stressederic
new user
Reg'd: Tue
Posts: 9
Re: Trojan horse virus
Wed Jun 04 2008 05:57 PM
Sorry about that
ComboFix 08-06-01.6 - Ian 2008-06-03 21:51:28.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1213 [GMT 1:00]
Running from: C:\Users\Ian\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Ian\AppData\Roaming\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-03 09:27 . 2008-06-03 09:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-28 08:57 . 2008-03-08 01:37 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-28 08:57 . 2008-03-08 05:30 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-05-28 08:38 . 2008-05-31 09:36 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-16 12:18 . 2008-05-16 12:18 <DIR> d-------- C:\Users\Ian\AppData\Roaming\TomTom
2008-05-16 12:18 . 2008-05-16 12:18 <DIR> d-------- C:\Users\All Users\TomTom
2008-05-16 12:18 . 2008-05-16 12:18 <DIR> d-------- C:\ProgramData\TomTom
2008-05-16 12:18 . 2008-05-16 12:18 <DIR> d-------- C:\Program Files\TomTom HOME 2
2008-05-16 12:12 . 2008-05-16 12:18 <DIR> d-------- C:\Program Files\TomTom HOME
2008-05-16 12:08 . 2008-05-16 12:08 <DIR> d-------- C:\Program Files\TomTom DesktopSuite
2008-05-04 14:12 . 2008-05-04 14:15 <DIR> d-------- C:\Windows\System32\Samsung_USB_Drivers
2008-05-04 14:12 . 2008-05-04 14:12 <DIR> d-------- C:\Program Files\Samsung
2008-05-04 14:12 . 2007-05-02 11:11 109,704 --a------ C:\Windows\System32\drivers\ss_mdm.sys
2008-05-04 14:12 . 2007-05-02 11:11 83,592 --a------ C:\Windows\System32\drivers\ss_bus.sys
2008-05-04 14:12 . 2007-05-02 11:11 15,112 --a------ C:\Windows\System32\drivers\ss_mdfl.sys
2008-05-04 14:12 . 2007-05-02 11:11 12,424 --a------ C:\Windows\System32\drivers\ss_whnt.sys
2008-05-04 14:12 . 2007-05-02 11:11 12,424 --a------ C:\Windows\System32\drivers\ss_wh.sys
2008-05-04 14:12 . 2007-05-02 11:11 12,424 --a------ C:\Windows\System32\drivers\ss_cmnt.sys
2008-05-04 14:12 . 2007-05-02 11:11 12,424 --a------ C:\Windows\System32\drivers\ss_cm.sys
2008-05-04 14:12 . 2005-08-28 20:51 766 --a------ C:\Windows\System32\Uninstall.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-03 20:43 --------- d-----w C:\Users\Ian\AppData\Roaming\uTorrent
2008-06-03 20:43 --------- d-----w C:\Users\Ian\AppData\Roaming\AVG7
2008-05-31 08:36 47,360 ----a-w C:\Users\Ian\AppData\Roaming\pcouffin.sys
2008-05-31 08:36 --------- d-----w C:\Users\Ian\AppData\Roaming\Vso
2008-05-17 07:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-15 16:48 --------- d-----w C:\Users\SPARE\AppData\Roaming\AVG7
2008-05-15 07:21 --------- d-----w C:\Program Files\Windows Mail
2008-04-27 20:19 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-27 19:35 --------- d-----w C:\Program Files\Common Files\Real
2008-04-16 13:41 --------- d-----w C:\Users\Ian\AppData\Roaming\DVDFab
2008-04-11 22:02 --------- d-----w C:\ProgramData\vsosdk
2008-04-09 17:19 --------- d-----w C:\ProgramData\DVD Shrink
2008-04-09 17:19 --------- d-----w C:\Program Files\DVD Shrink
2008-04-09 17:03 --------- d-----w C:\Program Files\Avi2Dvd
2008-04-09 16:52 --------- d-----w C:\Program Files\AviSynth 2.5
2008-04-09 16:00 --------- d-----w C:\Users\SPARE\AppData\Roaming\Nero
2008-04-07 03:16 --------- d-----w C:\Users\Ian\AppData\Roaming\Nero
2008-04-07 03:15 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-07 03:11 --------- d-----w C:\ProgramData\Nero
2008-04-07 03:11 --------- d-----w C:\Program Files\Nero
2008-04-06 15:37 --------- d-----w C:\Program Files\PowerISO
2008-04-06 14:29 --------- d-----w C:\Users\Ian\AppData\Roaming\NCH Software
2008-04-06 12:48 --------- d-----w C:\Program Files\EPSON Print CD
2008-04-06 10:31 --------- d-----w C:\Program Files\Elaborate Bytes
2008-04-05 18:20 --------- d-----w C:\Program Files\EPSON
2008-04-04 10:57 --------- d-----w C:\Program Files\UnderCoverXP
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-12-23 01:15 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-14 05:29 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2008-02-05 05:21 219952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51 202024]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 09:42 202088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 17:10 4468736 C:\Windows\RtHDVCpl.exe]
