I Want 2 Try And Remove This Trojan Manually.

Hello everybody. I have been a BD user for about 2 years now. I currently have a 2 yr subscription to Internet Security 08.

I have never had a problem with viruses because BD is amazing. I don't really have a problem right now as far as my computers functionality because BD has quarantined the trojan. However, I don't want it to be an issue later so I would like to manually remove this Trojan.

I have been searching around the internet (google) all morning and have not been able to find a removal tool or specific instructions on how to go about removing this specific Trojan.

I was hoping to find a post here about it, but I was unable to find a relevant post about my specific issue. So on to my issue then.

Overnight system scan picked up Trojan.Download.Delf.NMB

~BD Results~

Trojan.Download.Delf.NMB - "delete failed" on 2 issues(s).

infected: =>HKEY_LOCAL_MACHINE\SOFTWA...Setup=>C:\PROGRAM FILES\COMMON FILES\SETUP.EXE

infected: C:\Program Files\Common Files\setup.exe

In the Results Summary all of the actions available failed. And Now the only option to continue with is "No Action is possilbe" (yikes!)

All ideas are appreciated!

Find more posts tagged with

Comments

Niels

Hello haynest,

Can you please give the entire path where BitDefender found the infection in the registry? Click on start,my computer,program files,common files. Now search for setup.exe select it and delete it. The reason why BitDefender couldn't take any action could be because the infection was found inside the installer.

Please download Deckard's System Scanner. You need to save it on your desktop. Close all other applications and windows. First right click on dss(.exe) and choose for run as administrator. Now double click on dss(.exe) Confirm the warnings. It can take a while. Please copy the content of main and extra textfiles. Extra will be minimized and paste it at your next post. Because it will be large spread them about a few posts or attach the reports.

Kind regards,

Niels

haynest

Hello and thanks for your help.

I first went to the directory where the file was found to try and delete it. The file is not there. So I made sure that I could view system and hidden files from that folder. The option to view those files was already enabled.

I ran Deckards System Scanner as you suggested. However, just before it finishes is comes up with an error pop up window from microsoft. The classic "Windows encountered a problem and needs to close."

The error siggy says AppName dss.exe, ModName:ntdll.dll. I am sure these details are not needed at this point. So I cannot post a log for you Unless you have another suggestion.

Niels

Hello haynest,

Please download hijack this to download it and for the instructions take a look here. Post the output here or put it as an attachment.

After that download combofix you will find it here. Print the following instructions and read them carefully. Please post the output of the scan into your next post. So I or someone else can see if there is still some infections. Do not move your mouse pointer or click because it can cause a freeze.

Kind regards,

Niels

haynest

Here is the Hijack log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:49:35 PM, on 7/10/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\LMabcoms.exe

C:\Program Files\CCP Server 5\ccpsrv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [Microsoft] schost.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [RAMDrive] "C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe"

O4 - HKLM\..\Run: [setup] C:\Program Files\Common Files\setup.exe -cleaning

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"

O4 - HKLM\..\RunServices: [Microsoft] schost.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -clientconfig cas -clientapp caserver.exe -silent

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - https://www.ueclassroom.sprint.com/SiteRoot...raUpdaterAx.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197394718140

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6AB0F8C9-E5E9-47FD-9E9A-7AB3586F0BC8}: NameServer = 192.168.0.1

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

haynest

Ok, followed your instructions. Here is the combofix log.

ComboFix 08-07-09.5 - P 2008-07-10 15:04:48.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1432 [GMT -4:00]

Running from: C:\Documents and Settings\P\Desktop\Downloaded Files\ComboFix.exe

Command switches used :: C:\Documents and Settings\P\Desktop\Downloaded Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

* Created a new restore point

* Resident AV is active

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\bszip.dll

((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))

2008-07-10 10:54 . 2008-07-10 10:54 <DIR> d-------- C:\Program Files\Trend Micro

2008-07-10 10:06 . 2008-07-10 10:06 <DIR> d-------- C:\Deckard

2008-07-07 12:01 . 2008-07-10 15:11 81,984 --a------ C:\WINDOWS\system32\bdod.bin

2008-07-07 12:00 . 2008-07-07 12:00 <DIR> d-------- C:\Documents and Settings\P\Application Data\BitDefender

2008-07-07 11:59 . 2008-07-07 11:59 <DIR> d-------- C:\Program Files\BitDefender

2008-07-07 11:59 . 2008-07-07 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender

2008-07-07 11:58 . 2008-07-07 11:59 <DIR> d-------- C:\Program Files\Common Files\BitDefender

2008-07-06 14:22 . 2008-07-06 14:22 <DIR> d-------- C:\WINDOWS\system32\scripting

