
Yet Another Xp Antivirus Removal Dilemma


This topic is locked
22 replies to this topic

#1 Uberstroker


Posted 26 June 2008 - 07:18 PM

Hello.
I'm another unfortunate person to be infected with XP Antivirus 2008. I have tried several manual fixes, but so far most have not worked, or have only partially worked, and I am still suffering most of the problems I started with (e.g., I cannot change the desktop).
To learn more about my situation, please visit my other thread: http://www.bleepingcomputer.com/forums/t/154405/a-very-malicious-virus/
Any assistance regarding this would be greatly appreciated. I'm trying to avoid having to reformat my PC.


And now for the log report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:49 PM, on 6/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\services.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX18.547\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKLM\..\Run: [SMrhcvtaj0eret] C:\Program Files\rhcvtaj0eret\rhcvtaj0eret.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdczd.exe] C:\WINDOWS\system32\kdczd.exe
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\Owner\svchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [38edd563] rundll32.exe "C:\WINDOWS\system32\mitawqbm.dll",b
O4 - HKLM\..\Run: [BM3bdee6ff] Rundll32.exe "C:\WINDOWS\system32\ppurmaps.dll",s
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKCU\..\Run: [65011245798986496025634672078643] C:\Program Files\XP Antivirus\xpa.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\Owner\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: userinit.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://81.175.116.204/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{758DDBD5-3485-4D6E-977C-0F2665BA94A6}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{A37FEC63-41F1-4F10-AFA0-CD691859047B}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3350B8F-BFE4-4E32-B740-C97E5F441904}: NameServer = 85.255.113.140,85.255.112.93
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O20 - AppInit_DLLs: C:\WINDOWS\system32\Com\patch32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe
O23 - Service: Ventrilo (ventrilo) - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 9231 bytes
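As an added illustration (not code from this thread or from HijackThis), the Python script below applies the checks a helper performs by eye on the log above: it flags O4 autostart entries whose file name is a Windows system binary started from an unusual directory, or a one-edit lookalike of one (cftmon.exe, spools.exe), O17 NameServer values outside the local network, and any O20 AppInit_DLLs value. The lookalike check generalizes beyond the two names in this log; the system-binary list and trusted directories are assumptions for an XP host, and the sample input is a shortened excerpt of the log above.

```python
"""Triage of HijackThis v2 log lines (added example, not code from this thread
or from HijackThis).  Flags O4 autostarts whose file name is a Windows system
binary, or a one-edit lookalike (cftmon.exe), started from outside the
directories those binaries live in on XP; O17 static NameServer values outside
the local network (DNS hijack); and any O20 AppInit_DLLs value.
SYSTEM_BINARIES and TRUSTED_DIRS are assumptions for an XP host."""
import ipaddress
import re

SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "userinit.exe", "ctfmon.exe", "explorer.exe",
}
# Where those names legitimately run on Windows XP (compared lower-cased).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows")

_O4_RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$")
_O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<entry>.+)$")
_O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")
_O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

def _osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    n, m = len(a), len(b)
    d = [[i + j if i * j == 0 else 0 for j in range(m + 1)] for i in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # cftmon <-> ctfmon
    return d[n][m]

def _executable(cmd):
    """Executable path at the start of an O4 command (quoted, or up to the first .exe)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def _check_binary(path):
    """Finding for a system-binary name (or lookalike) outside a trusted directory, else None."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    name_l, dir_l = name.lower(), directory.lower()
    if name_l in SYSTEM_BINARIES:
        if dir_l in TRUSTED_DIRS:
            return None
        return f"system binary name {name} started from {directory or '(startup folder)'}"
    for legit in sorted(SYSTEM_BINARIES):
        if _osa_distance(name_l, legit) == 1:
            return f"lookalike of {legit}: {path}"
    return None

def _external_resolvers(servers):
    """Resolver addresses that are neither private, loopback nor link-local."""
    out = []
    for tok in re.split(r"[ ,]+", servers.strip()):
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:
            continue
        if not (ip.is_private or ip.is_loopback or ip.is_link_local):
            out.append(tok)
    return out

def triage(log_text):
    """Return [(section, finding)] for the suspicious lines of a HijackThis log."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if (m := _O4_RUN_RE.match(line)):
            f = _check_binary(_executable(m.group("cmd")))
            if f:
                findings.append(("O4", f"{m.group('hive')} [{m.group('name')}]: {f}"))
        elif (m := _O4_STARTUP_RE.match(line)):
            f = _check_binary(m.group("entry").split(" = ", 1)[-1])  # "x.lnk = target"
            if f:
                findings.append(("O4", f"Startup folder: {f}"))
        elif (m := _O17_RE.match(line)):
            if bad := _external_resolvers(m.group("servers")):
                findings.append(("O17", "NameServer outside local network: " + ", ".join(bad)))
        elif (m := _O20_RE.match(line)):
            findings.append(("O20", "AppInit_DLLs set: " + m.group("dlls")))
    return findings

# Shortened excerpts of the HijackThis log posted above, used as sample input.
SAMPLE = r"""
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Owner\cftmon.exe
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\Owner\svchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: userinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.140 85.255.112.93
O20 - AppInit_DLLs: C:\WINDOWS\system32\Com\patch32.dll
"""
if __name__ == "__main__":
    for section, finding in triage(SAMPLE):
        print(f"{section:4} {finding}")
```

Legitimate entries such as ctfmon.exe in system32 or the NVIDIA rundll32 loader pass through untouched, which is the point of checking the directory rather than the name alone.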


#2 fenzodahl512


Posted 29 June 2008 - 07:41 AM

Hello, my name is fenzodahl512 and welcome to BC. Please do the following...


Please download FixWareout by LonnyRJones and save it to your desktop.

Please double-click Fixwareout >> click Next, then Install, make sure Run fixit is checked and click Finish.

The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please let your firewall allow it.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt).




NEXT


Please visit the webpage below for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.




Please post the following logs in your next reply. Post each log in a separate post.

1. FixWareout
2. ComboFix
3. A fresh HijackThis (after ComboFix step)



Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Uberstroker

Topic Starter

Posted 29 June 2008 - 03:18 PM

Firstly, I would just like to extend my sincerest thanks to you for taking the time to help me through this crisis. My computer is doing SIGNIFICANTLY better now. I can access the internet now, so I won't have to use a family member's! OK, so without further ado...

Username "Owner" - 06/29/2008 12:55:51 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdczd.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.91 85.255.112.6" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{758DDBD5-3485-4D6E-977C-0F2665BA94A6}
"nameserver"="85.255.115.91,85.255.112.6" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A37FEC63-41F1-4F10-AFA0-CD691859047B}
"nameserver"="85.255.115.91,85.255.112.6" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C3350B8F-BFE4-4E32-B740-C97E5F441904}
"nameserver"="85.255.115.91,85.255.112.6" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1FD7240C-CAC1-46A3-A76B-B8474976A4A1}
"DhcpNameServer"="85.255.115.91,85.255.112.6" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A37FEC63-41F1-4F10-AFA0-CD691859047B}
"DhcpNameServer"="85.255.115.91,85.255.112.6" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C3350B8F-BFE4-4E32-B740-C97E5F441904}
"DhcpNameServer"="85.255.115.91,85.255.112.6" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\Owner\\cftmon.exe"
"SMrhcvtaj0eret"="C:\\Program Files\\rhcvtaj0eret\\rhcvtaj0eret.exe"
"C:\\WINDOWS\\system32\\kdczd.exe"="C:\\WINDOWS\\system32\\kdczd.exe"
"[system]"="C:\\WINDOWS\\system32\\drivers\\services.exe"
"winlogon"="C:\\Documents and Settings\\Owner\\svchost.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"SpyHunter Security Suite"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe\""
"38edd563"="rundll32.exe \"C:\\WINDOWS\\system32\\bagpysab.dll\",b"
"BM3bdee6ff"="Rundll32.exe \"C:\\WINDOWS\\system32\\lqxffqvq.dll\",s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"autoload"="C:\\Documents and Settings\\Owner\\cftmon.exe"
"65011245798986496025634672078643"="C:\\Program Files\\XP Antivirus\\xpa.exe"
"[system]"="C:\\WINDOWS\\system32\\drivers\\services.exe"
"winlogon"="C:\\Documents and Settings\\Owner\\svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


ComboFix 08-06-20.4 - Owner 2008-06-29 14:52:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1641 [GMT -5:00]
Running from: H:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\ShoppingReport
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\WINDOWS\BM3bdee6ff.xml
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\2.tmp
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\5.tmp
C:\WINDOWS\system32\ahbrvy.dll
C:\WINDOWS\system32\B.tmp
C:\WINDOWS\system32\bagpysab.dll
C:\WINDOWS\system32\basypgab.ini
C:\WINDOWS\system32\byXNfghH.dll
C:\WINDOWS\system32\byXQKdBQ.dll
C:\WINDOWS\system32\dJkRYcfe.ini
C:\WINDOWS\system32\dJkRYcfe.ini2
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\efcYRkJd.dll
C:\WINDOWS\system32\khfEWnMd.dll
C:\WINDOWS\system32\lqxffqvq.dll
C:\WINDOWS\system32\mbqwatim.ini
C:\WINDOWS\system32\okmytxqe.dll
C:\WINDOWS\system32\ppurmaps.dll
C:\WINDOWS\system32\wkbqgwnr.dll
C:\WINDOWS\system32\ylhhejnn.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-29 )))))))))))))))))))))))))))))))
.

2008-06-29 15:06 . 2008-06-25 17:54 13,824 --a------ C:\WINDOWS\system32\drivers\services.exe
2008-06-29 12:55 . 2008-06-29 13:01 <DIR> d-------- C:\fixwareout
2008-06-28 17:21 . 2008-06-29 13:03 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-28 17:21 . 2008-06-29 13:03 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-28 17:19 . 2008-06-28 17:19 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-28 17:19 . 2008-06-29 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-28 17:19 . 2008-06-29 15:06 311,328 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-28 17:19 . 2008-06-29 15:06 10,784 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-28 17:19 . 2008-06-29 15:03 5,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-28 17:19 . 2008-06-29 15:03 2,036 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-28 17:05 . 2008-06-28 17:05 <DIR> d-------- C:\kav
2008-06-28 16:51 . 2008-06-28 16:51 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-28 16:51 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-06-28 16:36 . 2008-06-28 16:36 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-27 11:09 . 2008-06-27 11:09 <DIR> d-------- C:\Deckard
2008-06-27 11:05 . 2008-06-25 17:54 13,824 --a------ C:\userinit.exe
2008-06-26 18:02 . 2008-06-26 18:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-26 18:02 . 2008-06-26 18:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-26 17:44 . 2008-06-25 17:54 13,824 --a------ C:\Documents and Settings\Owner\svchost.exe
2008-06-26 16:52 . 2008-06-26 16:52 <DIR> d-------- C:\Documents and Settings\Guest
2008-06-26 16:52 . 2008-06-25 17:54 13,824 --a------ C:\Documents and Settings\Guest\svchost.exe
2008-06-25 19:33 . 2008-06-25 17:54 7,680 --a------ C:\Documents and Settings\LocalService\cftmon.exe
2008-06-25 18:57 . 2008-06-25 20:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-25 18:03 . 2008-06-25 18:03 13,824 --a------ C:\WINDOWS\system32\ipol.dll
2008-06-25 18:02 . 2008-06-25 18:02 18,944 --a------ C:\WINDOWS\system32\ksadio.dll
2008-06-25 17:59 . 2008-06-25 17:54 13,824 --a------ C:\Documents and Settings\LocalService\svchost.exe
2008-06-25 17:55 . 2008-06-25 17:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\rhcvtaj0eret
2008-06-25 17:55 . 2008-06-28 17:32 94,208 --a------ C:\WINDOWS\system32\pphcrtaj0eret.exe
2008-06-25 17:55 . 2008-06-25 17:55 90,838 --a------ C:\WINDOWS\system32\phcrtaj0eret.bmp
2008-06-25 17:55 . 2008-06-25 17:55 60,928 --a------ C:\WINDOWS\system32\blphcrtaj0eret.scr
2008-06-25 17:55 . 2008-06-25 17:55 14 --a------ C:\Documents
2008-06-25 17:55 . 2008-06-25 17:55 2 --a------ C:\955110860
2008-06-25 17:54 . 2008-06-25 17:54 109,056 --a------ C:\WINDOWS\system32\lphcrtaj0eret.exe
2008-06-25 17:54 . 63,920 C:\WINDOWS\system32\drivers\b004cbd9.sys
2008-06-25 17:54 . 2008-06-25 17:54 7,680 --a------ C:\Documents and Settings\Owner\cftmon.exe
2008-06-25 17:29 . 2008-06-25 17:36 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-06-25 17:29 . 2008-06-25 17:47 54,782 --a------ C:\WINDOWS\War3Unin.dat
2008-06-25 17:29 . 2008-06-25 17:36 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-06-19 10:54 . 2008-06-19 10:54 <DIR> d-------- C:\Program Files\Pinnacle
2008-06-19 10:54 . 2008-06-19 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-06-11 00:29 . 2008-06-11 00:29 <DIR> d-------- C:\Program Files\Ventrilo
2008-06-11 00:21 . 2008-06-11 00:26 <DIR> d-------- C:\Program Files\VentSrv
2008-06-10 14:23 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 18:12 . 2008-06-09 18:12 <DIR> d-------- C:\Logs
2008-06-05 16:49 . 2008-06-25 08:59 23 --a------ C:\WINDOWS\BlendSettings.ini
2008-06-02 19:56 . 2008-06-02 19:56 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 18:03 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-28 22:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-28 22:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-28 21:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-26 22:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-06-26 15:45 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-06-26 14:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2008-06-25 16:49 --------- d-s---w C:\Program Files\Xfire
2008-06-22 22:36 --------- d-----w C:\Program Files\LimeWire
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 21:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-24 03:16 --------- d-----w C:\Program Files\InterActual
2008-05-23 21:41 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-23 21:41 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-09-21 03:33 257,917,321 ----a-w C:\Program Files\Command and Conquer Red Alert 2.zip
2007-08-24 19:24 349 ----a-w C:\Program Files\INSTALL.LOG
2007-07-31 04:32 51,185,123 ----a-w C:\Documents and Settings\Owner\WoW-2.1.3.6898-to-0.2.0.6932-enUS-patch.exe
2007-02-10 02:48 21,902,272 ----a-w C:\Documents and Settings\Drivers\81.98_forceware_winxp2k_english_whql.exe
2005-07-16 19:14 38,664 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-12-18 16:33 20,102 ----a-w C:\Program Files\Readme.txt
2003-09-03 12:46 10,960 ----a-w C:\Program Files\EULA.txt
2007-10-24 01:14 284,076 --sha-r C:\WINDOWS\system32\Com\patch32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [2008-06-25 17:54 13824]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"winlogon"="C:\Documents and Settings\Owner\svchost.exe" [2008-06-25 17:54 13824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdczd.exe"="C:\WINDOWS\system32\kdczd.exe" [2007-06-13 05:23 51200]
"SMrhcvtaj0eret"="C:\Program Files\rhcvtaj0eret\rhcvtaj0eret.exe" [ ]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [2008-06-25 17:54 13824]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-20 23:09 7618560]
"NvMediaCenter"="NvMCTray.dll" [2006-06-20 23:09 86016 C:\WINDOWS\system32\nvmctray.dll]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 15:47 847872]
"winlogon"="C:\Documents and Settings\Owner\svchost.exe" [2008-06-25 17:54 13824]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-02-08 15:59 145920]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [2008-06-25 17:54 13824]
"winlogon"="C:\Documents and Settings\LocalService\svchost.exe" [2008-06-25 17:54 13824]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
userinit.exe [2008-06-25 17:54:41 13824]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
userinit.exe [2008-06-25 17:54:41 13824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-09 18:13:12 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-01-06 22:58:59 125624]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-01-01 20:58:08 169472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\Com\patch32.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
C:\Program Files\TiVo\Desktop\TiVoServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\tunebite\tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\InterVideo\\WinDVD4PR\\WinDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\WINDOWS\\system32\\freecell.exe"=
"D:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"D:\\Program Files\\Steam\\SteamApps\\uberstroker\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"D:\\Program Files\\RelicCOH.exe"=
"C:\\kav\\kis\\setup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard downloader

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S2 RPCM;Remote Procedure Manager(TPM);C:\Program Files\Common Files\Microsoft Shared\Speech\csvde.exe [2005-06-05 15:06]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2002-11-08 04:50]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-07-18 15:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95ce1c03-9c12-11db-9834-000d613b4b8f}]
\Shell\AutoRun\command - G:\wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 01:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-23 07:00:00 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-29 15:05:43
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\kdczd.exe 51200 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\userinit.exe
.
**************************************************************************
.
Completion time: 2008-06-29 15:09:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-29 20:09:32

Pre-Run: 95,108,694,016 bytes free
Post-Run: 95,465,881,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

273 --- E O F --- 2008-06-21 08:01:51

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:26 PM, on 6/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.406\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdczd.exe] C:\WINDOWS\system32\kdczd.exe
O4 - HKLM\..\Run: [SMrhcvtaj0eret] C:\Program Files\rhcvtaj0eret\rhcvtaj0eret.exe
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: userinit.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1f460357-8a94-4d71-9ca3-aa4acf32ed8e} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://81.175.116.204/activex/AMC.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.91 85.255.112.6
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.91 85.255.112.6
O20 - AppInit_DLLs: C:\WINDOWS\system32\Com\patch32.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (avp) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: Ventrilo (ventrilo) - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 7729 bytes
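A triage pass over a HijackThis log like the one above, as an added example that is neither part of this thread nor of the HijackThis tool. It flags the autostart patterns the helper's later CFScript targets: bracketed value names, core Windows binary names launched from a user profile or the drivers folder, registry DNS overrides, AppInit DLLs, an unknown Winsock LSP and orphaned services. The sample lines are excerpted from the log posted above; the list of system binaries and the review rules are my own assumptions about what merits a second look, not a verdict on any entry.

```python
"""Triage a HijackThis v2 log for the autostart patterns seen in this thread."""
import ntpath
import re
from dataclasses import dataclass

# Sample input: lines excerpted verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdczd.exe] C:\WINDOWS\system32\kdczd.exe
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - Startup: userinit.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.91 85.255.112.6
O20 - AppInit_DLLs: C:\WINDOWS\system32\Com\patch32.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
"""

# Core Windows binaries that legitimately run only from %SystemRoot%\system32
# (assumed list; the copies under user profiles and \drivers in this thread
# are the impostors the helper's CFScript removed).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "userinit.exe", "ctfmon.exe"}
SYSTEM32 = r"c:\windows\system32"

# "O4 - <key>: [<value name>] <command> (User '<name>')" with the user suffix optional
O4_RUN = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>.*)\] (?P<cmd>.*?)(?: \(User '.*'\))?$")
# "O4 - Startup: <file>" or "O4 - Global Startup: <shortcut> = <target>"
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?:.+? = )?(?P<cmd>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why the line merits review
    line: str      # the original log line


def first_exe(cmd: str) -> str:
    """Return the program a Run command launches; paths may contain spaces."""
    m = re.match(r".*?\.exe", cmd, re.IGNORECASE)
    return m.group(0) if m else cmd


def check_o4(name, cmd):
    """Return the reasons an O4 autostart entry looks suspicious (empty if none)."""
    exe = first_exe(cmd)
    base = ntpath.basename(exe).lower()      # ntpath splits Windows paths on any OS
    folder = ntpath.dirname(exe).lower()
    reasons = []
    if name is not None and name.lower() == exe.lower():
        reasons.append("value name is just the executable path (no product name)")
    if name is not None and name.startswith("[") and name.endswith("]"):
        reasons.append("value name wrapped in brackets to pass as a system entry")
    if base in SYSTEM_BINARIES and folder != SYSTEM32:
        where = folder or "the Startup folder"
        reasons.append(f"{base} is a core Windows binary name but runs from {where}")
    return reasons


def triage(log_text: str):
    """Scan HijackThis output and return the entries a responder should review."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("O4 - "):
            m = O4_RUN.match(line)
            if m:
                name, cmd = m.group("name"), m.group("cmd")
            else:
                m = O4_STARTUP.match(line)
                if not m:
                    continue
                name, cmd = None, m.group("cmd")
            for reason in check_o4(name, cmd):
                findings.append(Finding("O4", reason, line))
        elif line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append(Finding("O10", "unregistered LSP sees every socket call", line))
        elif line.startswith("O17 - "):
            servers = ", ".join(line.split("NameServer =")[-1].split())
            findings.append(Finding("O17", f"DNS forced to {servers}; confirm they are your ISP's", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            for dll in line.split(":", 1)[1].split(","):
                findings.append(Finding("O20", f"{dll.strip()} is injected into every GUI process", line))
        elif line.startswith("O23 - ") and line.endswith("(file missing)"):
            findings.append(Finding("O23", "service points at a binary that no longer exists", line))
    return findings


def count_by_section(findings):
    """Summarise findings as {section: count}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Legitimate entries such as NvCplDaemon and the real ctfmon.exe in System32 produce no finding, while the bracketed "[system]" entry is flagged twice (bracketed name and services.exe running from \drivers).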

#4 Uberstroker

Uberstroker
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male

Posted 29 June 2008 - 03:32 PM

oops...didn't think that was all the same post, if you really want me to I can make 3 separate posts

#5 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 30 June 2008 - 03:35 AM

Looking at your system now, one or more of the identified infections is a backdoor Trojan. If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:

  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online banking/financial purposes until we give it the all clear.




Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\WINDOWS\system32\drivers\services.exe
    • C:\Documents and Settings\Guest\Start Menu\Programs\Startup\userinit.exe
  • Click on the submit button. You can only submit one file per round.
  • Please post the results in your next reply.
If Jotti server is too busy, please submit the file to VirusTotal instead.




NEXT


Before we continue, please go to this website, and complete the form as follows:

Link to topic where this file was requested: http://www.bleepingcomputer.com/forums/t/154478/yet-another-xp-antivirus-removal-dilemma/

Browse to the file you want to submit: Click Browse, and navigate to the following file:

C:\WINDOWS\system32\drivers\services.exe

Leave any comments, further information about this file, or contact information: From fenzodahl512 for SDFix.





NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\userinit.exe
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\userinit.exe
C:\Documents and Settings\Owner\svchost.exe
C:\Documents and Settings\Guest\svchost.exe
C:\Documents and Settings\LocalService\cftmon.exe
C:\WINDOWS\system32\ipol.dll
C:\WINDOWS\system32\ksadio.dll
C:\Documents and Settings\LocalService\svchost.exe
C:\WINDOWS\system32\pphcrtaj0eret.exe
C:\WINDOWS\system32\phcrtaj0eret.bmp
C:\WINDOWS\system32\blphcrtaj0eret.scr
C:\Documents
C:\955110860
C:\WINDOWS\system32\lphcrtaj0eret.exe
C:\WINDOWS\system32\drivers\b004cbd9.sys
C:\Documents and Settings\Owner\cftmon.exe
C:\WINDOWS\system32\kdczd.exe

Folder::
C:\Documents and Settings\Owner\Application Data\rhcvtaj0eret
C:\Program Files\rhcvtaj0eret

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winlogon"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdczd.exe"=-
"SMrhcvtaj0eret"=-
"winlogon"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the ComboFix log in your next reply.




NEXT


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.



Please post the following logs in your next reply. Post each log in a separate post.

1. Jotti/VirusTotal
2. ComboFix
3. SDFix



Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#6 Uberstroker

Uberstroker
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male

Posted 30 June 2008 - 09:52 AM

Scan taken on 30 Jun 2008 14:48:14 (GMT)
A-Squared
Found nothing
AntiVir
Found WORM/Socks.AE.15
ArcaVir
Found Trojan.Psw.Qqshou.Gw
Avast
Found Win32:Socks-AX
AVG Antivirus
Found nothing
BitDefender
Found Win32.Worm.Socks.BA
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found P2P-Worm.Win32.Socks.ae
Fortinet
Found nothing
Ikarus
Found Virus.P2P.Worm.Win32.Socks.ae
Kaspersky Anti-Virus
Found P2P-Worm.Win32.Socks.ae
NOD32
Found Win32/Zalup
Norman Virus Control
Found W32/Malware.CZMC
Panda Antivirus
Found W32/Socks.E.worm
Sophos Antivirus
Found Mal/EncPk-DB
VirusBuster
Found nothing
VBA32
Found P2P-Worm.Win32.Socks.ae

#7 Uberstroker

Uberstroker
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male

Posted 30 June 2008 - 09:57 AM

Scan taken on 30 Jun 2008 14:55:42 (GMT)
A-Squared
Found nothing
AntiVir
Found WORM/Socks.AE.15
ArcaVir
Found Trojan.Psw.Qqshou.Gw
Avast
Found Win32:Socks-AX
AVG Antivirus
Found nothing
BitDefender
Found Win32.Worm.Socks.BA
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found P2P-Worm.Win32.Socks.ae
Fortinet
Found nothing
Ikarus
Found Virus.P2P.Worm.Win32.Socks.ae
Kaspersky Anti-Virus
Found P2P-Worm.Win32.Socks.ae
NOD32
Found Win32/Zalup
Norman Virus Control
Found W32/Malware.CZMC
Panda Antivirus
Found nothing
Sophos Antivirus
Found Mal/EncPk-DB
VirusBuster
Found nothing
VBA32
Found P2P-Worm.Win32.Socks.ae

#8 Uberstroker

Uberstroker
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male

Posted 30 June 2008 - 10:24 AM

ComboFix 08-06-20.4 - Owner 2008-06-30 10:09:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1426 [GMT -5:00]
Running from: H:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\userinit.exe
C:\Documents and Settings\Guest\svchost.exe
C:\Documents and Settings\LocalService\cftmon.exe
C:\Documents and Settings\LocalService\svchost.exe
C:\Documents and Settings\Owner\cftmon.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\userinit.exe
C:\Documents and Settings\Owner\svchost.exe
C:\WINDOWS\system32\drivers\services.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-29 23:19 . 2008-06-29 23:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-29 23:19 . 2008-06-29 23:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-29 23:12 . 2008-06-29 23:12 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-06-29 12:55 . 2008-06-29 13:01 <DIR> d-------- C:\fixwareout
2008-06-28 17:21 . 2008-06-29 13:03 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-28 17:21 . 2008-06-29 13:03 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-28 17:19 . 2008-06-28 17:19 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-28 17:19 . 2008-06-29 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-28 17:19 . 2008-06-30 10:18 702,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-28 17:19 . 2008-06-30 10:18 21,024 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-28 17:19 . 2008-06-30 10:16 10,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-28 17:19 . 2008-06-30 10:16 4,040 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-28 17:05 . 2008-06-28 17:05 <DIR> d-------- C:\kav
2008-06-28 16:51 . 2008-06-28 16:51 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-28 16:51 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-06-28 16:36 . 2008-06-28 16:36 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-27 11:09 . 2008-06-27 11:09 <DIR> d-------- C:\Deckard
2008-06-27 11:05 . 2008-06-25 17:54 13,824 --a------ C:\userinit.exe
2008-06-26 16:52 . 2008-06-30 10:14 <DIR> d-------- C:\Documents and Settings\Guest
2008-06-25 18:57 . 2008-06-25 20:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-25 18:03 . 2008-06-25 18:03 13,824 --a------ C:\WINDOWS\system32\ipol.dll
2008-06-25 18:02 . 2008-06-25 18:02 18,944 --a------ C:\WINDOWS\system32\ksadio.dll
2008-06-25 17:55 . 2008-06-25 17:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\rhcvtaj0eret
2008-06-25 17:55 . 2008-06-28 17:32 94,208 --a------ C:\WINDOWS\system32\pphcrtaj0eret.exe
2008-06-25 17:55 . 2008-06-25 17:55 90,838 --a------ C:\WINDOWS\system32\phcrtaj0eret.bmp
2008-06-25 17:55 . 2008-06-25 17:55 60,928 --a------ C:\WINDOWS\system32\blphcrtaj0eret.scr
2008-06-25 17:55 . 2008-06-25 17:55 14 --a------ C:\Documents
2008-06-25 17:55 . 2008-06-25 17:55 2 --a------ C:\955110860
2008-06-25 17:54 . 2008-06-25 17:54 109,056 --a------ C:\WINDOWS\system32\lphcrtaj0eret.exe
2008-06-25 17:54 . 63,920 C:\WINDOWS\system32\drivers\b004cbd9.sys
2008-06-25 17:29 . 2008-06-29 15:45 126,976 --a------ C:\WINDOWS\War3Unin.exe
2008-06-25 17:29 . 2008-06-29 23:22 76,868 --a------ C:\WINDOWS\War3Unin.dat
2008-06-25 17:29 . 2008-06-29 15:45 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-06-19 10:54 . 2008-06-19 10:54 <DIR> d-------- C:\Program Files\Pinnacle
2008-06-19 10:54 . 2008-06-19 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-06-11 00:29 . 2008-06-11 00:29 <DIR> d-------- C:\Program Files\Ventrilo
2008-06-11 00:21 . 2008-06-11 00:26 <DIR> d-------- C:\Program Files\VentSrv
2008-06-10 14:23 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 18:12 . 2008-06-09 18:12 <DIR> d-------- C:\Logs
2008-06-05 16:49 . 2008-06-29 23:04 23 --a------ C:\WINDOWS\BlendSettings.ini
2008-06-02 19:56 . 2008-06-02 19:56 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-05-23 22:27 . 2008-05-23 22:27 0 --a------ C:\WINDOWS\iPlayer.INI
2008-05-23 22:15 . 2008-05-23 22:16 <DIR> d-------- C:\Program Files\InterActual
2008-05-16 17:52 . 2008-05-16 17:52 118 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 15:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-30 15:17 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-06-29 22:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-29 18:03 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-28 22:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-26 22:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-06-26 14:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\Xfire
2008-06-25 16:49 --------- d-s---w C:\Program Files\Xfire
2008-06-22 22:36 --------- d-----w C:\Program Files\LimeWire
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 21:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-23 21:41 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-23 21:41 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-09-21 03:33 257,917,321 ----a-w C:\Program Files\Command and Conquer Red Alert 2.zip
2007-08-24 19:24 349 ----a-w C:\Program Files\INSTALL.LOG
2007-07-31 04:32 51,185,123 ----a-w C:\Documents and Settings\Owner\WoW-2.1.3.6898-to-0.2.0.6932-enUS-patch.exe
2007-02-10 02:48 21,902,272 ----a-w C:\Documents and Settings\Drivers\81.98_forceware_winxp2k_english_whql.exe
2005-07-16 19:14 38,664 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-12-18 16:33 20,102 ----a-w C:\Program Files\Readme.txt
2003-09-03 12:46 10,960 ----a-w C:\Program Files\EULA.txt
2007-10-24 01:14 284,076 --sha-r C:\WINDOWS\system32\Com\patch32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-29_15.08.25.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 20:04:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-30 15:17:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-04-12 20:08:16 15,872 ----a-w C:\WINDOWS\system32\drivers\AVFilter.sys
+ 2008-02-12 15:44:10 21,904 ----a-w C:\WINDOWS\system32\drivers\AVFilter.sys
- 2007-02-21 18:27:12 22,528 ----a-w C:\WINDOWS\system32\drivers\AVHook.sys
+ 2007-12-06 20:51:44 28,568 ----a-w C:\WINDOWS\system32\drivers\AVHook.sys
- 2007-02-21 18:27:12 15,872 ----a-w C:\WINDOWS\system32\drivers\AVRec.sys
+ 2007-12-06 20:51:44 21,912 ----a-w C:\WINDOWS\system32\drivers\AVRec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdczd.exe"="C:\WINDOWS\system32\kdczd.exe" [2007-06-13 05:23 51200]
"SMrhcvtaj0eret"="C:\Program Files\rhcvtaj0eret\rhcvtaj0eret.exe" [ ]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-20 23:09 7618560]
"NvMediaCenter"="NvMCTray.dll" [2006-06-20 23:09 86016 C:\WINDOWS\system32\nvmctray.dll]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 15:47 847872]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-02-08 15:59 145920]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"winlogon"="C:\Documents and Settings\LocalService\svchost.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-09 18:13:12 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-01-06 22:58:59 125624]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-01-01 20:58:08 169472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\Com\patch32.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
C:\Program Files\TiVo\Desktop\TiVoServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\tunebite\tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\InterVideo\\WinDVD4PR\\WinDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\WINDOWS\\system32\\freecell.exe"=
"D:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"D:\\Program Files\\Steam\\SteamApps\\uberstroker\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"D:\\Program Files\\RelicCOH.exe"=
"C:\\kav\\kis\\setup.exe"=
"D:\\Program Files\\eMule\\emule.exe"=
"D:\\Program Files\\Warcraft III\\Warcraft III.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard downloader

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S2 RPCM;Remote Procedure Manager(TPM);C:\Program Files\Common Files\Microsoft Shared\Speech\csvde.exe [2005-06-05 15:06]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2002-11-08 04:50]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-07-18 15:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95ce1c03-9c12-11db-9834-000d613b4b8f}]
\Shell\AutoRun\command - G:\wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 01:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-23 07:00:00 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 10:17:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\kdczd.exe 51200 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
.
**************************************************************************
.
Completion time: 2008-06-30 10:22:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 15:22:01
ComboFix2.txt 2008-06-29 20:09:45

Pre-Run: 95,248,146,432 bytes free
Post-Run: 95,254,405,120 bytes free

243 --- E O F --- 2008-06-21 08:01:51

#9 Uberstroker

Uberstroker
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male

Posted 30 June 2008 - 10:51 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
b004cbd9

Path :
\SystemRoot\System32\drivers\b004cbd9.sys

b004cbd9 - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\KSADIO.DLL - Deleted
C:\955110~1 - Deleted
C:\userinit.exe - Deleted
C:\WINDOWS\system32\drivers\b004cbd9.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 10:47:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:92,74,af,1b,d0,28,85,bc,52,d2,ed,9d,33,99,a5,aa,b4,64,52,83,79,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,45,a0,15,af,f2,13,ae,24,4d,81,86,1d,43,c8,f6,5f,3b,..
"khjeh"=hex:ee,bb,98,0e,c7,7f,e5,c4,6b,d1,45,e2,57,6a,c1,27,ba,42,2d,c6,28,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:9e,57,b9,29,fe,26,ea,25,64,c9,96,fb,23,50,45,03,14,d9,48,a4,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:23697110
"s2"=dword:7efbee33
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:92,74,af,1b,d0,28,85,bc,52,d2,ed,9d,33,99,a5,aa,b4,64,52,83,79,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,45,a0,15,af,f2,13,ae,24,4d,81,86,1d,43,c8,f6,5f,3b,..
"khjeh"=hex:ee,bb,98,0e,c7,7f,e5,c4,6b,d1,45,e2,57,6a,c1,27,ba,42,2d,c6,28,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:10,1c,de,26,90,5f,da,36,8f,84,c1,c2,0b,bc,02,ae,1e,c6,81,35,bc,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:92,74,af,1b,d0,28,85,bc,52,d2,ed,9d,33,99,a5,aa,b4,64,52,83,79,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,45,a0,15,af,f2,13,ae,24,4d,81,86,1d,43,c8,f6,5f,3b,..
"khjeh"=hex:ee,bb,98,0e,c7,7f,e5,c4,6b,d1,45,e2,57,6a,c1,27,ba,42,2d,c6,28,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:9e,57,b9,29,fe,26,ea,25,64,c9,96,fb,23,50,45,03,14,d9,48,a4,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:92,74,af,1b,d0,28,85,bc,52,d2,ed,9d,33,99,a5,aa,b4,64,52,83,79,..

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,45,a0,15,af,f2,13,ae,24,4d,81,86,1d,43,c8,f6,5f,3b,..
"khjeh"=hex:ee,bb,98,0e,c7,7f,e5,c4,6b,d1,45,e2,57,6a,c1,27,ba,42,2d,c6,28,..

[HKEY_LOCAL_MACHINE\SYSTEM\controlset004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:10,1c,de,26,90,5f,da,36,8f,84,c1,c2,0b,bc,02,ae,1e,c6,81,35,bc,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Enabled:SAgent4"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\InterVideo\\WinDVD4PR\\WinDVD.exe"="C:\\Program Files\\InterVideo\\WinDVD4PR\\WinDVD.exe:*:Enabled:WinDVD"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"C:\\WINDOWS\\system32\\freecell.exe"="C:\\WINDOWS\\system32\\freecell.exe:*:Enabled:FreeCell"
"D:\\Program Files\\Azureus\\Azureus.exe"="D:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"D:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"="D:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe:*:Enabled:il2fb"
"D:\\Program Files\\Steam\\SteamApps\\uberstroker\\half-life 2 deathmatch\\hl2.exe"="D:\\Program Files\\Steam\\SteamApps\\uberstroker\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"="D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword"
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"="D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss"
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"D:\\Program Files\\RelicCOH.exe"="D:\\Program Files\\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts"
"C:\\kav\\kis\\setup.exe"="C:\\kav\\kis\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
"D:\\Program Files\\eMule\\emule.exe"="D:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"D:\\Program Files\\Warcraft III\\Warcraft III.exe"="D:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 6 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 23 May 2008 114 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti18D.tmp"
Tue 23 Oct 2007 284,076 A.SHR --- "C:\WINDOWS\system32\Com\patch32.dll"
Mon 22 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 5 Jun 2005 399,872 ..SHR --- "C:\Program Files\Common Files\Microsoft Shared\Speech\csvde.exe"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT5.tmp"
Sat 28 Jan 2006 4,348 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Thu 25 May 2006 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 26 Mar 2006 400 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

#10 fenzodahl512

Posted 01 July 2008 - 12:16 AM

Please run FixWareout again.. Then do the following...



NEXT


Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINDOWS\system32\Com\patch32.dll
  • Click on the submit button
  • Please post the results in your next reply.
If Jotti's server is too busy, please submit the file to VirusTotal instead.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
b004cbd9

File::
C:\WINDOWS\system32\pphcrtaj0eret.exe
C:\WINDOWS\system32\phcrtaj0eret.bmp
C:\WINDOWS\system32\blphcrtaj0eret.scr
C:\Documents
C:\955110860
C:\WINDOWS\system32\lphcrtaj0eret.exe
C:\WINDOWS\system32\drivers\b004cbd9.sys
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\system32\kdczd.exe
C:\Documents and Settings\LocalService\svchost.exe

Folder::
C:\Documents and Settings\Owner\Application Data\rhcvtaj0eret
C:\Program Files\rhcvtaj0eret

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[system]"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdczd.exe"=-
"SMrhcvtaj0eret"=-
"[system]"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"[system]"=-
"winlogon"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • FixWareout
  • Jotti/VirusTotal result
  • ComboFix
  • A new HijackThis log.
Regards
fenzodahl512

Edited by fenzodahl512, 01 July 2008 - 12:19 AM.

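The steps above hand ComboFix a CFScript made of KillAll::, Driver::, File::, Folder:: and Registry:: sections. As an added example (not code from the post, from ComboFix or from its author), here is a small Python parser for that format plus a dry-run check that reports which File::/Folder:: targets are actually present in a directory listing; the section meanings are the ones the post implies, and the sample script and listing are constructed.

```python
"""Parser and dry-run checker for the CFScript format shown in the post above.
Added example, not code from the post, ComboFix or its author: section names and
the "name"=- delete syntax come from the post's script, their meaning is what the
post implies, and the sample script and listing below are constructed."""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")  # e.g. "File::"
REG_KEY_RE = re.compile(r"^\[(.+)\]$")           # [HKEY_...\Run]
REG_DEL_RE = re.compile(r'^"(.+)"=-$')           # "name"=-  means delete the value


@dataclass
class CFScript:
    kill_all: bool = False                        # KillAll:: present
    drivers: list = field(default_factory=list)   # driver/service names to remove
    files: list = field(default_factory=list)     # files to delete
    folders: list = field(default_factory=list)   # folders to delete
    registry: dict = field(default_factory=dict)  # key path -> value names to delete


def parse_cfscript(text: str) -> CFScript:
    """Turn CFScript text into a structured action list; unknown lines are errors."""
    script, section, current_key = CFScript(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            current_key = None
            if section == "killall":
                script.kill_all = True
            elif section not in ("driver", "file", "folder", "registry"):
                raise ValueError(f"unknown section: {line}")
            continue
        if section == "driver":
            script.drivers.append(line)
        elif section == "file":
            script.files.append(line)
        elif section == "folder":
            script.folders.append(line)
        elif section == "registry":
            key = REG_KEY_RE.match(line)
            if key:
                current_key = key.group(1)
                script.registry.setdefault(current_key, [])
                continue
            delete = REG_DEL_RE.match(line)
            if delete is None or current_key is None:
                raise ValueError(f"unsupported registry line: {line}")
            script.registry[current_key].append(delete.group(1))
        else:
            raise ValueError(f"line outside any section: {line}")
    return script


def dry_run(script: CFScript, present_paths):
    """Split File::/Folder:: targets into present and absent (case-insensitive, as Windows)."""
    present = {p.lower() for p in present_paths}
    targets = script.files + script.folders
    hits = [p for p in targets if p.lower() in present]
    misses = [p for p in targets if p.lower() not in present]
    return hits, misses


# Constructed sample: a subset of the script from the post above.
SAMPLE_SCRIPT = r"""
KillAll::

Driver::
b004cbd9

File::
C:\WINDOWS\system32\pphcrtaj0eret.exe
C:\WINDOWS\system32\lphcrtaj0eret.exe
C:\WINDOWS\system32\drivers\b004cbd9.sys
C:\WINDOWS\system32\kdczd.exe
C:\Documents and Settings\LocalService\svchost.exe

Folder::
C:\Documents and Settings\Owner\Application Data\rhcvtaj0eret
C:\Program Files\rhcvtaj0eret

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[system]"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdczd.exe"=-
"SMrhcvtaj0eret"=-
"[system]"=-
"""

# Constructed listing: pretend only these three targets are still on the disk.
SAMPLE_LISTING = [
    r"C:\WINDOWS\System32\kdczd.exe",
    r"C:\WINDOWS\system32\drivers\b004cbd9.sys",
    r"C:\Program Files\rhcvtaj0eret",
]
```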


#11 Uberstroker

Posted 01 July 2008 - 10:31 AM

Username "Owner" - 07/01/2008 10:24:54 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\WINDOWS\\system32\\kdczd.exe"="C:\\WINDOWS\\system32\\kdczd.exe"
"SMrhcvtaj0eret"="C:\\Program Files\\rhcvtaj0eret\\rhcvtaj0eret.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"SpyHunter Security Suite"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter3.exe"
"PCTAVApp"="\"C:\\Program Files\\PC Tools AntiVirus\\PCTAV.exe\" /MONITORSCAN"
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\avp.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

#12 Uberstroker

Posted 01 July 2008 - 10:35 AM

Scan taken on 01 Jul 2008 15:33:25 (GMT)
A-Squared
Found Backdoor.Win32.Hupigon.uzg
AntiVir
Found TR/AdAdds.A
ArcaVir
Found Trojan.Hupigon.Uzg
Avast
Found nothing
AVG Antivirus
Found BackDoor.Hupigon3.ABZL
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found BackDoor.W32.Hupigon.uzg
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Backdoor.Win32.Hupigon.uzg
Fortinet
Found nothing
Ikarus
Found Backdoor.Win32.Hupigon.uzg
Kaspersky Anti-Virus
Found Backdoor.Win32.Hupigon.uzg
NOD32
Found nothing
Norman Virus Control
Found W32/Hupigon.BHOG
Panda Antivirus
Found Bck/Hupigon.AZG
Sophos Antivirus
Found Mal/EncPk-AA
VirusBuster
Found nothing
VBA32
Found Backdoor.Win32.Hupigon.uzg

#13 Uberstroker

Posted 01 July 2008 - 10:52 AM

ComboFix 08-06-20.4 - Owner 2008-07-01 10:38:30.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1661 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript2.txt
* Created a new restore point

FILE ::
C:\955110860
C:\Documents
C:\Documents and Settings\LocalService\svchost.exe
C:\WINDOWS\system32\blphcrtaj0eret.scr
C:\WINDOWS\system32\drivers\b004cbd9.sys
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\system32\kdczd.exe
C:\WINDOWS\system32\lphcrtaj0eret.exe
C:\WINDOWS\system32\phcrtaj0eret.bmp
C:\WINDOWS\system32\pphcrtaj0eret.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\rhcvtaj0eret
C:\Documents
C:\WINDOWS\system32\blphcrtaj0eret.scr
C:\WINDOWS\system32\lphcrtaj0eret.exe
C:\WINDOWS\system32\phcrtaj0eret.bmp
C:\WINDOWS\system32\pphcrtaj0eret.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-30 10:38 . 2008-06-30 10:38 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-30 10:26 . 2008-06-30 10:49 <DIR> d-------- C:\SDFix
2008-06-29 23:12 . 2008-06-29 23:12 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-06-29 12:55 . 2008-07-01 10:29 <DIR> d-------- C:\fixwareout
2008-06-28 17:21 . 2008-06-29 13:03 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-28 17:21 . 2008-06-29 13:03 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-28 17:19 . 2008-06-28 17:19 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-28 17:19 . 2008-07-01 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-28 17:19 . 2008-07-01 10:44 1,075,232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-28 17:19 . 2008-07-01 10:44 40,480 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-28 17:19 . 2008-07-01 10:44 14,504 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-28 17:19 . 2008-07-01 10:44 5,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-28 17:05 . 2008-06-28 17:05 <DIR> d-------- C:\kav
2008-06-28 16:51 . 2008-06-28 16:51 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-28 16:51 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-06-28 16:36 . 2008-06-28 16:36 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-27 11:09 . 2008-06-27 11:09 <DIR> d-------- C:\Deckard
2008-06-26 16:52 . 2008-06-30 10:14 <DIR> d-------- C:\Documents and Settings\Guest
2008-06-26 15:10 . 2008-06-26 15:10 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-06-25 18:57 . 2008-06-25 20:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-25 18:03 . 2008-06-25 18:03 13,824 --a------ C:\WINDOWS\system32\ipol.dll
2008-06-25 17:29 . 2008-06-29 15:45 126,976 --a------ C:\WINDOWS\War3Unin.exe
2008-06-25 17:29 . 2008-06-29 23:22 76,868 --a------ C:\WINDOWS\War3Unin.dat
2008-06-25 17:29 . 2008-06-29 15:45 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-06-19 10:54 . 2008-06-19 10:54 <DIR> d-------- C:\Program Files\Pinnacle
2008-06-19 10:54 . 2008-06-19 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-06-18 12:52 . 2008-06-18 12:52 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-11 00:29 . 2008-06-11 00:29 <DIR> d-------- C:\Program Files\Ventrilo
2008-06-11 00:21 . 2008-06-11 00:26 <DIR> d-------- C:\Program Files\VentSrv
2008-06-10 19:07 . 2008-06-10 19:07 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-10 19:07 . 2008-06-10 19:07 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-06-10 19:07 . 2008-06-10 19:07 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-06-10 19:04 . 2008-06-10 19:04 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-06-10 19:04 . 2008-06-10 19:04 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-06-10 14:23 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 18:12 . 2008-06-09 18:12 <DIR> d-------- C:\Logs
2008-06-05 16:49 . 2004-06-30 13:59 23 --a------ C:\WINDOWS\BlendSettings.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 15:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-01 15:46 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-07-01 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-29 18:03 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-28 22:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-26 22:51 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
2008-06-22 22:36 --------- d-----w C:\Program Files\LimeWire
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 05:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 21:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-24 03:16 --------- d-----w C:\Program Files\InterActual
2008-05-23 21:41 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-23 21:41 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-09-21 03:33 257,917,321 ----a-w C:\Program Files\Command and Conquer Red Alert 2.zip
2007-08-24 19:24 349 ----a-w C:\Program Files\INSTALL.LOG
2007-07-31 04:32 51,185,123 ----a-w C:\Documents and Settings\Owner\WoW-2.1.3.6898-to-0.2.0.6932-enUS-patch.exe
2007-02-10 02:48 21,902,272 ----a-w C:\Documents and Settings\Drivers\81.98_forceware_winxp2k_english_whql.exe
2005-07-16 19:14 38,664 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-12-18 16:33 20,102 ----a-w C:\Program Files\Readme.txt
2003-09-03 12:46 10,960 ----a-w C:\Program Files\EULA.txt
2007-10-24 01:14 284,076 --sha-r C:\WINDOWS\system32\Com\patch32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-29_15.08.25.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-29 20:04:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 15:44:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 08:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-30 15:38:36 8,867,840 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-06-30 15:38:36 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-01 08:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-30 15:38:21 8,867,840 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-06-30 15:38:21 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2007-09-13 05:51:00 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-01 14:41:26 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-09-13 05:51:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-01 14:41:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-09-13 05:51:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-01 14:41:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-09 11:16:02 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
+ 2008-06-11 00:03:18 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
- 2008-01-09 11:16:02 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
+ 2008-06-11 00:03:20 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
+ 2008-06-11 00:03:20 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
- 2008-01-09 11:16:02 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
+ 2008-06-11 00:03:20 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
- 2008-01-09 11:16:02 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
+ 2008-06-11 00:03:20 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
- 2008-01-09 11:16:10 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
+ 2008-06-11 00:03:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
- 2007-12-11 19:44:20 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
+ 2008-06-11 00:03:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
- 2007-12-11 19:44:20 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
+ 2008-06-11 00:03:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
- 2007-12-11 19:44:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
+ 2008-06-11 00:03:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
- 2007-12-11 19:44:20 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
+ 2008-06-11 00:03:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
- 2007-12-11 19:44:20 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
+ 2008-06-11 00:03:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
- 2007-12-11 19:44:20 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
+ 2008-06-11 00:03:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
- 2007-04-12 20:08:16 15,872 ----a-w C:\WINDOWS\system32\drivers\AVFilter.sys
+ 2008-02-12 15:44:10 21,904 ----a-w C:\WINDOWS\system32\drivers\AVFilter.sys
- 2007-02-21 18:27:12 22,528 ----a-w C:\WINDOWS\system32\drivers\AVHook.sys
+ 2007-12-06 20:51:44 28,568 ----a-w C:\WINDOWS\system32\drivers\AVHook.sys
- 2007-02-21 18:27:12 15,872 ----a-w C:\WINDOWS\system32\drivers\AVRec.sys
+ 2007-12-06 20:51:44 21,912 ----a-w C:\WINDOWS\system32\drivers\AVRec.sys
- 2003-03-31 12:00:00 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
+ 2004-06-30 18:59:25 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
- 2008-01-09 11:16:10 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
+ 2008-06-11 00:03:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdczd.exe"="C:\WINDOWS\system32\kdczd.exe" [2007-06-13 05:23 51200]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-20 23:09 7618560]
"NvMediaCenter"="NvMCTray.dll" [2006-06-20 23:09 86016 C:\WINDOWS\system32\nvmctray.dll]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 15:47 847872]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 00:51 185632]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-02-08 15:59 145920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-09 18:13:12 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-01-06 22:58:59 125624]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-01-01 20:58:08 169472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{00B3ADD0-D7A2-456A-AE04-EB9ABF822FE4}"= C:\WINDOWS\TEMP\Down(0)ow.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\Com\patch32.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime Alternative\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
C:\Program Files\TiVo\Desktop\TiVoServer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
C:\Program Files\tunebite\tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SAVScan"=3 (0x3)
"NSCService"=3 (0x3)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"comHost"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\InterVideo\\WinDVD4PR\\WinDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\WINDOWS\\system32\\freecell.exe"=
"D:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"D:\\Program Files\\Steam\\SteamApps\\uberstroker\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"D:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"D:\\Program Files\\RelicCOH.exe"=
"C:\\kav\\kis\\setup.exe"=
"D:\\Program Files\\eMule\\emule.exe"=
"D:\\Program Files\\Warcraft III\\Warcraft III.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard downloader

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S2 RPCH;Remote Procedure Call (HPM);C:\Program Files\NetMeeting\Intell.exe [2005-06-16 12:37]
S2 RPCM;Remote Procedure Manager(TPM);C:\Program Files\Common Files\Microsoft Shared\Speech\csvde.exe [2005-06-05 15:06]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2002-11-08 04:50]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-07-18 15:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95ce1c03-9c12-11db-9834-000d613b4b8f}]
\Shell\AutoRun\command - G:\wd_windows_tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 01:06:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-23 07:00:00 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 10:45:58
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\NetMeeting\Down(0).dat
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-01 10:50:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 15:49:23
ComboFix2.txt 2008-06-30 15:22:18
ComboFix3.txt 2008-06-29 20:09:45

Pre-Run: 95,028,924,416 bytes free
Post-Run: 95,012,286,464 bytes free

290 --- E O F --- 2008-07-01 03:08:15

#14 Uberstroker

Uberstroker
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Local time:06:40 AM

Posted 01 July 2008 - 10:54 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:31 AM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.484\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdczd.exe] C:\WINDOWS\system32\kdczd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1f460357-8a94-4d71-9ca3-aa4acf32ed8e} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://81.175.116.204/activex/AMC.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.91 85.255.112.6
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.91 85.255.112.6
O20 - AppInit_DLLs: C:\WINDOWS\system32\Com\patch32.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (avp) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (pctavsvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: Ventrilo (ventrilo) - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 7883 bytes

#15 Uberstroker

Uberstroker
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Male
  • Local time:06:40 AM

Posted 01 July 2008 - 12:14 PM

Just out of curiosity, have we gotten rid of all the significant threats? Are we just dealing with inactive remnants of malware, or can these still pose a significant threat to my pc? I know we have to get rid of everything; I was just wondering. ;)
