# Trojan horse Generic 11.AV & Trojan horse Dropper.Generic.AAMD



## SKaVeN (Oct 19, 2007)

Hello everyone. I had a problem with my PC once in the past & someone here was really nice & showed me how to fix it, so here I am again with another problem, hoping that someone can help me again.

I got a result in my AVG Anti-Virus scan that had 10 infected files that were not removed.


These are the files:

C:\System Volume Information\_restore{6C78443-313E-4C28-8F15-6B7C41ECCE60}\RP43\A0038541.exe 
Trojan horse Generic11.AV
C:\System Volume Information\_restore{6C78443-313E-4C28-8F15-6B7C41ECCE60}\RP43\A0038541.exe:\IMKKZI~1.EXE 
Trojan horse Generic11.AV
C:\System Volume Information\_restore{6C78443-313E-4C28-8F15-6B7C41ECCE60}\RP43\A0038544.exe 
Trojan horse Dropper.Generic.AAMD
C:\System Volume Information\_restore{6C78443-313E-4C28-8F15-6B7C41ECCE60}\RP43\A0038544.exe:\setup.exe 
Trojan horse Dropper.Generic.AAMD 
C:\System Volume Information\_restore{6C78443-313E-4C28-8F15-6B7C41ECCE60}\RP43\A0038549.exe 
Trojan horse Generic11.AV
C:\System Volume Information\_restore{6C78443-313E-4C28-8F15-6B7C41ECCE60}\RP43\A0038549.exe:\IMKKZI~1.EXE 
Trojan horse Generic11.AV
C:\System Volume Information\_restore{6C78443-313E-4C28-8F15-6B7C41ECCE60}\RP43\A0038551.exe 
Trojan horse Dropper.Generic.AAMD 
C:\System Volume Information\_restore{6C78443-313E-4C28-8F15-6B7C41ECCE60}\RP43\A003851.exe:\setup.exe 
Trojan horse Dropper.Generic.AAMD 
C:\System Volume Information\_restore{6C78443-313E-4C28-8F15-6B7C41ECCE60}\RP43\A0038556.exe 
Trojan horse Generic11.AV
C:\System Volume Information\_restore{6C78443-313E-4C28-8F15-6B7C41ECCE60}\RP43\A0038556.exe:\IMKKZI~1.EXE 
Trojan horse Generic11.AV


Whenever I click the "Remove all unhealed infections" button (in AVG) it always just says "Moved object is bigger than the archive size limit. C:\System Volume Information\_restore{6C78443-313E-4C28-8F15-6B7C41ECCE60}\RP43\A0038541.exe "


Can someone please help?


----------



## SKaVeN (Oct 19, 2007)

BTW, here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:50 PM, on 13/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Keith\Programs\AVG Anti-Spyware 7.5\guard.exe
C:\Keith\Programs\AVG\AVG8\avgwdsvc.exe
C:\Keith\Programs\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Keith\Programs\AVG\AVG8\avgrsx.exe
C:\Keith\Programs\AVG\AVG8\avgemc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\system32\devldr32.exe
C:\Keith\Programs\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Keith\Programs\AVG\AVG8\avgtray.exe
C:\Keith\Programs\AVG Anti-Spyware 7.5\avgas.exe
C:\Keith\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Keith\Useful Programs\Adam ADSL Usage Meter.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Keith\Programs\IncrediMail\bin\IncMail.exe
C:\Keith\Programs\INCRED~1\bin\ImApp.exe
C:\Keith\Programs\Mozilla Firefox\firefox.exe
C:\Keith\Programs\eMule\emule.exe
C:\Keith\Programs\Thumbs7\Thumbs.exe
C:\Keith\Programs\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adam.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O1 - Hosts: 68.178.232.99 www.winmx.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Keith\Programs\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Keith\Programs\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Keith\Programs\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\Keith\Programs\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Keith\Programs\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Keith\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adam ADSL Usage Meter.lnk = C:\Keith\Useful Programs\Adam ADSL Usage Meter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Keith\Programs\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Keith\Programs\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Keith\Programs\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Keith\Programs\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Keith\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Keith\Programs\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135134665984
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Keith\Programs\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Keith\Programs\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Keith\Programs\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Keith\Programs\AVG\AVG8\avgwdsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Keith\Programs\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 6435 bytes


----------



## SKaVeN (Oct 19, 2007)

I have also updated & run a full SUPERAntiSpy scan which didn't detect anything.