2008-07-06 14:22 . 2008-07-06 14:22 <DIR> d-------- C:\WINDOWS\system32\en

2008-07-06 14:22 . 2008-07-06 14:22 <DIR> d-------- C:\WINDOWS\l2schemas

2008-07-06 14:20 . 2008-07-10 03:00 1,374 --a------ C:\WINDOWS\imsins.BAK

2008-07-06 14:16 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll

2008-07-06 14:16 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\system32\windowscodec###t.dll

2008-07-06 14:16 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\system32\wmphoto.dll

2008-07-06 14:16 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll

2008-07-06 14:16 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll

2008-07-06 14:16 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll

2008-07-06 14:16 . 2008-04-13 20:12 32,768 --------- C:\WINDOWS\system32\setupn.exe

2008-07-06 14:16 . 2008-04-13 14:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys

2008-07-01 13:00 . 2008-07-01 13:00 <DIR> d-------- C:\WINDOWS\Migo Recover Lost Data

2008-07-01 13:00 . 2008-07-01 13:00 <DIR> d-------- C:\Program Files\Migo Software

2008-06-29 11:35 . 2008-07-02 11:04 <DIR> d-------- C:\Program Files\Pixel Mine

2008-06-26 10:03 . 2008-06-26 10:03 <DIR> d-------- C:\WINDOWS\system32\NtmsData

2008-06-25 15:56 . 2008-06-25 15:56 <DIR> d-------- C:\Program Files\gBurner

2008-06-23 17:48 . 2008-06-23 17:48 <DIR> d-------- C:\Program Files\Acclaim

2008-06-20 13:46 . 2008-06-20 13:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 13:46 . 2008-06-20 13:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 07:51 . 2008-06-20 07:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 07:40 . 2008-06-20 07:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 07:08 . 2008-06-20 07:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-19 14:53 . 2008-06-19 14:53 <DIR> d-------- C:\Program Files\OGPlanet

2008-06-18 11:42 . 2008-06-18 11:42 <DIR> d-------- C:\Program Files\Common Files\INCA Shared

2008-06-18 11:42 . 2003-07-20 23:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd

2008-06-18 11:42 . 2005-01-04 14:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys

2008-06-17 11:09 . 2008-06-17 11:09 <DIR> d-------- C:\Program Files\PlayComet

2008-06-11 10:56 . 2006-11-19 19:57 505,344 --a------ C:\WINDOWS\system32\DDSystemIO.dll

2008-06-11 10:56 . 2006-09-03 13:17 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL

2008-06-11 10:55 . 2008-06-11 10:58 <DIR> d-------- C:\Program Files\NetAnalysis

2008-06-11 10:55 . 2006-09-03 13:17 1,836,128 --a------ C:\WINDOWS\system32\arpro2.dll

2008-06-11 10:55 . 2006-09-03 13:17 1,064,960 --a------ C:\WINDOWS\system32\tdbg8.ocx

2008-06-11 10:55 . 2006-09-03 13:17 507,904 --a------ C:\WINDOWS\system32\tdbgpp8.dll

2008-06-11 10:55 . 2006-09-03 13:17 374,368 --a------ C:\WINDOWS\system32\pdfexpt.dll

2008-06-11 10:55 . 2006-09-03 13:17 340,768 --a------ C:\WINDOWS\system32\ssa3d30.ocx

2008-06-11 10:55 . 2006-06-09 01:24 227,328 --a------ C:\WINDOWS\system32\tssOfficeMenu1d.ocx

2008-06-11 10:55 . 2006-09-03 13:17 132,880 --a------ C:\WINDOWS\system32\MSINET.OCX

2008-06-11 10:55 . 2006-09-03 13:17 86,016 --a------ C:\WINDOWS\system32\ddprogbar.ocx

2008-06-11 04:58 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-11 04:58 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

2008-06-10 17:34 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS

2008-06-10 17:34 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-07-10 19:10 --------- d-----w C:\Program Files\Steam

2008-07-10 18:33 1,768 ----a-w C:\STAT.DAT

2008-07-10 16:48 --------- d-----w C:\Documents and Settings\P\Application Data\SolidDocuments

2008-07-10 16:45 --------- d-----w C:\Program Files\Warcraft III

2008-07-10 05:13 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SolidDocuments

2008-07-07 18:28 --------- d-----w C:\Program Files\Google

2008-07-07 15:57 --------- d-----w C:\Documents and Settings\P\Application Data\Hamachi

2008-06-29 15:29 --------- d-----w C:\Program Files\PokerStars.NET

2008-06-20 18:18 --------- d-----w C:\Documents and Settings\P\Application Data\U3

2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-18 15:50 --------- d-----w C:\Program Files\CCP Server 5

2008-06-13 15:32 --------- d-----w C:\Documents and Settings\P\Application Data\FileZilla

2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-06-03 22:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer

2008-06-03 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet

2008-06-03 22:22 --------- d-----w C:\Program Files\Common Files\Adobe

2008-06-03 22:22 --------- d-----w C:\Program Files\Bonjour

2008-06-03 22:16 --------- d-----w C:\Program Files\Common Files\Macrovision Shared

