
[Resolved] infected computer
#1
Posted 03 December 2007 - 07:59 PM
#2
Posted 04 December 2007 - 04:46 AM
My name is Scotty. Please copy and paste the logs in your replies, don't attach.
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back in your next reply.
Download and Save ComboFix
- Download this file from below:
Here
- Save it to your Desktop.
- Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
- Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
- When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task-Manager use the Processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
Edited by Scotty, 04 December 2007 - 04:47 AM.
#3
Posted 04 December 2007 - 10:28 PM
Finished scanning, restarted.
SDFix finished and saved the report.
Will download and run ComboFix next.
SDFix: Version 1.116
Run by josh on Tue 12/04/2007 at 08:47 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\pics06.zip - Deleted
C:\WINDOWS\pics08.zip - Deleted
C:\WINDOWS\system32\NTSpool.exe - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 20:56:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Sun 11 Nov 2007 88 ..SHR --- "C:\WINDOWS\system32\73816E8FAA.sys"
Sun 11 Nov 2007 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 3 Aug 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 4 Dec 2007 96 A..H. --- "C:\Program Files\ATI Multimedia\RemCtrl\x10prod.sys"
Thu 3 Aug 2006 4,348 ...H. --- "C:\Documents and Settings\josh\Desktop\music\rat dog\License Backup\drmv1key.bak"
Sat 5 Aug 2006 20 A..H. --- "C:\Documents and Settings\josh\Desktop\music\rat dog\License Backup\drmv1lic.bak"
Fri 4 Aug 2006 400 A.SH. --- "C:\Documents and Settings\josh\Desktop\music\rat dog\License Backup\drmv2key.bak"
Thu 3 Aug 2006 4,348 ...H. --- "C:\Documents and Settings\josh\Desktop\music\wave\mp3\janes\License Backup\drmv1key.bak"
Sat 28 Oct 2006 20 A..H. --- "C:\Documents and Settings\josh\Desktop\music\wave\mp3\janes\License Backup\drmv1lic.bak"
Fri 4 Aug 2006 400 A.SH. --- "C:\Documents and Settings\josh\Desktop\music\wave\mp3\janes\License Backup\drmv2key.bak"
Finished!
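The "Files with Hidden Attributes" section of an SDFix report is the part a helper reads first, because a small file carrying both the System and Hidden attributes inside the Windows system directory is exactly what gets sent for an online scan next. The parser below is an added example, not code from SDFix, from the forum or from the helper in this thread: it reads entry lines in the layout SDFix prints (weekday, date, size, five-character attribute field such as "..SHR", "---", quoted path) and lists the entries that meet that triage rule. The sample lines are copied from the report above, re-joined onto one line each; the triage rule itself is my assumption, not something SDFix applies.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Sample input (copied from the SDFix report posted above, one entry per line).
SDFIX_HIDDEN_SECTION = r'''
Sun 11 Nov 2007 88 ..SHR --- "C:\WINDOWS\system32\73816E8FAA.sys"
Sun 11 Nov 2007 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 3 Aug 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 4 Dec 2007 96 A..H. --- "C:\Program Files\ATI Multimedia\RemCtrl\x10prod.sys"
Thu 3 Aug 2006 4,348 ...H. --- "C:\Documents and Settings\josh\Desktop\music\rat dog\License Backup\drmv1key.bak"
'''

# One SDFix entry: weekday, day, month, year, size (with thousands separators), a
# five-character attribute field (a letter means the attribute is set, a dot means it
# is not), a "---" separator and the path in double quotes.
ENTRY_RE = re.compile(
    r'^(?P<dow>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<mon>[A-Z][a-z]{2}) (?P<year>\d{4}) +'
    r'(?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- "(?P<path>[^"]+)"$'
)


@dataclass(frozen=True)
class HiddenFile:
    date: str
    size: int
    attrs: FrozenSet[str]   # the attribute letters SDFix showed, e.g. {"S", "H", "R"}
    path: str


def parse_hidden_files(text: str) -> List[HiddenFile]:
    """Parse every well-formed entry line; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(HiddenFile(
            date=f"{m['dow']} {m['day']} {m['mon']} {m['year']}",
            size=int(m['size'].replace(',', '')),
            attrs=frozenset(c for c in m['attrs'] if c != '.'),
            path=m['path'],
        ))
    return entries


def flag_for_review(entries: List[HiddenFile],
                    system_dir: str = r"C:\WINDOWS\system32") -> List[HiddenFile]:
    """Assumed triage rule (mine, not SDFix's): entries that are both System and Hidden
    and sit under the system directory are the ones to submit for an online scan first."""
    prefix = system_dir.lower().rstrip("\\") + "\\"
    return [e for e in entries
            if {"S", "H"} <= e.attrs and e.path.lower().startswith(prefix)]


if __name__ == "__main__":
    for e in flag_for_review(parse_hidden_files(SDFIX_HIDDEN_SECTION)):
        print(f"{e.size:>8} {''.join(sorted(e.attrs)):<4} {e.path}")
```

Reading the letters that are present rather than fixed column positions keeps the parser honest about what SDFix printed: an entry like "A..H." yields {"A", "H"} and is not flagged, while "..SHR" and "A.SH." under system32 are.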
#4
Posted 04 December 2007 - 11:05 PM
Noticed when ComboFix restarted my computer, antivirus and antispyware were back on.
Is this because I snoozed the protection instead of turning it off?
ComboFix 07-12-04.3 - josh 2007-12-04 22:36:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1600 [GMT -6:00]
Running from: C:\Documents and Settings\josh\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
J:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_NPF
-------\NPF
((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
.
2007-12-04 20:46 . 2007-12-04 20:46 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-03 04:29 . 2007-12-03 04:29 <DIR> d-------- C:\Documents and Settings\josh\Application Data\Grisoft
2007-12-03 04:27 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-03 04:11 . 2007-12-03 04:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-02 23:47 . 2007-12-02 23:47 <DIR> d-------- C:\Program Files\InterMute
2007-12-02 16:56 . 2007-12-02 16:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-29 20:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-29 18:30 . 2007-12-04 22:39 60,862 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-11-29 18:30 . 2007-12-04 22:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-11-29 18:30 . 2007-12-04 22:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-11-29 18:30 . 2007-12-04 22:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-11-29 18:30 . 2007-12-04 22:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-11-29 18:30 . 2007-12-04 22:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-11-29 18:30 . 2007-12-04 22:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-11-29 18:30 . 2007-12-04 22:39 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-11-29 15:36 . 2007-08-20 13:42 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-11-29 15:36 . 2007-08-20 13:42 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-11-29 15:36 . 2007-08-20 13:42 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2007-11-29 15:36 . 2007-08-20 13:42 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2007-11-29 15:36 . 2007-08-20 13:42 75,016 --a------ C:\WINDOWS\system32\isafprod.dll
2007-11-29 15:36 . 2007-08-20 13:42 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-11-29 15:36 . 2007-08-20 13:42 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-11-29 15:36 . 2007-08-20 13:42 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-11-29 15:36 . 2007-08-20 13:42 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-11-29 15:35 . 2007-11-29 15:35 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-11-28 20:54 . 2007-11-28 20:54 244 --ah----- C:\sqmnoopt00.sqm
2007-11-28 20:54 . 2007-11-28 20:54 232 --ah----- C:\sqmdata00.sqm
2007-11-23 16:09 . 2007-12-03 04:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-20 03:15 . 2007-11-20 03:15 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-18 01:15 . 2007-11-18 01:15 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-18 01:15 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-11-15 18:53 . 2007-11-15 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-15 18:46 . 2007-11-15 18:46 <DIR> d-------- C:\Program Files\WinAVI MP4 Converter
2007-11-15 18:46 . 2007-12-04 19:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 04:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-12-02 20:56 --------- d-----w C:\Documents and Settings\josh\Application Data\ATI MMC
2007-11-30 02:43 --------- d-----w C:\Program Files\Java
2007-11-29 21:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-11-29 21:35 --------- d-----w C:\Program Files\CA
2007-11-22 06:49 --------- d-----w C:\Documents and Settings\josh\Application Data\BitTorrent
2007-11-21 00:15 778,240 ----a-w C:\WINDOWS\system32\NTInfos.exe
2007-11-20 22:28 --------- d-----w C:\Documents and Settings\josh\Application Data\AdobeUM
2007-11-18 08:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 00:53 --------- d-----w C:\Program Files\Apple Software Update
2007-10-19 00:16 --------- d-----w C:\Program Files\BitTorrent
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2003-09-02 05:46]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2003-08-12 12:50]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2003-09-02 05:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 18:38]
"EPSON Stylus C80 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.exe" [2001-10-04 02:01]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 20:10]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickFinder Scheduler"="C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2006-04-05 23:55]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-20 03:01]
"P17Helper"="Rundll32 P17.dll" []
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 15:10]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"NWEReboot"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 11:45]
"EnableDCOM"="N" []
"restrictanonymous"="1 (0x1)" []
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 22:25]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-11-29 15:36]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-08-20 13:42]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-08-14 10:06]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-08-14 10:06]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-08-14 10:01]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 00:53:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-29 22:37:17 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as josh at 3 36 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 22:43:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-04 22:55:47 - machine was rebooted
.
--- E O F ---
HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:19 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EnableDCOM] N
O4 - HKLM\..\Run: [restrictanonymous]
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144886536953
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
--
End of file - 9956 bytes
#5
Posted 05 December 2007 - 05:35 AM
To enable the viewing of Hidden files follow these steps:
- Close all programs so that you are at your desktop.
- Double-click on the My Computer icon (or click Start, then select My Computer)
- Select the Tools menu and click Folder Options.
- After the new window appears select the View tab.
- Put a checkmark in the checkbox labeled Display the contents of system folders.
- Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
- Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
- Remove the checkmark from the checkbox labeled Hide protected operating system files.
- Press the Apply button and then the OK button and shutdown My Computer.
Now your computer is configured to show all hidden files.
Go to http://www.virustota.../en/indexf.html
Copy the following line into the white textbox:
C:\sqmnoopt00.sqm
Click Send.
Please post the results of this scan to this thread.
Do the same for these files:
C:\sqmdata00.sqm
C:\WINDOWS\system32\NTInfos.exe
#6
Posted 05 December 2007 - 01:22 PM
File sqmnoopt00.sqm received on 12.05.2007 19:35:46 (CET)
Antivirus;Version;Last Update;Result
AhnLab-V3;2007.12.5.0;2007.12.05;-
AntiVir;7.6.0.34;2007.12.05;-
Authentium;4.93.8;2007.12.05;-
Avast;4.7.1098.0;2007.12.05;-
AVG;7.5.0.503;2007.12.05;-
BitDefender;7.2;2007.12.05;-
CAT-QuickHeal;9.00;2007.12.05;-
ClamAV;0.91.2;2007.12.05;-
DrWeb;4.44.0.09170;2007.12.05;-
eSafe;7.0.15.0;2007.12.05;-
eTrust-Vet;31.3.5353;2007.12.05;-
Ewido;4.0;2007.12.05;-
FileAdvisor;1;2007.12.05;-
Fortinet;3.14.0.0;2007.12.05;-
F-Prot;4.4.2.54;2007.12.05;-
F-Secure;6.70.13030.0;2007.12.05;-
Ikarus;T3.1.1.12;2007.12.05;-
Kaspersky;7.0.0.125;2007.12.05;-
McAfee;5178;2007.12.05;-
Microsoft;1.3007;2007.12.05;-
NOD32v2;2701;2007.12.05;-
Norman;5.80.02;2007.12.05;-
Panda;9.0.0.4;2007.12.04;-
Prevx1;V2;2007.12.05;-
Rising;20.21.20.00;2007.12.05;-
Sophos;4.24.0;2007.12.05;-
Sunbelt;2.2.907.0;2007.12.05;-
Symantec;10;2007.12.05;-
TheHacker;6.2.9.150;2007.12.05;-
VBA32;3.12.2.5;2007.12.04;-
VirusBuster;4.3.26:9;2007.12.05;-
Webwasher-Gateway;6.6.2;2007.12.05;-
Additional information
File size: 244 bytes
MD5: 629b8b3e9d99e0b0141587de2abc9dd6
SHA1: eaee62eac5380ddfadd0d1b029d3d47f53074c2b
PEiD: -
File sqmdata00.sqm received on 12.05.2007 19:49:39 (CET)
Result: 0/31 (0%)
Antivirus;Version;Last Update;Result
AhnLab-V3;2007.12.5.0;2007.12.05;-
AntiVir;7.6.0.34;2007.12.05;-
Authentium;4.93.8;2007.12.05;-
Avast;4.7.1098.0;2007.12.05;-
AVG;7.5.0.503;2007.12.05;-
BitDefender;7.2;2007.12.05;-
CAT-QuickHeal;9.00;2007.12.05;-
ClamAV;0.91.2;2007.12.05;-
DrWeb;4.44.0.09170;2007.12.05;-
eSafe;7.0.15.0;2007.12.05;-
eTrust-Vet;31.3.5353;2007.12.05;-
Ewido;4.0;2007.12.05;-
FileAdvisor;1;2007.12.05;-
Fortinet;3.14.0.0;2007.12.05;-
F-Prot;4.4.2.54;2007.12.05;-
F-Secure;6.70.13030.0;2007.12.05;-
Ikarus;T3.1.1.12;2007.12.05;-
Kaspersky;7.0.0.125;2007.12.05;-
McAfee;5178;2007.12.05;-
Microsoft;1.3007;2007.12.05;-
NOD32v2;2701;2007.12.05;-
Norman;5.80.02;2007.12.05;-
Panda;9.0.0.4;2007.12.04;-
Prevx1;V2;2007.12.05;-
Rising;20.21.20.00;2007.12.05;-
Sophos;4.24.0;2007.12.05;-
Sunbelt;2.2.907.0;2007.12.05;-
Symantec;10;2007.12.05;-
TheHacker;6.2.9.150;2007.12.05;-
VBA32;3.12.2.5;2007.12.04;-
VirusBuster;4.3.26:9;2007.12.05;-
Additional information
File size: 232 bytes
MD5: ffe2324326e1a8dc68051cdbb68d7f9d
SHA1: 95a0c2c76a5acff718555686f9871daba57c9769
PEiD: -
File NTInfos.exe received on 12.05.2007 20:06:34 (CET)
Result: 5/32 (15.63%)
Antivirus;Version;Last Update;Result
AhnLab-V3;2007.12.5.0;2007.12.05;-
AntiVir;7.6.0.34;2007.12.05;HEUR/Malware
Authentium;4.93.8;2007.12.05;-
Avast;4.7.1098.0;2007.12.05;-
AVG;7.5.0.503;2007.12.05;-
BitDefender;7.2;2007.12.05;-
CAT-QuickHeal;9.00;2007.12.05;-
ClamAV;0.91.2;2007.12.05;-
DrWeb;4.44.0.09170;2007.12.05;-
eSafe;7.0.15.0;2007.12.05;-
eTrust-Vet;31.3.5353;2007.12.05;-
Ewido;4.0;2007.12.05;-
FileAdvisor;1;2007.12.05;-
Fortinet;3.14.0.0;2007.12.05;-
F-Prot;4.4.2.54;2007.12.05;-
F-Secure;6.70.13030.0;2007.12.05;-
Ikarus;T3.1.1.12;2007.12.05;Backdoor.Win32.Rbot.cqk
Kaspersky;7.0.0.125;2007.12.05;-
McAfee;5178;2007.12.05;-
Microsoft;1.3007;2007.12.05;-
NOD32v2;2701;2007.12.05;-
Norman;5.80.02;2007.12.05;-
Panda;9.0.0.4;2007.12.04;Suspicious file
Prevx1;V2;2007.12.05;Heuristic: Suspicious File With Covert Attributes
Rising;20.21.20.00;2007.12.05;-
Sophos;4.24.0;2007.12.05;-
Sunbelt;2.2.907.0;2007.12.05;-
Symantec;10;2007.12.05;-
TheHacker;6.2.9.150;2007.12.05;-
VBA32;3.12.2.5;2007.12.04;-
VirusBuster;4.3.26:9;2007.12.05;-
Webwasher-Gateway;6.6.2;2007.12.05;Heuristic.Malware
Additional information
File size: 778240 bytes
MD5: 6ee4c5bb6d666d25979a67e63d3faffb
SHA1: 05e22f14679a5b64d4baec562ea1e2297e6ea017
PEiD: -
packers: Armadillo
Prevx info: http://fileinfo.prev...4A6F9008D7AC934
#7
Posted 05 December 2007 - 03:27 PM
Remember to disconnect from the Internet and disable your anti-virus before carrying out the next instruction, and to re-enable the anti-virus before reconnecting to the Internet.
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C
File::
C:\WINDOWS\system32\NTInfos.exe
C:\WINDOWS\system32\73816E8FAA.sys

Folder::
C:\SDFix

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnableDCOM"=-
"restrictanonymous"=-
Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Referring to the picture above, drag CFScript into ComboFix.exe
Combofix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), use the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens we want to know, and also which process you had to end.
Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
+ Extended (if available, otherwise Standard)
- Scan Options:
+ Scan Archives
+ Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button
- Save the file to your desktop.
- Copy and paste that information in your next post.
With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete.
In your next reply post:
Kaspersky report
ComboFix.txt
New HJT log taken after the above scan has run
#8
Posted 05 December 2007 - 10:31 PM
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 05, 2007 10:16:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/12/2007
Kaspersky Anti-Virus database records: 473506
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
J:\
K:\
Scan Statistics:
Total number of scanned objects: 170582
Number of viruses found: 3
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 03:16:47
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\ATI MMC\RemoteWonder.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\120c3c3b71f6f7dbfee143f3cac2cfb0_7afbb97e-90de-47c6-a5bf-1c0bdbd7fa74 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\132d6f3905a335484304fd221c1f2fe9_7afbb97e-90de-47c6-a5bf-1c0bdbd7fa74 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1b11a2470a5045dd15f0f8a51a254caf_7afbb97e-90de-47c6-a5bf-1c0bdbd7fa74 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1d3f60010ecc468b53a2bb3c5f609ff3_7afbb97e-90de-47c6-a5bf-1c0bdbd7fa74 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2d1c1629ab94bc03e4d17f93abbc9382_7afbb97e-90de-47c6-a5bf-1c0bdbd7fa74 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6bf6ebde633f3cb0d57851b69c8158a1_7afbb97e-90de-47c6-a5bf-1c0bdbd7fa74 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ca3461f968a1fda05693dc8f43bdcc71_7afbb97e-90de-47c6-a5bf-1c0bdbd7fa74 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fd140a497895d25b9ac1665e6cdfa33d_7afbb97e-90de-47c6-a5bf-1c0bdbd7fa74 Object is locked skipped
C:\Documents and Settings\josh\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\josh\Desktop\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen\WinAvi Ipod PSP 3GP MP4 Converter v3.1\winavi_ipod_video_converter.exe/data33 Infected: Trojan.Win32.Agent.csy skipped
C:\Documents and Settings\josh\Desktop\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen\WinAvi Ipod PSP 3GP MP4 Converter v3.1\winavi_ipod_video_converter.exe SIM: infected - 1 skipped
C:\Documents and Settings\josh\Desktop\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen.rar/WinAvi Ipod PSP 3GP MP4 Converter v3.1/winavi_ipod_video_converter.exe/data33 Infected: Trojan.Win32.Agent.csy skipped
C:\Documents and Settings\josh\Desktop\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen.rar/WinAvi Ipod PSP 3GP MP4 Converter v3.1/winavi_ipod_video_converter.exe Infected: Trojan.Win32.Agent.csy skipped
C:\Documents and Settings\josh\Desktop\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen.rar RAR: infected - 2 skipped
C:\Documents and Settings\josh\Desktop\software\DVD to DivX Advanced.zip/DivX Pro 5.02/DivX Pro 5.02.exe/Gain_Trickler.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\Documents and Settings\josh\Desktop\software\DVD to DivX Advanced.zip/DivX Pro 5.02/DivX Pro 5.02.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
C:\Documents and Settings\josh\Desktop\software\DVD to DivX Advanced.zip ZIP: infected - 2 skipped
C:\Documents and Settings\josh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\josh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\josh\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\josh\Local Settings\History\History.IE5\MSHist012007120520071206\index.dat Object is locked skipped
C:\Documents and Settings\josh\Local Settings\Temp\~DF791C.tmp Object is locked skipped
C:\Documents and Settings\josh\Local Settings\Temp\~DF88A0.tmp Object is locked skipped
C:\Documents and Settings\josh\Local Settings\Temp\~DF88B6.tmp Object is locked skipped
C:\Documents and Settings\josh\Local Settings\Temp\~DF88D.tmp Object is locked skipped
C:\Documents and Settings\josh\Local Settings\Temp\~DF9456.tmp Object is locked skipped
C:\Documents and Settings\josh\Local Settings\Temp\~DFAB69.tmp Object is locked skipped
C:\Documents and Settings\josh\Local Settings\Temp\~DFDA0C.tmp Object is locked skipped
C:\Documents and Settings\josh\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\josh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\josh\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\josh\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CA\SharedComponents\PPRT\logs\2007-12-05.csv Object is locked skipped
C:\Program Files\WinAVI MP4 Converter\Skins\0\install.exe Infected: Trojan.Win32.Agent.csy skipped
C:\qoobox\Quarantine\C\SDFix\backups\backups.zip.vir/backups/NTSpool.exe Infected: Trojan.Win32.Agent.csy skipped
C:\qoobox\Quarantine\C\SDFix\backups\backups.zip.vir/backups/pics06.zip/pics06.exe Infected: Trojan.Win32.Agent.csy skipped
C:\qoobox\Quarantine\C\SDFix\backups\backups.zip.vir/backups/pics06.zip Infected: Trojan.Win32.Agent.csy skipped
C:\qoobox\Quarantine\C\SDFix\backups\backups.zip.vir/backups/pics08.zip/pics08.exe Infected: Trojan.Win32.Agent.csy skipped
C:\qoobox\Quarantine\C\SDFix\backups\backups.zip.vir/backups/pics08.zip Infected: Trojan.Win32.Agent.csy skipped
C:\qoobox\Quarantine\C\SDFix\backups\backups.zip.vir ZIP: infected - 5 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E8F6C452-6735-41E5-B0C8-084A857B8CA1}\RP643\A0158460.exe Infected: Trojan.Win32.Agent.csy skipped
C:\System Volume Information\_restore{E8F6C452-6735-41E5-B0C8-084A857B8CA1}\RP643\A0158465.exe Infected: Trojan.Win32.Agent.csy skipped
C:\System Volume Information\_restore{E8F6C452-6735-41E5-B0C8-084A857B8CA1}\RP645\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
J:\System Volume Information\_restore{E8F6C452-6735-41E5-B0C8-084A857B8CA1}\RP645\change.log Object is locked skipped
J:\all folders\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen.rar/WinAvi Ipod PSP 3GP MP4 Converter v3.1/winavi_ipod_video_converter.exe/data33 Infected: Trojan.Win32.Agent.csy skipped
J:\all folders\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen.rar/WinAvi Ipod PSP 3GP MP4 Converter v3.1/winavi_ipod_video_converter.exe Infected: Trojan.Win32.Agent.csy skipped
J:\all folders\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen.rar RAR: infected - 2 skipped
J:\all folders\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen\WinAvi Ipod PSP 3GP MP4 Converter v3.1\winavi_ipod_video_converter.exe/data33 Infected: Trojan.Win32.Agent.csy skipped
J:\all folders\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen\WinAvi Ipod PSP 3GP MP4 Converter v3.1\winavi_ipod_video_converter.exe SIM: infected - 1 skipped
J:\all folders\software\DVD to DivX Advanced.zip/DivX Pro 5.02/DivX Pro 5.02.exe/Gain_Trickler.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
J:\all folders\software\DVD to DivX Advanced.zip/DivX Pro 5.02/DivX Pro 5.02.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
J:\all folders\software\DVD to DivX Advanced.zip ZIP: infected - 2 skipped
K:\old stuff from computer\desktop\Desktop\mirc\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
K:\old stuff from computer\desktop\Desktop\mirc\mirc616.exe mIRC: infected - 1 skipped
K:\old stuff from computer\desktop\Desktop\stuff\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
K:\old stuff from computer\desktop\Desktop\stuff\mirc616.exe mIRC: infected - 1 skipped
K:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
K:\System Volume Information\_restore{E8F6C452-6735-41E5-B0C8-084A857B8CA1}\RP645\change.log Object is locked skipped
Scan process completed.
ComboFix 07-12-04.3 - josh 2007-12-05 18:38:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1559 [GMT -6:00]
Running from: C:\Documents and Settings\josh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\josh\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\73816E8FAA.sys
C:\WINDOWS\system32\NTInfos.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\drivers.exe
C:\SDFix\apps\dummy.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\HPFix2.reg
C:\SDFix\apps\HPFix3.reg
C:\SDFix\apps\HPFix4.reg
C:\SDFix\apps\isadmin.exe
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\moveex.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\procs.exe
C:\SDFix\apps\psservice.exe
C:\SDFix\apps\RegDACL.exe
C:\SDFix\apps\regedit.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Replace\xp\null.sys
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\SecurityProviders.reg
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\WINMSG.EXE
C:\SDFix\apps\zip.exe
C:\SDFix\backups\attrib.exe
C:\SDFix\backups\backupreg.zip
C:\SDFix\backups\backups.zip
C:\SDFix\backups\find.exe
C:\SDFix\backups\findstr.exe
C:\SDFix\backups\HOSTS
C:\SDFix\backups\regedit.exe
C:\SDFix\catchme.exe
C:\SDFix\dummy.exe
C:\SDFix\dummy.sys
C:\SDFix\Report.txt
C:\SDFix\RunThis.cmd
C:\SDFix\SDFIX_ReadMe_Online.url
C:\WINDOWS\system32\73816E8FAA.sys
C:\WINDOWS\system32\NTInfos.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.
2007-12-04 20:46 . 2007-12-04 20:46 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-03 04:29 . 2007-12-03 04:29 <DIR> d-------- C:\Documents and Settings\josh\Application Data\Grisoft
2007-12-03 04:27 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-03 04:11 . 2007-12-03 04:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-02 23:47 . 2007-12-02 23:47 <DIR> d-------- C:\Program Files\InterMute
2007-12-02 16:56 . 2007-12-02 16:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-29 20:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-29 18:30 . 2007-12-05 13:51 60,862 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-11-29 18:30 . 2007-12-05 13:51 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-11-29 18:30 . 2007-12-05 13:51 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-11-29 18:30 . 2007-12-05 13:51 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-11-29 18:30 . 2007-12-05 13:51 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-11-29 18:30 . 2007-12-05 13:51 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-11-29 18:30 . 2007-12-05 13:51 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-11-29 18:30 . 2007-12-05 13:51 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-11-29 15:36 . 2007-08-20 13:42 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-11-29 15:36 . 2007-08-20 13:42 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-11-29 15:36 . 2007-08-20 13:42 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2007-11-29 15:36 . 2007-08-20 13:42 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2007-11-29 15:36 . 2007-08-20 13:42 75,016 --a------ C:\WINDOWS\system32\isafprod.dll
2007-11-29 15:36 . 2007-08-20 13:42 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-11-29 15:36 . 2007-08-20 13:42 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-11-29 15:36 . 2007-08-20 13:42 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-11-29 15:36 . 2007-08-20 13:42 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-11-29 15:35 . 2007-11-29 15:35 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-11-28 20:54 . 2007-11-28 20:54 244 --ah----- C:\sqmnoopt00.sqm
2007-11-28 20:54 . 2007-11-28 20:54 232 --ah----- C:\sqmdata00.sqm
2007-11-23 16:09 . 2007-12-03 04:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-20 03:15 . 2007-11-20 03:15 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-18 01:15 . 2007-11-18 01:15 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-18 01:15 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-11-15 18:53 . 2007-11-15 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-15 18:46 . 2007-11-15 18:46 <DIR> d-------- C:\Program Files\WinAVI MP4 Converter
2007-11-15 18:46 . 2007-12-04 19:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 04:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-12-02 20:56 --------- d-----w C:\Documents and Settings\josh\Application Data\ATI MMC
2007-11-30 02:43 --------- d-----w C:\Program Files\Java
2007-11-29 21:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-11-29 21:35 --------- d-----w C:\Program Files\CA
2007-11-22 06:49 --------- d-----w C:\Documents and Settings\josh\Application Data\BitTorrent
2007-11-20 22:28 --------- d-----w C:\Documents and Settings\josh\Application Data\AdobeUM
2007-11-18 08:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 00:53 --------- d-----w C:\Program Files\Apple Software Update
2007-10-19 00:16 --------- d-----w C:\Program Files\BitTorrent
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2003-09-02 05:46]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2003-08-12 12:50]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2003-09-02 05:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 18:38]
"EPSON Stylus C80 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.exe" [2001-10-04 02:01]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 20:10]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickFinder Scheduler"="C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2006-04-05 23:55]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-20 03:01]
"P17Helper"="Rundll32 P17.dll" []
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 15:10]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"NWEReboot"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 11:45]
"EnableDCOM"="N" []
"restrictanonymous"="1 (0x1)" []
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 22:25]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-11-29 15:36]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-08-20 13:42]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-08-14 10:06]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-08-14 10:06]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-08-14 10:01]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 00:53:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-29 22:37:17 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as josh at 3 36 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-05 18:42:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-05 18:43:23
C:\ComboFix2.txt ... 2007-12-04 22:55
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:19 PM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144886536953
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
--
End of file - 9982 bytes
#9
Posted 06 December 2007 - 05:41 AM
Remember to disconnect from the Internet and disable your anti-virus before carrying out the next instruction, and to re-enable the anti-virus before reconnecting to the Internet.
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C
File::
C:\Program Files\WinAVI MP4 Converter\Skins\0\install.exe
Folder::
C:\Documents and Settings\josh\Desktop\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen
C:\Documents and Settings\josh\Desktop\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen.rar
C:\Documents and Settings\josh\Desktop\software\DVD to DivX Advanced.zip
J:\all folders\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen.rar
J:\all folders\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen
J:\all folders\software\DVD to DivX Advanced.zip
K:\old stuff from computer\desktop\Desktop\mirc\mirc616.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EnableDCOM"=-
"restrictanonymous"=dword:00000000
Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Referring to the picture above, drag CFScript into ComboFix.exe
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), use the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.
Dr Web CureIt
Download Dr.Web CureIt from here and save it to your desktop
- Double-click the drweb-cureit.exe file and click Start > OK to allow the Express Scan to run
- This will scan the files currently running in memory
- If something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move the file.
- When the scan has finished, see if you can click the icon next to the files found:
- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
- This will move it to the %userprofile%\DoctorWeb\quarantine-folder if it can't be cured - this is in case we need samples
- After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer.
- Post the contents of the Dr.Web CureIt report (DrWeb.csv) in your next reply.
In your next reply post:
DrWeb report
ComboFix.txt
New HJT log taken after the above scan has run
#10
Posted 06 December 2007 - 02:00 PM
Process.exe.vir;C:\qoobox\Quarantine\C\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0152164.reg;C:\System Volume Information\_restore{E8F6C452-6735-41E5-B0C8-084A857B8CA1}\RP633;Trojan.StartPage.1505;Deleted.;
A0152384.reg;C:\System Volume Information\_restore{E8F6C452-6735-41E5-B0C8-084A857B8CA1}\RP633;Trojan.StartPage.1505;Deleted.;
A0152538.reg;C:\System Volume Information\_restore{E8F6C452-6735-41E5-B0C8-084A857B8CA1}\RP635;Trojan.StartPage.1505;Deleted.;
A0158635.exe;C:\System Volume Information\_restore{E8F6C452-6735-41E5-B0C8-084A857B8CA1}\RP645;Tool.Prockill;Incurable.Moved.;
ComboFix 07-12-04.3 - josh 2007-12-06 10:44:21.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1582 [GMT -6:00]
Running from: C:\Documents and Settings\josh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\josh\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Program Files\WinAVI MP4 Converter\Skins\0\install.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\josh\Desktop\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen
C:\Documents and Settings\josh\Desktop\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen.rar\
C:\Documents and Settings\josh\Desktop\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen\WinAvi Ipod PSP 3GP MP4 Converter v3.1\keygen.exe
C:\Documents and Settings\josh\Desktop\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen\WinAvi Ipod PSP 3GP MP4 Converter v3.1\winavi_ipod_video_converter.exe
C:\Documents and Settings\josh\Desktop\software\DVD to DivX Advanced.zip\
C:\Program Files\WinAVI MP4 Converter\Skins\0\install.exe
J:\all folders\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen
J:\all folders\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen.rar\
J:\all folders\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen\WinAvi Ipod PSP 3GP MP4 Converter v3.1\keygen.exe
J:\all folders\branden\WinAvi Ipod PSP 3GP MP4 Convert 3.1 + Keygen\WinAvi Ipod PSP 3GP MP4 Converter v3.1\winavi_ipod_video_converter.exe
J:\all folders\software\DVD to DivX Advanced.zip\
K:\old stuff from computer\desktop\Desktop\mirc\mirc616.exe\
.
((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.
2007-12-05 18:47 . 2007-12-05 18:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-05 18:47 . 2007-12-05 18:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-04 20:46 . 2007-12-04 20:46 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-03 04:29 . 2007-12-03 04:29 <DIR> d-------- C:\Documents and Settings\josh\Application Data\Grisoft
2007-12-03 04:27 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-03 04:11 . 2007-12-03 04:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-02 23:47 . 2007-12-02 23:47 <DIR> d-------- C:\Program Files\InterMute
2007-12-02 16:56 . 2007-12-02 16:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-29 20:43 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-29 18:30 . 2007-12-05 22:35 60,862 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-11-29 18:30 . 2007-12-05 22:35 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-11-29 18:30 . 2007-12-05 22:35 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-11-29 18:30 . 2007-12-05 22:35 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-11-29 18:30 . 2007-12-05 22:35 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-11-29 18:30 . 2007-12-05 22:35 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-11-29 18:30 . 2007-12-05 22:35 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-11-29 18:30 . 2007-12-05 22:35 64 --a------ C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-11-29 15:36 . 2007-08-20 13:42 879,784 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2007-11-29 15:36 . 2007-08-20 13:42 108,312 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2007-11-29 15:36 . 2007-08-20 13:42 99,592 --a------ C:\WINDOWS\system32\isafeif.dll
2007-11-29 15:36 . 2007-08-20 13:42 79,424 --a------ C:\WINDOWS\system32\vetredir.dll
2007-11-29 15:36 . 2007-08-20 13:42 75,016 --a------ C:\WINDOWS\system32\isafprod.dll
2007-11-29 15:36 . 2007-08-20 13:42 32,264 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-11-29 15:36 . 2007-08-20 13:42 26,376 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-11-29 15:36 . 2007-08-20 13:42 21,512 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-11-29 15:36 . 2007-08-20 13:42 21,128 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-11-29 15:35 . 2007-11-29 15:35 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-11-28 20:54 . 2007-11-28 20:54 244 --ah----- C:\sqmnoopt00.sqm
2007-11-28 20:54 . 2007-11-28 20:54 232 --ah----- C:\sqmdata00.sqm
2007-11-23 16:09 . 2007-12-03 04:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-20 03:15 . 2007-11-20 03:15 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-18 01:15 . 2007-11-18 01:15 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-18 01:15 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-11-15 18:53 . 2007-11-15 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-15 18:46 . 2007-11-15 18:46 <DIR> d-------- C:\Program Files\WinAVI MP4 Converter
2007-11-15 18:46 . 2007-12-04 19:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 04:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
2007-12-02 20:56 --------- d-----w C:\Documents and Settings\josh\Application Data\ATI MMC
2007-11-30 02:43 --------- d-----w C:\Program Files\Java
2007-11-29 21:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-11-29 21:35 --------- d-----w C:\Program Files\CA
2007-11-22 06:49 --------- d-----w C:\Documents and Settings\josh\Application Data\BitTorrent
2007-11-20 22:28 --------- d-----w C:\Documents and Settings\josh\Application Data\AdobeUM
2007-11-18 08:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 00:53 --------- d-----w C:\Program Files\Apple Software Update
2007-10-19 00:16 --------- d-----w C:\Program Files\BitTorrent
.
((((((((((((((((((((((((((((( snapshot@2007-12-04_22.47.42.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2003-09-02 05:46]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2003-08-12 12:50]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2003-09-02 05:42]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 18:38]
"EPSON Stylus C80 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.exe" [2001-10-04 02:01]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 20:10]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickFinder Scheduler"="C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2006-04-05 23:55]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-20 03:01]
"P17Helper"="Rundll32 P17.dll" []
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 15:10]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 14:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"NWEReboot"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 11:45]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-16 22:25]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-11-29 15:36]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-08-20 13:42]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-08-14 10:06]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-08-14 10:06]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-08-14 10:01]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 P17;Sound Blaster Audigy;C:\WINDOWS\system32\drivers\P17.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-16 00:53:58 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-29 22:37:17 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as josh at 3 36 PM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 10:47:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-06 10:49:11
C:\ComboFix2.txt ... 2007-12-05 18:43
C:\ComboFix3.txt ... 2007-12-04 22:55
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:00 PM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1144886536953
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
--
End of file - 10081 bytes
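An added example, not code from this thread or from HijackThis: a small Python triage of O2/O4/O23 lines in the format of the logs above, flagging entries whose target file is gone ("(no file)", "(file missing)") or is a bare command resolved through the search path, as with the orphaned BHO and the x10nets service in the log. The sample lines are constructed from the log format, and the parsing rules are my own reading of it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines in the shape of the HijackThis logs posted
# in this thread (not the complete log), chosen to cover each verdict below.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# One regex per entry type; each captures the launched file as "target".
# O23 anchors the target at a drive letter so vendor names containing " - "
# (e.g. "NetGroup - Politecnico di Torino") are not split in the wrong place.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<id>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<name>[^:]+): \[(?P<id>[^\]]*)\] (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<id>.*?) - (?P<target>[A-Za-z]:\\.*)$")
PARSERS = {"O2": O2_RE, "O4": O4_RE, "O23": O23_RE}

# A target that starts with a (possibly quoted) drive letter is an absolute path.
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass
class Entry:
    code: str     # O2, O4 or O23
    name: str     # BHO name, Run hive, or service display name
    ident: str    # CLSID, Run value name, or service vendor
    target: str   # file launched, or a HijackThis marker such as "(no file)"
    verdict: str  # OK, MISSING or UNQUALIFIED


def classify(target: str) -> str:
    """Verdict for a single autostart target."""
    if target == "(no file)" or target.endswith("(file missing)"):
        # Orphaned entry: the registry still points at a file that is gone.
        return "MISSING"
    if not ABS_PATH_RE.match(target):
        # Bare command (e.g. "Ati2mdxx.exe"): resolved through the search
        # path at run time, so verify which binary actually loads.
        return "UNQUALIFIED"
    return "OK"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2/O4/O23 line; any other line type returns None."""
    line = line.strip()
    regex = PARSERS.get(line.split(" ", 1)[0])
    if regex is None:
        return None
    m = regex.match(line)
    if m is None:
        return None
    target = m.group("target")
    return Entry(line.split(" ", 1)[0], m.group("name"), m.group("id"), target, classify(target))


def triage(log_text: str) -> Dict[str, List[Entry]]:
    """Group every parsed entry of a HijackThis log by verdict."""
    groups: Dict[str, List[Entry]] = {"OK": [], "MISSING": [], "UNQUALIFIED": []}
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is not None:
            groups[entry.verdict].append(entry)
    return groups


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for verdict in ("MISSING", "UNQUALIFIED"):
        for e in result[verdict]:
            print(f"{verdict:11} {e.code:3} [{e.ident}] -> {e.target}")
```

Entries reported as MISSING are the ones a helper would normally have HijackThis fix; UNQUALIFIED ones are not necessarily bad, but deserve a check of which file on the search path actually runs.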
#11
Posted 07 December 2007 - 05:58 AM
You may wish to keep hold of the Kaspersky Online Scan as an extra on-demand virus-scanner.
If not you can uninstall it through Start>Control Panel>Add/Remove Programs
Time for some housekeeping
- Click START then RUN
- Now type Combofix /u in the Run box and click OK. Note the space between the x and the /u; it needs to be there.
- When shown the disclaimer, Select "2"
1 - Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
- Go to Start > Control Panel > Add/Remove Programs
- Remove ALL instances of Adobe Reader
- Re-boot your computer as required.
- Once ALL versions of Adobe Reader have been uninstalled, visit: www.adobe.com/uk/products/acrobat/readstep2.html and download the latest version of Adobe Reader
Foxit Reader has fewer add-ons and therefore loads more quickly.
Congratulations, you appear to be malware free.
Here are some free programs I recommend, although you will not need them all.
Spybot Search and Destroy
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here
Install Spyware Guard
Download it from here
Find the tutorial on how to use Spyware Guard here
Install SpyWare Blaster
Download it from here
Find the tutorial on how to use Spyware Blaster here
Install WinPatrol
Download it from here
You can find information about how WinPatrol works here
Make sure your Windows is ALWAYS up to date!
An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
Please check out Tony Klein's article "How did I get infected in the first place?"
Follow this list and your potential for being infected again will reduce dramatically.
I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
#12
Posted 07 December 2007 - 05:23 PM
#13
Posted 07 December 2007 - 06:07 PM
If you have uninstalled Adobe Photoshop and the Epson thingy, then you can fix those too in HijackThis. It's best to uninstall first as the uninstaller should remove those regkeys. If they are still there, then have HijackThis fix them.
The only program you should need is Winpatrol. As well as protecting your browser from hijacks, it comes with other useful utilities, such as a Startup Programs organiser, which works in the same way as using msconfig, but safer.
I can't say for sure what the problem with pogo is. Try the latest Java and Adobe Flash 9, and if you are still having a problem post here.
http://forums.whatth...ndows_f119.html
Reply and let me know you read this.

#14
Posted 07 December 2007 - 08:35 PM
#15
Posted 08 December 2007 - 11:07 AM