Recently my antivirus program detected that I had a virus called TR/Monder.51200. This virus slowed my computer down and closed some of the applications I was running. I had ComboFix scan my computer and here is the log sheet.
ComboFix 08-06-16.5 - Sendi 2008-06-19 21:02:20.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.2634 [GMT 10:00]
Running from: C:\Users\Sendi\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\system32\dupseomr.ini
C:\Windows\system32\FD28794B5C.dll
C:\Windows\system32\jfmamlkr.dll
C:\Windows\system32\khfGWQGV.dll
C:\Windows\system32\kodopwkq.dll
C:\Windows\system32\mcrh.tmp
C:\Windows\System32\qkwpodok.ini
C:\Windows\system32\swpcyxct.dll
C:\Windows\System32\tcxycpws.ini
C:\Windows\system32\thmjoivc.dll
C:\Windows\system32\txaqlobd.dll
C:\Windows\system32\VGQWGfhk.ini
C:\Windows\System32\VGQWGfhk.ini2
.
((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.
2008-06-18 20:02 . 2008-06-18 20:02 <DIR> d-------- C:\Users\Sendi\AppData\Roaming\ErrorSmart
2008-06-18 20:02 . 2008-06-18 20:02 <DIR> d-------- C:\Program Files\ErrorSmart
2008-06-17 20:51 . 2008-06-17 20:51 <DIR> d-------- C:\Users\Sendi\AppData\Roaming\PeerNetworking
2008-06-17 15:48 . 2008-06-17 15:48 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-06-17 15:48 . 2008-06-17 15:48 <DIR> d-------- C:\ProgramData\Apple Computer
2008-06-17 15:47 . 2008-06-17 15:47 <DIR> d-------- C:\Users\All Users\Apple
2008-06-17 15:47 . 2008-06-17 15:47 <DIR> d-------- C:\ProgramData\Apple
2008-06-17 15:47 . 2008-06-17 15:47 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-17 15:18 . 2008-06-17 15:18 <DIR> d-------- C:\Users\All Users\Adobe Systems
2008-06-17 15:18 . 2008-06-17 15:18 <DIR> d-------- C:\ProgramData\Adobe Systems
2008-06-17 15:16 . 2008-06-17 15:16 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-17 15:15 . 2008-06-17 15:15 <DIR> d-------- C:\Windows\System32\Adobe
2008-06-17 15:15 . 2004-08-17 10:40 16,384 --a------ C:\Windows\System32\FileOps.exe
2008-06-14 12:58 . 2008-06-14 13:00 <DIR> d-------- C:\Users\All Users\Autodesk
2008-06-14 12:58 . 2008-06-14 13:00 <DIR> d-------- C:\ProgramData\Autodesk
2008-06-14 12:57 . 2008-06-14 13:25 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-06-14 12:57 . 2008-06-14 12:59 <DIR> d-------- C:\Program Files\Autodesk
2008-06-14 12:57 . 2005-05-26 15:34 2,297,552 --a------ C:\Windows\System32\d3dx9_26.dll
2008-06-14 12:49 . 2008-06-14 12:49 <DIR> d-------- C:\Program Files\PowerISO
2008-06-14 12:46 . 2008-06-14 12:46 <DIR> d-------- C:\Program Files\MagicDisc
2008-06-14 12:46 . 2008-05-27 12:11 96,896 --a------ C:\Windows\System32\drivers\mcdbus.sys
2008-05-29 20:56 . 2008-05-29 20:56 <DIR> d-------- C:\Users\All Users\Macrovision
2008-05-29 20:56 . 2008-05-29 20:56 <DIR> d-------- C:\ProgramData\Macrovision
2008-05-29 20:55 . 2008-05-29 20:55 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-05-29 19:59 . 2008-06-17 15:49 <DIR> d-------- C:\Program Files\QuickTime
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-05-23 16:08 . 2008-05-23 16:08 <DIR> d-------- C:\Users\Sendi\AppData\Roaming\vlc
2008-05-23 16:07 . 2008-05-23 16:07 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-22 13:57 . 2008-05-22 13:57 <DIR> d-------- C:\Program Files\RADVideo
2008-05-20 16:40 . 2008-05-20 16:40 1,460,814 --a------ C:\Windows\System32\Anfield.scr
2008-05-20 16:35 . 2008-05-20 16:35 935,816 --a------ C:\Windows\System32\Steven Gerrard.scr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 10:07 --------- d---a-w C:\ProgramData\TEMP
2008-06-19 07:23 --------- d-----w C:\Users\Sendi\AppData\Roaming\Publish Providers
2008-06-17 12:56 --------- d-----w C:\Users\Sendi\AppData\Roaming\Metacafe
2008-06-17 12:56 --------- d-----w C:\ProgramData\Metacafe
2008-06-17 05:58 --------- d-----w C:\Users\Sendi\AppData\Roaming\uTorrent
2008-06-17 05:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-14 03:17 --------- d-----w C:\Program Files\The Eagle
2008-06-14 03:15 --------- d-----w C:\Users\Sendi\AppData\Roaming\Hamachi
2008-06-14 03:15 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-06-14 03:13 --------- d-----w C:\Program Files\World of Warcraft
2008-06-14 03:13 --------- d-----w C:\Program Files\MagicISO
