Xp Antivirus / Xpsecuritycenter


23 replies to this topic

#1 Jarmonkey

Jarmonkey

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:53 PM

Posted 23 May 2008 - 02:22 AM

Hi guys,

I clicked a bad link and accidentally downloaded some nefarious programs. I was thusly able to identify xpsecuritycenter, which was the first to reveal itself, and used the Malwarebytes Anti-Malware program to scan and remove it. It seemed to get rid of the symptoms for a while (I was getting bogus virus alerts, etc.) and I was able to find a fix for my task manager, which had been disabled. All was good for a short while and then I was getting similar pop-ups, this time from a program called "xp antivirus", which was pretty much the same deal. I had been continually scanning with the Malwarebytes program but it seemed to be finding more infections every time I ran it, so I also downloaded AVG's free virus program and scanned / quarantined with that. AVG definitely found some things Malwarebytes didn't. I also scanned with Comodo, which didn't find anything. I am a bit concerned because prior to scanning with AVG I had run netstat a few times to see if any action was going on and I found a TCP connection to a Russian website (uh-oh!). It was something like ????-samara.ru
It seems like AVG took care of it but I wanted to make sure I found everything so here is my HJT log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\COMODO\Firewall\cfpconfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {a057a204-bacc-4d26-9990-79a187e2698e} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [1AC4GCph6q] C:\WINDOWS\system32\winver.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 4092 bytes

I am running XP, btw. Oh, and it seemed like Firefox had been infected by something because it was giving me a lot of grief, so I uninstalled it and downloaded / reinstalled it after I was done scanning. It seems ok now. I am scanning once again with AVG though to check, and I am going through this log as best I can, but I'm no expert, so all replies are appreciated. Thanks so much in advance for replies.

-J

EDIT: I am still seeing this TCP connection. The address is: domo.gst-samara.ru
Thanks again for any replies.

Edited by Jarmonkey, 23 May 2008 - 02:37 AM.
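As an added example (not part of this thread, and not a BleepingComputer or HijackThis tool), the script below parses HJT log lines of the kind posted above and flags the entries a helper would look at first. The heuristics are the editor's own, not an analyst's full method, and the sample lines are copied from the log in post #1.

```python
"""HijackThis (HJT) log triage.

Added example for this thread, not a BleepingComputer or HijackThis tool.
The heuristics are the editor's own (an analyst applies more context than
this); the sample lines below are copied from the log in post #1.
"""
import re
from dataclasses import dataclass, field

# HJT lines have the form "<section> - <body>", e.g.
#   O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
VALUE_NAME_RE = re.compile(r"\[(?P<name>[^\]]*)\]")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Vendors use readable autostart names; '1AC4GCph6q'-style names mix
    digits with upper- and lower-case letters and contain no separators."""
    return (len(name) >= 8 and " " not in name and "_" not in name
            and any(c.isdigit() for c in name)
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def triage_line(raw: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    reasons = []

    if section == "O1":
        # Any hosts override is worth confirming with the user: installers
        # and cracks leave them, but malware also uses hosts entries to
        # block security-vendor sites.
        reasons.append("hosts file override; confirm it was added on purpose")

    if section == "O4" and "policies\\explorer\\run" in low:
        # Policies\Explorer\Run is an autostart location legitimate software
        # almost never uses; a random value name makes it worse.
        reasons.append("autostart via Policies\\Explorer\\Run")
        name = VALUE_NAME_RE.search(body)
        if name and looks_random(name.group("name")):
            reasons.append("random-looking value name")

    if section == "O20":
        if "(file missing)" in low:
            # A Winlogon Notify package whose DLL is gone is usually the stub
            # of removed malware; the registry entry still needs cleaning.
            reasons.append("Winlogon Notify entry references a missing DLL")
        if low.startswith("appinit_dlls:"):
            # Everything listed here is loaded into every GUI process.
            reasons.append("AppInit_DLLs present; verify each DLL belongs "
                           "to installed security software")

    if section == "O23" and "unknown owner" in low:
        # Not a verdict by itself (PunkBuster and Comodo services show this
        # too), but unattributed services deserve a second look.
        reasons.append("service with unknown owner")

    return Finding(section, raw.strip(), reasons) if reasons else None


def triage(log_text: str):
    """Run triage_line over a whole log and return the non-empty findings."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Constructed sample: a subset of the lines from the HJT log in post #1.
SAMPLE_LOG = r"""
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [1AC4GCph6q] C:\WINDOWS\system32\winver.exe
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}\n    -> {'; '.join(f.reasons)}")
```

Run against the full log, the entries it flags are the same ones a helper would ask about first; the known-vendor O4 and O23 lines pass through untouched.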



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert
Posted 23 May 2008 - 09:46 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please go to this page and scroll down to step 6.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Follow the directions there to run DSS and then post those logs back here in your next reply.

#3 Jarmonkey

Jarmonkey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:53 PM

Posted 23 May 2008 - 10:36 AM

Deckard's System Scanner v20071014.68
Run by Nick on 2008-05-23 11:09:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Nick.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:49 AM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Nick\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Nick.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {a057a204-bacc-4d26-9990-79a187e2698e} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [1AC4GCph6q] C:\WINDOWS\system32\winver.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdagent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\GEST\GSvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 4289 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-23 and 2008-05-23 -----------------------------

2008-05-23 03:41:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 03:40:56 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-23 03:40:55 0 d-------- C:\WINDOWS\LastGood
2008-05-23 03:02:58 0 d-------- C:\Program Files\Trend Micro
2008-05-23 02:59:11 0 d-------- C:\Documents and Settings\Nick\Application Data\Talkback
2008-05-23 02:35:04 0 d-------- C:\Documents and Settings\Nick\Application Data\Comodo
2008-05-23 02:35:03 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-05-23 02:35:00 0 d-------- C:\Program Files\COMODO
2008-05-23 02:13:02 0 d--h----- C:\$AVG8.VAULT$
2008-05-23 02:09:00 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-23 02:09:00 0 d-------- C:\Documents and Settings\Nick\Application Data\AVGTOOLBAR
2008-05-23 02:08:50 0 d-------- C:\Program Files\AVG
2008-05-23 02:08:49 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-23 01:28:19 106496 --a------ C:\WINDOWS\system32\vlgfhjoe.dll
2008-05-23 01:28:14 38 --a------ C:\WINDOWS\system32\a.bat
2008-05-23 00:45:17 145 --a------ C:\WINDOWS\system32\winver.bat
2008-05-22 22:08:00 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-22 21:55:47 0 d-------- C:\Documents and Settings\Nick\Application Data\Malwarebytes
2008-05-22 21:55:40 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 21:55:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 21:55:17 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-22 19:32:50 2 --a------ C:\1678409293
2008-05-21 19:27:21 0 d-------- C:\Documents and Settings\Nick\Application Data\Ubisoft
2008-05-21 14:51:36 0 d-------- C:\Documents and Settings\Nick\Application Data\Media Player Classic
2008-05-21 14:09:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-17 19:17:45 0 d-------- C:\Documents and Settings\Nick\Application Data\Touchstone
2008-05-17 17:46:48 0 d-------- C:\Documents and Settings\Nick\Application Data\InstallShield Installation Information
2008-05-17 17:39:15 0 d-------- C:\WINDOWS\system32\AGEIA
2008-05-17 17:39:14 0 d-------- C:\Program Files\AGEIA Technologies
2008-05-17 17:39:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 13:41:41 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2008-05-08 11:25:37 0 d-------- C:\Program Files\Alwil Software
2008-05-07 23:07:13 0 d-------- C:\Documents and Settings\Nick\Application Data\U3
2008-05-07 21:53:04 0 d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-05-07 21:20:16 0 d-------- C:\Documents and Settings\Nick\Application Data\DivX
2008-05-07 21:02:01 34308 --a------ C:\WINDOWS\system32\Chip.dll
2008-05-07 20:58:18 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-05-07 20:58:18 0 d-------- C:\Documents and Settings\Nick\Application Data\Vso
2008-05-07 20:58:18 47360 --a------ C:\Documents and Settings\Nick\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-05-07 20:58:14 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-05-07 20:58:14 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-05-07 20:58:14 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-05-07 20:58:14 65602 --a------ C:\WINDOWS\system32\cook3260.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2008-05-07 20:58:13 626688 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2008-05-07 20:58:12 0 d-------- C:\Program Files\VSO
2008-05-06 21:34:01 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-05 22:32:41 0 d-------- C:\Program Files\HJSplit
2008-05-05 21:23:16 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-04 06:22:24 90112 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-05-04 06:22:04 0 d-------- C:\Program Files\The Rosetta Stone
2008-05-01 22:06:27 0 d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-05-01 22:06:21 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-01 22:06:02 0 d-------- C:\Program Files\MSN Games
2008-05-01 12:25:44 0 d-------- C:\Program Files\MSXML 6.0
2008-04-30 13:36:05 0 d-------- C:\Program Files\Microsoft SQL Server
2008-04-30 13:32:10 0 d-------- C:\Program Files\Microsoft.NET
2008-04-30 13:32:09 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-30 13:32:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-29 15:44:23 0 d-------- C:\Documents and Settings\Nick\Application Data\teamspeak2
2008-04-29 15:44:11 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-04-29 08:38:18 0 d-------- C:\Program Files\America's Army Server Manager
2008-04-29 08:37:57 0 d-------- C:\Program Files\America's Army
2008-04-23 00:01:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-23 00:00:55 0 d-------- C:\Program Files\Common Files\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-05-22 21:55:17 0 d-------- C:\Program Files\Common Files
2008-05-22 19:12:56 668 --a------ C:\Documents and Settings\Nick\Application Data\vso_ts_preview.xml
2008-05-22 03:52:10 0 d-------- C:\Program Files\FlashGet
2008-05-21 14:09:05 2337865 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-05-21 14:02:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 23:58:16 160158 --a------ C:\Documents and Settings\Nick\Application Data\debuggee.mdmp
2008-05-07 20:58:21 34 --a------ C:\Documents and Settings\Nick\Application Data\pcouffin.log
2008-05-07 20:58:18 1144 --a------ C:\Documents and Settings\Nick\Application Data\pcouffin.inf
2008-05-07 20:58:18 7887 --a------ C:\Documents and Settings\Nick\Application Data\pcouffin.cat
2008-05-04 22:07:43 0 d-------- C:\Documents and Settings\Nick\Application Data\Winamp
2008-05-04 21:58:23 0 d-------- C:\Documents and Settings\Nick\Application Data\Bioshock
2008-04-29 08:35:56 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-23 00:01:41 0 d-------- C:\Documents and Settings\Nick\Application Data\Adobe
2008-04-19 20:42:01 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-04-19 20:39:18 0 d-------- C:\Documents and Settings\Nick\Application Data\DAEMON Tools
2008-04-18 00:53:26 0 dr-h----- C:\Documents and Settings\Nick\Application Data\SecuROM
2008-04-16 21:08:11 0 d-------- C:\Documents and Settings\Nick\Application Data\Apple Computer
2008-04-16 21:02:01 0 d-------- C:\Documents and Settings\Nick\Application Data\WinRAR
2008-04-15 22:38:33 0 d-------- C:\Documents and Settings\Nick\Application Data\Macromedia
2008-04-15 22:36:28 0 d-------- C:\Documents and Settings\Nick\Application Data\Mozilla
2008-04-15 22:17:52 0 d-------- C:\Documents and Settings\Nick\Application Data\Identities
2008-04-15 21:21:52 0 d-------- C:\Program Files\Winamp
2008-04-15 01:34:20 0 d-------- C:\Program Files\QuickTime
2008-04-15 01:33:56 0 d-------- C:\Program Files\Apple Software Update
2008-04-13 00:17:22 0 d-------- C:\Program Files\BitLord
2008-04-12 23:39:03 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-04-12 21:40:21 0 d-------- C:\Program Files\GameSpy
2008-04-12 21:09:35 0 d-------- C:\Program Files\Electronic Arts
2008-04-12 21:03:11 0 d-------- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2008-04-12 10:29:31 0 d-------- C:\Program Files\Messenger
2008-04-12 09:56:54 0 d-------- C:\Program Files\DVD Decrypter
2008-04-12 09:54:50 0 d-------- C:\Program Files\DVD Shrink
2008-04-11 23:03:27 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-11 13:36:03 0 d-------- C:\Program Files\Realtek
2008-04-11 13:33:36 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-04-11 13:30:55 0 d-------- C:\Program Files\Intel
2008-04-11 13:30:39 0 d-------- C:\Program Files\GIGABYTE
2008-04-11 10:43:09 0 d-------- C:\Program Files\microsoft frontpage
2008-04-11 10:42:47 0 -rahs---- C:\MSDOS.SYS
2008-04-11 10:42:47 0 -rahs---- C:\IO.SYS
2008-04-11 10:42:47 0 --a------ C:\CONFIG.SYS
2008-04-11 10:42:47 0 --a------ C:\AUTOEXEC.BAT
2008-04-11 10:41:59 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-11 10:41:20 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-11 10:41:13 0 d-------- C:\Program Files\Movie Maker
2008-04-11 10:40:41 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-11 10:40:22 0 d-------- C:\Program Files\Online Services
2008-04-11 10:40:15 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-11 10:40:09 0 d-------- C:\Program Files\Windows NT
2008-04-11 03:31:35 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-11 03:31:33 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-11 03:31:10 62 --ahs---- C:\Documents and Settings\Nick\Application Data\desktop.ini
2008-03-04 12:33:18 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a057a204-bacc-4d26-9990-79a187e2698e}]
05/23/2008 02:08 AM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [05/23/2008 02:08 AM 2050816]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/11/2007 06:03 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/23/2008 02:08 AM]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [05/23/2008 02:34 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [07/27/2007 05:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"1AC4GCph6q"=C:\WINDOWS\system32\winver.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="lsass.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]
winrkp32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb70cb52-1cb2-11dd-bf4a-001d7e99de77}]
AutoRun\command- H:\LaunchU3.exe -a

*Newly Created Service* - CMDGUARD
*Newly Created Service* - CMDHLP
*Newly Created Service* - INSPECT



-- Hosts -----------------------------------------------------------------------

127.255.255.255 serial.alcohol-soft.com


-- End of Deckard's System Scanner: finished at 2008-05-23 11:14:53 ------------


There is the new log, and thanks a lot for helping me out in advance. How concerned do you think I should be? Comodo is also giving me warnings now about "nbdgram", port 138, which Google tells me is not good. I added ports 137 and 138 to Comodo's block list, but of course that is only a temporary solution. What else should I do to minimize the damage / data loss? I am really not sure, so I have been simply disabling my internet connection. Thanks again for your help.

-j


EDIT: I also ran the Kaspersky online scanner, which did find a couple of things. The report is below.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 23, 2008 11:49:06 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/05/2008
Kaspersky Anti-Virus database records: 797708
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 54512
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:40:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log.3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log.5 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_4a4.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\cert8.db Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\history.dat Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\key3.db Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\parent.lock Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Nick\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\Cache\F04A6FAAd01 Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\506iex4q.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Temp\Binaries2.zip/XPSecurityCenter.dll Infected: not-a-virus:FraudTool.Win32.Reanimator.d skipped
C:\Documents and Settings\Nick\Local Settings\Temp\Binaries2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nick\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_44.trc Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{17F4E6AF-51FF-4360-BCA3-68C95F851F47}\RP60\A0006030.exe Object is locked skipped
C:\System Volume Information\_restore{17F4E6AF-51FF-4360-BCA3-68C95F851F47}\RP61\A0006058.exe Object is locked skipped
C:\System Volume Information\_restore{17F4E6AF-51FF-4360-BCA3-68C95F851F47}\RP61\A0006073.exe Object is locked skipped
C:\System Volume Information\_restore{17F4E6AF-51FF-4360-BCA3-68C95F851F47}\RP61\A0006077.exe Object is locked skipped
C:\System Volume Information\_restore{17F4E6AF-51FF-4360-BCA3-68C95F851F47}\RP61\A0006084.exe Object is locked skipped
C:\System Volume Information\_restore{17F4E6AF-51FF-4360-BCA3-68C95F851F47}\RP61\A0006088.exe Object is locked skipped
C:\System Volume Information\_restore{17F4E6AF-51FF-4360-BCA3-68C95F851F47}\RP62\A0006518.exe Object is locked skipped
C:\System Volume Information\_restore{17F4E6AF-51FF-4360-BCA3-68C95F851F47}\RP62\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{CA04C365-BBF5-459E-B272-E7B28BF7FBAA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{17F4E6AF-51FF-4360-BCA3-68C95F851F47}\RP62\change.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{17F4E6AF-51FF-4360-BCA3-68C95F851F47}\RP62\change.log Object is locked skipped

Scan process completed.

Edited by Jarmonkey, 23 May 2008 - 10:51 AM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:53 PM

Posted 24 May 2008 - 08:09 AM

Let's check out a few suspicious files.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:



    C:\WINDOWS\system32\vlgfhjoe.dll


  • Click on the submit button
  • Please post the results in your next reply.

Also submit these files to be scanned.

C:\WINDOWS\system32\a.bat
C:\WINDOWS\system32\winver.bat

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Jarmonkey

Jarmonkey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:53 PM

Posted 24 May 2008 - 01:04 PM

File: vlgfhjoe.dll
Status: INFECTED/MALWARE
MD5: 1d21439003f0231f63efb974eee85031
Packers detected: -
Scan taken on 24 May 2008 17:55:17 (GMT)
A-Squared Found nothing
AntiVir Found HEUR/Crypted
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic3.FCS
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Adware.UltimateDefender application
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/EncPk-DG
VirusBuster Found nothing
VBA32 Found nothing

========================

File: a.bat
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
*All scans found nothing

========================

File: winver.bat_
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
*All scans found nothing

========================

Also, I saw a lot of posts about the "vundo" virus, which is one of the things I found during my preliminary AVG scans. AVG found it and quarantined it, but I guess it looks like in most cases that is not enough. I am also still seeing these disturbing .ru connections in netstat. Another strange thing I forgot to mention is that every time I boot up, my "About Windows" dialog box pops up on start up... I'm not sure what that's about and I couldn't find anything about it on Google. Again, thank you so much for your help.

-j

Edited by Jarmonkey, 24 May 2008 - 01:06 PM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:53 PM

Posted 25 May 2008 - 08:02 AM

I don't see any signs of Vundo in your log, and with the exception of the two we're about to remove, I'm not seeing any other malware present either.


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\a.bat
    C:\WINDOWS\system32\vlgfhjoe.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Let's take a closer look at things to be sure we're not missing anything.


Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


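The OTMoveIt2 steps above boil down to one operation: take a pasted list of paths, move each file into a quarantine folder, and write a log named after the date and time. As an added example (not OTMoveIt2's or ComboFix's own code), the script below does the same thing in Python so the step can be reproduced and inspected: it hashes each file before moving it, keeps the original directory layout under a MovedFiles folder, writes an mmddyyyy_hhmmss.log in the pattern the thread quotes, and records separately any file that is missing or that cannot be moved because a running process holds it open (the situation in which OTMoveIt2 asks for a reboot). The quarantine layout, the log wording, and the `demo()` stand-in files are this example's own choices, not anything from the thread.

```python
"""Quarantine a pasted list of file paths and write a timestamped log.

Added example (not OTMoveIt2's own code): it does for a list of paths what the
thread uses OTMoveIt2 for. Quarantine layout and log wording are this
example's own choices.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_files(listing: str, quarantine_root: str,
                     now: Optional[datetime] = None) -> dict:
    """Move every path in `listing` (one per line, blanks ignored) under
    <quarantine_root>/MovedFiles, keeping the original directory layout, and
    write <quarantine_root>/MovedFiles/mmddyyyy_hhmmss.log.

    Returns {"moved": [...], "missing": [...], "locked": [...], "log": path}.
    Each "moved" entry records source, destination and SHA-256 so the file
    can later be matched against a scanner verdict.
    """
    now = now or datetime.now()
    moved_dir = Path(quarantine_root) / "MovedFiles"
    moved_dir.mkdir(parents=True, exist_ok=True)
    result = {"moved": [], "missing": [], "locked": [], "log": None}
    log_lines = []

    for raw in listing.splitlines():
        src = raw.strip()
        if not src:
            continue
        src_path = Path(src)
        if not src_path.is_file():
            result["missing"].append(src)
            log_lines.append(f"{src}: not found, nothing moved.")
            continue
        # Hash before moving so the record survives even if the move fails.
        digest = sha256_of(src_path)
        # Strip the drive/root anchor ("C:\" or "/") so the tree nests cleanly.
        dest = moved_dir / src_path.relative_to(src_path.anchor)
        dest.parent.mkdir(parents=True, exist_ok=True)
        try:
            shutil.move(str(src_path), str(dest))
        except OSError:
            # A file held open by a running process (or denied by ACLs) cannot
            # be moved now; report it instead of silently skipping it.
            result["locked"].append(src)
            log_lines.append(f"{src}: in use or access denied, move deferred "
                             f"(sha256 {digest}).")
            continue
        result["moved"].append({"from": src, "to": str(dest), "sha256": digest})
        log_lines.append(f"{src}: moved to {dest} (sha256 {digest}).")

    log_path = moved_dir / (now.strftime("%m%d%Y_%H%M%S") + ".log")
    log_path.write_text("\n".join(log_lines) + "\n", encoding="utf-8")
    result["log"] = str(log_path)
    return result


def demo() -> dict:
    """Run the quarantine against constructed stand-in files in a throwaway
    directory (sample data, not the files from the thread)."""
    work = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    suspect = work / "system32"
    suspect.mkdir()
    (suspect / "a.bat").write_bytes(b"@echo off\r\n")             # constructed
    (suspect / "vlgfhjoe.dll").write_bytes(b"MZ" + b"\x00" * 64)  # constructed
    listing = "\n".join([str(suspect / "a.bat"),
                         str(suspect / "vlgfhjoe.dll"),
                         str(suspect / "not_there.dll"),   # deliberately absent
                         ""])
    return quarantine_files(listing, str(work / "_OTMoveIt"),
                            now=datetime(2008, 5, 25, 15, 41, 0))


if __name__ == "__main__":
    outcome = demo()
    print(open(outcome["log"], encoding="utf-8").read())
```

Run it as a script to see the log for the constructed sample; to use it for real, pass the pasted path list and a quarantine root (for example `C:\_OTMoveIt`) to `quarantine_files`. Recording the hash before the move is the point of the exercise: once the file is out of its original location, the hash is what ties it to a multi-engine scan result such as the Jotti report earlier in the thread.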
========================================================

#7 Jarmonkey

Jarmonkey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:53 PM

Posted 25 May 2008 - 06:10 PM

OTMoveit doesn't seem to work that great; maybe I'm doing something wrong. I followed your directions and it seemed to have taken care of a.bat, but it would stop responding at some point every time I tried to run it. I had all apps closed and it just sat there; when I opened Task Manager, it said the app wasn't responding. There didn't seem to be any logs, but one of the date/time folders had a.bat inside it.

Here is the combofix log:

ComboFix 08-05-25.3 - Nick 2008-05-25 15:58:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nick\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-25 15:41 . 2008-05-25 15:41 <DIR> d-------- C:\_OTMoveIt
2008-05-23 11:08 . 2008-05-23 11:08 <DIR> d-------- C:\Deckard
2008-05-23 03:41 . 2008-05-23 03:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 03:40 . 2008-05-23 03:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-23 03:02 . 2008-05-23 03:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 02:59 . 2008-05-23 02:59 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Talkback
2008-05-23 02:35 . 2008-05-23 02:35 <DIR> d-------- C:\Program Files\COMODO
2008-05-23 02:35 . 2008-05-23 02:35 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Comodo
2008-05-23 02:35 . 2008-05-23 02:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-05-23 02:35 . 2008-05-23 02:35 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-05-23 02:35 . 2008-05-23 02:34 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-05-23 02:35 . 2008-05-23 02:35 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-05-23 02:13 . 2008-05-23 11:37 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-23 02:09 . 2008-05-23 09:17 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-23 02:09 . 2008-05-23 02:20 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\AVGTOOLBAR
2008-05-23 02:09 . 2008-05-23 02:09 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-23 02:09 . 2008-05-23 02:09 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-23 02:09 . 2008-05-23 02:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-23 02:08 . 2008-05-23 02:08 <DIR> d-------- C:\Program Files\AVG
2008-05-23 02:08 . 2008-05-23 02:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-23 01:28 . 2008-05-23 01:28 106,496 --a------ C:\WINDOWS\system32\vlgfhjoe.dll
2008-05-23 00:45 . 2008-05-23 00:45 145 --a------ C:\WINDOWS\system32\winver.bat
2008-05-22 22:08 . 2008-05-22 22:08 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Malwarebytes
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 21:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-22 21:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-22 19:32 . 2008-05-25 16:00 69,042 --a------ C:\WINDOWS\system32\sywtdxaz.sys
2008-05-22 19:32 . 2008-05-22 19:32 2 --a------ C:\1678409293
2008-05-21 19:27 . 2008-05-21 19:27 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Ubisoft
2008-05-21 14:51 . 2008-05-21 14:51 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Media Player Classic
2008-05-21 14:09 . 2008-05-21 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-21 14:09 . 2008-05-21 14:09 22,328 --a------ C:\Documents and Settings\Nick\Application Data\PnkBstrK.sys
2008-05-17 19:17 . 2008-05-17 19:17 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Touchstone
2008-05-17 17:46 . 2008-05-17 17:46 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\InstallShield Installation Information
2008-05-17 17:39 . 2008-05-17 17:39 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-05-17 17:39 . 2008-05-17 17:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 17:39 . 2008-05-17 17:39 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-05-12 13:42 . 2008-05-12 13:42 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-12 13:42 . 2008-05-12 13:42 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-05-12 13:41 . 2008-05-12 13:41 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-05-12 13:41 . 2007-08-31 12:13 1,421,736 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-05-12 13:41 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-05-12 13:41 . 2007-08-31 12:15 18,856 --a------ C:\WINDOWS\system32\drivers\nuidfltr.sys
2008-05-08 11:25 . 2008-05-08 11:25 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-08 11:25 . 2003-03-18 13:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-05-08 11:25 . 2003-03-18 12:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-05-07 23:07 . 2008-05-07 23:25 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\U3
2008-05-07 21:53 . 2008-05-07 21:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-05-07 21:20 . 2008-05-07 21:20 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\DivX
2008-05-07 21:02 . 2008-05-07 21:02 34,308 --a------ C:\WINDOWS\system32\Chip.dll
2008-05-07 21:02 . 2008-05-07 21:02 18,152 --a------ C:\WINDOWS\system32\Pvt.tmp
2008-05-07 20:58 . 2008-05-07 20:58 <DIR> d-------- C:\Program Files\VSO
2008-05-07 20:58 . 2008-05-22 19:12 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Vso
2008-05-07 20:58 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-05-07 20:58 . 2006-05-20 16:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-05-07 20:58 . 2006-05-11 19:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-05-07 20:58 . 2006-09-29 12:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-05-07 20:58 . 2006-09-29 12:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-05-07 20:58 . 2006-09-29 12:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-05-07 20:58 . 2007-03-18 20:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-05-07 20:58 . 2008-05-07 20:58 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-07 20:58 . 2008-05-07 20:58 47,360 --a------ C:\Documents and Settings\Nick\Application Data\pcouffin.sys
2008-05-06 21:34 . 2008-05-06 21:34 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-05 22:32 . 2008-05-05 22:33 <DIR> d-------- C:\Program Files\HJSplit
2008-05-05 21:23 . 2008-05-05 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-04 06:22 . 2008-05-04 06:22 <DIR> d-------- C:\Program Files\The Rosetta Stone
2008-05-04 06:22 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-01 22:06 . 2008-05-01 23:07 <DIR> d-------- C:\Program Files\MSN Games
2008-05-01 22:06 . 2008-05-01 23:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-01 22:06 . 2008-05-01 22:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-05-01 12:25 . 2008-05-01 12:25 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-01 00:34 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-01 00:34 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-01 00:34 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-01 00:34 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-05-01 00:33 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-01 00:33 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-04-30 13:36 . 2008-04-30 13:38 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-04-30 13:32 . 2008-04-30 13:37 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-30 13:32 . 2008-04-30 13:34 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-30 13:32 . 2008-04-30 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-29 15:44 . 2008-04-29 15:44 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-04-29 15:44 . 2008-04-29 15:44 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\teamspeak2
2008-04-29 15:44 . 2008-04-29 15:44 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-04-29 08:38 . 2008-04-29 08:38 <DIR> d-------- C:\Program Files\America's Army Server Manager
2008-04-29 08:37 . 2008-04-29 15:30 <DIR> d-------- C:\Program Files\America's Army

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 02:33 16,608 ----a-w C:\WINDOWS\gdrv.sys
2008-05-22 10:52 --------- d-----w C:\Program Files\FlashGet
2008-05-21 22:44 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-21 22:44 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-21 21:09 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-05-21 21:09 2,337,865 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-05-21 21:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 08:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-05 05:07 --------- d-----w C:\Documents and Settings\Nick\Application Data\Winamp
2008-05-05 04:58 --------- d-----w C:\Documents and Settings\Nick\Application Data\Bioshock
2008-04-29 15:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-20 03:42 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-04-20 03:39 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-20 03:39 --------- d-----w C:\Documents and Settings\Nick\Application Data\DAEMON Tools
2008-04-18 07:53 --------- d--h--r C:\Documents and Settings\Nick\Application Data\SecuROM
2008-04-17 04:08 --------- d-----w C:\Documents and Settings\Nick\Application Data\Apple Computer
2008-04-16 04:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Winamp
2008-04-16 04:21 --------- d-----w C:\Program Files\Winamp
2008-04-15 08:34 --------- d-----w C:\Program Files\QuickTime
2008-04-15 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-15 08:33 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 05:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2008-04-13 07:17 --------- d-----w C:\Program Files\BitLord
2008-04-13 06:39 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-04-13 04:49 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 04:49 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-04-13 04:40 --------- d-----w C:\Program Files\GameSpy
2008-04-13 04:23 22,328 ----a-w C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2008-04-13 04:09 --------- d-----w C:\Program Files\Electronic Arts
2008-04-13 04:03 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-04-13 04:03 --------- d-----w C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2008-04-12 16:56 --------- d-----w C:\Program Files\DVD Decrypter
2008-04-12 16:54 --------- d-----w C:\Program Files\DVD Shrink
2008-04-12 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-12 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-11 20:36 --------- d-----w C:\Program Files\Realtek
2008-04-11 20:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-04-11 20:33 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-11 20:30 --------- d-----w C:\Program Files\Intel
2008-04-11 20:30 --------- d-----w C:\Program Files\GIGABYTE
2008-04-11 17:43 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 23:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 23:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 23:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 22:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 22:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-04 19:33 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a057a204-bacc-4d26-9990-79a187e2698e}]
2008-05-23 02:08 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-23 02:08 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-23 02:08 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 06:03 8429568]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-23 02:08 1177368]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-23 02:34 1575680]
"nwiz"="nwiz.exe" [2007-05-11 06:03 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"1AC4GCph6q"= C:\WINDOWS\system32\winver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkp32]
winrkp32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\GIGABYTE\\GEST\\run.exe"=
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"D:\\R-Games\\Binaries\\UT3.exe"=
"D:\\R-Games\\Turok.Full-Rip.Skullptura.www.Media-Zone.net\\Turok\\Binaries\\TurokGame.exe"=
"D:\\R-Games\\Binaries\\R6Vegas2_Game.exe"=
"D:\\R-Games\\Binaries\\R6Vegas2_Launcher.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 avgldx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-23 02:09]
R1 cmdguard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-23 02:34]
R1 cmdhlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-23 02:35]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-23 02:08]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-23 02:08]
R2 avgtdix;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-23 02:09]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-05-22 19:33]
S3 GEST Service;GEST Service for program management.;"C:\Program Files\GIGABYTE\GEST\GSvr.exe" [2007-12-14 11:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb70cb52-1cb2-11dd-bf4a-001d7e99de77}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - catchme
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 16:00:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-05-25 16:00:19
ComboFix-quarantined-files.txt 2008-05-25 23:00:17

Pre-Run: 41,422,848,000 bytes free
Post-Run: 41,434,546,176 bytes free

242 --- E O F --- 2008-05-16 05:35:46


Thanks again.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:53 PM

Posted 26 May 2008 - 09:12 AM

Ok, let's try it with combofix.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

    File::
    C:\WINDOWS\system32\vlgfhjoe.dll
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Let me know how your computer is behaving now.


========================================================

#9 Jarmonkey

Jarmonkey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:07:53 PM

Posted 26 May 2008 - 11:19 PM

ComboFix 08-05-26.2 - Nick 2008-05-26 21:02:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1635 [GMT -7:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\vlgfhjoe.dll
.

((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-25 16:26 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-05-25 15:41 . 2008-05-25 15:41 <DIR> d-------- C:\_OTMoveIt
2008-05-23 11:08 . 2008-05-23 11:08 <DIR> d-------- C:\Deckard
2008-05-23 03:41 . 2008-05-23 03:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 03:40 . 2008-05-23 03:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-23 03:02 . 2008-05-23 03:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 02:59 . 2008-05-23 02:59 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Talkback
2008-05-23 02:35 . 2008-05-23 02:35 <DIR> d-------- C:\Program Files\COMODO
2008-05-23 02:35 . 2008-05-23 02:35 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Comodo
2008-05-23 02:35 . 2008-05-23 02:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-05-23 02:35 . 2008-05-23 02:35 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-05-23 02:35 . 2008-05-23 02:34 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-05-23 02:35 . 2008-05-23 02:35 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-05-23 02:13 . 2008-05-25 17:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-23 02:09 . 2008-05-25 17:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-23 02:09 . 2008-05-23 02:20 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\AVGTOOLBAR
2008-05-23 02:09 . 2008-05-23 02:09 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-23 02:09 . 2008-05-23 02:09 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-23 02:09 . 2008-05-23 02:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-23 02:08 . 2008-05-23 02:08 <DIR> d-------- C:\Program Files\AVG
2008-05-23 02:08 . 2008-05-23 02:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-22 22:08 . 2008-05-22 22:08 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Malwarebytes
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 21:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-22 21:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-22 19:32 . 2008-05-25 16:42 69,042 --a------ C:\WINDOWS\system32\SYWTDXAZ.SYS.del
2008-05-22 19:32 . 2008-05-22 19:32 2 --a------ C:\1678409293
2008-05-21 19:27 . 2008-05-21 19:27 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Ubisoft
2008-05-21 14:51 . 2008-05-21 14:51 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Media Player Classic
2008-05-21 14:09 . 2008-05-21 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-21 14:09 . 2008-05-21 14:09 22,328 --a------ C:\Documents and Settings\Nick\Application Data\PnkBstrK.sys
2008-05-17 19:17 . 2008-05-17 19:17 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Touchstone
2008-05-17 17:46 . 2008-05-17 17:46 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\InstallShield Installation Information
2008-05-17 17:39 . 2008-05-17 17:39 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-05-17 17:39 . 2008-05-17 17:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 17:39 . 2008-05-17 17:39 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-05-12 13:42 . 2008-05-12 13:42 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-12 13:42 . 2008-05-12 13:42 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-05-12 13:41 . 2008-05-12 13:41 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-05-12 13:41 . 2007-08-31 12:13 1,421,736 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-05-12 13:41 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-05-12 13:41 . 2007-08-31 12:15 18,856 --a------ C:\WINDOWS\system32\drivers\nuidfltr.sys
2008-05-08 11:25 . 2008-05-08 11:25 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-08 11:25 . 2003-03-18 13:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-05-08 11:25 . 2003-03-18 12:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-05-07 23:07 . 2008-05-07 23:25 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\U3
2008-05-07 21:53 . 2008-05-07 21:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-05-07 21:20 . 2008-05-07 21:20 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\DivX
2008-05-07 21:02 . 2008-05-07 21:02 34,308 --a------ C:\WINDOWS\system32\Chip.dll
2008-05-07 21:02 . 2008-05-07 21:02 18,152 --a------ C:\WINDOWS\system32\Pvt.tmp
2008-05-07 20:58 . 2008-05-07 20:58 <DIR> d-------- C:\Program Files\VSO
2008-05-07 20:58 . 2008-05-22 19:12 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Vso
2008-05-07 20:58 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-05-07 20:58 . 2006-05-20 16:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-05-07 20:58 . 2006-05-11 19:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-05-07 20:58 . 2006-09-29 12:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-05-07 20:58 . 2006-09-29 12:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-05-07 20:58 . 2006-09-29 12:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-05-07 20:58 . 2007-03-18 20:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-05-07 20:58 . 2008-05-07 20:58 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-07 20:58 . 2008-05-07 20:58 47,360 --a------ C:\Documents and Settings\Nick\Application Data\pcouffin.sys
2008-05-06 21:34 . 2008-05-06 21:34 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-05 22:32 . 2008-05-05 22:33 <DIR> d-------- C:\Program Files\HJSplit
2008-05-05 21:23 . 2008-05-05 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-04 06:22 . 2008-05-04 06:22 <DIR> d-------- C:\Program Files\The Rosetta Stone
2008-05-04 06:22 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-01 22:06 . 2008-05-01 23:07 <DIR> d-------- C:\Program Files\MSN Games
2008-05-01 22:06 . 2008-05-01 23:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-01 22:06 . 2008-05-01 22:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-05-01 12:25 . 2008-05-01 12:25 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-01 00:34 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-01 00:34 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-01 00:34 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-01 00:34 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-05-01 00:33 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-01 00:33 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-04-30 13:36 . 2008-04-30 13:38 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-04-30 13:32 . 2008-04-30 13:37 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-30 13:32 . 2008-04-30 13:34 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-30 13:32 . 2008-04-30 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-29 15:44 . 2008-04-29 15:44 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-04-29 15:44 . 2008-04-29 15:44 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\teamspeak2
2008-04-29 15:44 . 2008-04-29 15:44 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-04-29 08:38 . 2008-04-29 08:38 <DIR> d-------- C:\Program Files\America's Army Server Manager
2008-04-29 08:37 . 2008-04-29 15:30 <DIR> d-------- C:\Program Files\America's Army

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 02:33 16,608 ----a-w C:\WINDOWS\gdrv.sys
2008-05-22 10:52 --------- d-----w C:\Program Files\FlashGet
2008-05-21 22:44 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-21 22:44 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-21 21:09 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-05-21 21:09 2,337,865 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-05-21 21:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 08:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-05 05:07 --------- d-----w C:\Documents and Settings\Nick\Application Data\Winamp
2008-05-05 04:58 --------- d-----w C:\Documents and Settings\Nick\Application Data\Bioshock
2008-04-29 15:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-20 03:42 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-04-20 03:39 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-20 03:39 --------- d-----w C:\Documents and Settings\Nick\Application Data\DAEMON Tools
2008-04-18 07:53 --------- d--h--r C:\Documents and Settings\Nick\Application Data\SecuROM
2008-04-17 04:08 --------- d-----w C:\Documents and Settings\Nick\Application Data\Apple Computer
2008-04-16 04:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Winamp
2008-04-16 04:21 --------- d-----w C:\Program Files\Winamp
2008-04-15 08:34 --------- d-----w C:\Program Files\QuickTime
2008-04-15 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-15 08:33 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 05:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2008-04-13 07:17 --------- d-----w C:\Program Files\BitLord
2008-04-13 06:39 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-04-13 04:49 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 04:49 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-04-13 04:40 --------- d-----w C:\Program Files\GameSpy
2008-04-13 04:23 22,328 ----a-w C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2008-04-13 04:09 --------- d-----w C:\Program Files\Electronic Arts
2008-04-13 04:03 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-04-13 04:03 --------- d-----w C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2008-04-12 16:56 --------- d-----w C:\Program Files\DVD Decrypter
2008-04-12 16:54 --------- d-----w C:\Program Files\DVD Shrink
2008-04-12 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-12 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-11 20:36 --------- d-----w C:\Program Files\Realtek
2008-04-11 20:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-04-11 20:33 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-11 20:30 --------- d-----w C:\Program Files\Intel
2008-04-11 20:30 --------- d-----w C:\Program Files\GIGABYTE
2008-04-11 17:43 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 23:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 23:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 23:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 22:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 22:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-04 19:33 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_16.00.13.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 22:38:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 03:56:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a057a204-bacc-4d26-9990-79a187e2698e}]
2008-05-23 02:08 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-23 02:08 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-23 02:08 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 06:03 8429568]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-23 02:08 1177368]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-23 02:34 1575680]
"nwiz"="nwiz.exe" [2007-05-11 06:03 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"1AC4GCph6q"= C:\WINDOWS\system32\winver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\GIGABYTE\\GEST\\run.exe"=
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"D:\\R-Games\\Binaries\\UT3.exe"=
"D:\\R-Games\\Turok.Full-Rip.Skullptura.www.Media-Zone.net\\Turok\\Binaries\\TurokGame.exe"=
"D:\\R-Games\\Binaries\\R6Vegas2_Game.exe"=
"D:\\R-Games\\Binaries\\R6Vegas2_Launcher.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 avgldx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-23 02:09]
R1 cmdguard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-23 02:34]
R1 cmdhlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-23 02:35]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-23 02:08]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-23 02:08]
R2 avgtdix;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-23 02:09]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-05-22 19:33]
S3 GEST Service;GEST Service for program management.;"C:\Program Files\GIGABYTE\GEST\GSvr.exe" [2007-12-14 11:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb70cb52-1cb2-11dd-bf4a-001d7e99de77}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - gtndis5
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 21:04:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-05-26 21:04:30
ComboFix-quarantined-files.txt 2008-05-27 04:04:26
ComboFix2.txt 2008-05-25 23:00:20

Pre-Run: 44,855,922,688 bytes free
Post-Run: 44,844,376,064 bytes free

241 --- E O F --- 2008-05-16 05:35:46


=========

That's the log after running ComboFix with the CFScript. Also, while I was monitoring netstat connections, I often found a lot of connections to a single IP, and after I googled it I found this: http://www.spywareinfoforum.com/lofiversio...hp/t109273.html
I was showing the same IP connection as in his post, so I downloaded the software / guide he links to later in the forum and tried it, and it showed winver.exe as being the culprit but couldn't seem to remove it because every time I scanned it found it again. I went and manually right-click deleted it. I was also suspicious of the file because, as I mentioned earlier, one of the strange things that was happening was that "About Windows" was coming up every time I rebooted. Is manually going into the file and sending it to the recycle bin > emptying the recycle bin going to be enough to actually get rid of the file?

It seems like the system is running the way it was before now, but I do want to make absolutely sure as I pay bills online, etc. Netstat isn't showing the .ru connections any more, nor am I seeing the 208.xxx.... IP connection that seemed to be caused by winver.exe.

XP Antivirus and XP Security Center def. seem to be gone, as I am not getting any pop-ups or anything like that at this point... what do you think, am I clean yet?

Thanks again so much for your help.

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 May 2008 - 01:58 PM

Initial research on that file shows it as a legitimate Microsoft file. But let's check it out.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    C:\WINDOWS\system32\winver.exe

  • Click on the submit button
  • Please post the results in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Jarmonkey
  • Topic Starter
  • Members
  • 12 posts

Posted 27 May 2008 - 03:22 PM

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

^^ I got this message when I tried to upload. Like I said in my previous post, though, I did manually delete it, and I do not see the file when I go into the C:\windows\system32 folder. Could it be that this message is because the file is gone?

It is very confusing to determine which files are actually problematic, as even putting each running process into Google turns up results saying that there have been cases of it being infected but that it is also a legit file... I suppose this is done on purpose though.

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 May 2008 - 09:46 AM

That makes this even easier.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


===================



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

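The key the CFScript above deletes is the one that carried the `"1AC4GCph6q"= C:\WINDOWS\system32\winver.exe` entry in the earlier ComboFix log: winver.exe is a stock Windows binary (it displays the About Windows box, which matches the dialog the poster saw at every boot), but a randomly named value under the Policies\Explorer\Run key is the kind of autostart a helper reads the "Reg Loading Points" section for, as are the two Security Center notification switches the log shows set to 1. As an added example that is not part of this thread or of ComboFix, the Python below parses that section (copied from the posted log) and flags exactly those entries; the random-name rule and the key list are this example's own heuristics.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; it is not part of the thread's posts or of
ComboFix.  SAMPLE_REG_POINTS is copied from the log posted earlier in the
thread; the heuristics below are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied from the posted log: the ordinary Run keys, the Policies Run key
# the CFScript deletes, and the Security Center switches.
SAMPLE_REG_POINTS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 06:03 8429568]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-23 02:08 1177368]
"nwiz"="nwiz.exe" [2007-05-11 06:03 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"1AC4GCph6q"= C:\WINDOWS\system32\winver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

# Logon autostart that Setup programs do not normally write: it is the
# Group Policy counterpart of the Run key, so any value here deserves a look.
POLICY_RUN_SUFFIX = r"\policies\explorer\run"

# Switches that silence the XP Security Center balloons.  A value of 1 means
# the user is not told that antivirus or Automatic Updates are off.
SECURITY_CENTER_FLAGS = {
    "antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]$")  # ComboFix's " [date time size]" suffix


@dataclass(frozen=True)
class Entry:
    key: str
    name: str
    data: str


def parse_reg_points(text: str) -> list[Entry]:
    """Turn the REGEDIT4-style dump into (key, value name, data) triples."""
    entries: list[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key = m.group("key")
            continue
        if key is not None and (m := VALUE_RE.match(line)):
            # Drop ComboFix's bracketed timestamp/size and any surrounding quotes.
            data = TRAILER_RE.sub("", m.group("data")).strip().strip('"')
            entries.append(Entry(key, m.group("name"), data))
    return entries


def looks_random(name: str) -> bool:
    """Heuristic: installers name Run values after the product ("AVG8_TRAY");
    generated names such as "1AC4GCph6q" mix both cases with several digits."""
    digits = sum(c.isdigit() for c in name)
    return (len(name) >= 8 and digits >= 2
            and any(c.isupper() for c in name)
            and any(c.islower() for c in name))


def triage(entries: list[Entry]) -> list[str]:
    """Return one human-readable finding per suspicious entry."""
    findings: list[str] = []
    for e in entries:
        key = e.key.lower()
        if key.endswith(POLICY_RUN_SUFFIX):
            findings.append(f"policy Run key launches {e.data} (value {e.name!r})")
        if key.endswith("run") and looks_random(e.name):
            findings.append(f"random-looking autostart name {e.name!r} -> {e.data}")
        if (key.endswith(r"\security center")
                and e.name.lower() in SECURITY_CENTER_FLAGS
                and e.data.lower() == "dword:00000001"):
            findings.append(f"Security Center warning silenced: {e.name}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_points(SAMPLE_REG_POINTS)):
        print(finding)
```

Run against the sample it reports four findings: the policy Run entry, its random-looking name, and the two silenced Security Center warnings; the ordinary Run entries (ctfmon, NvCplDaemon, AVG8_TRAY, nwiz) pass.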


========================================================

#13 Jarmonkey
  • Topic Starter
  • Members
  • 12 posts

Posted 28 May 2008 - 05:11 PM

ComboFix log:

ComboFix 08-05-26.2 - Nick 2008-05-28 15:06:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1649 [GMT -7:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-25 16:26 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-05-25 15:41 . 2008-05-25 15:41 <DIR> d-------- C:\_OTMoveIt
2008-05-23 11:08 . 2008-05-23 11:08 <DIR> d-------- C:\Deckard
2008-05-23 03:41 . 2008-05-23 03:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 03:40 . 2008-05-23 03:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-23 03:02 . 2008-05-23 03:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 02:59 . 2008-05-23 02:59 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Talkback
2008-05-23 02:35 . 2008-05-23 02:35 <DIR> d-------- C:\Program Files\COMODO
2008-05-23 02:35 . 2008-05-23 02:35 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Comodo
2008-05-23 02:35 . 2008-05-23 02:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-05-23 02:35 . 2008-05-23 02:35 143,104 --a------ C:\WINDOWS\system32\guard32.dll
2008-05-23 02:35 . 2008-05-23 02:34 87,056 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-05-23 02:35 . 2008-05-23 02:35 24,208 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-05-23 02:13 . 2008-05-25 17:17 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-23 02:09 . 2008-05-27 13:15 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-23 02:09 . 2008-05-23 02:20 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\AVGTOOLBAR
2008-05-23 02:09 . 2008-05-23 02:09 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-23 02:09 . 2008-05-23 02:09 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-23 02:09 . 2008-05-23 02:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-23 02:08 . 2008-05-23 02:08 <DIR> d-------- C:\Program Files\AVG
2008-05-23 02:08 . 2008-05-23 02:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-22 22:08 . 2008-05-22 22:08 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Malwarebytes
2008-05-22 21:55 . 2008-05-22 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 21:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-22 21:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-22 19:32 . 2008-05-25 16:42 69,042 --a------ C:\WINDOWS\system32\SYWTDXAZ.SYS.del
2008-05-22 19:32 . 2008-05-22 19:32 2 --a------ C:\1678409293
2008-05-21 19:27 . 2008-05-21 19:27 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Ubisoft
2008-05-21 14:51 . 2008-05-21 14:51 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Media Player Classic
2008-05-21 14:09 . 2008-05-21 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-21 14:09 . 2008-05-21 14:09 22,328 --a------ C:\Documents and Settings\Nick\Application Data\PnkBstrK.sys
2008-05-17 19:17 . 2008-05-17 19:17 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Touchstone
2008-05-17 17:46 . 2008-05-17 17:46 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\InstallShield Installation Information
2008-05-17 17:39 . 2008-05-17 17:39 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-05-17 17:39 . 2008-05-17 17:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 17:39 . 2008-05-17 17:39 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-05-12 13:42 . 2008-05-12 13:42 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-12 13:42 . 2008-05-12 13:42 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-05-12 13:41 . 2008-05-12 13:41 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-05-12 13:41 . 2007-08-31 12:13 1,421,736 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-05-12 13:41 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-05-12 13:41 . 2007-08-31 12:15 18,856 --a------ C:\WINDOWS\system32\drivers\nuidfltr.sys
2008-05-08 11:25 . 2008-05-08 11:25 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-08 11:25 . 2003-03-18 13:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-05-08 11:25 . 2003-03-18 12:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-05-07 23:07 . 2008-05-07 23:25 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\U3
2008-05-07 21:53 . 2008-05-07 21:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-05-07 21:20 . 2008-05-07 21:20 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\DivX
2008-05-07 21:02 . 2008-05-07 21:02 34,308 --a------ C:\WINDOWS\system32\Chip.dll
2008-05-07 21:02 . 2008-05-07 21:02 18,152 --a------ C:\WINDOWS\system32\Pvt.tmp
2008-05-07 20:58 . 2008-05-07 20:58 <DIR> d-------- C:\Program Files\VSO
2008-05-07 20:58 . 2008-05-22 19:12 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Vso
2008-05-07 20:58 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-05-07 20:58 . 2006-05-20 16:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-05-07 20:58 . 2006-05-11 19:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-05-07 20:58 . 2006-09-29 12:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-05-07 20:58 . 2006-09-29 12:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-05-07 20:58 . 2006-09-29 12:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-05-07 20:58 . 2007-03-18 20:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-05-07 20:58 . 2008-05-07 20:58 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-07 20:58 . 2008-05-07 20:58 47,360 --a------ C:\Documents and Settings\Nick\Application Data\pcouffin.sys
2008-05-06 21:34 . 2008-05-06 21:34 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-05 22:32 . 2008-05-05 22:33 <DIR> d-------- C:\Program Files\HJSplit
2008-05-05 21:23 . 2008-05-05 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-04 06:22 . 2008-05-04 06:22 <DIR> d-------- C:\Program Files\The Rosetta Stone
2008-05-04 06:22 . 2004-03-29 16:23 90,112 --a------ C:\WINDOWS\unvise32.exe
2008-05-01 22:06 . 2008-05-01 23:07 <DIR> d-------- C:\Program Files\MSN Games
2008-05-01 22:06 . 2008-05-01 23:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-01 22:06 . 2008-05-01 22:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2008-05-01 12:25 . 2008-05-01 12:25 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-01 00:34 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-01 00:34 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-01 00:34 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-01 00:34 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-05-01 00:33 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-01 00:33 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-04-30 13:36 . 2008-04-30 13:38 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-04-30 13:32 . 2008-04-30 13:37 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-04-30 13:32 . 2008-04-30 13:34 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-30 13:32 . 2008-04-30 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-29 15:44 . 2008-04-29 15:44 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-04-29 15:44 . 2008-04-29 15:44 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\teamspeak2
2008-04-29 15:44 . 2008-04-29 15:44 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-04-29 08:38 . 2008-04-29 08:38 <DIR> d-------- C:\Program Files\America's Army Server Manager
2008-04-29 08:37 . 2008-04-29 15:30 <DIR> d-------- C:\Program Files\America's Army

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 02:33 16,608 ----a-w C:\WINDOWS\gdrv.sys
2008-05-22 10:52 --------- d-----w C:\Program Files\FlashGet
2008-05-21 22:44 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-21 22:44 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-21 21:09 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-05-21 21:09 2,337,865 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-05-21 21:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 08:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-05 05:07 --------- d-----w C:\Documents and Settings\Nick\Application Data\Winamp
2008-05-05 04:58 --------- d-----w C:\Documents and Settings\Nick\Application Data\Bioshock
2008-04-29 15:35 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-20 03:42 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-04-20 03:39 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-20 03:39 --------- d-----w C:\Documents and Settings\Nick\Application Data\DAEMON Tools
2008-04-18 07:53 --------- d--h--r C:\Documents and Settings\Nick\Application Data\SecuROM
2008-04-17 04:08 --------- d-----w C:\Documents and Settings\Nick\Application Data\Apple Computer
2008-04-16 04:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Winamp
2008-04-16 04:21 --------- d-----w C:\Program Files\Winamp
2008-04-15 08:34 --------- d-----w C:\Program Files\QuickTime
2008-04-15 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-15 08:33 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 05:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2008-04-13 07:17 --------- d-----w C:\Program Files\BitLord
2008-04-13 06:39 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-04-13 04:49 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 04:49 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-04-13 04:40 --------- d-----w C:\Program Files\GameSpy
2008-04-13 04:23 22,328 ----a-w C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2008-04-13 04:09 --------- d-----w C:\Program Files\Electronic Arts
2008-04-13 04:03 20,747 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-04-13 04:03 --------- d-----w C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2008-04-12 16:56 --------- d-----w C:\Program Files\DVD Decrypter
2008-04-12 16:54 --------- d-----w C:\Program Files\DVD Shrink
2008-04-12 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-12 06:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-04-11 20:36 --------- d-----w C:\Program Files\Realtek
2008-04-11 20:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-04-11 20:33 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-11 20:30 --------- d-----w C:\Program Files\Intel
2008-04-11 20:30 --------- d-----w C:\Program Files\GIGABYTE
2008-04-11 17:43 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 23:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 23:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 23:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 22:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 22:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-04 19:33 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_16.00.13.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 22:38:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-28 21:28:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-07-27 12:00:00 294,400 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
+ 2008-02-26 11:59:50 294,912 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
- 2007-07-27 12:00:00 294,400 ----a-w C:\WINDOWS\system32\MSCTF.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a057a204-bacc-4d26-9990-79a187e2698e}]
2008-05-23 02:08 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-23 02:08 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-23 02:08 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 06:03 8429568]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-23 02:08 1177368]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-05-23 02:34 1575680]
"nwiz"="nwiz.exe" [2007-05-11 06:03 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"1AC4GCph6q"= C:\WINDOWS\system32\winver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\GIGABYTE\\GEST\\run.exe"=
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"D:\\R-Games\\Binaries\\UT3.exe"=
"D:\\R-Games\\Turok.Full-Rip.Skullptura.www.Media-Zone.net\\Turok\\Binaries\\TurokGame.exe"=
"D:\\R-Games\\Binaries\\R6Vegas2_Game.exe"=
"D:\\R-Games\\Binaries\\R6Vegas2_Launcher.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 avgldx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-23 02:09]
R1 cmdguard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-05-23 02:34]
R1 cmdhlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-05-23 02:35]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-23 02:08]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-23 02:08]
R2 avgtdix;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-23 02:09]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-05-22 19:33]
S3 GEST Service;GEST Service for program management.;"C:\Program Files\GIGABYTE\GEST\GSvr.exe" [2007-12-14 11:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb70cb52-1cb2-11dd-bf4a-001d7e99de77}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 15:08:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-05-28 15:08:22
ComboFix-quarantined-files.txt 2008-05-28 22:08:19
ComboFix2.txt 2008-05-27 04:04:31
ComboFix3.txt 2008-05-25 23:00:20

Pre-Run: 44,793,806,848 bytes free
Post-Run: 44,781,568,000 bytes free

243 --- E O F --- 2008-05-28 04:17:28


==================

The other will be up soon.
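The "Reg Loading Points" section of the ComboFix log above is where a helper looks first. As an added example (an editor's illustration for this thread, not code from the original poster, from ComboFix, or from BleepingComputer), the Python script below parses that REGEDIT4-style section and flags the entries a reviewer would want to check by hand: anything under the policies\explorer\run key, random-looking value names, Security Center notifications switched off, AppInit_DLLs entries, and removable-media AutoRun commands. The sample input is an excerpt of the log posted above, embedded here as a constructed string; the flag names and the randomness heuristic are the example's own assumptions, and a flag means "look at this", not "this is malware".

```python
"""
Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; not a tool from the original post, from
ComboFix or from BleepingComputer. It only highlights autostart entries that
deserve a manual look and does not decide what is malicious.
"""
import re

# Constructed sample: an excerpt of the log posted above, inlined so the
# script runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-11 06:03 8429568]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-23 02:08 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"1AC4GCph6q"= C:\WINDOWS\system32\winver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb70cb52-1cb2-11dd-bf4a-001d7e99de77}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$")


def parse_loading_points(text):
    """Yield (key, value_name, data) triples from the REGEDIT4-style section."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data").strip()
            continue
        m = AUTORUN_RE.match(line)
        if m and key:
            # ComboFix prints mountpoints2 autorun commands without a value name.
            yield key, "AutoRun\\command", m.group("cmd").strip()


def looks_random(name):
    """Assumed heuristic: long alphanumeric token mixing digits, upper and lower case."""
    return (len(name) >= 8
            and name.isalnum()
            and any(c.isdigit() for c in name)
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def dword_is_set(data):
    """True for REGEDIT4 'dword:xxxxxxxx' data with a non-zero value."""
    if not data.lower().startswith("dword:"):
        return False
    return int(data.split(":", 1)[1], 16) != 0


def triage(text):
    """Return (flag, what, detail) tuples for entries worth checking manually."""
    findings = []
    for key, name, data in parse_loading_points(text):
        k = key.lower()
        # Policy Run key: a legitimate policy location, but rarely used by
        # ordinary installers and a common persistence spot.
        if k.endswith(r"\policies\explorer\run"):
            findings.append(("policy-run", name, data))
        # Security Center told not to warn about missing AV / updates.
        if k.endswith(r"\security center") and name.endswith("DisableNotify") and dword_is_set(data):
            findings.append(("security-center-notify-off", name, data))
        # AppInit DLLs load into every process that loads user32.dll; each one
        # should map to a product you know is installed (AVG and COMODO here).
        if name == "AppInit_DLLs" and data:
            for dll in data.split():
                findings.append(("appinit-dll", name, dll))
        # Removable-media autorun command recorded for a volume GUID.
        if "mountpoints2" in k and name == "AutoRun\\command":
            findings.append(("media-autorun", key.rsplit("\\", 1)[-1], data))
        if looks_random(name):
            findings.append(("random-name", name, key))
    return findings


if __name__ == "__main__":
    for flag, what, detail in triage(SAMPLE_LOG):
        print(f"{flag:28} {what:40} {detail}")
```

Running it against the excerpt lists the policy-Run value with the random-looking name, the two Security Center notification switches, the two AppInit DLLs, and the H: autorun command; whether each is expected on this machine is still the reviewer's call, which is why the script reports rather than deletes.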

#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 May 2008 - 09:42 AM

Ok, just post that log when you can.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 Jarmonkey

  • Topic Starter
  • Members
  • 12 posts

Posted 29 May 2008 - 01:13 PM

I can't seem to find the SUPERAntiSpyware log, but it only found a single tracking cookie. I quarantined / removed it and am going to scan again. I looked in Program Files and C:\ but didn't seem to see any logs for it. I will look at the website for directions, or if you happen to see this post before I run the scan again perhaps you could inform me. Thanks again!