Could someone please help me with this, as I am starting to get a little concerned.

Thank you.


----------



## SKaVeN (Oct 19, 2007)

I just ran a VundoFix scan & that didn't find anything either.


----------



## SKaVeN (Oct 19, 2007)

Okay, I just ran the ComboFix scan:

ComboFix 08-08-15.04 - AMD2500 2008-08-16 22:42:15.3 - NTFSx86
Running from: C:\Keith\Useful Programs\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))
.

2008-08-11 18:07 . 2008-08-11 18:07 d--------	C:\Documents and Settings\All Users\Application Data\Martau
2008-08-08 15:14 . 2008-08-12 23:59	464	--a------	C:\log.html
2008-08-08 00:25 . 2008-08-08 00:25 d--------	C:\Documents and Settings\AMD2500\Application Data\Malwarebytes
2008-08-08 00:25 . 2008-08-08 00:25 d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-08 00:25 . 2008-07-30 20:14	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-08 00:25 . 2008-07-30 20:14	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-07 15:48 . 2008-08-07 15:48	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-08-07 15:48 . 2008-08-07 15:48	1,409	--a------	C:\WINDOWS\QTFont.for
2008-08-03 19:56 . 2008-08-03 19:56	38	--a------	C:\WINDOWS\avisplitter.INI
2008-07-22 01:49 . 2008-01-10 21:45	755,027	--a------	C:\WINDOWS\system32\xvidcore.dll
2008-07-22 01:49 . 2008-01-10 21:46	159,839	--a------	C:\WINDOWS\system32\xvidvfw.dll
2008-07-22 01:30 . 2008-07-04 16:04	860,160	--a------	C:\WINDOWS\system32\lameACM.acm
2008-07-22 01:30 . 2007-09-05 02:26	164,352	--a------	C:\WINDOWS\system32\unrar.dll
2008-07-22 01:30 . 2007-09-21 10:22	118,784	--a------	C:\WINDOWS\system32\ac3acm.acm
2008-07-22 01:30 . 2008-06-13 04:06	7,680	--a------	C:\WINDOWS\system32\ff_vfw.dll
2008-07-22 01:30 . 2007-07-11 01:40	547	--a------	C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-07-22 01:30 . 2007-10-04 00:33	414	--a------	C:\WINDOWS\system32\lame_acm.xml
2008-07-17 00:25 . 2008-07-17 00:25 d--------	C:\My Shared Folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-15 05:05	---------	d-----w	C:\Documents and Settings\AMD2500\Application Data\Canon
2008-08-12 15:25	---------	d-----w	C:\Program Files\Common Files\Roxio Shared
2008-08-12 15:03	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-08-12 15:03	---------	d-----w	C:\Program Files\CyberLink
2008-08-12 14:52	---------	d-----w	C:\Program Files\Ulead Systems
2008-07-07 20:32	253,952	----a-w	C:\WINDOWS\system32\es.dll
2008-07-04 00:12	96,520	----a-w	C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 00:12	76,040	----a-w	C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-04 00:12	10,520	----a-w	C:\WINDOWS\system32\avgrsstx.dll
2008-06-30 15:18	---------	d-----w	C:\Documents and Settings\AMD2500\Application Data\SUPERAntiSpyware.com