2008-06-14 03:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-14 03:11 --------- d-----w C:\Program Files\Mini Golf Mayhem demo
2008-06-14 03:09 --------- d-----w C:\Program Files\Cheat Engine
2008-06-05 07:22 671 ---ha-w C:\os604495.bin
2008-05-29 10:54 --------- d-----w C:\Program Files\Macromedia
2008-05-29 10:54 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-05-24 09:35 --------- d-----w C:\Program Files\SopCast
2008-05-17 08:03 --------- d-----w C:\Program Files\Passware
2008-05-06 09:13 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-05 12:02 --------- d-----w C:\Program Files\Metacafe
2008-05-03 09:39 --------- d-----w C:\Program Files\TVUPlayer
2008-05-03 06:12 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-04-29 05:47 --------- d-----w C:\Users\Sendi\AppData\Roaming\Ubisoft
2008-04-29 05:47 --------- d-----w C:\ProgramData\Ubisoft
2008-04-27 22:55 --------- d-----w C:\Program Files\EA Sports
2008-04-27 22:07 --------- d-----w C:\Program Files\Fifa Master
2008-03-23 05:47 3,120 ----a-w C:\Windows\System32\106c9aad-626d-444d-8ae2-ea706d4f42c6.dll
2008-02-26 05:23 174 --sha-w C:\Program Files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{376892AE-1825-4E5F-9F85-23F9640051CC}]
2007-11-09 02:36 130048 --a------ C:\Windows\xmljacodec.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
2007-12-06 10:58 1198432 --a------ C:\Program Files\Search Settings\kb125\SearchSettings.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F30B1B0B-C305-414E-A4FF-AC93A08DE0AC}]
C:\Windows\system32\mlJCsQhG.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speech Recognition"="C:\Windows\Speech\Common\sapisvr.exe" [2006-11-02 19:45 49664]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 23:54 486856]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 22:34 125440]
"Google Update"="C:\Users\Sendi\AppData\Local\Google\Update\1.1.25.0\GoogleUpdate.exe" [2008-03-19 14:33 51184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 22:33 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-16 13:03 262401]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 17:53 153136]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 16:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 16:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 16:06 81920]
"AGEIA PhysX SysTray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [2006-03-21 05:43 331776]
"SearchSettings"="C:\Program Files\Search Settings\SearchSettings.exe" [2007-12-06 10:58 1069920]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-15 09:50 233472]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [2008-06-17 13:32 16094456]
C:\Users\Sendi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-06-14 12:46:00 547840]
Metacafe.lnk - C:\Program Files\Metacafe\MetacafeAgent.exe [2007-09-05 01:04:34 149256]
YouTube Uploader.lnk - C:\Users\Sendi\AppData\Local\YouTube\Uploader\youtubeuploader.exe [2007-11-09 12:33:08 71152]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Metacafe.lnk - C:\Program Files\Metacafe\MetacafeAgent.exe [2007-09-05 01:04:34 149256]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F30B1B0B-C305-414E-A4FF-AC93A08DE0AC}"= C:\Windows\system32\mlJCsQhG.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1384650692-4120266385-33886233-1000]
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D55CC143-5868-4529-ABFD-D2859878BA59}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{1FB806D6-AECC-41CD-BBBB-49AAB19BDA8C}C:\\program files\\bitlord2\\bitlord.exe"= UDP:C:\program files\bitlord2\bitlord.exe:
"UDP Query User{191FE02D-780D-4E72-85BE-273B9603297B}C:\\program files\\bitlord2\\bitlord.exe"= TCP:C:\program files\bitlord2\bitlord.exe:
"TCP Query User{4069B1BD-80FA-4D35-B161-4C2C2F8AB26C}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{21FE7AAE-DB8A-4230-B985-F778C0FDAA8A}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{B1AB4FCD-0148-4465-95C9-74F44FCF3F6A}C:\\ijji\\english\\gunz\\gunz.exe"= UDP:C:\ijji\english\gunz\gunz.exe:Gunz
"UDP Query User{10703308-9F2E-42E5-9AE4-0DE127417F0E}C:\\ijji\\english\\gunz\\gunz.exe"= TCP:C:\ijji\english\gunz\gunz.exe:Gunz
