
C:\WINDOWS\$NtServicePackUninstall$\iexplore.exe <-- What is this? I scanned with A-Squared and it detected this as Trojan-Spy.Win32.Goldun.ms. I deleted it, then scanned my computer again with A-Squared and it found "Trojan-Spy.Win32.Goldun.ms" again, but in a different directory: C:\System Volume Information\_restore{7FC5AE51-038D-4E9D-BF18-7A2D918702BE}\RP6\A0001474.dll and C:\System Volume Information\_restore{7FC5AE51-038D-4E9D-BF18-7A2D918702BE}\RP6\A0003169.exe

How did I ever get these files and trojan? :(

Can someone help me? Is it a false positive, or what?

--------------------------------------------------------

ALSO IS THERE ANYTHING I SHOULD BE WORRIED ABOUT IN THIS HIJACK THIS LOG???

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Winamp\Winamp.exe
C:\Documents and Settings\Admin\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181473509843
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope you can help me!

https://www.neowin.net/forum/topic/566969-security-help/
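A first-pass triage of a log in this format can be automated. The script below is an added example (not part of the original thread and not HijackThis' own tooling): it parses the "Running processes:" list and the tagged R/O entries, then flags the patterns a helper would look at first in the log above: an O2 BHO registered with "(no file)", an O23 service with "Unknown owner", and processes or O4 autorun entries living in a user-writable path. The sample lines are copied from the log above, plus one constructed O4 entry (the "updater" path is hypothetical) so the autorun rule has something to hit. A hit means "verify", not "malicious"; note that HijackThis itself, run from the Desktop, trips the user-writable-path rule, which is exactly the kind of expected hit a reviewer has to weigh.

```python
import re

# Constructed sample in HijackThis' line format: real entries from the log above,
# plus one hypothetical O4 entry pointing into %TEMP% to exercise the autorun rule.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Admin\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Admin\Local Settings\Temp\updater.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Tagged entries look like "O23 - Service: ..." / "R0 - HKCU\...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Locations an ordinary user account can write to (XP-era layout).
USER_WRITABLE = re.compile(r"\\Documents and Settings\\[^\\]+\\|\\Temp\\|\\Desktop\\", re.I)


def parse_hjt(text):
    """Split a HijackThis log into (running_processes, [(code, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = LINE_RE.match(line)
        if m:
            in_procs = False          # first tagged entry ends the process list
            entries.append((m.group("code"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (reason, line) pairs for entries worth a second look. Heuristics only."""
    findings = []
    processes, entries = parse_hjt(text)
    for proc in processes:
        if USER_WRITABLE.search(proc):
            findings.append(("process running from a user-writable path", proc))
    for code, body in entries:
        if code == "O2" and body.endswith("(no file)"):
            findings.append(("BHO registration with no backing file (orphan)", body))
        elif code == "O4" and USER_WRITABLE.search(body):
            findings.append(("autorun entry pointing into a user-writable path", body))
        elif code == "O23" and "- Unknown owner -" in body:
            findings.append(("service with no publisher information", body))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

The orphan O2 entry in the posted log is the same kind of leftover the triage flags: a registry registration whose DLL is gone, which is harmless by itself but worth cleaning up.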

  Quote
This Trojan steals confidential data. It is a Windows PE EXE file. The Trojan components vary in size from 39 to 48KB.

The Trojan gets the path to Internet Explorer and modifies iexplore.exe by adding an import from %System%\scvcrl.dll to the import table.

This ensures that the Trojan file will be loaded every time Microsoft Internet Explorer is launched.

The Trojan harvests passwords from the data files of the following instant messaging clients:

QIP2005
Trillian
MSN Messenger
Yahoo Messenger
AOL
Miranda

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate all iexplore.exe processes.

2. Delete the following file:

%System%\msvcrl.dll

3. Restore the original iexplore.exe file using the Windows installation disk.

more information: http://www.viruslist.com/en/viruses/encycl...?virusid=135929

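The persistence trick the quoted description attributes to this Trojan, an extra DLL added to iexplore.exe's import table, leaves a footprint that can be checked without running the binary: walk the PE import directory and compare the imported DLL names against a known-good copy (which is also why the removal steps end with restoring iexplore.exe from the installation disk). The code below is an added example, not from the original post or from viruslist; it uses only the standard library. To keep it self-contained it builds a tiny constructed PE32 fixture with just an import directory, the allowlist of expected imports is illustrative rather than the real import list of any Internet Explorer build, and "scvcrl.dll" is used only because it is the name the quoted description gives.

```python
import struct

IMPORT_DESC_SIZE = 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def build_minimal_pe(dll_names):
    """Constructed fixture: a tiny PE32 image whose only content is an import
    directory naming dll_names. It contains no code and is not runnable, but it
    is well-formed enough for an import-table walk."""
    sec_rva = 0x200                      # one section, mapped so RVA == file offset
    n = len(dll_names)
    strings_rva = sec_rva + IMPORT_DESC_SIZE * (n + 1)
    descriptors, names = b"", b""
    for dll in dll_names:
        name_rva = strings_rva + len(names)
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        descriptors += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)
        names += dll.encode("ascii") + b"\0"
    descriptors += b"\0" * IMPORT_DESC_SIZE           # all-zero terminator entry
    section = descriptors + names

    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # magic: PE32
    struct.pack_into("<III", opt, 28, 0x400000, 0x200, 0x200)  # ImageBase, alignments
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sec_rva, IMPORT_DESC_SIZE * (n + 1))  # dir[1] = imports
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), sec_rva,
                          len(section), sec_rva, 0, 0, 0, 0, 0xC0000040)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return header + b"\0" * (sec_rva - len(header)) + section


def list_imports(pe):
    """Walk the import directory of a PE32/PE32+ image and return the DLL names."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    if struct.unpack_from("<I", pe, dir_base - 4)[0] < 2:   # NumberOfRvaAndSizes
        return []
    imp_rva = struct.unpack_from("<I", pe, dir_base + 8)[0]  # entry 1 = IMPORT
    if imp_rva == 0:
        return []
    sections = []                                   # (VirtualAddress, size, PointerToRawData)
    for i in range(num_sections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA 0x%x not mapped by any section" % rva)

    dlls, off = [], rva_to_off(imp_rva)
    while True:
        name_rva = struct.unpack_from("<IIIII", pe, off)[3]
        if name_rva == 0:                           # terminator descriptor
            break
        start = rva_to_off(name_rva)
        dlls.append(pe[start:pe.index(b"\0", start)].decode("ascii", "replace"))
        off += IMPORT_DESC_SIZE
    return dlls


def unexpected_imports(pe, expected_dlls):
    """DLLs imported by `pe` that are not in the expected set (case-insensitive)."""
    allow = {d.lower() for d in expected_dlls}
    return [d for d in list_imports(pe) if d.lower() not in allow]


if __name__ == "__main__":
    # Illustrative baseline; for a real check, take the import list from a known-good
    # copy of the same binary (e.g. from install media): unexpected_imports(suspect, list_imports(good)).
    baseline = ["KERNEL32.dll", "USER32.dll", "SHLWAPI.dll"]
    clean = build_minimal_pe(baseline)
    tampered = build_minimal_pe(baseline + ["scvcrl.dll"])   # name from the quoted description
    print("clean:", unexpected_imports(clean, baseline))         # []
    print("tampered:", unexpected_imports(tampered, baseline))   # ['scvcrl.dll']
```

The same walk applied to a known-good and a suspect copy of the same executable turns step 3 of the removal instructions into a verifiable comparison: if the suspect copy imports a DLL the clean copy does not, the file has been modified.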