"NMSSupport"="C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-04-06 14:07 439768]
"CCUTRAYICON"="C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2007-04-06 14:11 215512]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-21 11:52 220160]
"toolbar_eula_launcher"="C:\Program Files\GoogleEULA\EULALauncher.exe" [2007-02-09 15:54 16896]
"Skytel"="Skytel.exe" [2007-05-07 18:51 1826816 C:\Windows\SkyTel.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-05-15 04:03 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-05-15 04:03 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-05-15 04:03 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 07:38 579584]
"snpstd3"="C:\Windows\vsnpstd3.exe" [2005-09-06 11:55 339968]
"VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 14:21 94208]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05 200704]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-22 02:13 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-12-22 02:13 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{466B9FD4-75C5-4F67-9170-509AEA03C375}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{0C116A5F-6FFE-47C7-8145-1599CEF9CAD5}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{8DAA9876-E537-40AC-8D9D-4097E44BD4EF}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{FC104377-27F3-451F-A933-D8D4D463E689}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel(R) Remoting Service
"{B822D6ED-943B-4CFC-A211-CA784D56CDD5}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{4919C88F-1FFA-4EF3-AFE2-C7E22A7F2DA8}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel(R) Viiv(TM) Media Server
"{9BB5027C-7328-41D6-8ECC-2827A1CFBDFC}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel(R) Viiv(TM) Media Server Discovery
"{46D166AC-5B9C-4E40-820D-24196754A6D1}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel(R) Viiv(TM) Media Server UPnP Discovery
"{C9040F56-C570-4CB6-8098-9BF903389EBE}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{F8467473-23BB-49FF-9E2C-15F245434263}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{BBD57F2D-08E1-483E-882B-F9502F03F46A}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 nmsunidr;UniDriver for NMS;C:\Windows\system32\DRIVERS\nmsunidr.sys [2007-02-18 20:34]
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-14 09:59]
R3 IntelDH;IntelDH Driver;C:\Windows\system32\Drivers\IntelDH.sys [2007-06-21 11:44]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;C:\Windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 10:43]
R3 X10Hid;X10 Hid Device;C:\Windows\system32\Drivers\x10hid.sys [2006-11-17 10:31]
S3 3xHybrid;Philips SAA713x PCI Card;C:\Windows\system32\DRIVERS\3xHybrid.sys [2007-01-08 18:43]
S3 athrusb;Atheros Wireless LAN USB device driver;C:\Windows\system32\DRIVERS\athrusb.sys [2006-12-22 20:05]
S3 DHTRACE;Intel(R) DHTrace Controller;C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [2007-04-06 14:08]
S3 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe" [2007-02-12 10:46]
S3 NMSCore;Intel(R) NMSCore;"C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe" [2007-04-06 14:07]
S3 QualityManager;Intel(R) Quality Manager;"C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe" [2007-04-06 14:10]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 08:36]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\Windows\system32\DRIVERS\ss_bus.sys [2007-05-02 11:11]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\Windows\system32\DRIVERS\ss_mdfl.sys [2007-05-02 11:11]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\Windows\system32\DRIVERS\ss_mdm.sys [2007-05-02 11:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af434285-231a-11dd-83bf-0019dbc07679}]
\shell\AutoRun\command - M:\InstallTomTomHOME.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-03 20:50:13 C:\Windows\Tasks\User_Feed_Synchronization-{46C837DE-2959-4B2A-B4A1-C6A0C42D8527}.job" - C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 21:53:17
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-03 21:54:04
ComboFix-quarantined-files.txt 2008-06-03 20:53:58

Pre-Run: 200,685,330,432 bytes free
Post-Run: 202,665,541,632 bytes free

162 --- E O F --- 2008-06-03 17:31:07