"TCP Query User{581050DD-4173-4675-B5F8-EE2E7F5C87FC}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{10D58EB7-4FD6-43AF-9BBA-750D62740DFD}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{B370F449-7011-45C8-ABF9-ABF67F680CA1}C:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{91823DFD-EA36-4BEA-899B-8874377F768E}C:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"{38AD081C-5C7A-41D2-A9AF-17A3665A2261}"= UDP:C:\Program Files\KONAMI\Pro Evolution Soccer 2008\PES2008.exe:Pro Evolution Soccer 2008
"{55C10569-D99C-4421-B62A-B0F795AB9B52}"= TCP:C:\Program Files\KONAMI\Pro Evolution Soccer 2008\PES2008.exe:Pro Evolution Soccer 2008
"{84C851D0-815F-43D1-81F0-98F8E02A1A0D}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{96AFF3E8-9A32-4277-A939-87D105D6DA90}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{CFD745DB-0E62-471C-9C6E-325A0810EB4C}C:\\program files\\ubisoft\\ghost recon advanced warfighter\\graw.exe"= UDP:C:\program files\ubisoft\ghost recon advanced warfighter\graw.exe:GRAW
"UDP Query User{9F7981C3-E07C-4432-A0B6-5A46433E2C42}C:\\program files\\ubisoft\\ghost recon advanced warfighter\\graw.exe"= TCP:C:\program files\ubisoft\ghost recon advanced warfighter\graw.exe:GRAW
"TCP Query User{FFA2E0FE-BC81-45C7-B87A-107F65B3FC76}C:\\program files\\ea sports\\fifa 08\\fifa08.exe"= UDP:C:\program files\ea sports\fifa 08\fifa08.exe:FIFA08
"UDP Query User{23260117-3BC7-4E56-A99E-52635B7EDEDE}C:\\program files\\ea sports\\fifa 08\\fifa08.exe"= TCP:C:\program files\ea sports\fifa 08\fifa08.exe:FIFA08
"{5C6A8488-2E94-4385-83AB-ECC57BA60118}"= UDP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{10EE3EC9-A0FB-46E8-9694-ABEE4960DD2F}"= TCP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"TCP Query User{00E08B27-70A9-4962-B576-CBEF655665DE}C:\\program files\\microsoft games\\microsoft flight simulator x\\fsx.exe"= UDP:C:\program files\microsoft games\microsoft flight simulator x\fsx.exe:Microsoft Flight Simulator®
"UDP Query User{2B12B423-B1C8-4030-9EEB-1EC6B117D86C}C:\\program files\\microsoft games\\microsoft flight simulator x\\fsx.exe"= TCP:C:\program files\microsoft games\microsoft flight simulator x\fsx.exe:Microsoft Flight Simulator®
"{1DA62642-C6ED-4401-8508-AD937ACCD925}"= UDP:C:\Program Files\Autodesk\3ds Max 9\3dsmax.exe:Autodesk 3ds Max 9 32-bit
"{6139CBE1-7E2F-4C75-A81C-6DE3C8F979FE}"= TCP:C:\Program Files\Autodesk\3ds Max 9\3dsmax.exe:Autodesk 3ds Max 9 32-bit
"{956D0D39-854F-4AB1-B703-914D7C2E2409}"= UDP:C:\Program Files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{8960F03D-8AFB-405C-B8DE-58DE143DE166}"= TCP:C:\Program Files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{4B229B83-3C09-4D8E-9681-E48491AF10BC}"= UDP:C:\Program Files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{1872FE01-343E-4E2F-B297-F46B237E0BF6}"= TCP:C:\Program Files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{63963D44-5E63-4CD1-A622-A49F4A620DC1}"= UDP:C:\Program Files\Autodesk\Backburner\server.exe:backburner 2.3 server
"{1A06D5E8-F9B2-4107-A7BF-FC8CE3902C10}"= TCP:C:\Program Files\Autodesk\Backburner\server.exe:backburner 2.3 server
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
S0 OemBiosDevice;Royalty OEM Bios Extension;C:\Windows\system32\drivers\royal.sys [2007-12-23 16:33]
S3 MRV6X32P;Vista 32-bits Native WiFi Driver;C:\Windows\system32\DRIVERS\MRVW13B.sys [2007-05-03 07:11]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);"c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sSONY_MEDIAMGR2 []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a38bf3a7-b11f-11dc-91c2-806e6f6e6963}]
\shell\AutoRun\command - D:\autorun_PES2008.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a38bf3a8-b11f-11dc-91c2-806e6f6e6963}]
\shell\AutoRun\command - E:\AUTORUN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e64f5bd0-bb5c-11dc-8fca-001a4d5c648b}]
\shell\AutoRun\command - G:\Autorun.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 11:07:19 C:\Windows\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 21:06:11
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-06-19 21:09:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-19 11:09:22
Pre-Run: 328,644,968,448 bytes free
Post-Run: 329,564,581,888 bytes free
211 --- E O F --- 2008-02-26 05:15:21
My computer has been running a little bit better since I ran ComboFix, but I still believe that I have a virus. If anyone has a solution I would really appreciate it.
Thanks