Infected With Rootkit


15 replies to this topic

#1 killingyouguy

killingyouguy

  • Members
  • 19 posts

Posted 13 August 2008 - 03:09 AM

Ok, so the other day I walk in and go to my computer and a bunch of weird sound files start playing. Weird because I had no programs open that play sound files. When I opened Windows Live Manager it tried starting to install things (which I cancelled) and when I opened IE the security settings had been changed. I brought up Task Manager and looked at what was running and found several processes I didn't recognize:

Perfs.exe
Afinding.exe
Routing.exe
Sobicyt.exe
tdxdowkc.exe
usnsvc.exe
Wserving.exe
nobicyt.exe
macidwe.exe

All of them were in the system32 folder and had an executable and pre-fetch file. I deleted all of them and none have come back except for the usnsvc.exe. The strange noises, programs installing and setting changes haven't returned either. But I worry the coast isn't clear and there is bad stuff hiding on my computer. I've run all the programs asked in the sticky and none of them have really found anything. So now I turn to you guys for help, here's my HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:25 PM, on 13/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program Files\Windows Media Player\WMPNetwk.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
D:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Razer\razerhid.exe
D:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
D:\Program Files\Razer\razertra.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Program Files\Razer\razerofa.exe
D:\FRAPS\FRAPS.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\LeechGet 2004\LeechGet.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\Program Files\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [WorksFUD] D:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] D:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] D:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [razer] D:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgrWired] D:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "D:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Wipe.com Update] D:\Program Files\Wipe.com\Secret Bookmarks\update.exe startup_check
O4 - HKCU\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] D:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Fraps] D:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15102/CTPID.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: afinding Service (afinding) - Unknown owner - D:\WINDOWS\system32\AFinding.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: E10cesvhum - Intel Corporation - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - D:\WINDOWS\system32\macidwe.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - D:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - D:\WINDOWS\system32\Nobicyt.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: perfs Service (perfs) - Unknown owner - D:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: routing Service (routing) - Unknown owner - D:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - D:\WINDOWS\system32\sobicyt.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - D:\WINDOWS\system32\tdxdowkc.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: wserving Service (wserving) - Unknown owner - D:\WINDOWS\system32\WServing.exe (file missing)

--
End of file - 13314 bytes
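A triage pass over entries like the O2, O4 and O23 lines in the log above, as an added example (my own code, not a BleepingComputer tool and not anything the posters ran): it parses HijackThis v2 lines and flags the pattern at the centre of this thread, service registrations whose binaries were deleted by hand but whose registry entries survived, plus unknown-owner services living in system32, BHO CLSIDs with no DLL behind them, and Run values written without a full path. The sample log is a constructed excerpt modelled on the entries above; the severity scale and the rule wording are my own assumptions, not HijackThis output.

```python
"""Triage HijackThis v2 log lines for orphaned and unqualified autostart entries."""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt modelled on the O2/O4/O23 entries of the log
# above. "perfs" is one of the services the poster deleted by hand, so its
# binary is gone while its service registration is still present.
SAMPLE_LOG = r'''
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: perfs Service (perfs) - Unknown owner - D:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
'''

# Line shapes as produced by HijackThis v2.0.x (assumed from the log above).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.*)$")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}  # my own scale


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    section: str   # HijackThis section, e.g. "O23"
    subject: str   # service short name, Run value name or BHO CLSID
    reason: str


def exe_from_cmd(cmd: str) -> str:
    """Return the executable part of a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def parse_service(rest: str):
    """Split 'Display (short) - Owner - Path' into (short, owner, path, missing).

    Assumption: display name and owner contain no ' - '; the path may.
    """
    parts = rest.split(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    m = re.search(r"\(([^()]+)\)\s*$", display)   # short name in trailing parentheses
    short = m.group(1) if m else display.strip()
    missing = path.endswith("(file missing)") or path == "(no file)"
    return short, owner, path, missing


def rate_service(owner: str, path: str, missing: bool):
    """Return (severity, reason) for an O23 entry, or None if nothing stands out."""
    unknown = owner.lower() == "unknown owner"
    in_sys32 = "\\system32\\" in path.lower()
    if missing and unknown:
        return "high", ("orphaned service: the binary is gone but the registration "
                        "remains, which is exactly what hand-deleting malware leaves behind")
    if missing:
        return "medium", "service registration points to a binary that no longer exists"
    if unknown and in_sys32:
        return "medium", ("service in system32 with no publisher in its version info: "
                          "check the file's hash and signature before trusting it")
    return None


def triage_hjt(text: str) -> list:
    """Scan HijackThis lines and return findings, highest severity first."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := O2_RE.match(line):
            if m["path"] == "(no file)":
                findings.append(Finding("low", "O2", m["clsid"],
                                        "BHO registration whose DLL is gone; remove the dead CLSID"))
        elif m := O4_RE.match(line):
            exe = exe_from_cmd(m["cmd"])
            if "\\" not in exe:
                findings.append(Finding("low", "O4", m["value"],
                                        f"Run value '{exe}' has no full path, so Windows resolves it "
                                        "via the search path; confirm which file actually runs"))
        elif m := O23_RE.match(line):
            parsed = parse_service(m["rest"])
            if parsed is None:
                continue
            short, owner, path, missing = parsed
            rated = rate_service(owner, path, missing)
            if rated:
                findings.append(Finding(rated[0], "O23", short, rated[1]))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} {f.subject}: {f.reason}")
```

The point the O23 rule captures is why deleting the executables by hand was not enough: a Windows service is a registry object, so removing `perfs.exe` from system32 leaves the `Service_perfs` and `Legacy_PERFS` keys in place and HijackThis keeps reporting the service with "(file missing)". A removal tool has to delete those registrations as well, which is what the later ComboFix output in this thread shows under "Drivers/Services".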



#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 24 August 2008 - 02:49 PM

Hello killingyouguy

Welcome to BleepingComputer :thumbsup:
========================
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 killingyouguy

killingyouguy
  • Topic Starter

  • Members
  • 19 posts

Posted 24 August 2008 - 08:50 PM

When restarting my computer now (after combofix) Spybot's TeaTimer.exe is getting access violations.

ComboFix Log:

ComboFix 08-08-23.03 - Jay Hearfield 2008-08-25 11:04:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.584 [GMT 10:00]
Running from: D:\Documents and Settings\Jay Hearfield\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Jay Hearfield\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Jay Hearfield\Application Data\macromedia\Flash Player\#SharedObjects\AJQRAUNJ\interclick.com
D:\Documents and Settings\Jay Hearfield\Application Data\macromedia\Flash Player\#SharedObjects\AJQRAUNJ\interclick.com\darkpartintl1322007.sol
D:\Documents and Settings\Jay Hearfield\Application Data\macromedia\Flash Player\#SharedObjects\AJQRAUNJ\interclick.com\ud.sol
D:\Documents and Settings\Jay Hearfield\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
D:\Documents and Settings\Jay Hearfield\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
D:\Documents and Settings\Jay Hearfield\Cookies\jay_hearfield@clicktorrent[1].txt
D:\WINDOWS\system32\atsxyzd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_MACIDWE
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_SOBICYT
-------\Legacy_TDXDOWKC
-------\Legacy_WSERVING
-------\Service_afinding
-------\Service_macidwe
-------\Service_perfs
-------\Service_routing
-------\Service_sobicyt
-------\Service_tdxdowkc
-------\Service_wserving


((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-22 07:27 . 2008-08-22 07:27 <DIR> d-------- D:\Documents and Settings\Jay Hearfield\Application Data\InstallShield
2008-08-19 10:14 . 2008-05-02 00:30 331,776 -----c--- D:\WINDOWS\system32\dllcache\msadce.dll
2008-08-15 17:08 . 2008-08-18 11:54 <DIR> d-------- D:\Program Files\ScummVM
2008-08-15 17:08 . 2008-08-15 17:08 <DIR> d-------- D:\Documents and Settings\Jay Hearfield\Application Data\ScummVM
2008-08-14 20:01 . 2008-08-14 20:01 31 --a------ D:\WINDOWS\skipbuf.ini
2008-08-14 19:58 . 2008-08-14 19:58 <DIR> d-------- D:\WINDOWS\Desktop
2008-08-14 19:54 . 1996-02-21 01:11 117,760 --a------ D:\WINDOWS\actunin.exe
2008-08-13 17:30 . 2008-08-13 17:52 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2008-08-13 14:46 . 2008-08-13 14:46 102,664 --a------ D:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-13 14:45 . 2008-08-13 14:57 <DIR> d-------- D:\Documents and Settings\Jay Hearfield\.housecall6.6
2008-08-13 13:46 . 2008-08-13 13:52 <DIR> d-------- D:\Program Files\SpywareBlaster
2008-08-13 11:15 . 2008-08-13 11:15 <DIR> d-------- D:\Program Files\Lavasoft
2008-08-13 11:15 . 2008-08-13 11:18 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-13 04:38 . 2008-08-13 13:52 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-08-12 15:29 . 2008-08-12 15:29 <DIR> d-------- D:\Documents and Settings\Jay Hearfield\Application Data\Malwarebytes
2008-08-12 15:29 . 2008-08-12 15:29 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 15:12 . 2008-08-13 05:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-11 17:54 . 2008-08-11 17:54 <DIR> d-------- D:\WINDOWS\Close Combat - Modern Tactics
2008-08-11 17:54 . 2008-08-11 17:54 <DIR> d-------- D:\Program Files\Matrix Games
2008-08-05 14:56 . 2008-08-05 14:56 <DIR> d-------- D:\Program Files\Telltale Games
2008-08-04 08:22 . 2008-08-04 08:22 <DIR> d-------- D:\Program Files\Telltale
2008-08-01 04:43 . 1994-09-21 00:00 92,208 --a------ D:\WINDOWS\system32\WING.DLL
2008-08-01 04:43 . 1994-09-21 00:00 12,800 --a------ D:\WINDOWS\system\WING32.DLL
2008-08-01 02:40 . 2008-08-01 02:42 <DIR> d-------- D:\WINDOWS\solcache
2008-08-01 02:40 . 2008-08-01 21:06 <DIR> d-------- D:\Program Files\Sierra On-Line
2008-07-31 23:19 . 2008-07-31 23:19 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ATI
2008-07-31 23:03 . 2008-07-03 21:05 593,920 --------- D:\WINDOWS\system32\ati2sgag.exe
2008-07-30 15:36 . 1998-01-14 12:51 1,022,976 --a------ D:\WINDOWS\system32\SierraNW.DLL
2008-07-30 15:36 . 1998-01-14 12:51 231,936 --a------ D:\WINDOWS\system32\SNWValid.dll
2008-07-30 15:36 . 1997-11-22 15:38 11,113 --a------ D:\WINDOWS\system\Snwvalid.hlp
2008-07-27 00:29 . 2008-06-13 11:13 65,536 --------- D:\WINDOWS\system32\ctdvda32.dll
2008-07-27 00:06 . 2008-07-27 00:08 <DIR> d--h----- D:\Program Files\Creative Installation Information
2008-07-27 00:06 . 2008-07-27 00:06 <DIR> d-------- D:\Program Files\Common Files\Creative
2008-07-26 23:17 . 2008-07-26 23:17 <DIR> d-------- D:\Program Files\The Adventure Company

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 00:50 --------- d-----w D:\Documents and Settings\Jay Hearfield\Application Data\uTorrent
2008-08-22 03:38 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-08-14 09:54 --------- d-----w D:\Program Files\Activision
2008-08-13 01:14 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-08-13 00:56 --------- d-----w D:\Documents and Settings\Jay Hearfield\Application Data\Lavasoft
2008-08-11 23:56 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-11 23:46 --------- d-----w D:\Program Files\Spybot - Search & Destroy
2008-07-31 16:37 --------- d-----w D:\Program Files\DOSBox-0.65
2008-07-31 13:07 --------- d-----w D:\Program Files\ATI Technologies
2008-07-26 14:07 --------- d-----w D:\Program Files\Creative
2008-07-22 07:52 --------- d-----w D:\Program Files\Darkstar One
2008-07-21 08:29 --------- d-----w D:\Documents and Settings\Jay Hearfield\Application Data\Gearbox Software
2008-07-19 03:59 --------- d-----w D:\Program Files\Ubisoft
2008-07-14 04:49 --------- d-----w D:\Program Files\Java
2008-07-04 06:33 3,230,720 ----a-w D:\WINDOWS\system32\drivers\ati2mtag.sys
2008-07-04 02:28 53,248 ----a-w D:\WINDOWS\system32\drivers\ati2erec.dll
2008-07-03 02:33 --------- d-----w D:\Program Files\PowerISO
2008-06-27 09:21 99,352 ----a-w D:\WINDOWS\system32\drivers\COMMONFX.sys
2008-06-27 09:21 566,296 ----a-w D:\WINDOWS\system32\drivers\CTSBLFX.sys
2008-06-27 09:21 555,032 ----a-w D:\WINDOWS\system32\drivers\CTAUDFX.sys
2008-06-27 09:21 100,888 ----a-w D:\WINDOWS\system32\drivers\CTERFXFX.sys
2008-06-27 07:27 11,776 -c--a-w D:\WINDOWS\INRES.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 12:43 472632]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-30 14:45 1829712]
"RemoteCenter"="D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 15:35 139264]
"msnmsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 10:34 5724184]
"Microsoft Works Update Detection"="D:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-14 06:00 28739]
"Fraps"="D:\FRAPS\FRAPS.EXE" [2005-08-15 23:16 757760]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"Creative MediaSource Go"="D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" [2004-11-30 10:00 135168]
"Creative Detector"="D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23 102400]
"WMPNSCFG"="D:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="D:\Program Files\Microsoft Works\wkfud.exe" [2000-07-14 06:00 24576]
"USIUDF_Eject_Monitor"="D:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-05-28 05:50 81920]
"Ulead AutoDetector v2"="D:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-05-23 08:57 90112]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SBDrvDet"="D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 17:06 45056]
"razer"="D:\Program Files\Razer\razerhid.exe" [2005-05-17 18:21 147456]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"PRONoMgrWired"="D:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 15:08 86016]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [2006-05-03 21:21 921600]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"eTrust PestPatrol Active Protection"="D:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe" [2004-09-27 07:09 106496]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 20:48 157592]
"CTSysVol"="D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43 57344]
"CTDVDDET"="D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"CTHelper"="CTHELPER.EXE" [2008-06-27 17:24 19456 D:\WINDOWS\system32\CtHelper.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:56 15360]

D:\Documents and Settings\Jay Hearfield\Start Menu\Programs\Startup\
Webshots.lnk - D:\Program Files\Webshots\Launcher.exe [2005-11-07 23:05:01 45056]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Microsoft Works Calendar Reminders.lnk - D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-14 06:00:00 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= D:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Xfire\\Xfire.exe"=
"D:\\Program Files\\LeechGet 2004\\LeechGet.exe"=
"D:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Documents and Settings\\Jay Hearfield\\Desktop\\utorrent.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\BearFlix\\bearflix.exe"=
"D:\\Program Files\\Valve\\Steam\\steam.exe"=
"D:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"D:\\WINDOWS\\system32\\dplaysvr.exe"=
"D:\\panzer2\\PANZER2.EXE"=
"D:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 PfDetNT;PfDetNT;D:\WINDOWS\system32\drivers\PfModNT.sys [2005-12-08 11:20]
R3 Razerlow;Razerlow USB Filter Driver;D:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43]
S2 nobicyt;nobicyt Service;D:\WINDOWS\system32\Nobicyt.exe []
S3 COMMONFX;COMMONFX;D:\WINDOWS\system32\drivers\COMMONFX.SYS [2008-06-27 19:21]
S3 CTAUDFX;CTAUDFX;D:\WINDOWS\system32\drivers\CTAUDFX.SYS [2008-06-27 19:21]
S3 CTERFXFX;CTERFXFX;D:\WINDOWS\system32\drivers\CTERFXFX.SYS [2008-06-27 19:21]
S3 CTSBLFX;CTSBLFX;D:\WINDOWS\system32\drivers\CTSBLFX.SYS [2008-06-27 19:21]
S3 Memctl;Memctl;D:\Program Files\ABIT\FlashMenu\Memctl.sys [2001-11-29 18:49]
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{40DAD1B9-DDCF-4A31-A5D3-A03BC8881370} - (no file)
HKCU-Run-Wipe.com Update - D:\Program Files\Wipe.com\Secret Bookmarks\update.exe
HKCU-Run-LeechGet - (no file)
HKLM-Run-CTXFIREG - CTxfiReg.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Jay Hearfield\Application Data\Mozilla\Firefox\Profiles\7zk11d5u.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 11:24:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\CTSVCCDA.EXE
D:\Program Files\ESET\nod32krn.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\Windows Media Player\wmpnetwk.exe
D:\Program Files\Razer\razertra.exe
D:\Program Files\Razer\razerofa.exe
D:\PROGRA~1\Webshots\webshots.scr
D:\Program Files\CA\eTrust PestPatrol\PestPatrol5.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\CA\eTrust PestPatrol\PPV5Updater.exe
.
**************************************************************************
.
Completion time: 2008-08-25 11:32:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-25 01:32:33

Pre-Run: 5,285,965,824 bytes free
Post-Run: 5,823,365,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
D:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

224 --- E O F --- 2008-08-21 00:29:37

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:32 AM, on 25/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
D:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Razer\razerhid.exe
D:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\Program Files\Razer\razertra.exe
D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\FRAPS\FRAPS.EXE
D:\Program Files\Razer\razerofa.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\PROGRA~1\Webshots\webshots.scr
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [WorksFUD] D:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] D:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] D:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [razer] D:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgrWired] D:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "D:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] D:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Fraps] D:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15102/CTPID.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: E10cesvhum - Intel Corporation - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - D:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - D:\WINDOWS\system32\Nobicyt.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 12238 bytes

Edited by killingyouguy, 24 August 2008 - 08:51 PM.


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:51 PM

Posted 24 August 2008 - 10:28 PM

You are supposed to disable any protection before running Combofix.

Please continue as follows:

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Spybot guards against registry changes which Combofix has to make to remove the malware.
Spybot is free, so it won't matter; you also need to disable your antivirus before proceeding with this next fix.
Disable TeaTimer as well.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
===============
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then click OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
nobicyt

File::
D:\WINDOWS\system32\Nobicyt.exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
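The O23 service lines in the HijackThis log above are what a helper reads to spot an orphaned service such as nobicyt. As an added example (not code from this thread, HijackThis or ComboFix), this Python script parses such lines, flags entries whose binary is missing or whose owner is unknown and lives in system32, and renders the Driver::/File:: layout of the script in the post above for entries an analyst has chosen; the sample lines are constructed copies of the log's format, and the CFScript layout is assumed from the post rather than taken from ComboFix documentation.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines in the shape of the HijackThis v2.0.2 "O23 - Service:" entries above
SAMPLE_O23 = [
    r"O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe",
    r"O23 - Service: E10cesvhum - Intel Corporation - (no file)",
    r"O23 - Service: nobicyt Service (nobicyt) - Unknown owner - D:\WINDOWS\system32\Nobicyt.exe (file missing)",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe",
    r"O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe",
]

# display name, optional "(short name)", owner, path; the fields are " - " separated
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
MISSING_SUFFIX = " (file missing)"


@dataclass
class ServiceEntry:
    name: str              # registry short name; HijackThis omits the parens when it equals the display name
    display: str
    owner: str
    path: Optional[str]    # None when HijackThis printed "(no file)"
    file_present: bool
    flags: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line; returns None for lines that are not O23 entries."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display, name, owner, path = m.group("display", "name", "owner", "path")
    file_present = True
    if path == "(no file)":
        path, file_present = None, False
    elif path.endswith(MISSING_SUFFIX):
        path, file_present = path[: -len(MISSING_SUFFIX)], False
    entry = ServiceEntry(name or display, display, owner, path, file_present)
    # A service whose binary is gone is either a leftover or, as with nobicyt in this
    # thread, the trace of a deleted malware executable whose service key still survives.
    if not file_present:
        entry.flags.append("orphaned service: registry entry points at a binary that no longer exists")
    # Unknown-owner binaries in system32 are where the dropped executables in this thread
    # lived; they are worth a publisher check even when the file exists.
    if owner == "Unknown owner" and path and "\\system32\\" in path.lower():
        entry.flags.append("unknown-owner service in system32: verify the publisher before trusting it")
    return entry


def triage(lines: List[str]) -> List[ServiceEntry]:
    """Return only the O23 entries that raised at least one flag."""
    parsed = (parse_o23(line) for line in lines)
    return [e for e in parsed if e is not None and e.flags]


def build_cfscript(entries: List[ServiceEntry]) -> str:
    """Render the Driver::/File:: layout used in the post above for entries an analyst has
    reviewed and chosen. The layout is assumed from that post, not taken from ComboFix docs."""
    out = ["Driver::", *[e.name for e in entries], ""]
    files = [e.path for e in entries if e.path]
    if files:
        out += ["File::", *files, ""]
    return "\n".join(out)


if __name__ == "__main__":
    for e in triage(SAMPLE_O23):
        print(f"{e.name}: " + "; ".join(e.flags))
    # Only the confirmed orphan goes into the removal script, mirroring the helper's choice.
    print(build_cfscript([e for e in triage(SAMPLE_O23) if e.name == "nobicyt"]))
```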

#5 killingyouguy

killingyouguy
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 24 August 2008 - 11:17 PM

ComboFix Log:

ComboFix 08-08-23.03 - Jay Hearfield 2008-08-25 13:42:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.531 [GMT 10:00]
Running from: D:\Documents and Settings\Jay Hearfield\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Jay Hearfield\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
D:\WINDOWS\system32\Nobicyt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Jay Hearfield\Cookies\jay_hearfield@clicktorrent[2].txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NOBICYT
-------\Service_nobicyt


((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-22 07:27 . 2008-08-22 07:27 <DIR> d-------- D:\Documents and Settings\Jay Hearfield\Application Data\InstallShield
2008-08-19 10:14 . 2008-05-02 00:30 331,776 -----c--- D:\WINDOWS\system32\dllcache\msadce.dll
2008-08-15 17:08 . 2008-08-18 11:54 <DIR> d-------- D:\Program Files\ScummVM
2008-08-15 17:08 . 2008-08-15 17:08 <DIR> d-------- D:\Documents and Settings\Jay Hearfield\Application Data\ScummVM
2008-08-14 20:01 . 2008-08-14 20:01 31 --a------ D:\WINDOWS\skipbuf.ini
2008-08-14 19:58 . 2008-08-14 19:58 <DIR> d-------- D:\WINDOWS\Desktop
2008-08-14 19:54 . 1996-02-21 01:11 117,760 --a------ D:\WINDOWS\actunin.exe
2008-08-13 17:30 . 2008-08-13 17:52 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2008-08-13 14:46 . 2008-08-13 14:46 102,664 --a------ D:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-13 14:45 . 2008-08-13 14:57 <DIR> d-------- D:\Documents and Settings\Jay Hearfield\.housecall6.6
2008-08-13 13:46 . 2008-08-13 13:52 <DIR> d-------- D:\Program Files\SpywareBlaster
2008-08-13 11:15 . 2008-08-13 11:15 <DIR> d-------- D:\Program Files\Lavasoft
2008-08-13 11:15 . 2008-08-13 11:18 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-13 04:38 . 2008-08-13 13:52 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-08-12 15:29 . 2008-08-12 15:29 <DIR> d-------- D:\Documents and Settings\Jay Hearfield\Application Data\Malwarebytes
2008-08-12 15:29 . 2008-08-12 15:29 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 15:12 . 2008-08-13 05:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-08-11 17:54 . 2008-08-11 17:54 <DIR> d-------- D:\WINDOWS\Close Combat - Modern Tactics
2008-08-11 17:54 . 2008-08-11 17:54 <DIR> d-------- D:\Program Files\Matrix Games
2008-08-05 14:56 . 2008-08-05 14:56 <DIR> d-------- D:\Program Files\Telltale Games
2008-08-04 08:22 . 2008-08-04 08:22 <DIR> d-------- D:\Program Files\Telltale
2008-08-01 04:43 . 1994-09-21 00:00 92,208 --a------ D:\WINDOWS\system32\WING.DLL
2008-08-01 04:43 . 1994-09-21 00:00 12,800 --a------ D:\WINDOWS\system\WING32.DLL
2008-08-01 02:40 . 2008-08-01 02:42 <DIR> d-------- D:\WINDOWS\solcache
2008-08-01 02:40 . 2008-08-01 21:06 <DIR> d-------- D:\Program Files\Sierra On-Line
2008-07-31 23:19 . 2008-07-31 23:19 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ATI
2008-07-31 23:03 . 2008-07-03 21:05 593,920 --------- D:\WINDOWS\system32\ati2sgag.exe
2008-07-30 15:36 . 1998-01-14 12:51 1,022,976 --a------ D:\WINDOWS\system32\SierraNW.DLL
2008-07-30 15:36 . 1998-01-14 12:51 231,936 --a------ D:\WINDOWS\system32\SNWValid.dll
2008-07-30 15:36 . 1997-11-22 15:38 11,113 --a------ D:\WINDOWS\system\Snwvalid.hlp
2008-07-27 00:29 . 2008-06-13 11:13 65,536 --------- D:\WINDOWS\system32\ctdvda32.dll
2008-07-27 00:06 . 2008-07-27 00:08 <DIR> d--h----- D:\Program Files\Creative Installation Information
2008-07-27 00:06 . 2008-07-27 00:06 <DIR> d-------- D:\Program Files\Common Files\Creative
2008-07-26 23:17 . 2008-07-26 23:17 <DIR> d-------- D:\Program Files\The Adventure Company

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 00:50 --------- d-----w D:\Documents and Settings\Jay Hearfield\Application Data\uTorrent
2008-08-22 03:38 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-08-14 09:54 --------- d-----w D:\Program Files\Activision
2008-08-13 01:14 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2008-08-13 00:56 --------- d-----w D:\Documents and Settings\Jay Hearfield\Application Data\Lavasoft
2008-08-11 23:56 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-11 23:46 --------- d-----w D:\Program Files\Spybot - Search & Destroy
2008-07-31 16:37 --------- d-----w D:\Program Files\DOSBox-0.65
2008-07-31 13:07 --------- d-----w D:\Program Files\ATI Technologies
2008-07-26 14:07 --------- d-----w D:\Program Files\Creative
2008-07-22 07:52 --------- d-----w D:\Program Files\Darkstar One
2008-07-21 08:29 --------- d-----w D:\Documents and Settings\Jay Hearfield\Application Data\Gearbox Software
2008-07-19 03:59 --------- d-----w D:\Program Files\Ubisoft
2008-07-14 04:49 --------- d-----w D:\Program Files\Java
2008-07-04 06:33 3,230,720 ----a-w D:\WINDOWS\system32\drivers\ati2mtag.sys
2008-07-04 02:28 53,248 ----a-w D:\WINDOWS\system32\drivers\ati2erec.dll
2008-07-03 02:33 --------- d-----w D:\Program Files\PowerISO
2008-06-27 09:21 99,352 ----a-w D:\WINDOWS\system32\drivers\COMMONFX.sys
2008-06-27 09:21 566,296 ----a-w D:\WINDOWS\system32\drivers\CTSBLFX.sys
2008-06-27 09:21 555,032 ----a-w D:\WINDOWS\system32\drivers\CTAUDFX.sys
2008-06-27 09:21 100,888 ----a-w D:\WINDOWS\system32\drivers\CTERFXFX.sys
2008-06-27 07:27 11,776 -c--a-w D:\WINDOWS\INRES.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 12:43 472632]
"RemoteCenter"="D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 15:35 139264]
"msnmsgr"="D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 10:34 5724184]
"Microsoft Works Update Detection"="D:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-14 06:00 28739]
"Fraps"="D:\FRAPS\FRAPS.EXE" [2005-08-15 23:16 757760]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"Creative MediaSource Go"="D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" [2004-11-30 10:00 135168]
"Creative Detector"="D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23 102400]
"WMPNSCFG"="D:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="D:\Program Files\Microsoft Works\wkfud.exe" [2000-07-14 06:00 24576]
"USIUDF_Eject_Monitor"="D:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-05-28 05:50 81920]
"Ulead AutoDetector v2"="D:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2005-05-23 08:57 90112]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SBDrvDet"="D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 17:06 45056]
"razer"="D:\Program Files\Razer\razerhid.exe" [2005-05-17 18:21 147456]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"PRONoMgrWired"="D:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 15:08 86016]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [2006-05-03 21:21 921600]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"eTrust PestPatrol Active Protection"="D:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe" [2004-09-27 07:09 106496]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 20:48 157592]
"CTSysVol"="D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 09:43 57344]
"CTDVDDET"="D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"CTHelper"="CTHELPER.EXE" [2008-06-27 17:24 19456 D:\WINDOWS\system32\CtHelper.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:56 15360]

D:\Documents and Settings\Jay Hearfield\Start Menu\Programs\Startup\
Webshots.lnk - D:\Program Files\Webshots\Launcher.exe [2005-11-07 23:05:01 45056]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Microsoft Works Calendar Reminders.lnk - D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-14 06:00:00 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= D:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Program Files\\Xfire\\Xfire.exe"=
"D:\\Program Files\\LeechGet 2004\\LeechGet.exe"=
"D:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Documents and Settings\\Jay Hearfield\\Desktop\\utorrent.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\BearFlix\\bearflix.exe"=
"D:\\Program Files\\Valve\\Steam\\steam.exe"=
"D:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"D:\\WINDOWS\\system32\\dplaysvr.exe"=
"D:\\panzer2\\PANZER2.EXE"=
"D:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"D:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 PfDetNT;PfDetNT;D:\WINDOWS\system32\drivers\PfModNT.sys [2005-12-08 11:20]
R3 Razerlow;Razerlow USB Filter Driver;D:\WINDOWS\system32\Drivers\Razerlow.sys [2005-04-24 22:43]
S3 COMMONFX;COMMONFX;D:\WINDOWS\system32\drivers\COMMONFX.SYS [2008-06-27 19:21]
S3 CTAUDFX;CTAUDFX;D:\WINDOWS\system32\drivers\CTAUDFX.SYS [2008-06-27 19:21]
S3 CTERFXFX;CTERFXFX;D:\WINDOWS\system32\drivers\CTERFXFX.SYS [2008-06-27 19:21]
S3 CTSBLFX;CTSBLFX;D:\WINDOWS\system32\drivers\CTSBLFX.SYS [2008-06-27 19:21]
S3 Memctl;Memctl;D:\Program Files\ABIT\FlashMenu\Memctl.sys [2001-11-29 18:49]
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 13:55:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\CTSVCCDA.EXE
D:\Program Files\ESET\nod32krn.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\Windows Media Player\wmpnetwk.exe
D:\Program Files\Razer\razertra.exe
D:\Program Files\Razer\razerofa.exe
D:\PROGRA~1\Webshots\webshots.scr
D:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-08-25 14:02:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-25 04:02:12
ComboFix2.txt 2008-08-25 01:32:39

Pre-Run: 6,142,803,968 bytes free
Post-Run: 6,173,130,752 bytes free

187 --- E O F --- 2008-08-21 00:29:37


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:31 PM, on 25/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
D:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Razer\razerhid.exe
D:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Razer\razertra.exe
D:\FRAPS\FRAPS.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
D:\Program Files\Razer\razerofa.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
D:\PROGRA~1\Webshots\webshots.scr
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [WorksFUD] D:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] D:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] D:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SBDrvDet] D:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [razer] D:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgrWired] D:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "D:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [SsAAD.exe] D:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] D:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Fraps] D:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "D:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15102/CTPID.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: E10cesvhum - Intel Corporation - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - D:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - D:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 12052 bytes
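The O4, O9 and O23 lines in the log above follow a fixed shape that lends itself to a first-pass triage. The following is an added example, not code from this thread or from HijackThis itself: it parses a few constructed sample lines copied from the log and flags entries whose file is reported missing, whose service owner is unknown, or whose Run value is a bare filename with no directory.

```python
"""Triage helper for HijackThis O4 / O9 / O23 log lines (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines taken from the HJT log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - (no file)
O23 - Service: E10cesvhum - Intel Corporation - (no file)
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
"""

@dataclass
class Entry:
    section: str            # "O4", "O9" or "O23"
    name: str               # Run value name, button name or service name
    path: str               # executable path as HJT printed it
    owner: str = ""         # O23 only: company string HJT read from the binary
    flags: list = field(default_factory=list)

# Line shapes as printed by HijackThis 2.0.2 (see the log above).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - (?P<kind>[^:]+): (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First token of a Run command: either a quoted path or an unquoted path ending in an executable extension.
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|com|sys)))(?:\s|$)', re.I)

def exe_from_command(cmd):
    """Strip arguments such as /WAITSERVICE and surrounding quotes from an O4 command."""
    m = EXE_RE.match(cmd)
    return (m.group("q") or m.group("u")) if m else cmd.strip()

def parse_line(line):
    line = line.strip()
    if m := O4_RE.match(line):
        return Entry("O4", m["name"], exe_from_command(m["cmd"]))
    if m := O9_RE.match(line):
        return Entry("O9", m["name"], m["path"])
    if m := O23_RE.match(line):
        return Entry("O23", m["name"], m["path"], owner=m["owner"])
    return None                      # other sections (O2, O8, O16, ...) are not handled here

def triage(entry):
    p = entry.path.lower()
    if "(file missing)" in p or "(no file)" in p:
        entry.flags.append("file missing")   # orphaned entry: leftover or removed component
    if entry.owner.lower() == "unknown owner":
        entry.flags.append("unknown owner")  # binary carries no company string; verify it
    if entry.section == "O4" and "\\" not in entry.path:
        entry.flags.append("bare filename")  # no directory given; which file runs is ambiguous
    return entry

def flagged(text):
    """Return (section, name, flags) for every parsed entry that raised at least one flag."""
    entries = (parse_line(l) for l in text.splitlines() if l.strip())
    return [(e.section, e.name, e.flags) for e in map(triage, filter(None, entries)) if e.flags]

if __name__ == "__main__":
    for sec, name, flags in flagged(SAMPLE_LOG):
        print(f"{sec:4} {name:<20} {', '.join(flags)}")
```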

#6 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 25 August 2008 - 06:12 PM

Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#7 killingyouguy (Topic Starter, Members, 19 posts)

Posted 25 August 2008 - 07:39 PM

Malwarebytes' Anti-Malware 1.25
Database version: 1087
Windows 5.1.2600 Service Pack 2

10:38:17 AM 26/08/2008
mbam-log-08-26-2008 (10-38-17).txt

Scan type: Quick Scan
Objects scanned: 56768
Time elapsed: 18 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 25 August 2008 - 09:40 PM

Looks good, everything back to normal?

#9 killingyouguy (Topic Starter, Members, 19 posts)

Posted 25 August 2008 - 11:35 PM

I guess so. I hope so. Just hope there's nothing hidden there monitoring my passwords and stuff.

#10 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 26 August 2008 - 09:53 AM

From what I can see nothing is left; it was present but now it is gone.

I would like to run one more scan to double check.
======================================
Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#11 killingyouguy (Topic Starter, Members, 19 posts)

Posted 29 August 2008 - 01:07 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, August 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 29, 2008 02:38:35
Records in database: 1159655
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 135661
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:23:20


File name / Threat name / Threats count
D:\WINDOWS\system32\edtxfst.sys Infected: Trojan-Clicker.Win32.VB.bpg 1

The selected area was scanned.

#12 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 29 August 2008 - 04:56 AM

We need to upload a suspicious file to Malwarebytes' Anti-Malware.
  • Please go to Malwarebytes' UploadNET
  • Under File 1: browse for

    D:\WINDOWS\system32\edtxfst.sys

    *Note: If you are asked to upload more files, please repeat these steps for each of the File boxes.
Once you have selected all the files you want to upload, click on the Upload Button.
=============================================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    D:\WINDOWS\system32\edtxfst.sys
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

#13 killingyouguy (Topic Starter, Members, 19 posts)

Posted 29 August 2008 - 06:06 AM

D:\WINDOWS\system32\edtxfst.sys moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08292008_210332

#14 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 29 August 2008 - 10:47 AM

Cleanup:

Please download OTCleanIt from Here and save it to your desktop.
Double-click on OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
===============
Use a Firewall:

Install and use a firewall with outbound protection.
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Sunbelt Free Firewall or ZoneAlarm.
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here.
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
=============================
Delete/uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

#15 killingyouguy (Topic Starter, Members, 19 posts)

Posted 01 September 2008 - 12:02 AM

I got ZoneAlarm and tried installing it. If I install it with its anti-virus, Windows won't even start up. When I install it without the anti-virus, Windows loads up and so does the program, but nothing seems to be able to access the internet now. I can't even access the web page to watch the tutorial video that came with it. And it's a bit of a mess (for me at least) to try setting up. I started it in auto-learn but it's being incredibly restrictive.

Also will ZoneAlarm interfere with my 360 and the ports I've forwarded on my router?
