
Virtumonde / Vundo


13 replies to this topic

#1 Uncrvd

  • Members
  • 7 posts

Posted 08 January 2009 - 05:26 PM

Hi, I've read through all the topics I can find about Virtumonde and followed the steps here: http://www.bleepingcomputer.com/malware-re...undo-virtumonde but I still can't get rid of it.

I've tried Spybot S&D, AVG8, Malwarebytes, Adaware Free, Vundofix and VirtumondoBeGone, all in safe mode with my internet disabled, multiple times. I've removed all the stuff they found, but I can't remove the last traces. After I scan with Malwarebytes, it finds 2 registry entries, which I remove, but then on the next reboot if I scan, they are back again.

Here's my log:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Solaris at 21:59:40.50 on 08/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.508 [GMT 0:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: AVG Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
D:\PROGRA~1\AVG\AVG8\avgam.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\Program Files\Virtual CD v9\System\VC9SecS.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Misc Utils\CoreTemp\Core Temp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Virtual CD v9\System\VC9Tray.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\changepaper\changepaper.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Solaris\Desktop\dds.scr
C:\Documents and Settings\Solaris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
BHO: {0e7d645f-dae9-49d9-b7fb-eba917a0be3a} - __BHODemonDisabled
BHO: {153ff8c7-1e13-4905-96a3-c62435be2cda} - __BHODemonDisabled
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {fe4ba044-9b25-4abb-9cc0-87ab830602c8} - __BHODemonDisabled
uRun: [Core Temp] d:\misc utils\coretemp\Core Temp.exe
uRun: [uTorrent] "d:\program files\utorrent\uTorrent.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [AnyDVD] d:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [RemoteControl] "d:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "d:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VC9Player] d:\program files\virtual cd v9\system\VC9Play.exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [winpol] c:\windows\system32\winpol.exe
mRun: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "c:\program files\mediafour\macdrive 7\MacDrive.exe"
mRun: [MDGetStarted.exe] "c:\program files\mediafour\macdrive 7\MDGetStarted.exe" /auto
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\solaris\startm~1\programs\startup\random~1.lnk - d:\program files\changepaper\changepaper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - d:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: fztlma.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\solaris\applic~1\mozilla\firefox\profiles\h70wxk27.default\
FF - prefs.js: browser.startup.homepage - d:\\new folder\\docs\\backup\\links1.htm
FF - component: d:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: d:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-8 12552]
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-9-5 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-2-28 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 324872]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-8 107272]
R1 ProDscFS;ProDiscFS;c:\windows\system32\drivers\ProDscFS.sys [2008-5-9 92544]
R1 ProDscFT;ProDiscFilter;c:\windows\system32\drivers\ProDscFT.sys [2008-4-23 28800]
R1 vdrv9000;vdrv9000;c:\windows\system32\drivers\vdrv9000.sys [2008-12-10 113168]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\solaris\locals~1\temp\alsysio.sys --> c:\docume~1\solaris\locals~1\temp\ALSysIO.sys [?]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-1-8 29208]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-8 332928]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};d:\program files\cyberlink\powerdvd\000.fcl [2006-11-2 13560]
R4 avg8emc;AVG8 E-mail Scanner;d:\progra~1\avg\avg8\avgemc.exe [2009-1-8 903960]
R4 avg8wd;AVG8 WatchDog;d:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 298264]
R4 avgfws8;AVG8 Firewall;d:\progra~1\avg\avg8\avgfws8.exe [2009-1-8 1339600]
R4 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-8-18 16400]
R4 MacDriveService;MacDriveService;c:\program files\mediafour\macdrive 7\MacDriveService.exe [2007-5-1 143360]
R4 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2008-11-25 66816]
R4 VC9SecS;Virtual CD v9 Management Service;d:\program files\virtual cd v9\system\VC9SecS.exe [2008-12-10 132424]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\digifilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-1-8 29208]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 HH9Help.sys;HH9Help.sys;c:\windows\system32\drivers\HH9Help.sys [2008-12-10 11392]
S3 ProDisc;Sony ProDisc Device Driver;c:\windows\system32\drivers\ProDisc.sys [2008-5-9 47872]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
S4 Auto HotKey Poller;Auto HotKey Poller;c:\windows\system32\winpol.exe --> c:\windows\system32\winpol.exe [?]

=============== Created Last 30 ================

2009-01-08 21:28 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-08 21:28 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-08 21:28 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-01-08 21:28 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-08 21:28 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-08 21:28 <DIR> --d----- c:\program files\AVG
2009-01-08 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-08 21:04 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-01-08 21:04 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-01-07 06:20 <DIR> --d----- c:\program files\common files\Mediafour
2009-01-07 06:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Mediafour
2009-01-07 05:11 <DIR> --d----- C:\VundoFix Backups
2009-01-07 01:32 <DIR> --d----- c:\docume~1\solaris\applic~1\Malwarebytes
2009-01-07 01:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 01:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 01:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 01:23 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-06 21:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-06 21:21 57,856 a------- c:\windows\system32\ddcBUkhH.dll
2009-01-06 21:12 137,728 a------- c:\windows\system32\avueftdg.dll
2009-01-06 21:12 41,472 a------- c:\windows\system32\nscrelor.dll
2009-01-06 21:11 59 a------- c:\windows\system32\seneka.dat.rmv
2009-01-06 21:11 3 a------- c:\windows\system32\senekadf.dat.rmv
2009-01-06 21:06 40,256 a------- c:\windows\system32\drivers\senekatllkdxgx.sys.rmv
2009-01-06 21:06 21,312 a------- c:\windows\system32\senekauuvjtrln.dll.rmv
2009-01-06 21:06 17,308 a------- c:\windows\system32\senekalog.dat.rmv
2009-01-06 20:32 <DIR> --d----- c:\documents and settings\solaris\Downloads
2009-01-06 20:32 <DIR> --d----- c:\docume~1\solaris\applic~1\NewsLeecher
2009-01-03 00:21 244 a---h--- C:\sqmnoopt03.sqm
2009-01-03 00:21 232 a---h--- C:\sqmdata03.sqm
2008-12-21 00:00 244 a---h--- C:\sqmnoopt02.sqm
2008-12-21 00:00 232 a---h--- C:\sqmdata02.sqm
2008-12-20 16:43 244 a---h--- C:\sqmnoopt01.sqm
2008-12-20 16:43 232 a---h--- C:\sqmdata01.sqm
2008-12-20 03:57 <DIR> --d----- c:\program files\Microsoft Xbox 360 Accessories
2008-12-20 03:46 <DIR> --d----- c:\docume~1\solaris\applic~1\Microsoft Games
2008-12-20 03:39 444,776 a------- c:\windows\system32\d3dx10_35.dll
2008-12-20 03:14 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-20 03:13 14,048 a------- c:\windows\system32\spmsg2.dll
2008-12-20 03:11 462,864 a------- c:\windows\system32\d3dx10_37.dll
2008-12-20 03:11 <DIR> --d----- c:\windows\system32\xlive
2008-12-20 03:11 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-12-20 02:54 <DIR> --d----- C:\New Folder
2008-12-20 02:31 268 a---h--- C:\sqmdata00.sqm
2008-12-20 02:31 244 a---h--- C:\sqmnoopt00.sqm
2008-12-10 19:38 113,168 a------- c:\windows\system32\drivers\vdrv9000.sys
2008-12-10 19:38 11,392 a------- c:\windows\system32\drivers\HH9Help.sys
2008-12-10 19:38 1,097,728 a------- c:\windows\system32\NMSDVDX.dll
2008-12-10 19:38 1,843,200 a------- c:\windows\system32\NCTAudioFile2.dll
2008-12-10 19:38 1,044,480 a------- c:\windows\system32\ROBOEX32.DLL
2008-12-10 19:38 315,392 a------- c:\windows\system32\NCTAudioPlayer2.dll

==================== Find3M ====================

2008-11-28 03:28 66,816 a------- c:\windows\system32\drivers\thdudf.sys
2008-11-13 22:13 233,472 a------- c:\windows\system32\REX Shared Library.dll
2008-11-13 22:13 225,280 a------- c:\windows\system32\ReWire.dll
2008-11-13 14:11 598,528 a------- c:\windows\system32\crypt32.dll
2008-11-13 14:11 177,664 a------- c:\windows\system32\wintrust.dll
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-13 09:56 70,936 a------- c:\windows\system32\PhysXLoader.dll
2006-06-23 06:48 32,768 ac---r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 21:59:46.62 ===============

And here's a typical Malwarebytes log after a fresh reboot:

Malwarebytes' Anti-Malware 1.32
Database version: 1617
Windows 5.1.2600 Service Pack 2

07/01/2009 22:22:57
mbam-log-2009-01-07 (22-22-57).txt

Scan type: Quick Scan
Objects scanned: 52634
Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Having been connected to the internet for about 10 mins now and rebooted/scanned again, Malwarebytes found another problem (which AVG Resident Shield has also alerted about):

Malwarebytes' Anti-Malware 1.32
Database version: 1617
Windows 5.1.2600 Service Pack 2

08/01/2009 22:21:19
mbam-log-2009-01-08 (22-21-19).txt

Scan type: Quick Scan
Objects scanned: 53175
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ddcBUkhH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



AVG shield has also alerted about another one, avueftdg.dll.

Would appreciate any help possible as I've been trying to fix it for 2 days and I'm right in the middle of writing my dissertation which is due at the end of the month!
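The logs above, read the way a malware-removal helper reads them: this is an added Python triage script, not a script from BleepingComputer or from any of the tools named in the thread. It flags the loading points in a DDS log that deserve a second look (AppInit_DLLs, BHOs with no friendly name, autostarts of a bare .exe in system32, services whose binary DDS could not find) and lists the Malwarebytes detections that recur across two scans, which is exactly the "removed, then back after reboot" pattern described. The sample log lines it contains are constructed in the same formats as the posted logs; the rules are review heuristics, not a verdict.

```python
"""Triage helpers for DDS and Malwarebytes logs like the ones in this thread.

Added example, not a script from BleepingComputer or from any tool named in
the thread.  The rules are review heuristics for the loading points a removal
helper reads first; a hit means "look at this", not "this is malware".
"""
import re

# Constructed sample lines, in the formats DDS uses in the log above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
BHO: {0e7d645f-dae9-49d9-b7fb-eba917a0be3a} - __BHODemonDisabled
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [winpol] c:\windows\system32\winpol.exe
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
AppInit_DLLs: fztlma.dll
============= SERVICES / DRIVERS ===============
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-8 107272]
S4 Auto HotKey Poller;Auto HotKey Poller;c:\windows\system32\winpol.exe --> c:\windows\system32\winpol.exe [?]
"""

# Constructed Malwarebytes excerpts: same two keys in both scans, one file in the second.
SAMPLE_MBAM_1 = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""
SAMPLE_MBAM_2 = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\ddcBUkhH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

RUN_LINE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A command whose first token is a bare .exe sitting directly in system32\
# (RUNDLL32 loaders and Program Files paths do not match this).
SYS32_EXE = re.compile(r'^"?[a-z]:\\windows\\system32\\[^\\"]+\.exe"?(\s|$)', re.I)
SVC_LINE = re.compile(r"^[RS][0-4] ")
MBAM_HIT = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> ")


def triage_dds(text):
    """Return (rule, line) pairs for loading points that deserve a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # Any DLL named here is loaded into every process that maps
            # user32.dll; on a clean XP install the value is empty.
            findings.append(("appinit_dll", line))
        elif line.startswith("BHO: {"):
            # Listed by CLSID only: the object registered no friendly name.
            findings.append(("unnamed_bho", line))
        else:
            m = RUN_LINE.match(line)
            if m and SYS32_EXE.match(m.group("cmd")):
                # Autostart of an .exe dropped straight into system32\;
                # vendors normally install under Program Files.
                findings.append(("run_from_system32", line))
            elif SVC_LINE.match(line) and line.endswith("[?]"):
                # DDS prints [?] when it cannot stat the binary a service
                # points to: the file is gone, hidden, or the entry is an orphan.
                findings.append(("service_binary_missing", line))
    return findings


def mbam_detections(log_text):
    """Map each detected item in a Malwarebytes log to its family name."""
    hits = {}
    for line in log_text.splitlines():
        m = MBAM_HIT.match(line.strip())
        if m:
            hits[m.group("item")] = m.group("family")
    return hits


def recurring_detections(*logs):
    """Items detected in every supplied scan: removed, then back after reboot."""
    sets = [set(mbam_detections(t)) for t in logs]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    for rule, line in triage_dds(SAMPLE_DDS):
        print(f"{rule:24} {line}")
    print("recurring:", recurring_detections(SAMPLE_MBAM_1, SAMPLE_MBAM_2))
```

Feed it a real DDS log and the two recurring registry keys together with the AppInit_DLLs hit point at the persistence mechanism that the quick scans keep cleaning around.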



#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 12 January 2009 - 02:41 PM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Uncrvd
  • Topic Starter

  • Members
  • 7 posts

Posted 12 January 2009 - 06:05 PM

Thanks for the reply.

Here is the Combo-Fix log:

ComboFix 09-01-11.04 - Solaris 2009-01-12 22:54:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.622 [GMT 0:00]
Running from: c:\documents and settings\Solaris\Desktop\Combo-Fix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*
* Created a new restore point
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\nscrelor.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AUTO_HOTKEY_POLLER
-------\Service_Auto HotKey Poller
-------\Service_AVG
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-08 21:28 . 2009-01-12 22:56 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-08 21:28 . 2009-01-08 21:28 <DIR> d-------- c:\program files\AVG
2009-01-08 21:28 . 2009-01-08 21:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-08 21:28 . 2009-01-08 21:28 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-08 21:28 . 2009-01-08 21:28 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-08 21:28 . 2009-01-08 21:28 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-01-08 21:28 . 2009-01-08 21:28 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-08 21:04 . 2009-01-08 21:04 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-01-08 21:04 . 2009-01-08 21:04 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-01-07 06:20 . 2009-01-07 06:20 <DIR> d-------- c:\program files\Common Files\Mediafour
2009-01-07 06:20 . 2009-01-07 06:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Mediafour
2009-01-07 06:01 . 2009-01-07 06:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-07 05:11 . 2009-01-07 05:11 <DIR> d-------- C:\VundoFix Backups
2009-01-07 02:02 . 2009-01-07 06:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 01:32 . 2009-01-07 01:32 <DIR> d-------- c:\documents and settings\Solaris\Application Data\Malwarebytes
2009-01-07 01:31 . 2009-01-07 01:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 01:31 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 01:31 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 01:23 . 2009-01-09 07:19 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-07 01:14 . 2009-01-07 01:14 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2009-01-06 21:25 . 2009-01-08 19:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 21:11 . 2009-01-06 21:11 59 --a------ c:\windows\system32\seneka.dat.rmv
2009-01-06 21:11 . 2009-01-06 21:11 3 --a------ c:\windows\system32\senekadf.dat.rmv
2009-01-06 21:06 . 2009-01-07 00:45 17,308 --a------ c:\windows\system32\senekalog.dat.rmv
2009-01-06 20:32 . 2009-01-06 20:32 <DIR> d-------- c:\documents and settings\Solaris\Downloads
2009-01-06 20:32 . 2009-01-06 20:46 <DIR> d-------- c:\documents and settings\Solaris\Application Data\NewsLeecher
2009-01-03 00:21 . 2009-01-03 00:21 244 --ah----- C:\sqmnoopt03.sqm
2009-01-03 00:21 . 2009-01-03 00:21 232 --ah----- C:\sqmdata03.sqm
2008-12-21 00:00 . 2008-12-21 00:00 244 --ah----- C:\sqmnoopt02.sqm
2008-12-21 00:00 . 2008-12-21 00:00 232 --ah----- C:\sqmdata02.sqm
2008-12-20 16:43 . 2008-12-20 16:43 244 --ah----- C:\sqmnoopt01.sqm
2008-12-20 16:43 . 2008-12-20 16:43 232 --ah----- C:\sqmdata01.sqm
2008-12-20 03:57 . 2008-12-20 03:57 <DIR> d-------- c:\program files\Microsoft Xbox 360 Accessories
2008-12-20 03:46 . 2008-12-20 03:46 <DIR> d-------- c:\documents and settings\Solaris\Application Data\Microsoft Games
2008-12-20 03:39 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-12-20 03:15 . 2008-12-20 03:15 <DIR> d-------- c:\program files\MSBuild
2008-12-20 03:14 . 2008-12-20 03:14 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-20 03:14 . 2008-12-20 03:14 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-20 03:13 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll
2008-12-20 03:11 . 2008-12-20 03:11 <DIR> d-------- c:\windows\system32\xlive
2008-12-20 03:11 . 2008-12-20 03:12 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-12-20 03:11 . 2008-02-05 23:07 462,864 --a------ c:\windows\system32\d3dx10_37.dll
2008-12-20 02:54 . 2008-12-20 02:54 <DIR> d-------- C:\New Folder
2008-12-20 02:31 . 2008-12-20 02:31 268 --ah----- C:\sqmdata00.sqm
2008-12-20 02:31 . 2008-12-20 02:31 244 --ah----- C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 22:50 --------- d-----w c:\documents and settings\Solaris\Application Data\uTorrent
2009-01-07 06:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-06 21:22 --------- d-----w c:\documents and settings\Solaris\Application Data\mIRC
2008-12-10 19:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 02:46 --------- d-----w c:\documents and settings\Solaris\Application Data\U3
2008-11-29 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-11-28 03:28 66,816 ----a-w c:\windows\system32\drivers\thdudf.sys
2008-11-27 20:03 --------- d-----w c:\program files\AGEIA Technologies
2008-11-27 19:18 --------- d-----w c:\program files\MSXML 4.0
2008-11-26 02:23 --------- d-----w c:\program files\PDZ-1 Sony Proxy Browsing Software
2008-11-26 01:14 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-26 00:24 --------- d-----w c:\documents and settings\Solaris\Application Data\Apple Computer
2008-11-20 19:44 --------- d-----w c:\program files\iPod
2008-11-20 19:44 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-20 19:43 --------- d-----w c:\program files\Bonjour
2008-11-20 19:43 --------- d-----w c:\program files\Apple Software Update
2008-11-20 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-20 19:42 --------- d-----w c:\program files\Common Files\Apple
2008-11-13 22:13 --------- d-----w c:\documents and settings\Solaris\Application Data\Propellerhead Software
2008-11-13 22:13 --------- d-----w c:\documents and settings\All Users\Application Data\Propellerhead Software
2008-11-12 14:54 6,188,320 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2006-06-23 06:48 32,768 -c--a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Core Temp"="d:\misc utils\CoreTemp\Core Temp.exe" [2008-08-14 260624]
"uTorrent"="d:\program files\uTorrent\uTorrent.exe" [2008-10-17 270128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"AnyDVD"="d:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-11-26 2177984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
"RemoteControl"="d:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 71216]
"LanguageShortcut"="d:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"VC9Player"="d:\program files\Virtual CD v9\System\VC9Play.exe" [2008-11-06 202056]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]
"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-08 1601304]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"SetDefaultMIDI"="MIDIDEF.EXE" [2008-06-27 c:\windows\system32\MIDIDEF.EXE]

c:\documents and settings\Solaris\Start Menu\Programs\Startup\
Random Wallpaper Changer.lnk - d:\program files\changepaper\changepaper.exe [2008-05-19 399360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - d:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-08 21:28 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=fztlma.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"= diomidi.dll
"wave2"= Digi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-08 12552]
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-09-05 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-02-28 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-08 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-08 107272]
R1 ProDscFS;ProDiscFS;c:\windows\system32\drivers\ProDscFS.sys [2008-05-09 92544]
R1 ProDscFT;ProDiscFilter;c:\windows\system32\drivers\ProDscFT.sys [2008-04-23 28800]
R1 vdrv9000;vdrv9000;c:\windows\system32\drivers\vdrv9000.sys [2008-12-10 113168]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\Solaris\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Solaris\LOCALS~1\Temp\ALSysIO.sys [?]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-01-08 29208]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-08 332928]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};d:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51:58 13560]
R4 avg8emc;AVG8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [2009-01-08 903960]
R4 avg8wd;AVG8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-08 298264]
R4 avgfws8;AVG8 Firewall;d:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-08 1339600]
R4 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-08-18 16400]
R4 MacDriveService;MacDriveService;c:\program files\Mediafour\MacDrive 7\MacDriveService.exe [2007-05-01 143360]
R4 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2008-11-25 66816]
R4 VC9SecS;Virtual CD v9 Management Service;d:\program files\Virtual CD v9\System\VC9SecS.exe [2008-12-10 132424]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-01-08 29208]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
S3 HH9Help.sys;HH9Help.sys;c:\windows\system32\drivers\HH9Help.sys [2008-12-10 11392]
S3 ProDisc;Sony ProDisc Device Driver;c:\windows\system32\drivers\ProDisc.sys [2008-05-09 47872]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALSYSIO

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39ead3e6-bd48-11dd-813a-0015af0f379d}]
\Shell\AutoRun\command - J:\autorun.exe
\Shell\setup\command - J:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bd0d716-7d78-11dd-9efc-0015af0f379d}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc22bd6e-6d50-11dd-9ecb-fcb26b19153c}]
\Shell\Auto\command - ,.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ,.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e43c7a70-67ac-11dd-9ec1-0015af0f379d}]
\Shell\Auto\command - ,.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ,.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\sidjxqqh.job
- c:\windows\system32\rundll32.exe [2004-08-03 23:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0E7D645F-DAE9-49D9-B7FB-EBA917A0BE3A} - __BHODemonDisabled
BHO-{153FF8C7-1E13-4905-96A3-C62435BE2CDA} - __BHODemonDisabled
BHO-{FE4BA044-9B25-4ABB-9CC0-87AB830602C8} - __BHODemonDisabled
ShellIconOverlayIdentifiers-MacDrive Volume Icons - (no file)
HKLM-Run-winpol - c:\windows\system32\winpol.exe
Notify-opnnlLdc - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Solaris\Application Data\Mozilla\Firefox\Profiles\h70wxk27.default\
FF - prefs.js: browser.startup.homepage - d:\\New Folder\\Docs\\Backup\\links1.htm
FF - component: d:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 22:56:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\d:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vdrv9000]
"ImagePath"="system32\DRIVERS\vdrv9000.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
d:\progra~1\AVG\AVG8\avgam.exe
d:\program files\AVG\AVG8\avgrsx.exe
d:\progra~1\AVG\AVG8\avgnsx.exe
d:\program files\AVG\AVG8\avgcsrvx.exe
d:\program files\AVG\AVG8\avgcsrvx.exe
d:\program files\AVG\AVG8\avgcsrvx.exe
d:\program files\Virtual CD v9\System\vc9tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-12 22:58:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 22:58:23

Pre-Run: 760,332,288 bytes free
Post-Run: 750,968,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Avid 2.7GB" /3GB /userva=2700 /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

278

And by HijackThis, did you mean the DDS pseudo-HijackThis log?

Here it is:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Solaris at 23:00:49.18 on 12/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.642 [GMT 0:00]

AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
D:\PROGRA~1\AVG\AVG8\avgam.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
D:\Program Files\Virtual CD v9\System\VC9SecS.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Misc Utils\CoreTemp\Core Temp.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\changepaper\changepaper.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Virtual CD v9\System\VC9Tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Solaris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [Core Temp] d:\misc utils\coretemp\Core Temp.exe
uRun: [uTorrent] "d:\program files\utorrent\uTorrent.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [AnyDVD] d:\program files\slysoft\anydvd\AnyDVDtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [RemoteControl] "d:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "d:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VC9Player] d:\program files\virtual cd v9\system\VC9Play.exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "c:\program files\mediafour\macdrive 7\MacDrive.exe"
mRun: [MDGetStarted.exe] "c:\program files\mediafour\macdrive 7\MDGetStarted.exe" /auto
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\solaris\startm~1\programs\startup\random~1.lnk - d:\program files\changepaper\changepaper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - d:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: fztlma.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\solaris\applic~1\mozilla\firefox\profiles\h70wxk27.default\
FF - prefs.js: browser.startup.homepage - d:\\new folder\\docs\\backup\\links1.htm
FF - component: d:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: d:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-8 12552]
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-9-5 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-2-28 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 324872]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-8 107272]
R1 ProDscFS;ProDiscFS;c:\windows\system32\drivers\ProDscFS.sys [2008-5-9 92544]
R1 ProDscFT;ProDiscFilter;c:\windows\system32\drivers\ProDscFT.sys [2008-4-23 28800]
R1 vdrv9000;vdrv9000;c:\windows\system32\drivers\vdrv9000.sys [2008-12-10 113168]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\solaris\locals~1\temp\alsysio.sys --> c:\docume~1\solaris\locals~1\temp\ALSysIO.sys [?]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-1-8 29208]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-8 332928]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};d:\program files\cyberlink\powerdvd\000.fcl [2006-11-2 13560]
R4 avg8emc;AVG8 E-mail Scanner;d:\progra~1\avg\avg8\avgemc.exe [2009-1-8 903960]
R4 avg8wd;AVG8 WatchDog;d:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 298264]
R4 avgfws8;AVG8 Firewall;d:\progra~1\avg\avg8\avgfws8.exe [2009-1-8 1339600]
R4 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-8-18 16400]
R4 MacDriveService;MacDriveService;c:\program files\mediafour\macdrive 7\MacDriveService.exe [2007-5-1 143360]
R4 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2008-11-25 66816]
R4 VC9SecS;Virtual CD v9 Management Service;d:\program files\virtual cd v9\system\VC9SecS.exe [2008-12-10 132424]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\digifilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-1-8 29208]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 HH9Help.sys;HH9Help.sys;c:\windows\system32\drivers\HH9Help.sys [2008-12-10 11392]
S3 ProDisc;Sony ProDisc Device Driver;c:\windows\system32\drivers\ProDisc.sys [2008-5-9 47872]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

=============== Created Last 30 ================

2009-01-12 22:53 <DIR> a-dshr-- C:\cmdcons
2009-01-12 22:52 161,792 a------- c:\windows\SWREG.exe
2009-01-12 22:52 98,816 a------- c:\windows\sed.exe
2009-01-12 22:51 <DIR> --d----- C:\Combo-Fix
2009-01-08 21:28 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-08 21:28 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-08 21:28 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-01-08 21:28 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-08 21:28 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-08 21:28 <DIR> --d----- c:\program files\AVG
2009-01-08 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-08 21:04 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-01-08 21:04 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-01-07 06:20 <DIR> --d----- c:\program files\common files\Mediafour
2009-01-07 06:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Mediafour
2009-01-07 05:11 <DIR> --d----- C:\VundoFix Backups
2009-01-07 01:32 <DIR> --d----- c:\docume~1\solaris\applic~1\Malwarebytes
2009-01-07 01:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 01:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 01:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 01:23 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-06 21:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-06 21:11 59 a------- c:\windows\system32\seneka.dat.rmv
2009-01-06 21:11 3 a------- c:\windows\system32\senekadf.dat.rmv
2009-01-06 21:06 17,308 a------- c:\windows\system32\senekalog.dat.rmv
2009-01-06 20:32 <DIR> --d----- c:\documents and settings\solaris\Downloads
2009-01-06 20:32 <DIR> --d----- c:\docume~1\solaris\applic~1\NewsLeecher
2009-01-03 00:21 244 a---h--- C:\sqmnoopt03.sqm
2009-01-03 00:21 232 a---h--- C:\sqmdata03.sqm
2008-12-21 00:00 244 a---h--- C:\sqmnoopt02.sqm
2008-12-21 00:00 232 a---h--- C:\sqmdata02.sqm
2008-12-20 16:43 244 a---h--- C:\sqmnoopt01.sqm
2008-12-20 16:43 232 a---h--- C:\sqmdata01.sqm
2008-12-20 03:57 <DIR> --d----- c:\program files\Microsoft Xbox 360 Accessories
2008-12-20 03:46 <DIR> --d----- c:\docume~1\solaris\applic~1\Microsoft Games
2008-12-20 03:39 444,776 a------- c:\windows\system32\d3dx10_35.dll
2008-12-20 03:14 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-20 03:13 14,048 a------- c:\windows\system32\spmsg2.dll
2008-12-20 03:11 462,864 a------- c:\windows\system32\d3dx10_37.dll
2008-12-20 03:11 <DIR> --d----- c:\windows\system32\xlive
2008-12-20 03:11 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-12-20 02:54 <DIR> --d----- C:\New Folder
2008-12-20 02:31 268 a---h--- C:\sqmdata00.sqm
2008-12-20 02:31 244 a---h--- C:\sqmnoopt00.sqm

==================== Find3M ====================

2008-11-28 03:28 66,816 a------- c:\windows\system32\drivers\thdudf.sys
2008-11-13 22:13 233,472 a------- c:\windows\system32\REX Shared Library.dll
2008-11-13 22:13 225,280 a------- c:\windows\system32\ReWire.dll
2008-11-13 14:11 598,528 a------- c:\windows\system32\crypt32.dll
2008-11-13 14:11 177,664 a------- c:\windows\system32\wintrust.dll
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2006-06-23 06:48 32,768 ac---r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 23:00:53.39 ===============

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:00 PM

Posted 12 January 2009 - 11:07 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\Tasks\sidjxqqh.job

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc22bd6e-6d50-11dd-9ecb-fcb26b19153c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e43c7a70-67ac-11dd-9ec1-0015af0f379d}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
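As an added example (not part of this thread, and not code from ComboFix or DDS), a small Python triage script that scans a log excerpt like the ones posted above for the entries the CFScript in the previous post targets: a populated AppInit_DLLs value, Security Center notifications switched off, the firewall disabled, mountpoints2 AutoRun commands that point at ",.exe" or go through ShellExec_RunDLL, and a scheduled task with a non-descriptive name that launches rundll32.exe. The sample log is a constructed excerpt modelled on the posted logs; the rule names, regexes and heuristics are my own assumptions, not anything the tools define.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired (names are this example's own)
    where: str   # registry key or file path the line belongs to
    detail: str  # the offending value or command


# Constructed excerpt modelled on the ComboFix/DDS output posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=fztlma.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39ead3e6-bd48-11dd-813a-0015af0f379d}]
\Shell\AutoRun\command - J:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc22bd6e-6d50-11dd-9ecb-fcb26b19153c}]
\Shell\Auto\command - ,.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ,.exe

Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\sidjxqqh.job
- c:\windows\system32\rundll32.exe [2004-08-03 23:56]
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
_MOUNT_CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$")
_TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<path>.+\\(?P<name>[^\\]+)\.job)$", re.IGNORECASE)
_TASK_CMD_RE = re.compile(r"^-\s+(?P<cmd>\S+)")


def _check_value(key: str, name: str, value: str) -> list[Finding]:
    """Rules for 'name'='value' lines, selected by the registry key they sit under."""
    k, n = key.lower(), name.lower()
    out: list[Finding] = []
    if k.endswith(r"currentversion\windows") and n == "appinit_dlls":
        dlls = value.strip('"')
        if dlls:  # an empty value (the state the CFScript restores) is normal
            out.append(Finding("appinit-dlls", key, dlls))
    elif k.endswith("security center") and n.endswith("disablenotify"):
        if value.lower() == "dword:00000001":
            out.append(Finding("security-center-notify-off", key, name))
    elif k.endswith(r"firewallpolicy\standardprofile") and n == "enablefirewall":
        if value.split()[0] == "0":
            out.append(Finding("firewall-disabled", key, name))
    return out


def _is_suspicious_autorun(cmd: str) -> bool:
    """A bare ',.exe' target or a ShellExec_RunDLL indirection is not a normal
    autorun.inf entry; a plain path such as J:\\autorun.exe is left alone."""
    c = cmd.lower()
    return c.startswith(",") or "shellexec_rundll" in c or " ,.exe" in c


def _non_descriptive(job_name: str) -> bool:
    """Heuristic: eight or more lowercase letters and nothing else."""
    return re.fullmatch(r"[a-z]{8,}", job_name) is not None


def triage(log_text: str) -> list[Finding]:
    """Walk the log line by line, tracking the current registry key and the
    most recent scheduled-task entry, and collect findings."""
    findings: list[Finding] = []
    key = ""
    task: tuple[str, str] | None = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _KEY_RE.match(line):
            key = m.group("key")
        elif m := _VALUE_RE.match(line):
            findings.extend(_check_value(key, m.group("name"), m.group("value").strip()))
        elif (m := _MOUNT_CMD_RE.match(line)) and "mountpoints2" in key.lower():
            if _is_suspicious_autorun(m.group("cmd")):
                findings.append(Finding("mountpoints2-autorun", key,
                                        f"{m.group('verb')} -> {m.group('cmd')}"))
        elif m := _TASK_RE.match(line):
            task = (m.group("path"), m.group("name"))
        elif (m := _TASK_CMD_RE.match(line)) and task:
            path, name = task
            if _non_descriptive(name) and m.group("cmd").lower().endswith("rundll32.exe"):
                findings.append(Finding("random-scheduled-task", path, m.group("cmd")))
            task = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.where}\n    {f.detail}")
```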


#5 Uncrvd

Uncrvd
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 12 January 2009 - 11:26 PM

ComboFix 09-01-11.04 - Solaris 2009-01-13 4:20:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.610 [GMT 0:00]
Running from: c:\documents and settings\Solaris\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Solaris\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\Tasks\sidjxqqh.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\sidjxqqh.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVG


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-08 21:28 . 2009-01-12 23:08 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-08 21:28 . 2009-01-08 21:28 <DIR> d-------- c:\program files\AVG
2009-01-08 21:28 . 2009-01-08 21:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-08 21:28 . 2009-01-08 21:28 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-08 21:28 . 2009-01-08 21:28 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-08 21:28 . 2009-01-08 21:28 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-01-08 21:28 . 2009-01-08 21:28 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-08 21:04 . 2009-01-08 21:04 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-01-08 21:04 . 2009-01-08 21:04 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-01-07 06:20 . 2009-01-07 06:20 <DIR> d-------- c:\program files\Common Files\Mediafour
2009-01-07 06:20 . 2009-01-07 06:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Mediafour
2009-01-07 06:01 . 2009-01-07 06:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-07 05:11 . 2009-01-07 05:11 <DIR> d-------- C:\VundoFix Backups
2009-01-07 02:02 . 2009-01-07 06:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 01:32 . 2009-01-07 01:32 <DIR> d-------- c:\documents and settings\Solaris\Application Data\Malwarebytes
2009-01-07 01:31 . 2009-01-07 01:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 01:31 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 01:31 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 01:23 . 2009-01-09 07:19 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-07 01:14 . 2009-01-07 01:14 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2009-01-06 21:25 . 2009-01-08 19:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 21:11 . 2009-01-06 21:11 59 --a------ c:\windows\system32\seneka.dat.rmv
2009-01-06 21:11 . 2009-01-06 21:11 3 --a------ c:\windows\system32\senekadf.dat.rmv
2009-01-06 21:06 . 2009-01-07 00:45 17,308 --a------ c:\windows\system32\senekalog.dat.rmv
2009-01-06 20:32 . 2009-01-06 20:32 <DIR> d-------- c:\documents and settings\Solaris\Downloads
2009-01-06 20:32 . 2009-01-06 20:46 <DIR> d-------- c:\documents and settings\Solaris\Application Data\NewsLeecher
2009-01-03 00:21 . 2009-01-03 00:21 244 --ah----- C:\sqmnoopt03.sqm
2009-01-03 00:21 . 2009-01-03 00:21 232 --ah----- C:\sqmdata03.sqm
2008-12-21 00:00 . 2008-12-21 00:00 244 --ah----- C:\sqmnoopt02.sqm
2008-12-21 00:00 . 2008-12-21 00:00 232 --ah----- C:\sqmdata02.sqm
2008-12-20 16:43 . 2008-12-20 16:43 244 --ah----- C:\sqmnoopt01.sqm
2008-12-20 16:43 . 2008-12-20 16:43 232 --ah----- C:\sqmdata01.sqm
2008-12-20 03:57 . 2008-12-20 03:57 <DIR> d-------- c:\program files\Microsoft Xbox 360 Accessories
2008-12-20 03:46 . 2008-12-20 03:46 <DIR> d-------- c:\documents and settings\Solaris\Application Data\Microsoft Games
2008-12-20 03:39 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-12-20 03:15 . 2008-12-20 03:15 <DIR> d-------- c:\program files\MSBuild
2008-12-20 03:14 . 2008-12-20 03:14 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-20 03:14 . 2008-12-20 03:14 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-20 03:13 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll
2008-12-20 03:11 . 2008-12-20 03:11 <DIR> d-------- c:\windows\system32\xlive
2008-12-20 03:11 . 2008-12-20 03:12 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-12-20 03:11 . 2008-02-05 23:07 462,864 --a------ c:\windows\system32\d3dx10_37.dll
2008-12-20 02:54 . 2008-12-20 02:54 <DIR> d-------- C:\New Folder
2008-12-20 02:31 . 2008-12-20 02:31 268 --ah----- C:\sqmdata00.sqm
2008-12-20 02:31 . 2008-12-20 02:31 244 --ah----- C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 04:20 --------- d-----w c:\documents and settings\Solaris\Application Data\uTorrent
2009-01-07 06:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-06 21:22 --------- d-----w c:\documents and settings\Solaris\Application Data\mIRC
2008-12-10 19:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 02:46 --------- d-----w c:\documents and settings\Solaris\Application Data\U3
2008-11-29 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-11-28 03:28 66,816 ----a-w c:\windows\system32\drivers\thdudf.sys
2008-11-27 20:03 --------- d-----w c:\program files\AGEIA Technologies
2008-11-27 19:18 --------- d-----w c:\program files\MSXML 4.0
2008-11-26 02:23 --------- d-----w c:\program files\PDZ-1 Sony Proxy Browsing Software
2008-11-26 01:14 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-26 00:24 --------- d-----w c:\documents and settings\Solaris\Application Data\Apple Computer
2008-11-20 19:44 --------- d-----w c:\program files\iPod
2008-11-20 19:44 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-20 19:43 --------- d-----w c:\program files\Bonjour
2008-11-20 19:43 --------- d-----w c:\program files\Apple Software Update
2008-11-20 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-20 19:42 --------- d-----w c:\program files\Common Files\Apple
2008-11-13 22:13 --------- d-----w c:\documents and settings\Solaris\Application Data\Propellerhead Software
2008-11-13 22:13 --------- d-----w c:\documents and settings\All Users\Application Data\Propellerhead Software
2006-06-23 06:48 32,768 -c--a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Core Temp"="d:\misc utils\CoreTemp\Core Temp.exe" [2008-08-14 260624]
"uTorrent"="d:\program files\uTorrent\uTorrent.exe" [2008-10-17 270128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"AnyDVD"="d:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-11-26 2177984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
"RemoteControl"="d:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 71216]
"LanguageShortcut"="d:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"VC9Player"="d:\program files\Virtual CD v9\System\VC9Play.exe" [2008-11-06 202056]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]
"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-08 1601304]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"SetDefaultMIDI"="MIDIDEF.EXE" [2008-06-27 c:\windows\system32\MIDIDEF.EXE]

c:\documents and settings\Solaris\Start Menu\Programs\Startup\
Random Wallpaper Changer.lnk - d:\program files\changepaper\changepaper.exe [2008-05-19 399360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - d:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-08 21:28 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"= diomidi.dll
"wave2"= Digi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-08 12552]
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-09-05 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-02-28 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-08 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-08 107272]
R1 ProDscFS;ProDiscFS;c:\windows\system32\drivers\ProDscFS.sys [2008-05-09 92544]
R1 ProDscFT;ProDiscFilter;c:\windows\system32\drivers\ProDscFT.sys [2008-04-23 28800]
R1 vdrv9000;vdrv9000;c:\windows\system32\drivers\vdrv9000.sys [2008-12-10 113168]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\Solaris\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Solaris\LOCALS~1\Temp\ALSysIO.sys [?]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-01-08 29208]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-08 332928]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};d:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51:58 13560]
R4 avg8emc;AVG8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [2009-01-08 903960]
R4 avg8wd;AVG8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-08 298264]
R4 avgfws8;AVG8 Firewall;d:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-08 1339600]
R4 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-08-18 16400]
R4 MacDriveService;MacDriveService;c:\program files\Mediafour\MacDrive 7\MacDriveService.exe [2007-05-01 143360]
R4 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2008-11-25 66816]
R4 VC9SecS;Virtual CD v9 Management Service;d:\program files\Virtual CD v9\System\VC9SecS.exe [2008-12-10 132424]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-01-08 29208]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
S3 HH9Help.sys;HH9Help.sys;c:\windows\system32\drivers\HH9Help.sys [2008-12-10 11392]
S3 ProDisc;Sony ProDisc Device Driver;c:\windows\system32\drivers\ProDisc.sys [2008-05-09 47872]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALSYSIO

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39ead3e6-bd48-11dd-813a-0015af0f379d}]
\Shell\AutoRun\command - J:\autorun.exe
\Shell\setup\command - J:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bd0d716-7d78-11dd-9efc-0015af0f379d}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Solaris\Application Data\Mozilla\Firefox\Profiles\h70wxk27.default\
FF - prefs.js: browser.startup.homepage - d:\\New Folder\\Docs\\Backup\\links1.htm
FF - component: d:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 04:22:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\d:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vdrv9000]
"ImagePath"="system32\DRIVERS\vdrv9000.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
d:\progra~1\AVG\AVG8\avgam.exe
d:\program files\AVG\AVG8\avgrsx.exe
d:\progra~1\AVG\AVG8\avgnsx.exe
d:\program files\AVG\AVG8\avgcsrvx.exe
d:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
d:\program files\AVG\AVG8\avgcsrvx.exe
d:\program files\Virtual CD v9\System\vc9tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-13 4:24:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 04:24:10
ComboFix2.txt 2009-01-12 22:58:25

Pre-Run: 717,623,296 bytes free
Post-Run: 748,240,896 bytes free

244

Here's my DDS Log:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Solaris at 4:24:47.39 on 13/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.547 [GMT 0:00]

AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
D:\PROGRA~1\AVG\AVG8\avgam.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\Program Files\Virtual CD v9\System\VC9SecS.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Misc Utils\CoreTemp\Core Temp.exe
D:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\changepaper\changepaper.exe
D:\Program Files\Virtual CD v9\System\VC9Tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Solaris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [Core Temp] d:\misc utils\coretemp\Core Temp.exe
uRun: [uTorrent] "d:\program files\utorrent\uTorrent.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [AnyDVD] d:\program files\slysoft\anydvd\AnyDVDtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [RemoteControl] "d:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "d:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VC9Player] d:\program files\virtual cd v9\system\VC9Play.exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "c:\program files\mediafour\macdrive 7\MacDrive.exe"
mRun: [MDGetStarted.exe] "c:\program files\mediafour\macdrive 7\MDGetStarted.exe" /auto
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\solaris\startm~1\programs\startup\random~1.lnk - d:\program files\changepaper\changepaper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - d:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\solaris\applic~1\mozilla\firefox\profiles\h70wxk27.default\
FF - prefs.js: browser.startup.homepage - d:\\new folder\\docs\\backup\\links1.htm
FF - component: d:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: d:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-8 12552]
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-9-5 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-2-28 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 324872]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-8 107272]
R1 ProDscFS;ProDiscFS;c:\windows\system32\drivers\ProDscFS.sys [2008-5-9 92544]
R1 ProDscFT;ProDiscFilter;c:\windows\system32\drivers\ProDscFT.sys [2008-4-23 28800]
R1 vdrv9000;vdrv9000;c:\windows\system32\drivers\vdrv9000.sys [2008-12-10 113168]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\solaris\locals~1\temp\alsysio.sys --> c:\docume~1\solaris\locals~1\temp\ALSysIO.sys [?]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-1-8 29208]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-8 332928]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};d:\program files\cyberlink\powerdvd\000.fcl [2006-11-2 13560]
R4 avg8emc;AVG8 E-mail Scanner;d:\progra~1\avg\avg8\avgemc.exe [2009-1-8 903960]
R4 avg8wd;AVG8 WatchDog;d:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 298264]
R4 avgfws8;AVG8 Firewall;d:\progra~1\avg\avg8\avgfws8.exe [2009-1-8 1339600]
R4 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-8-18 16400]
R4 MacDriveService;MacDriveService;c:\program files\mediafour\macdrive 7\MacDriveService.exe [2007-5-1 143360]
R4 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2008-11-25 66816]
R4 VC9SecS;Virtual CD v9 Management Service;d:\program files\virtual cd v9\system\VC9SecS.exe [2008-12-10 132424]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\digifilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-1-8 29208]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 HH9Help.sys;HH9Help.sys;c:\windows\system32\drivers\HH9Help.sys [2008-12-10 11392]
S3 ProDisc;Sony ProDisc Device Driver;c:\windows\system32\drivers\ProDisc.sys [2008-5-9 47872]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

=============== Created Last 30 ================

2009-01-13 04:19 <DIR> --d----- C:\Combo-Fix
2009-01-12 22:53 <DIR> a-dshr-- C:\cmdcons
2009-01-12 22:52 161,792 a------- c:\windows\SWREG.exe
2009-01-12 22:52 98,816 a------- c:\windows\sed.exe
2009-01-08 21:28 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-08 21:28 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-08 21:28 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-01-08 21:28 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-08 21:28 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-08 21:28 <DIR> --d----- c:\program files\AVG
2009-01-08 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-08 21:04 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-01-08 21:04 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-01-07 06:20 <DIR> --d----- c:\program files\common files\Mediafour
2009-01-07 06:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Mediafour
2009-01-07 05:11 <DIR> --d----- C:\VundoFix Backups
2009-01-07 01:32 <DIR> --d----- c:\docume~1\solaris\applic~1\Malwarebytes
2009-01-07 01:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 01:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 01:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 01:23 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-06 21:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-06 21:11 59 a------- c:\windows\system32\seneka.dat.rmv
2009-01-06 21:11 3 a------- c:\windows\system32\senekadf.dat.rmv
2009-01-06 21:06 17,308 a------- c:\windows\system32\senekalog.dat.rmv
2009-01-06 20:32 <DIR> --d----- c:\documents and settings\solaris\Downloads
2009-01-06 20:32 <DIR> --d----- c:\docume~1\solaris\applic~1\NewsLeecher
2009-01-03 00:21 244 a---h--- C:\sqmnoopt03.sqm
2009-01-03 00:21 232 a---h--- C:\sqmdata03.sqm
2008-12-21 00:00 244 a---h--- C:\sqmnoopt02.sqm
2008-12-21 00:00 232 a---h--- C:\sqmdata02.sqm
2008-12-20 16:43 244 a---h--- C:\sqmnoopt01.sqm
2008-12-20 16:43 232 a---h--- C:\sqmdata01.sqm
2008-12-20 03:57 <DIR> --d----- c:\program files\Microsoft Xbox 360 Accessories
2008-12-20 03:46 <DIR> --d----- c:\docume~1\solaris\applic~1\Microsoft Games
2008-12-20 03:39 444,776 a------- c:\windows\system32\d3dx10_35.dll
2008-12-20 03:14 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-20 03:13 14,048 a------- c:\windows\system32\spmsg2.dll
2008-12-20 03:11 462,864 a------- c:\windows\system32\d3dx10_37.dll
2008-12-20 03:11 <DIR> --d----- c:\windows\system32\xlive
2008-12-20 03:11 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-12-20 02:54 <DIR> --d----- C:\New Folder
2008-12-20 02:31 268 a---h--- C:\sqmdata00.sqm
2008-12-20 02:31 244 a---h--- C:\sqmnoopt00.sqm

==================== Find3M ====================

2008-11-28 03:28 66,816 a------- c:\windows\system32\drivers\thdudf.sys
2008-11-13 22:13 233,472 a------- c:\windows\system32\REX Shared Library.dll
2008-11-13 22:13 225,280 a------- c:\windows\system32\ReWire.dll
2008-11-13 14:11 598,528 a------- c:\windows\system32\crypt32.dll
2008-11-13 14:11 177,664 a------- c:\windows\system32\wintrust.dll
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2006-06-23 06:48 32,768 ac---r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 4:24:51.75 ===============

Edited by Uncrvd, 12 January 2009 - 11:28 PM.


#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 12 January 2009 - 11:37 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\seneka.dat.rmv
c:\windows\system32\senekadf.dat.rmv
c:\windows\system32\senekalog.dat.rmv

DirLook::
C:\New Folder

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation not captured]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Uncrvd

  • Topic Starter
  • Members
  • 7 posts

Posted 12 January 2009 - 11:59 PM

ComboFix 09-01-11.04 - Solaris 2009-01-13 4:54:04.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.609 [GMT 0:00]
Running from: c:\documents and settings\Solaris\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Solaris\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\seneka.dat.rmv
c:\windows\system32\senekadf.dat.rmv
c:\windows\system32\senekalog.dat.rmv
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\seneka.dat.rmv
c:\windows\system32\senekadf.dat.rmv
c:\windows\system32\senekalog.dat.rmv

.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-08 21:28 . 2009-01-12 23:08 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-08 21:28 . 2009-01-08 21:28 <DIR> d-------- c:\program files\AVG
2009-01-08 21:28 . 2009-01-08 21:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-08 21:28 . 2009-01-08 21:28 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-08 21:28 . 2009-01-08 21:28 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-08 21:28 . 2009-01-08 21:28 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-01-08 21:28 . 2009-01-08 21:28 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-08 21:04 . 2009-01-08 21:04 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-01-08 21:04 . 2009-01-08 21:04 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-01-07 06:20 . 2009-01-07 06:20 <DIR> d-------- c:\program files\Common Files\Mediafour
2009-01-07 06:20 . 2009-01-07 06:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Mediafour
2009-01-07 06:01 . 2009-01-07 06:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-07 05:11 . 2009-01-07 05:11 <DIR> d-------- C:\VundoFix Backups
2009-01-07 02:02 . 2009-01-07 06:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 01:32 . 2009-01-07 01:32 <DIR> d-------- c:\documents and settings\Solaris\Application Data\Malwarebytes
2009-01-07 01:31 . 2009-01-07 01:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 01:31 . 2009-01-04 18:41 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 01:31 . 2009-01-04 18:41 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 01:23 . 2009-01-09 07:19 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-07 01:14 . 2009-01-07 01:14 <DIR> d---s---- c:\documents and settings\Administrator\UserData
2009-01-06 21:25 . 2009-01-08 19:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 20:32 . 2009-01-06 20:32 <DIR> d-------- c:\documents and settings\Solaris\Downloads
2009-01-06 20:32 . 2009-01-06 20:46 <DIR> d-------- c:\documents and settings\Solaris\Application Data\NewsLeecher
2009-01-03 00:21 . 2009-01-03 00:21 244 --ah----- C:\sqmnoopt03.sqm
2009-01-03 00:21 . 2009-01-03 00:21 232 --ah----- C:\sqmdata03.sqm
2008-12-21 00:00 . 2008-12-21 00:00 244 --ah----- C:\sqmnoopt02.sqm
2008-12-21 00:00 . 2008-12-21 00:00 232 --ah----- C:\sqmdata02.sqm
2008-12-20 16:43 . 2008-12-20 16:43 244 --ah----- C:\sqmnoopt01.sqm
2008-12-20 16:43 . 2008-12-20 16:43 232 --ah----- C:\sqmdata01.sqm
2008-12-20 03:57 . 2008-12-20 03:57 <DIR> d-------- c:\program files\Microsoft Xbox 360 Accessories
2008-12-20 03:46 . 2008-12-20 03:46 <DIR> d-------- c:\documents and settings\Solaris\Application Data\Microsoft Games
2008-12-20 03:39 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-12-20 03:15 . 2008-12-20 03:15 <DIR> d-------- c:\program files\MSBuild
2008-12-20 03:14 . 2008-12-20 03:14 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-20 03:14 . 2008-12-20 03:14 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-20 03:13 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll
2008-12-20 03:11 . 2008-12-20 03:11 <DIR> d-------- c:\windows\system32\xlive
2008-12-20 03:11 . 2008-12-20 03:12 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2008-12-20 03:11 . 2008-02-05 23:07 462,864 --a------ c:\windows\system32\d3dx10_37.dll
2008-12-20 02:54 . 2008-12-20 02:54 <DIR> d-------- C:\New Folder
2008-12-20 02:31 . 2008-12-20 02:31 268 --ah----- C:\sqmdata00.sqm
2008-12-20 02:31 . 2008-12-20 02:31 244 --ah----- C:\sqmnoopt00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 04:52 --------- d-----w c:\documents and settings\Solaris\Application Data\uTorrent
2009-01-07 06:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-06 21:22 --------- d-----w c:\documents and settings\Solaris\Application Data\mIRC
2008-12-10 19:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 02:46 --------- d-----w c:\documents and settings\Solaris\Application Data\U3
2008-11-29 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2008-11-28 03:28 66,816 ----a-w c:\windows\system32\drivers\thdudf.sys
2008-11-27 20:03 --------- d-----w c:\program files\AGEIA Technologies
2008-11-27 19:18 --------- d-----w c:\program files\MSXML 4.0
2008-11-26 02:23 --------- d-----w c:\program files\PDZ-1 Sony Proxy Browsing Software
2008-11-26 01:14 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-26 00:24 --------- d-----w c:\documents and settings\Solaris\Application Data\Apple Computer
2008-11-20 19:44 --------- d-----w c:\program files\iPod
2008-11-20 19:44 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-20 19:43 --------- d-----w c:\program files\Bonjour
2008-11-20 19:43 --------- d-----w c:\program files\Apple Software Update
2008-11-20 19:43 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-20 19:42 --------- d-----w c:\program files\Common Files\Apple
2008-11-13 22:13 233,472 ----a-w c:\windows\system32\REX Shared Library.dll
2008-11-13 22:13 225,280 ----a-w c:\windows\system32\ReWire.dll
2008-11-13 22:13 --------- d-----w c:\documents and settings\Solaris\Application Data\Propellerhead Software
2008-11-13 22:13 --------- d-----w c:\documents and settings\All Users\Application Data\Propellerhead Software
2008-11-13 14:11 598,528 ----a-w c:\windows\system32\crypt32.dll
2008-11-13 14:11 177,664 ----a-w c:\windows\system32\wintrust.dll
2008-11-12 13:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-10-28 17:41 14,303,392 ----a-w c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 ----a-w c:\windows\system32\xlivefnt.dll
2008-10-27 10:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 10:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-13 09:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2006-06-23 06:48 32,768 -c--a-r c:\windows\inf\UpdateUSB.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\New Folder ----

2008-10-10 04:52 452440 --a------ c:\new folder\d3dx10_40.dll
2008-07-10 11:01 467984 --a------ c:\new folder\d3dx10_39.dll
2008-05-30 14:11 467984 --a------ c:\new folder\d3dx10_38.dll
2008-02-05 23:07 462864 --a------ c:\new folder\d3dx10_37.dll
2007-10-02 09:56 444776 --a------ c:\new folder\d3dx10_36.dll
2007-07-19 18:14 444776 --a------ c:\new folder\d3dx10_35.dll
2007-05-16 16:45 443752 --a------ c:\new folder\d3dx10_34.dll
2007-03-15 16:57 443752 --a------ c:\new folder\d3dx10_33.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Core Temp"="d:\misc utils\CoreTemp\Core Temp.exe" [2008-08-14 260624]
"uTorrent"="d:\program files\uTorrent\uTorrent.exe" [2008-10-17 270128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"AnyDVD"="d:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-11-26 2177984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
"RemoteControl"="d:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 71216]
"LanguageShortcut"="d:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"VC9Player"="d:\program files\Virtual CD v9\System\VC9Play.exe" [2008-11-06 202056]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]
"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-08 1601304]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"SetDefaultMIDI"="MIDIDEF.EXE" [2008-06-27 c:\windows\system32\MIDIDEF.EXE]

c:\documents and settings\Solaris\Start Menu\Programs\Startup\
Random Wallpaper Changer.lnk - d:\program files\changepaper\changepaper.exe [2008-05-19 399360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - d:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-08 21:28 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"= diomidi.dll
"wave2"= Digi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-08 12552]
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-09-05 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-02-28 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-08 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-08 107272]
R1 ProDscFS;ProDiscFS;c:\windows\system32\drivers\ProDscFS.sys [2008-05-09 92544]
R1 ProDscFT;ProDiscFilter;c:\windows\system32\drivers\ProDscFT.sys [2008-04-23 28800]
R1 vdrv9000;vdrv9000;c:\windows\system32\drivers\vdrv9000.sys [2008-12-10 113168]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\Solaris\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Solaris\LOCALS~1\Temp\ALSysIO.sys [?]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-01-08 29208]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-08 332928]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};d:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51:58 13560]
R4 avg8emc;AVG8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [2009-01-08 903960]
R4 avg8wd;AVG8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-08 298264]
R4 avgfws8;AVG8 Firewall;d:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-08 1339600]
R4 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-08-18 16400]
R4 MacDriveService;MacDriveService;c:\program files\Mediafour\MacDrive 7\MacDriveService.exe [2007-05-01 143360]
R4 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2008-11-25 66816]
R4 VC9SecS;Virtual CD v9 Management Service;d:\program files\Virtual CD v9\System\VC9SecS.exe [2008-12-10 132424]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-01-08 29208]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
S3 HH9Help.sys;HH9Help.sys;c:\windows\system32\drivers\HH9Help.sys [2008-12-10 11392]
S3 ProDisc;Sony ProDisc Device Driver;c:\windows\system32\drivers\ProDisc.sys [2008-05-09 47872]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39ead3e6-bd48-11dd-813a-0015af0f379d}]
\Shell\AutoRun\command - J:\autorun.exe
\Shell\setup\command - J:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bd0d716-7d78-11dd-9efc-0015af0f379d}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Solaris\Application Data\Mozilla\Firefox\Profiles\h70wxk27.default\
FF - prefs.js: browser.startup.homepage - d:\\New Folder\\Docs\\Backup\\links1.htm
FF - component: d:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 04:55:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...


c:\windows\TEMP\e57ad0fc-9e35-4f73-bd8e-3e33f6ba72ad.tmp 0 bytes
c:\windows\TEMP\f9085241-7e56-404c-8d5d-664e0157f377.tmp 0 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\d:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vdrv9000]
"ImagePath"="system32\DRIVERS\vdrv9000.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
d:\progra~1\AVG\AVG8\avgam.exe
d:\program files\AVG\AVG8\avgrsx.exe
d:\progra~1\AVG\AVG8\avgnsx.exe
d:\program files\AVG\AVG8\avgcsrvx.exe
d:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
d:\program files\AVG\AVG8\avgcsrvx.exe
d:\program files\Virtual CD v9\System\vc9tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-13 4:57:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 04:57:12
ComboFix2.txt 2009-01-13 04:24:13
ComboFix3.txt 2009-01-12 22:58:25

Pre-Run: 748,929,024 bytes free
Post-Run: 756,768,768 bytes free

273

My DDS log:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Solaris at 4:58:02.95 on 13/01/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.600 [GMT 0:00]

AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
D:\PROGRA~1\AVG\AVG8\avgam.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\Virtual CD v9\System\VC9SecS.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Virtual CD v9\System\VC9Play.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Misc Utils\CoreTemp\Core Temp.exe
D:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\changepaper\changepaper.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Virtual CD v9\System\VC9Tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Solaris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [Core Temp] d:\misc utils\coretemp\Core Temp.exe
uRun: [uTorrent] "d:\program files\utorrent\uTorrent.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [AnyDVD] d:\program files\slysoft\anydvd\AnyDVDtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [RemoteControl] "d:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "d:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VC9Player] d:\program files\virtual cd v9\system\VC9Play.exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "c:\program files\mediafour\macdrive 7\MacDrive.exe"
mRun: [MDGetStarted.exe] "c:\program files\mediafour\macdrive 7\MDGetStarted.exe" /auto
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\solaris\startm~1\programs\startup\random~1.lnk - d:\program files\changepaper\changepaper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - d:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - d:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\solaris\applic~1\mozilla\firefox\profiles\h70wxk27.default\
FF - prefs.js: browser.startup.homepage - d:\\new folder\\docs\\backup\\links1.htm
FF - component: d:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: d:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-8 12552]
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [2007-9-5 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [2007-2-28 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 324872]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-8 107272]
R1 ProDscFS;ProDiscFS;c:\windows\system32\drivers\ProDscFS.sys [2008-5-9 92544]
R1 ProDscFT;ProDiscFilter;c:\windows\system32\drivers\ProDscFT.sys [2008-4-23 28800]
R1 vdrv9000;vdrv9000;c:\windows\system32\drivers\vdrv9000.sys [2008-12-10 113168]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\solaris\locals~1\temp\alsysio.sys --> c:\docume~1\solaris\locals~1\temp\ALSysIO.sys [?]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-1-8 29208]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-11-8 332928]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};d:\program files\cyberlink\powerdvd\000.fcl [2006-11-2 13560]
R4 avg8emc;AVG8 E-mail Scanner;d:\progra~1\avg\avg8\avgemc.exe [2009-1-8 903960]
R4 avg8wd;AVG8 WatchDog;d:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-8 298264]
R4 avgfws8;AVG8 Firewall;d:\progra~1\avg\avg8\avgfws8.exe [2009-1-8 1339600]
R4 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2008-8-18 16400]
R4 MacDriveService;MacDriveService;c:\program files\mediafour\macdrive 7\MacDriveService.exe [2007-5-1 143360]
R4 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [2008-11-25 66816]
R4 VC9SecS;Virtual CD v9 Management Service;d:\program files\virtual cd v9\system\VC9SecS.exe [2008-12-10 132424]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\digifilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-1-8 29208]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 HH9Help.sys;HH9Help.sys;c:\windows\system32\drivers\HH9Help.sys [2008-12-10 11392]
S3 ProDisc;Sony ProDisc Device Driver;c:\windows\system32\drivers\ProDisc.sys [2008-5-9 47872]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]

=============== Created Last 30 ================

2009-01-13 04:52 <DIR> --d----- C:\Combo-Fix
2009-01-12 22:53 <DIR> a-dshr-- C:\cmdcons
2009-01-12 22:52 161,792 a------- c:\windows\SWREG.exe
2009-01-12 22:52 98,816 a------- c:\windows\sed.exe
2009-01-08 21:28 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-08 21:28 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-08 21:28 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-01-08 21:28 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-08 21:28 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-08 21:28 <DIR> --d----- c:\program files\AVG
2009-01-08 21:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-08 21:04 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-01-08 21:04 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-01-07 06:20 <DIR> --d----- c:\program files\common files\Mediafour
2009-01-07 06:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Mediafour
2009-01-07 05:11 <DIR> --d----- C:\VundoFix Backups
2009-01-07 01:32 <DIR> --d----- c:\docume~1\solaris\applic~1\Malwarebytes
2009-01-07 01:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 01:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 01:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 01:23 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-06 21:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-06 20:32 <DIR> --d----- c:\documents and settings\solaris\Downloads
2009-01-06 20:32 <DIR> --d----- c:\docume~1\solaris\applic~1\NewsLeecher
2009-01-03 00:21 244 a---h--- C:\sqmnoopt03.sqm
2009-01-03 00:21 232 a---h--- C:\sqmdata03.sqm
2008-12-21 00:00 244 a---h--- C:\sqmnoopt02.sqm
2008-12-21 00:00 232 a---h--- C:\sqmdata02.sqm
2008-12-20 16:43 244 a---h--- C:\sqmnoopt01.sqm
2008-12-20 16:43 232 a---h--- C:\sqmdata01.sqm
2008-12-20 03:57 <DIR> --d----- c:\program files\Microsoft Xbox 360 Accessories
2008-12-20 03:46 <DIR> --d----- c:\docume~1\solaris\applic~1\Microsoft Games
2008-12-20 03:39 444,776 a------- c:\windows\system32\d3dx10_35.dll
2008-12-20 03:14 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-20 03:13 14,048 a------- c:\windows\system32\spmsg2.dll
2008-12-20 03:11 462,864 a------- c:\windows\system32\d3dx10_37.dll
2008-12-20 03:11 <DIR> --d----- c:\windows\system32\xlive
2008-12-20 03:11 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-12-20 02:54 <DIR> --d----- C:\New Folder
2008-12-20 02:31 268 a---h--- C:\sqmdata00.sqm
2008-12-20 02:31 244 a---h--- C:\sqmnoopt00.sqm

==================== Find3M ====================

2008-11-28 03:28 66,816 a------- c:\windows\system32\drivers\thdudf.sys
2008-11-13 22:13 233,472 a------- c:\windows\system32\REX Shared Library.dll
2008-11-13 22:13 225,280 a------- c:\windows\system32\ReWire.dll
2008-11-13 14:11 598,528 a------- c:\windows\system32\crypt32.dll
2008-11-13 14:11 177,664 a------- c:\windows\system32\wintrust.dll
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2006-06-23 06:48 32,768 ac---r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 4:58:07.14 ===============
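A first pass over a DDS / ComboFix log like the ones above is mostly pattern matching: which services point at files DDS could not read (the "--> path [?]" form), which kernel drivers load from a user-writable location, which removable-drive autorun handlers Explorer has cached under mountpoints2, and whether Security Center warnings have been switched off. The script below is an added example written for this page by the editor; it is not part of DDS, ComboFix or any BleepingComputer tool, and its indicator categories are the editor's own triage heuristics rather than anything those tools report. The sample input is a constructed excerpt of lines copied verbatim from the log in the post above. Everything it flags still needs a human decision: the ALSysIO.sys entry under the user's Temp folder is what a hardware-monitoring tool such as Core Temp (visible in the running-process list) typically drops at runtime, LaunchU3.exe is the launcher on U3-enabled USB sticks, and AntiVirusDisableNotify is set by third-party suites like AVG as well as by malware, so these are things to look at, not verdicts.

```python
"""Triage a DDS / ComboFix-style log for the indicators a removal helper reads first.

Added example for this thread; it is not part of DDS, ComboFix or any BleepingComputer
tool, and the indicator categories below are the editor's own heuristics, not the
tools' verdicts.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied verbatim from the ComboFix/DDS log posted above,
# trimmed to the sections this script knows how to read.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-08 12552]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\Solaris\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Solaris\LOCALS~1\Temp\ALSysIO.sys [?]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39ead3e6-bd48-11dd-813a-0015af0f379d}]
\Shell\AutoRun\command - J:\autorun.exe
\Shell\setup\command - J:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bd0d716-7d78-11dd-9efc-0015af0f379d}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # indicator category, e.g. "missing_file", "autorun_handler"
    name: str    # service name, registry value name or autorun verb
    detail: str  # the path or command that triggered it


# "R3 Name;Description;<image path> [date size]" or "... <image path> --> <resolved> [?]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
MOUNTPOINT_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$")
SECCENTER_RE = re.compile(r'^"(?P<value>\w+DisableNotify)"=dword:0*1$')

# Path fragments a standard user can write to (8.3 short names included, since DDS
# prints them that way).  A kernel driver loading from here deserves a second look
# even when it turns out to be a legitimate tool's runtime-dropped driver.
USER_WRITABLE = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\appdata\\")


def _driver_path(rest: str) -> str:
    """Return the on-disk path from the tail of a service line, lower-cased.

    DDS writes '<image path> [date size]' normally and
    '<image path> --> <resolved path> [?]' when it could not stat the file.
    """
    resolved = rest.split(" --> ")[-1]
    return resolved.rsplit(" [", 1)[0].strip().lower()


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect the indicators worth a human's attention."""
    findings: list[Finding] = []
    section = ""  # last [registry key] header seen, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue

        svc = SERVICE_RE.match(line)
        if svc:
            path = _driver_path(svc.group("rest"))
            if svc.group("rest").endswith("[?]"):
                # Service entry survives but the file could not be read: either a
                # leftover from an uninstall or a driver that only exists while its
                # host program runs.  Confirm which before deleting anything.
                findings.append(Finding("missing_file", svc.group("name"), path))
            if any(frag in path for frag in USER_WRITABLE):
                findings.append(Finding("driver_in_user_path", svc.group("name"), path))
            continue

        if "mountpoints2" in section:
            mp = MOUNTPOINT_RE.match(line)
            if mp:
                # Explorer's cached autorun.inf handlers for a removable drive: the
                # command it ran or offered when that drive was inserted.
                findings.append(Finding("autorun_handler", mp.group("verb"), mp.group("cmd")))
            continue

        if "security center" in section:
            sc = SECCENTER_RE.match(line)
            if sc:
                # Security Center warnings suppressed; third-party suites set this
                # too, so treat it as context rather than a verdict.
                findings.append(Finding("notify_suppressed", sc.group("value"), line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per indicator category."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.name:16} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the excerpt it reports one driver loading from the user's Temp folder (ALSysIO), three service entries whose files DDS could not read, three cached autorun commands for drive J: and two suppressed Security Center notifications. The point of keeping the output as categories rather than a "clean/infected" answer is the same reason the helpers in this thread ask for logs instead of trusting a scanner's verdict: each line has a benign explanation that only the surrounding context (the process list, what was recently installed, which USB stick was plugged in) can confirm or rule out.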

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:00 PM

Posted 13 January 2009 - 12:18 AM

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 Uncrvd

Uncrvd
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 13 January 2009 - 02:03 AM

Damn, that ESET scan took a long time!!

GooredFix v1.81 by jpshortstuff
Log created at 05:38 on 13/01/2009 running Option #1 (Solaris)
Firefox version 3.0.5 (en-GB)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="D:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="D:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="D:\Program Files\AVG\AVG8\Firefox"

Eset:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3760 (20090112)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=595e9bb6011cc24fb919c59025c8ea69
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-13 06:55:17
# local_time=2009-01-13 06:55:17 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=791477
# found=1
# scan_time=4461
C:\Qoobox\Quarantine\C\WINDOWS\system32\nscrelor.dll.vir Win32/TrojanDownloader.Agent.ONC trojan (unable to clean - deleted) 00000000000000000000000000000000

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:00 PM

Posted 13 January 2009 - 07:06 AM

Damn, that ESET scan took a long time!!

:thumbsup:

Looks good to me.. Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#11 Uncrvd

Uncrvd
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 15 January 2009 - 10:08 AM

Everything seems okay so far, although I'm so busy with work I haven't really been using my computer. Can I report back properly on the weekend?

Thank you very much for the help by the way :thumbsup:

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:00 PM

Posted 15 January 2009 - 11:31 AM

Ok.. will wait until weekend :thumbsup:



#13 Uncrvd

Uncrvd
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:00 AM

Posted 19 January 2009 - 01:14 PM

Sorry for the lack of reply. I didn't really use my computer until yesterday.

There has been one issue that seems to have resulted from either the infection or the cleaning process. When I boot up, it doesn't give me the option to choose between standard or the boot option that allows programs to use 3GB of virtual memory (which I need for a video editing application). It just flashes for a second before continuing booting. I can also see that there are now 3 options there instead of 2; the new one looks like it's the recovery console, which I chose to install when I ran Combofix.

That was the only problem, so I thought I'd secure my machine before reporting back and I installed Avira Antivir Premium, but it seems to have brought on disk errors on one of my drives! (and of course the one with all my work on).

After it had been installed for a few hours, when I was using the PC later I noticed it was being slow and unresponsive. When trying to play MP3s in zoomplayer, it was taking several seconds to play them, and to skip to later in the track (I was trying to skip between tracks, and skip into the track), and then a popup appeared in the systray saying something about my music folder being corrupt, please run chkdsk. And now the whole computer is slow; explorer seems to freeze for 30 seconds, then be fine for 30, then freeze, etc., making it extremely difficult to use. Booting up causes a long pause (about 2 minutes) on a black screen before launching into CHKDSK for G:, no matter how many times I run it and fix errors. Doing a dirty query returns 'incorrect parameter'.

Well anyway, I know it's not malware related; I'll try the instructions given here http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/ for recovery console and system file checker. I swear it's not a coincidence though, and I am being punished; god just won't give me a bleep break. Every time I have some important deadline my computer dies, literally 5 times in the last 2 years!

Thanks for your help fenzodahl, it does look as though the malware is definitely gone. And once I'm back up and running I will have Avira Antivir (maybe, with read/write scanning disabled), Comodo firewall and SUPERAntiSpyware, so hopefully it won't be back anytime soon!

Edited by Uncrvd, 19 January 2009 - 01:17 PM.


#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:00 PM

Posted 20 January 2009 - 07:21 AM

Thank you for the feedback.. If you still have problems with the computer, I reckon you should get further assistance at our Windows XP forum below...

http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/


Anyhow, if you get repeated chkdsk errors, it would be useful to start backing up all necessary data/documents/files/pictures/music/songs/movies/etc.. That's a bad sign for the hard disk.. I'm not an expert in hardware issues, but that's just my personal experience...


I will now close this topic. If you need this topic to be re-opened, please PM me or the Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing!

fenzodahl512





