10013.

Event Record #/Type28833 / Warning
Event Submitted/Written: 04/29/2008 03:08:04 PM
Event ID/Source: 1009 / Dhcp
Event Description:
A network error occurred when trying to send a message. The error code is: %%10038.

Event Record #/Type28831 / Warning
Event Submitted/Written: 04/29/2008 03:08:02 PM
Event ID/Source: 1009 / Dhcp
Event Description:
A network error occurred when trying to send a message. The error code is: %%10038.

Event Record #/Type28697 / Warning
Event Submitted/Written: 04/29/2008 01:50:28 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-04-29 15:25:25 ------------


Phoebe82

  • Guest
Dear Oldman,

One interesting finding from the Online Armor firewall status/activity is that
there's file activity from c:\windows\system32\winlogon.exe
(I've sent the file to Alwil Software too).

I blocked it, but it still does mass mailing (there's an icon that shows up in the tray at startup).
I put it in the Chest, and the mass mailing stops (no icon anymore, or is it mass mailing in the background?).

But analyzing winlogon.exe through virustotal.com didn't find anything.

And one more thing:

svchost.exe: is it OK if it is allowed to access the internet?
If I block it, I cannot connect to the internet, but if I allow it, there's some svchost.exe activity.

Please advise.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Hi Phoebe82,

This is info about the malware file:
http://virscan.org/report/33612dc52ef7113cc2a28b6aa53847de.html

Look for the mentioned file:
G:\WINDOWS\system32\WLCtrl32.dll
Right-click the file and choose "Change Name".
Change the name of the file.

Download IceSword and unzip it to your desktop into a folder.
- Open that folder and double-click the "Sword icon" to start IceSword.
- Left-click File.
- Choose This Computer in IceSword and navigate to these driver files:

 DeleteFile('C:\WINDOWS\System32\Drivers\Ipw75.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Bip20.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Bip64.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Dkr18.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Dlr52.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Ems30.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Exe20.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Fmt20.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Fmt86.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Ipv42.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Ipv74.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Ipw86.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Jqw17.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Jrx30.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Jrx63.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Lsa07.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Lsy28.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Mta85.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Ovd75.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Owd85.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Pwd28.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Pwd52.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Qxe74.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Qxf17.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Ryg86.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Sag30.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Sag63.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Ucj75.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Vdj17.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Vqx17.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Wek63.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Wfl52.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Wfl85.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Xfm07.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Xgm07.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\Ygn86.sys');
 G:\WINDOWS\System32\Drivers\Yiu73.sys


- Right-click and choose delete if any are found.
For a cleansing routine consider this: http://virusinfo.info/showthread.php?p=201144

Now restart your PC and post a new ComboFix log.

Download Malwarebytes' Anti-Malware onto your desktop from here:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Double-click mbam-setup.exe and choose "Next" to install this tool.
When the installation is complete, put a tick at "Update MalwareBytes' Anti-Malware" and at "Launch MalwareBytes' Anti-Malware".
Then click "Finish".
In the main frame choose the tab "Scanner", then select "Perform full scan".
Click "Scan" and make sure all hard disks/partitions are selected.
Then click "Start Scan".
When the scan has finished, click OK, then "Show Results" to see the scan results.
Make sure all are selected, then click "Remove Selected".
Whenever the program asks for a restart, allow it.
Then a log will open (mbam-log-XX-XX-XXXX(xx-xx-xx).txt).
Attach this log next to your ComboFix log in your next posting.

polonus

« Last Edit: April 29, 2008, 12:18:52 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Phoebe82

  • Guest
Hi Polonus,

I'm a bit confused by your feedback.
I've downloaded IceSword, but there are a few things I want to confirm before running the program:
1. I only have one hard drive (slave), C:, and a DVD-ROM, D:. I couldn't find the G: you mentioned. Is it hidden?
    In Explorer (with the show-all-hidden-files option) I still cannot find G:.
2. WinNT32.dll and WlCtrl32.dll were found, but in C:\Qoobox\Quarantine\C\Windows\System32 with the names WinNT32.dll.vir and WlCtrl32.dll.vir.
    What is Qoobox? Is it OK to leave it there? Can I delete the entire Qoobox folder? It also contains C:\Qoobox\Quarantine\C\Windows\MSNImport.exe.vir.
3. Some of the drivers you recommended deleting I couldn't find in C:\WINDOWS\System32\Drivers\.
   Searching the entire local drive also gave no result.
4. I couldn't find this one either, G:\WINDOWS\System32\Drivers\Yiu73.sys, through Explorer or search.

Please advise what to do.

Thanks in advance for the help,
BR,
Phoebe.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Hi Phoebe82,

I based the details on other findings of this malware; yours may not be identical, and those can therefore be omitted. Forget about the G: drive, you may not have it. See what IceSword finds and then post the logfile; not all of its findings should be malicious, see what you get. You can follow that up with the MalwareBytes routine. Also wait for what oldman may recommend further,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Phoebe82

  • Guest
Hi polonus,

I've run IceSword, but I'm really not familiar with the program.
What should I do (which clicks) to get what IceSword finds? And how do I create the log file?

