About Wmp11 Found Worm.vb.ngm

vinlinn1987
edited June 2008 in Malware talk

When I open my Windows Media Player, my BitDefender pops up a message saying BitDefender blocked a virus.


The name is worm.VB.NGM, located at file B:\autorun.inf. How do I remove this worm? Thanks, anyone help.


crysty2k5's EDIT: Topic moved

Comments

  • rootkit
    rootkit ✭✭✭
    edited May 2008

    Post here a HijackThis log.


    Instructions: http://forum.bitdefender.com/index.php?showtopic=5668

  • Post here a HijackThis log.


    Instructions: http://forum.bitdefender.com/index.php?showtopic=5668


    Hi, I'm sleepyhead. Sorry, I forgot the password for the sleepyhead ID, so I registered a new ID to reply.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:51:39 AM, on 30/05/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [bDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 6197 bytes


    This is my log file. Can you help me to settle it? Thanks.

  • rootkit
    rootkit ✭✭✭
    edited June 2008

    Check and press Fix checked for:


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    Empty value!


    The log is clean!


    Not all malware is visible in the log!


    Pack the suspicious files in a zip or a rar archive with the password infected and attach it here!


    Nevertheless, your PC may contain viruses, so I suggest you run ComboFix, which will investigate and eliminate all infections it may find (if it has them in its database).


    Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Then close all running programs, including your web browser, instant messenger, etc., and then run ComboFix.


    It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear, but don't worry, it's normal behaviour.


    At the end, ComboFix will generate a log file. Save it and post it here.

  • Check and press Fix checked for:


    Empty value!


    The log is clean!


    Not all malware is visible in the log!


    Pack the suspicious files in a zip or a rar archive with the password infected and attach it here!


    Nevertheless, your PC may contain viruses, so I suggest you run ComboFix, which will investigate and eliminate all infections it may find (if it has them in its database).


    Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Then close all running programs, including your web browser, instant messenger, etc., and then run ComboFix.


    It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear, but don't worry, it's normal behaviour.


    At the end, ComboFix will generate a log file. Save it and post it here.


    ComboFix 08-06-08.5 - Admin 2008-06-09 11:41:52.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1505 [GMT 8:00]
    Running from: D:\ComboFix.exe
    * Created a new restore point
    * Resident AV is active

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((( Files Created from 2008-05-09 to 2008-06-09 )))))))))))))))))))))))))))))))
    .
    2008-06-05 13:29 . 2008-06-05 13:30 <DIR> d-------- C:\Program Files\GameHouse
    2008-06-05 13:29 . 2008-06-05 13:29 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\GameHouse
    2008-06-05 12:43 . 2008-06-05 12:43 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Oberon Media
    2008-06-02 13:43 . 2008-06-02 13:43 244 --ah----- C:\sqmnoopt13.sqm
    2008-06-02 13:43 . 2008-06-02 13:43 232 --ah----- C:\sqmdata13.sqm
    2008-05-30 11:38 . 2008-05-30 11:38 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-28 17:48 . 2008-05-28 17:48 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Meridian93
    2008-05-28 17:47 . 2008-05-28 17:47 <DIR> d-------- C:\Program Files\ReflexiveArcade
    2008-05-28 17:47 . 2008-05-29 11:40 <DIR> d-------- C:\Program Files\Magic Farm
    2008-05-28 11:33 . 2008-05-28 11:38 13,030 --a------ C:\PDOXUSRS.NET
    2008-05-28 11:28 . 2008-06-02 14:03 <DIR> d-------- C:\Program Files\EdotWin
    2008-05-22 18:43 . 2008-05-23 10:28 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Moyea
    2008-05-22 18:43 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
    2008-05-22 18:43 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
    2008-05-22 18:42 . 2008-05-22 18:43 <DIR> d-------- C:\Program Files\Moyea
    2008-05-22 16:07 . 2008-06-04 13:02 <DIR> d-------- C:\Program Files\Free FLV Converter
    2008-05-22 16:07 . 2007-06-19 01:22 364,544 --a------ C:\WINDOWS\system32\PropertyGrid.ocx
    2008-05-22 16:07 . 2008-05-15 11:30 208,896 --a------ C:\WINDOWS\system32\TubeFinder.exe
    2008-05-22 16:07 . 2005-10-13 15:42 208,500 --a------ C:\WINDOWS\system32\ReyXpBasics.tlb
    2008-05-22 16:07 . 1998-07-13 01:00 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
    2008-05-22 16:07 . 2000-10-01 21:00 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
    2008-05-22 16:07 . 2000-07-15 07:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
    2008-05-22 16:07 . 2004-03-09 02:00 84,512 --a------ C:\WINDOWS\system32\PICCLP32.OCX
    2008-05-22 16:07 . 1998-07-12 21:00 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
    2008-05-22 16:07 . 2005-09-28 03:31 24,576 --a------ C:\WINDOWS\system32\ControlSubX.ocx
    2008-05-22 16:07 . 1998-07-13 02:00 9,728 --a------ C:\WINDOWS\system32\PCCLPFR.DLL
    2008-05-22 16:06 . 2008-05-22 16:06 <DIR> d-------- C:\Program Files\YouTube Downloader
    2008-05-19 17:48 . 2008-05-19 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FloodLightGames
    2008-05-19 17:48 . 2008-05-19 17:48 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\FloodLightGames
    2008-05-19 12:09 . 2008-05-19 17:48 <DIR> d-------- C:\Documents and Settings\Admin\Saved Games
    2008-05-19 11:11 . 2008-05-19 11:11 244 --ah----- C:\sqmnoopt12.sqm
    2008-05-19 11:11 . 2008-05-19 11:11 232 --ah----- C:\sqmdata12.sqm
    2008-05-19 11:03 . 2008-05-19 11:03 244 --ah----- C:\sqmnoopt11.sqm
    2008-05-19 11:03 . 2008-05-19 11:03 232 --ah----- C:\sqmdata11.sqm
    2008-05-19 11:02 . 2008-05-19 11:02 244 --ah----- C:\sqmnoopt10.sqm
    2008-05-19 11:02 . 2008-05-19 11:02 232 --ah----- C:\sqmdata10.sqm
    2008-05-19 10:46 . 2008-05-19 10:46 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Kingsoft
    2008-05-16 17:42 . 2008-05-16 17:42 <DIR> d-------- C:\Program Files\Common Files\Kingsoft
    2008-05-16 17:40 . 2008-05-16 17:40 <DIR> d-------- C:\Program Files\Kingsoft
    2008-05-16 17:25 . 2008-05-16 17:25 244 --ah----- C:\sqmnoopt09.sqm
    2008-05-16 17:25 . 2008-05-16 17:25 232 --ah----- C:\sqmdata09.sqm
    2008-05-16 17:24 . 2008-05-16 17:24 244 --ah----- C:\sqmnoopt08.sqm
    2008-05-16 17:24 . 2008-05-16 17:24 232 --ah----- C:\sqmdata08.sqm
    2008-05-13 11:02 . 2008-05-13 11:02 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
    2008-05-13 11:02 . 1999-11-12 05:11 183,808 --a------ C:\WINDOWS\system32\BDEADMIN.CPL
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-09 03:48 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
    2008-06-05 04:51 --------- d-----w C:\Program Files\Oberon Media
    2008-06-05 04:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-05 04:42 --------- d-----w C:\Program Files\Common Files\Oberon Media
    2008-04-30 02:21 --------- d-----w C:\Program Files\ABBYY FineReader 5.0 Sprint
    2008-04-30 02:16 --------- d-----w C:\Program Files\Lexmark X74-X75
    2008-04-23 07:23 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-04-22 06:34 --------- d-----w C:\Documents and Settings\Admin\Application Data\Talkback
    2008-04-16 09:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-04-15 07:28 --------- d-----w C:\Documents and Settings\Admin\Application Data\Apple Computer
    2008-04-11 09:42 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-04-11 01:23 --------- d-----w C:\Program Files\Google
    2008-04-09 04:00 --------- d-----w C:\Documents and Settings\Admin\Application Data\Autodesk
    2008-04-09 03:55 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
    2008-04-09 03:55 --------- d-----w C:\Program Files\AutoCAD 2007
    2008-04-09 03:55 --------- d-----w C:\Program Files\AnswerWorks 4.0
    2008-04-09 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-04-09 03:52 --------- d-----w C:\Program Files\Autodesk
    2008-04-09 03:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
    2008-04-09 03:06 --------- d-----w C:\Documents and Settings\Admin\Application Data\Bitdefender
    2008-04-09 03:05 --------- d-----w C:\Program Files\Softwin
    2008-04-09 03:05 --------- d-----w C:\Program Files\Common Files\Softwin
    2008-04-09 03:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
    2008-04-07 14:46 15,600 ----a-w C:\WINDOWS\gdrv.sys
    2008-04-07 14:44 315,392 ----a-w C:\WINDOWS\HideWin.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 10:21 153136]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 20:00 15360]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 12:30 68856]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-02-28 20:00 208952]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 20:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-02-28 20:00 455168]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-31 14:35 7634944]
    "nwiz"="nwiz.exe" [2006-10-31 14:35 1622016 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-31 14:35 86016]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 16380416 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2007-06-15 16:45 1826816 C:\WINDOWS\SkyTel.exe]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
    "BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2008-04-09 11:12 290816]
    "BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-15 04:09 57344]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 10:43:54 11000]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=sockspy.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\WINDOWS\\system32\\fxsclnt.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=
    "C:\\Program Files\\Kingsoft\\Powerword 2007\\xdict.exe"=
    "C:\\Program Files\\Kingsoft\\Powerword 2007\\update.exe"=

    S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-04-07 22:46]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d9918042-04eb-11dd-9eb0-806d6172696f}]
    \Shell\AutoRun\command - E:\Run.exe

    *Newly Created Service* - CATCHME
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-09 11:49:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-06-09 11:51:11
    ComboFix-quarantined-files.txt 2008-06-09 03:50:26

    Pre-Run: 68,036,165,632 bytes free
    Post-Run: 68,540,981,248 bytes free

    145


    Please check the log, thank you very much.

  • rootkit
    rootkit ✭✭✭

    ComboFix didn't delete anything!


    That's good!


    The log is clean!

  • Hello crysty2k5,


    The log is not clean. You must always look at the newly created files, hidden files, etc. If ComboFix doesn't delete anything, that doesn't mean that there aren't any infections present.


    Best regards,


    Niels


    Hello wiltechjb


    Please download Avenger, which you can download here, and save it on your desktop.


    Unzip it and double-click on avenger.exe.


    WARNING: Be sure that there are not any lines in the input ****** here section before typing the ******.


    In the input ****** here section please type this:


    Files to delete:
    C:\sqmnoopt13.sqm
    C:\sqmdata13.sqm
    C:\sqmnoopt12.sqm
    C:\sqmdata12.sqm
    C:\sqmnoopt11.sqm
    C:\sqmdata11.sqm
    C:\sqmnoopt10.sqm
    C:\sqmdata10.sqm
    C:\sqmnoopt09.sqm
    C:\sqmdata09.sqm
    C:\sqmnoopt08.sqm
    C:\sqmdata08.sqm


    Now click on the Execute button. Choose Yes to proceed and to reboot your PC. If your PC doesn't reboot, reboot it yourself.


    Can you please post a new ComboFix log afterwards?


    Best regards


    Niels
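Niels' point above, that a ComboFix log has to be read entry by entry rather than judged by whether ComboFix deleted anything, can be turned into a small triage pass. The Python below is an added example, not code from this thread or from ComboFix, Avenger or BitDefender; it re-reads a few lines copied from the posted log (a hidden .sqm file, the AppInit_DLLs value, the Security Center overrides and the mountpoints2 autorun command) and lists the entries a reviewer should check by hand.

```python
import re

# Constructed sample: a few lines copied from the ComboFix log posted in this thread
# (a Files Created entry, the Reg Loading Points keys and the mountpoints2 entry).
SAMPLE_LOG = """\
2008-06-02 13:43 . 2008-06-02 13:43 244 --ah----- C:\\sqmnoopt13.sqm
2008-05-22 16:07 . 2008-05-15 11:30 208,896 --a------ C:\\WINDOWS\\system32\\TubeFinder.exe
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=sockspy.dll
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{d9918042-04eb-11dd-9eb0-806d6172696f}]
\\Shell\\AutoRun\\command - E:\\Run.exe
"""

# "created . modified size attributes path" lines of the Files Created / Find3M sections
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$"
)
REG_KEY = re.compile(r"^\[(.+)\]$")          # [HKEY_...] section header
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=value
AUTORUN_CMD = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")


def triage(log_text):
    """Return (kind, detail) findings a reviewer should check by hand, in log order."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            _size, attrs, path = m.groups()
            if "h" in attrs:  # hidden attribute on a recently created file
                findings.append(("hidden_file", path))
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = REG_VALUE.match(line)
        if m:
            name, value = m.groups()
            if name.lower() == "appinit_dlls" and value.strip():
                # Loaded into every process that links user32.dll; normally empty.
                findings.append(("appinit_dll", value.strip()))
            elif "security center" in current_key and value == "dword:00000001":
                # Security Center notifications switched off or AV state overridden.
                findings.append(("security_center_override", name))
            continue
        m = AUTORUN_CMD.match(line)
        if m and "mountpoints2" in current_key:
            # Cached autorun command for a removable drive: the autorun.inf worm trace.
            findings.append(("mountpoint_autorun", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:25} {detail}")
```

Run against the full log, the same pass would also surface the remaining hidden sqm files that Niels lists for Avenger.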