2008-06-02 20:16 86,792 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys

2008-06-02 17:25 --------- d-----w C:\Documents and Settings\P\Application Data\dvdcss

2008-06-02 17:24 --------- d-----w C:\Program Files\QuickTime

2008-06-02 17:24 --------- d-----w C:\Program Files\ImTOO

2008-06-02 16:52 --------- d-----w C:\Program Files\eRightSoft

2008-06-02 16:27 --------- d-----w C:\Program Files\AviSynth 2.5

2008-06-02 16:26 --------- d-----w C:\Program Files\Gabest

2008-05-31 00:32 --------- d-----w C:\Program Files\SolidDocuments

2008-05-06 17:29 2,829 ----a-w C:\WINDOWS\War3Unin.pif

2008-05-06 17:29 139,264 ----a-w C:\WINDOWS\War3Unin.exe

2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll

2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll

2008-04-14 00:11 376,832 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msinfo.dll

2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll

2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll

2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll

2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll

2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll

2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll

2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 06:27 219520]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 19:05 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]

"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 03:52 2595480]

"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 04:02 905056]

"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 03:55 140568]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 11:07 843776]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 18:54 127022]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]

"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 16:46 61440]

"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-05-23 19:16 368640]

"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-06 20:40:54 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.I420"= i420vfw.dll

"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]

--a------ 2004-01-16 06:04 57344 C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]

--a------ 2002-12-10 19:32 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]

--a------ 2002-12-10 19:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\LMabcoms.exe"=

"C:\\Program Files\\CCP Server 5\\ccpsrv.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"25842:TCP"= 25842:TCP:BitCometBeta 25842 TCP

"25842:UDP"= 25842:UDP:BitCometBeta 25842 UDP

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2007-12-11 16:29]

R2 TryAndDecideService;Acronis Try And Decide Service;C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-09-14 05:01]

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-06-02 16:16]

R3 EUCR;ENE USB Mass Storage;C:\WINDOWS\system32\DRIVERS\EUCR6SK.SYS [2005-02-21 06:22]

S3 axvbusx;axvbusx;C:\WINDOWS\system32\DRIVERS\axvbusx.sys [2002-12-27 21:14]

S3 axvscsi;axvscsi;C:\WINDOWS\system32\DRIVERS\axvscsi.sys [2002-12-27 21:14]

S3 XDva167;XDva167;C:\WINDOWS\system32\XDva167.sys []

S3 XDva177;XDva177;C:\WINDOWS\system32\XDva177.sys []

S3 XDva186;XDva186;C:\WINDOWS\system32\XDva186.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3854e4aa-d9bd-11dc-b095-001731e5f384}]

\Shell\AutoRun\command - ek.com

\Shell\explore\Command - ek.com

\Shell\open\Command - ek.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{614f22b6-f10c-11dc-b0aa-001731e5f384}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82a5ddbc-2db7-11dd-b0b8-001731e5f384}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3d7451c-af0d-11dc-b070-001731e5f384}]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9edb5fc-e70d-11dc-b09c-001731e5f384}]

\Shell\AutoRun\command - I:\LaunchU3.exe -a

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Steam - C:\Program Files\Steam\Steam.exe -clientconfig cas -clientapp caserver.exe

HKCU-Run-Sonic RecordNow! Deluxe - (no file)

HKLM-Run-RAMDrive - C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe

MSConfigStartUp-Aim6 - C:\Program Files\AIM6\aim6.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-10 15:10:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

------------------------ Other Running Processes ------------------------

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Steam\steam.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Steam\caserver.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

**************************************************************************

Completion time: 2008-07-10 15:14:54 - machine was rebooted [P]

ComboFix-quarantined-files.txt 2008-07-10 19:14:38

Pre-Run: 45,080,006,656 bytes free

Post-Run: 44,991,864,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

239 --- E O F --- 2008-07-10 07:00:42

Niels

Hello haynest,

The infection might have been spread trough an infected external drive (usb hard disk,memory stick,...)

Please press the windows button together with r now type regedit press enter. Expand HKEY_CURRENT_USER by clicking on the +-sign,open the following folders and subfolders: software,microsoft,windows,currentversion,explorer,mountpoints2 Now right click on {3854e4aa-d9bd-11dc-b095-001731e5f384} choose export and save it. Expand 3854e4aa-d9bd-11dc-b095-001731e5f384 also and open shell and open autorun and click on command do that also for explore and open. What is the location off ek.com? Please post it. Attach your memory stick,external hard disk,flash disk,etc be sure that hidden files and folders are being visible see if you can see a file called autorun.inf (it could be that you will not see .inf) Right click on it by open with select wordpad and post the content here. See if you find ek.com. Try to catch all files that are mentionned in the autorun.inf file.

Kind regards,

Niels