2008-06-30 15:16	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-06-24 16:23	74,240	----a-w	C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57	826,368	----a-w	C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 17:52	161,096	----a-w	C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-11 00:07	524,288	----a-w	C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:04	200,704	----a-w	C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04	1,044,480	----a-w	C:\WINDOWS\system32\libdivx.dll
2008-06-11 00:03	823,296	----a-w	C:\WINDOWS\system32\divx_xx0c.dll
2008-06-11 00:03	823,296	----a-w	C:\WINDOWS\system32\divx_xx07.dll
2008-06-11 00:03	815,104	----a-w	C:\WINDOWS\system32\divx_xx0a.dll
2008-06-11 00:03	802,816	----a-w	C:\WINDOWS\system32\divx_xx11.dll
2008-06-11 00:03	593,920	----a-w	C:\WINDOWS\system32\dpuGUI11.dll
2008-06-11 00:03	57,344	----a-w	C:\WINDOWS\system32\dpv11.dll
2008-06-11 00:03	53,248	-c--a-w	C:\WINDOWS\system32\dpuGUI10.dll
2008-06-11 00:03	344,064	----a-w	C:\WINDOWS\system32\dpus11.dll
2008-06-11 00:03	294,912	-c--a-w	C:\WINDOWS\system32\dpu10.dll
2008-06-11 00:03	294,912	----a-w	C:\WINDOWS\system32\dpu11.dll
2008-06-11 00:03	196,608	----a-w	C:\WINDOWS\system32\dtu100.dll
2008-05-30 23:22	683,520	----a-w	C:\WINDOWS\system32\divx.dll
2008-05-25 08:13	47,787,248	----a-w	C:\avg_free_stf_en_8_100a1295.exe
2008-05-22 22:22	3,596,288	----a-w	C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:19	81,920	----a-w	C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:18	12,288	----a-w	C:\WINDOWS\system32\DivXWMPExtType.dll
2007-01-23 16:24	63,080	-c--a-w	C:\Documents and Settings\AMD2500\Application Data\GDIPFONTCACHEV1.DAT
2007-01-01 12:56	10,878	-c--a-w	C:\Program Files\INSTALL.LOG
2006-02-16 06:57	2,983	-c--a-w	C:\Program Files\install_wizard.log
2006-05-03 09:06	163,328	--sh--r	C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47	31,232	--sh--r	C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43	27,648	--sh--w	C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Keith\Programs\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:26 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38 49152]
"ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 16:07 617984]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"COMODO Firewall Pro"="C:\Keith\Programs\Comodo\Firewall\CPF.exe" [2008-01-30 21:43 1115728]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"AVG8_TRAY"="C:\Keith\Programs\AVG\AVG8\avgtray.exe" [2008-07-04 09:42 1232152]
"!AVG Anti-Spyware"="C:\Keith\Programs\AVG Anti-Spyware 7.5\avgas.exe" [2008-05-25 17:56 6731312]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 14:05 69632]
"nForce Tray Options"="sstray.exe" [2002-11-13 17:04 73728 C:\WINDOWS\system32\sstray.exe]
"C-Media Mixer"="Mixer.exe" [2002-04-29 18:53 1433600 C:\WINDOWS\mixer.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:26 15360]