Thanks

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Hi Phoebe82,

Just get IceSword and look in the process list for items in RED. Those are items that are not visible to the OS directly (aka possible rootkits). Instructions: http://www.castlecops.com/t165203-IceSword_Instructions_in_English_Illustrated.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Hi, I'm kinda getting in the middle here.

The files you found in Qoobox are files removed by ComboFix. Leave them there.

I found another one to test at virustotal

C:\Documents and Settings\User\win.exe
C:\WINDOWS\system32\drivers\Ovd75.sys


The icon, does it look like the image below?

What did you move to the chest?

Go ahead with the malwarebytes scan.



« Last Edit: April 29, 2008, 10:05:43 PM by oldman »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Hi oldman,

You know you'd never turn up in the wrong moment ;D. Let us wait for the results of the virustotal scan and the results of the malwarebytes scan, then we can evaluate these results together and plan a further cleansing scheme ;),

pol
« Last Edit: April 30, 2008, 01:20:42 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Phoebe82

  • Guest
Hi Oldman, here's the feedback.

I found another one to test at virustotal
C:\Documents and Settings\User\win.exe

result:
http://www.virustotal.com/analisis/b6ec081165f50e25ef3aca33f01f8707
18 scanners found a virus, as follows:
===============================================
Antivirus     Version     Last Update     Result
AhnLab-V3   2008.4.30.0   2008.04.30   Win-Trojan/Xema.variant
AntiVir   7.8.0.10   2008.04.30   TR/Dropper.Gen
Authentium   4.93.8   2008.04.27   -
Avast   4.8.1169.0   2008.04.30   -
AVG   7.5.0.516   2008.04.30   Win32/Agent
BitDefender   7.2   2008.04.30   Trojan.Kobcka.DP
CAT-QuickHeal   9.50   2008.04.29   TrojanDownloader.Mutant.ob
ClamAV   0.92.1   2008.04.30   Trojan.Kobcka-11
DrWeb   4.44.0.09170   2008.04.29   Trojan.DownLoader.59056
eSafe   7.0.15.0   2008.04.28   -
eTrust-Vet   31.3.5746   2008.04.30   -
Ewido   4.0   2008.04.29   -
F-Prot   4.4.2.54   2008.04.30   -
F-Secure   6.70.13260.0   2008.04.30   Trojan-Downloader.Win32.Mutant.ob
Fortinet   3.14.0.0   2008.04.29   W32/Mutant.OB!tr.dldr
Ikarus   T3.1.1.26   2008.04.30   Trojan-Dropper.Win32.Agent.qsb
Kaspersky   7.0.0.125   2008.04.30   Trojan-Downloader.Win32.Mutant.ob
McAfee   5284   2008.04.29   -
Microsoft   1.3408   2008.04.22   -
NOD32v2   3064   2008.04.29   Win32/TrojanDownloader.Wigon.N
Norman   5.80.02   2008.04.29   W32/Smalldrp.VWE
Panda   9.0.0.4   2008.04.30   -
Prevx1   V2   2008.04.30   TROJAN.PANDEX
Rising   20.42.20.00   2008.04.30   -
Sophos   4.28.0   2008.04.30   Mal/Generic-A
Sunbelt   3.0.1056.0   2008.04.17   -
Symantec   10   2008.04.30   -
TheHacker   6.2.92.297   2008.04.29   Trojan/Downloader.Mutant.ob
VBA32   3.12.6.5   2008.04.29   Trojan-Downloader.Win32.Mutant.ob
VirusBuster   4.3.26:9   2008.04.29   -
Webwasher-Gateway   6.6.2   2008.04.30   Trojan.Dropper.Gen
===============================================
and from VirScan.org result:
http://virscan.org/report/0fb5ec35d978ca3f356683ee177f24be.html

C:\WINDOWS\system32\drivers\Ovd75.sys

I cannot upload Ovd75.sys to virustotal.com...
Any clue?
I tried with VirSCAN.org; it said it can't find the upload file.
I tried to zip the file, but it reported an error that the file cannot be read.


The icon, does it look like the image below?
Absolutely correct! That's the icon that appears, but it links to one of the Avast programs, ashmaisv.exe... ???

What did you move to the chest?
BN17.tmp => C:\windows\temp
winlogon.exe => C:\windows\system32
WinNt32.dll => C:\windows\system32

« Last Edit: April 30, 2008, 10:01:27 AM by Phoebe82 »

Phoebe82

  • Guest
Hi Oldman,

I tried to put win.exe (successful) and Ovd75.sys (still cannot) into the chest.

The report from the chest is as follows:
Program cannot Add to chest the following file: C:\WINDOWS\system32\drivers\Ovd75.sys
--->Description: Access is denied