trojanhorse.PSW.OnlineGames

Hi there. Recently, about two days ago, I ran a spyware scan with Spyware Doctor and noticed that I had been infected with a trojan called "trojanhorse.PSW.OnlineGames". It said that the trojan was caused by a Maxtor hard drive, but my hard drive's brand isn't Maxtor, so I assumed maybe it was infected because of my brother's hard drive, which is a Maxtor connected to a router with mine.
I read the trojan's description, and it said that what the trojan does is key-log passwords, so I've tried to remove it with Ad-Aware, Spyware Doctor, Spybot Search and Destroy, and AVG Anti-Virus Free Edition, and ended up re-formatting; however, the trojan still showed up when I ran a scan with AVG. I'm not sure if it completely healed the file as the program stated, so I wanted to make sure here.

This is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:12 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://google.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {C1626E66-C26B-C628-E1DF-CDACCFA26EE1} - C:\Program Files\Common Files\goskdl.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: Reboot.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 4463 bytes

This is my Online Scan, using Kaspersky:

KASPERSKY ONLINE SCANNER REPORT
Friday, November 30, 2007 7:06:06 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/12/2007
Kaspersky Anti-Virus database records: 469646

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 14825
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:12:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\9vr2ufqh.default\cert8.db Object is locked skipped
C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\9vr2ufqh.default\history.dat Object is locked skipped
C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\9vr2ufqh.default\key3.db Object is locked skipped
C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\9vr2ufqh.default\parent.lock Object is locked skipped
C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\9vr2ufqh.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\9vr2ufqh.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Peter\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Mozilla\Firefox\Profiles\9vr2ufqh.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Mozilla\Firefox\Profiles\9vr2ufqh.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Mozilla\Firefox\Profiles\9vr2ufqh.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Mozilla\Firefox\Profiles\9vr2ufqh.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Peter\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Peter\Local Settings\History\History.IE5\MSHist012007113020071201\index.dat Object is locked skipped
C:\Documents and Settings\Peter\Local Settings\Temp\818e.rra Object is locked skipped
C:\Documents and Settings\Peter\Local Settings\Temp\Perflib_Perfdata_7c4.dat Object is locked skipped
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Peter\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Peter\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{13E2C4C7-56E1-4D5D-9E04-8E59F076B288}\RP7\A0000101.dll Object is locked skipped
C:\System Volume Information\_restore{13E2C4C7-56E1-4D5D-9E04-8E59F076B288}\RP7\A0000102.dll Object is locked skipped
C:\System Volume Information\_restore{13E2C4C7-56E1-4D5D-9E04-8E59F076B288}\RP9\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

I'm not exactly sure what programs it targets, but I hope to get rid of it all. Please and thank you!

Comments

  • chryssi2001 (far away)
    edited December 2007
    Hello petersitu,

    I will be assisting you with your malware issues.
    As I am still a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.
    • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
    • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
    • Please bookmark or favourite this page, in case you need it as a reference.


    RENAME HIJACKTHIS

    Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    Right-click on HijackThis.exe, select Rename, rename it to scanner.exe, and post back a new HijackThis log.
  • edited December 2007
    Alrighty, here it is:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:30:11 PM, on 11/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Turtle Beach\AudioAdvantageSRM\TBAA.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://google.com/
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {C1626E66-C26B-C628-E1DF-CDACCFA26EE1} - C:\Program Files\Common Files\goskdl.dll (file missing)
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Turtle Beach Audio Advantage SRM] "C:\Program Files\Turtle Beach\AudioAdvantageSRM\TBAA.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

    --
    End of file - 4811 bytes
  • chryssi2001 (far away)
    edited December 2007
    Hello petersitu,

    FIX HIJACKTHIS ENTRIES

    Open up HijackThis.
    Click on "Do a system scan only".
    Place a checkmark next to these lines (if still present).

    O2 - BHO: (no name) - {C1626E66-C26B-C628-E1DF-CDACCFA26EE1} - C:\Program Files\Common Files\goskdl.dll (file missing)


    Then close all windows except HijackThis and click Fix Checked.
    Close HijackThis.


    Download and run ComboFix.
    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    Post back:
    Combofix report.
    A new HijackThis log.
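As an added illustration (not code from the thread, from HijackThis, or from the helper), here is a small Python triage script that parses lines in the HijackThis v2 log format shown above and flags the two things the helper acted on: a BHO registered with "(no name)" and a registered component whose file is reported "(file missing)". The sample lines are constructed from the format used in this thread; the flag heuristics are review rules of my own, not a verdict from any tool, and a flagged line still needs a human to confirm before it is fixed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis v2 log format, mirroring the logs in this thread.
# The "(no name)" BHO with "(file missing)" is the entry the helper asked to fix.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {C1626E66-C26B-C628-E1DF-CDACCFA26EE1} - C:\Program Files\Common Files\goskdl.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: Reboot.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Every HijackThis entry is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<location>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Review flags (my own heuristics, not a HijackThis feature).
FLAG_MISSING = "registered component whose file no longer exists"
FLAG_NONAME = "BHO registered without a name"
FLAG_BARE = "startup item is a bare file name, not a full path (verify manually)"
STRONG_FLAGS = {FLAG_MISSING, FLAG_NONAME}


@dataclass
class Entry:
    section: str                      # HijackThis section code, e.g. "O2"
    raw: str                          # the original log line, for the fix list
    name: Optional[str] = None        # BHO / Run-key value / service display name
    clsid: Optional[str] = None       # BHO CLSID, when present
    path: Optional[str] = None        # file path or command line, "(file missing)" stripped
    file_missing: bool = False
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry; returns None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = Entry(section=section, raw=line.strip())
    if section == "O2" and (b := BHO_RE.match(body)):
        entry.name, entry.clsid, entry.path = b.group("name"), b.group("clsid"), b.group("path")
    elif section == "O4" and (r := RUN_RE.match(body)):
        entry.name, entry.path = r.group("name"), r.group("path")
    elif section == "O23" and (s := SERVICE_RE.match(body)):
        entry.name, entry.path = s.group("name"), s.group("path")
    if entry.path and entry.path.endswith("(file missing)"):
        entry.file_missing = True
        entry.path = entry.path[: -len("(file missing)")].strip()
    return entry


def triage(entry: Entry) -> Entry:
    """Attach review flags. These are prompts for a reviewer, not a malware verdict:
    legitimate entries such as a bare "SOUNDMAN.EXE" in a Run key also trigger FLAG_BARE."""
    if entry.file_missing:
        entry.flags.append(FLAG_MISSING)
    if entry.section == "O2" and entry.name == "(no name)":
        entry.flags.append(FLAG_NONAME)
    if entry.section == "O4" and entry.path and "\\" not in entry.path and "=" not in entry.path:
        entry.flags.append(FLAG_BARE)
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse and triage a whole HijackThis log."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]


def lines_to_fix(text: str) -> List[str]:
    """Raw lines a reviewer would list under 'place a checkmark next to these lines'.
    Only the strong indicators qualify; FLAG_BARE is a verify-only note."""
    return [e.raw for e in parse_log(text) if STRONG_FLAGS & set(e.flags)]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.flags) or 'ok':<70} {e.raw[:60]}")
    print("\nLines to fix:")
    for line in lines_to_fix(SAMPLE_LOG):
        print("  " + line)
```

Run it as-is against the constructed sample, or feed it the text of a saved log; the only line it lists for fixing is the unnamed BHO pointing at the missing goskdl.dll, which matches the single entry the helper selected above.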
  • edited December 2007
    ComboFix's log:

    ComboFix 07-11-19.4C - Peter 2007-12-01 10:22:37.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1598 [GMT -8:00]
    Running from: C:\Documents and Settings\Peter\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-11-01 to 2007-12-01 )))))))))))))))))))))))))))))))
    .

    2007-11-30 21:38 <DIR> d C:\Program Files\Common Files\Voyetra
    2007-11-30 21:35 <DIR> d C:\Program Files\Turtle Beach
    2007-11-30 21:35 1,334,272 --a C:\WINDOWS\system32\drivers\cmudau.sys
    2007-11-30 21:35 237,568 C:\WINDOWS\CmiUSB2Uninstall.exe
    2007-11-30 21:35 229,376 --a C:\WINDOWS\system\TBElite.cpl
    2007-11-30 21:35 86,016 C:\WINDOWS\CMedia.dll
    2007-11-30 21:35 21,504 --a C:\WINDOWS\system32\hidserv.dll
    2007-11-30 21:34 59,264 --a C:\WINDOWS\system32\drivers\USBAUDIO.sys
    2007-11-30 18:53 <DIR> d C:\Documents and Settings\All Users\Application Data\InstallShield
    2007-11-30 18:49 <DIR> d C:\Program Files\GALA-NET
    2007-11-30 18:49 73,728 --a C:\WINDOWS\system32\ISUSPM.cpl
    2007-11-30 18:41 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
    2007-11-30 18:41 <DIR> d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-30 18:37 <DIR> d C:\Program Files\Trend Micro
    2007-11-30 18:26 <DIR> d C:\Documents and Settings\Peter\Application Data\SiteAdvisor
    2007-11-30 18:26 <DIR> d C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2007-11-30 18:26 <DIR> d C:\Documents and Settings\All Users\Application Data\McAfee
    2007-11-30 18:25 129,784 C:\WINDOWS\system32\pxafs.dll
    2007-11-30 18:25 43,528 C:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-11-30 18:25 9,464 C:\WINDOWS\system32\drivers\cdralw2k.sys
    2007-11-30 18:25 9,336 C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2007-11-30 18:24 <DIR> d C:\Program Files\Winamp
    2007-11-30 18:21 <DIR> d C:\Documents and Settings\Peter\Application Data\AVG7
    2007-11-30 18:21 <DIR> d C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-30 18:20 <DIR> d C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-30 18:20 <DIR> d C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-30 18:13 1,156 --a C:\WINDOWS\mozver.dat
    2007-11-30 18:12 <DIR> d C:\Documents and Settings\All Users\Application Data\Creative
    2007-11-30 18:10 <DIR> d C:\Program Files\Realtek Sound Manager
    2007-11-30 18:10 <DIR> d C:\Program Files\AvRack
    2007-11-30 18:10 765,952 --a C:\WINDOWS\system\crlds3d.dll
    2007-11-30 18:10 626,204 --a C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2007-11-30 18:10 400,384 --a C:\WINDOWS\system32\drivers\ALCXSENS.SYS
    2007-11-30 18:10 67,584 --a C:\WINDOWS\SOUNDMAN.EXE
    2007-11-30 18:09 <DIR> d C:\Program Files\VIA
    2007-11-30 18:09 208,896 C:\WINDOWS\alcupd.exe
    2007-11-30 18:09 139,264 C:\WINDOWS\alcrmv.exe
    2007-11-30 18:09 73,600 -ra C:\WINDOWS\system32\drivers\viamraid.sys
    2007-11-30 18:09 40,960 -ra C:\WINDOWS\system32\drivers\fetnd5b.sys
    2007-11-30 18:09 584 C:\WINDOWS\system32\drivers\alcxinit.dat
    2007-11-30 18:08 <DIR> d C:\Documents and Settings\Peter\WINDOWS
    2007-11-30 18:08 306,688 --a C:\WINDOWS\IsUninst.exe
    2007-11-30 18:08 27,904 --a C:\WINDOWS\system32\drivers\VIAAGP1.SYS
    2007-11-30 18:07 <DIR> d C:\WINDOWS\system32\Tools
    2007-11-30 18:06 <DIR> d C:\Program Files\Common Files\CyberLink
    2007-11-30 18:06 <DIR> d C:\Program Files\Common Files\ATI
    2007-11-30 18:06 <DIR> d C:\Program Files\ATI Technologies
    2007-11-30 18:03 647,872 C:\WINDOWS\system32\Mscomct2.ocx
    2007-11-30 18:03 53,248 C:\WINDOWS\Ctregrun.exe
    2007-11-30 18:02 <DIR> d C:\WINDOWS\system32\Data
    2007-11-30 18:02 133,632 -ra C:\WINDOWS\system32\CtDvInst.dll
    2007-11-30 18:02 130,048 --a C:\WINDOWS\system32\ksproxy.ax
    2007-11-30 18:02 90,112 C:\WINDOWS\Updreg.EXE
    2007-11-30 18:02 52,864 --a C:\WINDOWS\system32\drivers\DMusic.sys
    2007-11-30 18:02 52,864 --a--c--- C:\WINDOWS\system32\dllcache\dmusic.sys
    2007-11-30 18:02 11,264 --a C:\WINDOWS\INRES.DLL
    2007-11-30 18:02 7,552 --a C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2007-11-30 18:02 6,400 --a C:\WINDOWS\system32\drivers\splitter.sys
    2007-11-30 18:02 5,627 -ra C:\WINDOWS\system32\Ludap17.ini
    2007-11-30 18:02 5,376 --a C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2007-11-30 18:02 4,992 --a C:\WINDOWS\system32\drivers\MSPQM.sys
    2007-11-30 18:02 4,096 --a C:\WINDOWS\system32\ksuser.dll
    2007-11-30 18:02 39 -ra C:\WINDOWS\system32\ctzapxx.ini
    2007-11-30 18:01 <DIR> d C:\Documents and Settings\Peter\Application Data\Talkback
    2007-11-30 18:00 <DIR> d--h C:\Program Files\InstallShield Installation Information
    2007-11-30 18:00 <DIR> d C:\Program Files\Creative
    2007-11-30 18:00 <DIR> d C:\Program Files\Common Files\InstallShield
    2007-11-30 18:00 0 --a C:\WINDOWS\nsreg.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-01 18:16 d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-12-01 03:08 d-----w C:\Program Files\Spyware Doctor
    2007-12-01 01:30 51,072 ----a-w C:\WINDOWS\system32\drivers\ikhlayer.sys
    2007-12-01 01:30 30,592 ----a-w C:\WINDOWS\system32\drivers\ikhfile.sys
    2007-12-01 01:28 d-----w C:\Documents and Settings\Peter\Application Data\PC Tools
    2007-12-01 01:22 d-----w C:\Program Files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-11-30 17:30]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 04:00]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:00]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:00]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 04:00]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 10:51]
    "P17Helper"="Rundll32 P17.dll" []
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 21:10]
    "SoundMan"="SOUNDMAN.EXE" [2004-06-18 00:31 C:\WINDOWS\SOUNDMAN.EXE]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-30 18:20]
    "Turtle Beach Audio Advantage SRM"="C:\Program Files\Turtle Beach\AudioAdvantageSRM\TBAA.exe" [2007-05-08 17:51]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-11-30 17:30]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-30 18:20]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2007-11-30 18:09:34]

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D}"= C:\Program Files\Internet Explorer\rksldk.dll [ ]

    R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
    R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
    S3 cmudau;Audio Advantage SRM Interface;C:\WINDOWS\system32\drivers\cmudau.sys

    *Newly Created Service* - CATCHME
    *Newly Created Service* - HTTPFILTER
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-01 10:25:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-01 10:26:54
    .
    --- E O F ---

    Also, in C:\$VAULT$.AVG, there are 3 files named:
    00713140.FIL
    00757187.FIL
    01392406.FIL

    Should I delete them or leave them in there?
  • chryssi2001 (far away)
    edited December 2007
    Hello petersitu,
    Also, in C:\$VAULT$.AVG, there are 3 files named:
    00713140.FIL
    00757187.FIL
    01392406.FIL
    Should I delete them or leave them in there?
    You can empty AVG Vault.
    Right-click on AVG Icon at your task bar.
    Click on Launch AVG Free Control Center.
    Click on Virus Vault and Open.
    Right-click on all items found in there to delete them.


    You have an older version of Combofix.

    Please remove Combofix and re-download it from one of the links below:
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    • Then double-click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    Run HijackThis again.


    Post back:
    Combofix report.
    A new HijackThis log.
  • chryssi2001 (far away)
    edited December 2007
    Hello petersitu,

    Are you still with me?
  • Trogan (London, UK)
    edited December 2007
    Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you. This topic is now closed.

    Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own thread instead (grin)
This discussion has been closed.