C:\Documents and Settings\AMD2500\Start Menu\Programs\Startup\
Adam ADSL Usage Meter.lnk - C:\Keith\Useful Programs\Adam ADSL Usage Meter.exe [2007-09-22 22:25:51 212774]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Keith\Programs\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Keith\Programs\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"vidc.I263"= I263_32.drv
"aux"= ctwdm32.dll
"VIDC.ACDV"= ACDV.dll
"aux1"= ctwdm32.dll
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Australian Personal Dictionary.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\savenow
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Services Loader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows svchost

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Keith\Programs\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
--a------ 2007-11-20 10:38 208946 C:\Keith\Programs\INCRED~1\bin\IncMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magentic]
--a------ 2006-10-10 11:01 315436 C:\PROGRA~1\Magentic\bin\Magentic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-07 09:35 200704 C:\Keith\Programs\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-04-27 09:41 282624 C:\Keith\Programs\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegEasy.exe]
--a------ 2007-09-01 22:50 4078592 C:\Keith\Programs\Registry Easy\RegEasy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-01-09 09:21 253952 C:\Keith\Programs\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-01-13 10:19 757760 C:\Keith\Programs\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 C:\Keith\Programs\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Keith\\Programs\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Keith\\Programs\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Keith\\Programs\\LimeWire\\LimeWire.exe"=
"C:\\Keith\\Programs\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Keith\\Programs\\AVG\\AVG8\\avgupd.exe"=
"C:\\Keith\\Programs\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23215:TCP"= 23215:TCP:BitComet 23215 TCP
"23215:UDP"= 23215:UDP:BitComet 23215 UDP
"21741:TCP"= 21741:TCP:BitComet 21741 TCP
"21741:UDP"= 21741:UDP:BitComet 21741 UDP

R0 PrecSim;PrecSim;C:\WINDOWS\system32\DRIVERS\precsim.sys [2002-05-22 00:00]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-03-29 11:36]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 09:42]
R2 avg8emc;AVG8 E-mail Scanner;C:\Keith\Programs\AVG\AVG8\avgemc.exe [2008-07-04 09:42]
R2 avg8wd;AVG8 WatchDog;C:\Keith\Programs\AVG\AVG8\avgwdsvc.exe [2008-07-04 09:42]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 09:42]
S2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\system32\DRIVERS\nvtunep.sys [2002-06-27 15:32]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys [2002-06-27 15:32]
S3 WCPUID;WCPUID;D:\CPU ID\WCPUID.SYS []

*Newly Created Service* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7FDA5DA0-0C92-E780-F273-B9207984D491}]
C:\WINDOWS\system32:svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,260
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - AMD2500.job
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe []
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.adam.com.au/

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 22:50:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-16 22:59:58
ComboFix-quarantined-files.txt 2008-08-16 13:29:00
ComboFix2.txt 2008-08-16 12:52:33
ComboFix3.txt 2007-10-20 09:44:35

Pre-Run: 27,658,752,000 bytes free
Post-Run: 27,641,368,576 bytes free

209	--- E O F ---	2008-08-14 15:03:45


----------



## SKaVeN (Oct 19, 2007)

Okay, now I just updated SUPERAntiSpyware, made sure that "close browsers before scanning", "scan for tracking cookies" & "terminate memory threats before quarantining" were enabled, did a full scan & rebooted the PC. This is the log for that:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/17/2008 at 01:37 AM

Application Version : 4.15.1000

Core Rules Database Version : 3538
Trace Rules Database Version: 1527

Scan type : Complete Scan
Total Scan Time : 02:27:11

Memory items scanned : 368
Memory threats detected : 0
Registry items scanned : 7295
Registry threats detected : 0
File items scanned : 29100
File threats detected : 0

Adware.Tracking Cookie
.youporn.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.mediaspy.org [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
www.aussiesexposed.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.adultadworld.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.adultadworld.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.adultadworld.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.xiti.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.focalex.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.focalex.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.screensavers-free.co.uk [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.screensavers-free.co.uk [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.screensaverfree.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.screensaverfree.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.fullscreensavers.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.fullscreensavers.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
www1.addfreestats.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
www5.addfreestats.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.popularscreensavers.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.popularscreensavers.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.screensaver-network.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.screensaver-network.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.top100screensavers.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.top100screensavers.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.screensaver.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.screensaver.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.register.screensaver.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.register.screensaver.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
www8.addfreestats.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
adstats.cdfreaks.com [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\AMD2500\Application Data\Mozilla\Firefox\Profiles\ifi5xnu5.default\cookies.txt ]


----------



## SKaVeN (Oct 19, 2007)

Could someone please tell me what to do now?

Should I KillBox something?


----------



## SKaVeN (Oct 19, 2007)

BUMP

Hello again,

Has anyone figured out a way to help me yet? I'm starting to get worried that this thing will develop into something more serious. 

Have I provided enough information?

I'd really appreciate it if someone could help me or perhaps suggest where I could get some assistance.

Thank you again.


----------

