
running very slow


This topic is locked
8 replies to this topic

#1 tritonr1

  • Members
  • 17 posts

Posted 02 February 2009 - 03:46 PM

Log file below; thanks for looking it over, as I'm not sure if I'm infected or not,
but there are a few strange entries.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:44:10, on 02/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\Winamp\winampa.exe
H:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
H:\WINDOWS\system32\ctfmon.exe
H:\PROGRA~1\AVG\AVG8\avgam.exe
H:\PROGRA~1\AVG\AVG8\avgrsx.exe
H:\WINDOWS\system32\oodag.exe
H:\WINDOWS\system32\IoctlSvc.exe
H:\PROGRA~1\AVG\AVG8\avgemc.exe
H:\PROGRA~1\AVG\AVG8\avgnsx.exe
H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
H:\Program Files\AVG\AVG8\avgcsrvx.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {2A2462BA-8A0D-436E-8811-66E69AD36B7D} - H:\WINDOWS\system32\ljJASmjg.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - H:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [GEST] m|\
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] "H:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "H:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "H:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [MacDrive7.0.6TimeOutPatch] H:\Program Files\Mediafour\MacDrive 7\TimeOutPatch.EXE
O4 - HKLM\..\Run: [StartCCC] "H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "H:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] H:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MacDrive7.0.6TimeOutPatch] H:\Program Files\Mediafour\MacDrive 7\TimeOutPatch.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "H:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [MacDrive7.0.6TimeOutPatch] H:\Program Files\Mediafour\MacDrive 7\TimeOutPatch.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228597796734
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - H:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - H:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: ljJASmjg - ljJASmjg.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - H:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MacDriveService - Mediafour Corporation - H:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - H:\WINDOWS\system32\oodag.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - H:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: SureThing Labelflash service - MicroVision Development, Inc. - H:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6644 bytes
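
The HijackThis log above is read by hand in this thread. As an added example that is not part of the original thread and is not code from HijackThis, the Python script below parses the O2 (BHO), O4 (Run keys) and O20 (Winlogon Notify) lines and flags the kinds of entries a helper looks for first: an autostart entry whose file is missing (an orphaned leftover), a BHO registered with no display name, and a Run value that does not name an executable at all. The sample lines are a constructed subset copied from the log posted above; the flagging rules are my own heuristics, not HijackThis's, and a hit means "look closer", not "malicious".

```python
import re

# Constructed sample: a subset of the HijackThis O2/O4/O20 lines posted in this thread.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: (no name) - {2A2462BA-8A0D-436E-8811-66E69AD36B7D} - H:\\WINDOWS\\system32\\ljJASmjg.dll (file missing)",
    "O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll",
    "O4 - HKLM\\..\\Run: [GEST] m|\\",
    "O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE",
    "O4 - HKLM\\..\\Run: [WinampAgent] \"H:\\Program Files\\Winamp\\winampa.exe\"",
    "O4 - HKUS\\S-1-5-18\\..\\Run: [CTFMON.EXE] H:\\WINDOWS\\system32\\CTFMON.EXE (User 'SYSTEM')",
    "O20 - Winlogon Notify: avgrsstarter - H:\\WINDOWS\\SYSTEM32\\avgrsstx.dll",
    "O20 - Winlogon Notify: ljJASmjg - ljJASmjg.dll (file missing)",
])

FILE_MISSING = "(file missing)"
# Extensions that a legitimate Run value is expected to reference somewhere.
EXE_EXT = re.compile(r"\.(exe|dll|com|scr|bat|cmd|pif)\b", re.IGNORECASE)

# Line shapes as HijackThis prints them (regexes written here, not taken from the tool).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")


def triage_line(line):
    """Parse one log line.

    Returns (section, name, target, reasons) for an O2/O4/O20 entry, where
    reasons is a (possibly empty) list of heuristic hits, or None for any
    other line type (R0, O9, O23, process list, headers).
    """
    for section, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE)):
        m = rx.match(line.strip())
        if not m:
            continue
        name, target = m.group("name"), m.group("target")
        reasons = []
        if target.endswith(FILE_MISSING):
            # The registry still points at a DLL/EXE that is gone: orphaned autostart.
            reasons.append("autostart points at a file that no longer exists (orphaned entry)")
        if section == "O2" and name == "(no name)":
            # Legitimate BHOs almost always register a display name.
            reasons.append("BHO registered without a display name")
        if section == "O4" and not EXE_EXT.search(target):
            # A Run value that is not a path to anything executable is garbage or damaged.
            reasons.append("Run value does not name an executable")
        return section, name, target, reasons
    return None


def triage_log(text):
    """Scan a whole log and return only the entries that attracted at least one reason."""
    flagged = []
    for line in text.splitlines():
        parsed = triage_line(line)
        if parsed and parsed[3]:
            section, name, target, reasons = parsed
            flagged.append({"section": section, "name": name,
                            "target": target, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(f"{hit['section']:<4}[{hit['name']}] {hit['target']}")
        for reason in hit["reasons"]:
            print(f"      - {reason}")
```

Run against the sample, the script reports three entries: the nameless BHO and the Winlogon Notify entry that both point at the missing ljJASmjg.dll, and the `[GEST] m|\` Run value. Everything else in the sample (Spybot, Winamp, Realtek, AVG, ctfmon) passes, which matches what the thread's helper went on to address with the CFScript.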

#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 03 February 2009 - 04:18 AM

Hi,

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 tritonr1
  • Topic Starter

  • Members
  • 17 posts

Posted 03 February 2009 - 05:09 AM

ComboFix 09-02-02.04 - Owner 2009-02-03 10:06:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2845 [GMT 0:00]
Running from: h:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\documents and settings\Owner\Application Data\inst.exe
h:\windows\system32\Pncrt.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-02 18:40 . 2009-02-02 18:40 <DIR> d-------- h:\windows\system32\NtmsData
2009-02-02 18:32 . 2009-02-02 18:32 <DIR> d-------- h:\program files\Spybot - Search & Destroy
2009-02-02 18:32 . 2009-02-03 09:42 <DIR> d-------- h:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-01 08:30 . 2009-02-01 12:00 <DIR> d--h----- H:\$AVG8.VAULT$
2009-02-01 08:27 . 2009-02-03 09:43 <DIR> d-------- h:\windows\system32\drivers\Avg
2009-02-01 08:27 . 2009-02-01 08:27 <DIR> d-------- h:\program files\AVG
2009-02-01 08:27 . 2009-02-02 14:42 <DIR> d-------- h:\documents and settings\All Users\Application Data\avg8
2009-02-01 08:27 . 2009-02-02 14:42 325,128 --a------ h:\windows\system32\drivers\avgldx86.sys
2009-02-01 08:27 . 2009-02-02 14:41 107,272 --a------ h:\windows\system32\drivers\avgtdix.sys
2009-02-01 08:27 . 2009-02-02 14:41 12,552 --a------ h:\windows\system32\drivers\avgrkx86.sys
2009-02-01 08:27 . 2009-02-02 14:42 10,520 --a------ h:\windows\system32\avgrsstx.dll
2009-01-31 18:21 . 2009-01-31 18:21 <DIR> d-------- h:\documents and settings\Owner\Application Data\Nero
2009-01-31 18:20 . 2009-01-31 18:20 <DIR> d-------- h:\program files\Nero
2009-01-31 18:20 . 2009-01-31 18:20 <DIR> d-------- h:\program files\Common Files\Nero
2009-01-31 18:20 . 2009-01-31 18:20 <DIR> d-------- h:\documents and settings\All Users\Application Data\Nero
2009-01-31 08:10 . 2009-01-31 08:10 <DIR> d-------- h:\program files\MSXML 4.0
2009-01-31 00:15 . 2009-01-31 00:16 <DIR> d-------- h:\program files\SureThing CD Labeler 5
2009-01-31 00:15 . 2009-01-31 00:15 <DIR> d-------- h:\program files\Common Files\SureThing Shared
2009-01-31 00:15 . 2006-09-21 08:42 487,424 --a------ h:\windows\system32\msvcp70.dll
2009-01-31 00:15 . 2006-09-21 08:42 344,064 --a------ h:\windows\system32\msvcr70.dll
2009-01-30 15:39 . 2009-01-30 15:39 <DIR> d--hs---- h:\windows\ftpcache
2009-01-30 15:19 . 2009-01-31 23:22 69 --a------ h:\windows\NeroDigital.ini
2009-01-30 14:16 . 2009-02-01 07:50 <DIR> d-------- h:\documents and settings\All Users\Application Data\LightScribe
2009-01-30 14:14 . 2009-02-01 07:49 <DIR> d-------- h:\program files\Common Files\LightScribe
2009-01-30 14:13 . 2009-01-30 15:19 <DIR> d-------- h:\documents and settings\Owner\Application Data\Ahead
2009-01-30 14:13 . 2009-01-30 14:13 <DIR> d-------- h:\documents and settings\All Users\Application Data\Ahead
2009-01-30 09:41 . 2009-01-30 09:41 <DIR> d-------- h:\documents and settings\All Users\Application Data\ATI
2009-01-30 09:37 . 2009-01-30 09:37 <DIR> d-------- h:\program files\My Company Name
2009-01-30 09:31 . 2009-01-30 09:31 <DIR> d-------- h:\program files\Common Files\ATI Technologies
2009-01-24 13:50 . 2009-01-24 13:50 0 --ah----- h:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-24 13:50 . 2009-01-24 13:50 0 --ah----- h:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-01-23 22:15 . 2009-01-23 22:15 1,700,352 --a------ h:\windows\system32\gdiplus.dll
2009-01-23 22:15 . 2009-01-23 22:15 1,060,864 --a------ h:\windows\system32\mfc71.dll
2009-01-23 22:02 . 2009-01-23 22:02 <DIR> dr-h----- h:\documents and settings\Owner\Application Data\SecuROM
2009-01-23 21:48 . 2009-01-23 21:48 107,888 --a------ h:\windows\system32\CmdLineExt.dll
2009-01-23 21:47 . 2009-01-23 22:02 <DIR> d-------- h:\program files\Microsoft Games for Windows - LIVE
2009-01-23 20:37 . 2009-01-23 20:38 <DIR> d-------- h:\program files\Rockstar Games
2009-01-22 15:07 . 2009-01-22 15:07 <DIR> d-------- h:\program files\Bethesda Softworks
2009-01-22 15:07 . 2009-01-22 15:07 <DIR> d-------- h:\documents and settings\All Users\Application Data\Fallout3
2009-01-22 15:07 . 2008-05-30 14:19 507,400 --a------ h:\windows\system32\XAudio2_1.dll
2009-01-22 15:07 . 2008-05-30 14:18 238,088 --a------ h:\windows\system32\xactengine3_1.dll
2009-01-22 15:07 . 2008-05-30 14:17 65,032 --a------ h:\windows\system32\XAPOFX1_0.dll
2009-01-22 15:07 . 2008-05-30 14:17 25,608 --a------ h:\windows\system32\X3DAudio1_4.dll
2009-01-22 15:06 . 2009-01-22 15:06 <DIR> d-------- h:\program files\MSBuild
2009-01-22 15:05 . 2009-01-22 15:05 <DIR> d-------- h:\windows\system32\XPSViewer
2009-01-22 15:04 . 2009-01-22 15:04 <DIR> d-------- h:\program files\Reference Assemblies
2009-01-22 15:04 . 2006-06-29 13:07 14,048 --------- h:\windows\system32\spmsg2.dll
2009-01-22 15:03 . 2009-01-22 15:03 <DIR> d-------- h:\windows\system32\xlive
2009-01-22 15:03 . 2007-03-12 16:42 3,495,784 --a------ h:\windows\system32\d3dx9_33.dll
2009-01-22 15:03 . 2007-03-12 16:42 1,123,696 --a------ h:\windows\system32\D3DCompiler_33.dll
2009-01-22 15:03 . 2007-03-15 16:57 443,752 --a------ h:\windows\system32\d3dx10_33.dll
2009-01-22 15:03 . 2007-04-04 18:53 81,768 --a------ h:\windows\system32\xinput1_3.dll
2009-01-19 17:27 . 2009-01-19 17:27 <DIR> d-------- h:\program files\NOS
2009-01-19 17:27 . 2009-01-19 17:27 <DIR> d-------- h:\documents and settings\All Users\Application Data\NOS
2009-01-19 17:04 . 2009-01-19 17:04 <DIR> d-------- h:\windows\ConfigKFT
2009-01-19 17:04 . 2009-01-19 17:04 16 --a------ h:\windows\DigiNetc.INI
2009-01-18 21:02 . 2003-09-17 02:27 40,816 --a------ h:\windows\system32\drivers\SDDrv.sys
2009-01-18 19:58 . 2009-01-18 19:58 <DIR> d-------- h:\documents and settings\Owner\WINDOWS
2009-01-18 19:58 . 1997-03-24 17:42 314,368 --a------ h:\windows\IsUninst.exe
2009-01-17 10:30 . 2009-01-17 10:30 <DIR> d-------- h:\program files\Alcohol Soft
2009-01-17 10:27 . 2009-01-17 10:27 717,296 --a------ h:\windows\system32\drivers\sptd.sys
2009-01-17 10:21 . 2009-01-17 10:21 <DIR> d-------- h:\program files\DVD Decrypter
2009-01-13 10:08 . 2009-01-13 10:08 <DIR> d-------- h:\documents and settings\Owner\Application Data\FLV Extract
2009-01-06 19:08 . 2009-01-06 19:08 <DIR> d-------- h:\documents and settings\All Users\Application Data\vsosdk
2009-01-06 16:12 . 2009-01-06 16:12 <DIR> d-------- h:\program files\VSO
2009-01-06 16:12 . 2009-01-06 16:13 <DIR> d-------- h:\documents and settings\Owner\Application Data\Vso
2009-01-06 16:12 . 2006-05-11 19:21 626,688 --a------ h:\windows\system32\vp7vfw.dll
2009-01-06 16:12 . 2006-09-29 12:24 217,127 --a------ h:\windows\system32\drv43260.dll
2009-01-06 16:12 . 2006-09-29 12:25 208,935 --a------ h:\windows\system32\drv33260.dll
2009-01-06 16:12 . 2006-09-29 12:26 176,165 --a------ h:\windows\system32\drv23260.dll
2009-01-06 16:12 . 2002-12-10 02:20 102,439 --a------ h:\windows\system32\sipr3260.dll
2009-01-06 16:12 . 2007-03-18 20:37 65,602 --a------ h:\windows\system32\cook3260.dll
2009-01-06 16:12 . 2009-01-06 16:12 47,360 --a------ h:\windows\system32\drivers\pcouffin.sys
2009-01-06 16:12 . 2009-01-06 16:12 47,360 --a------ h:\documents and settings\Owner\Application Data\pcouffin.sys
2009-01-04 18:37 . 2009-01-04 18:37 <DIR> d-------- h:\program files\Visual MP3 Splitter & Joiner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 18:20 --------- d-----w h:\documents and settings\Owner\Application Data\uTorrent
2009-01-30 09:36 --------- d-----w h:\program files\ATI Technologies
2009-01-30 09:29 --------- d-----w h:\program files\Common Files\InstallShield
2009-01-23 20:38 --------- d--h--w h:\program files\InstallShield Installation Information
2009-01-13 09:13 --------- d-----w h:\documents and settings\Owner\Application Data\Winamp
2008-12-14 10:50 --------- d-----w h:\program files\Mediafour
2008-12-14 10:50 --------- d-----w h:\program files\Common Files\Mediafour
2008-12-14 10:50 --------- d-----w h:\documents and settings\All Users\Application Data\Mediafour
2008-12-13 12:13 --------- d-----w h:\program files\Smart Projects
2008-12-11 10:57 333,952 ----a-w h:\windows\system32\drivers\srv.sys
2008-12-08 18:18 --------- d-----w h:\program files\Combined Community Codec Pack
2008-12-08 18:16 --------- d-----w h:\program files\ffdshow
2008-12-08 18:16 --------- d-----w h:\documents and settings\Owner\Application Data\River Past G4
2008-12-08 18:16 --------- d-----w h:\documents and settings\All Users\Application Data\River Past G4
2008-12-08 18:12 163,426 ----a-w h:\windows\Video Cleaner Pro Uninstaller.exe
2008-12-08 18:12 --------- d-----w h:\program files\River Past
2008-12-08 18:12 --------- d-----w h:\program files\Common Files\River Past
2008-12-07 16:42 --------- d-----w h:\program files\PhotomatixPro3
2008-12-07 13:02 --------- d-----w h:\program files\OO Software
2008-12-07 11:23 --------- d-----w h:\program files\Windows Media Connect 2
2008-12-07 11:14 --------- d-----w h:\program files\Ace Utilities
2008-12-07 11:06 --------- d-----w h:\program files\Winamp
2008-12-07 10:07 --------- d-----w h:\documents and settings\Owner\Application Data\vlc
2008-12-07 10:03 --------- d-----w h:\program files\VideoLAN
2008-12-06 21:35 16,608 ----a-w h:\windows\gdrv.sys
2008-12-06 21:29 315,392 ----a-w h:\windows\HideWin.exe
2008-12-06 21:29 --------- d-----w h:\program files\Realtek
2008-12-06 21:03 --------- d-----w h:\program files\AMD
2008-12-06 21:03 --------- d-----w h:\documents and settings\Owner\Application Data\InstallShield
2008-12-06 21:02 --------- d-----w h:\documents and settings\Owner\Application Data\ATI
2008-12-06 20:47 --------- d-----w h:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="h:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MacDrive7.0.6TimeOutPatch"="h:\program files\Mediafour\MacDrive 7\TimeOutPatch.EXE" [2008-06-01 55399]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m|\" [X]
"WinampAgent"="h:\program files\Winamp\winampa.exe" [2008-03-27 36352]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="h:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-05-01 176128]
"MDGetStarted.exe"="h:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-03-27 139264]
"MacDrive7.0.6TimeOutPatch"="h:\program files\Mediafour\MacDrive 7\TimeOutPatch.EXE" [2008-06-01 55399]
"StartCCC"="h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"NeroFilterCheck"="h:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="h:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"AVG8_TRAY"="h:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-02 1601304]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-14 h:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MacDrive7.0.6TimeOutPatch"="h:\program files\Mediafour\MacDrive 7\TimeOutPatch.EXE" [2008-06-01 55399]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-02 14:42 10520 h:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Documents and Settings\\Owner\\My Documents\\utorrent.exe"=
"h:\\WINDOWS\\system32\\mmc.exe"=
"h:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"h:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"h:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;h:\windows\system32\drivers\avgrkx86.sys [2009-02-01 12552]
R0 MDFSYSNT;MacDrive file system driver;h:\windows\system32\drivers\MDFSYSNT.SYS [2007-05-14 274048]
R0 MDPMGRNT;MDPMGRNT;h:\windows\system32\drivers\MDPMGRNT.sys [2007-02-28 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [2009-02-01 325128]
R1 AvgTdiX;AVG8 Network Redirector;h:\windows\system32\drivers\avgtdix.sys [2009-02-01 107272]
R2 avg8emc;AVG8 E-mail Scanner;h:\progra~1\AVG\AVG8\avgemc.exe [2009-02-01 903960]
R2 avg8wd;AVG8 WatchDog;h:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-01 298264]
R2 MacDriveService;MacDriveService;h:\program files\Mediafour\MacDrive 7\MacDriveService.exe [2007-05-01 143360]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;h:\windows\system32\drivers\AtiHdmi.sys [2009-01-30 89600]
S3 cg300;cg300VidCap;h:\windows\system32\drivers\cg300vc.sys [2007-11-04 13468]
S3 cg300Au;cg300 Audio Capture;h:\windows\system32\drivers\cg300Au.sys [2007-11-04 17167]
S3 getPlus® Helper;getPlus® Helper;h:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-19 33752]
S3 SDDrv;SDDrv;h:\windows\system32\drivers\SDDrv.sys [2009-01-18 40816]
S3 SureThing Labelflash service;SureThing Labelflash service;h:\program files\Common Files\SureThing Shared\stllssvr.exe [2009-01-31 74384]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"h:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

BHO-{2A2462BA-8A0D-436E-8811-66E69AD36B7D} - h:\windows\system32\ljJASmjg.dll
ShellIconOverlayIdentifiers-MacDrive Volume Icons - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - h:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
ShellExecuteHooks-{2A2462BA-8A0D-436E-8811-66E69AD36B7D} - h:\windows\system32\ljJASmjg.dll
Notify-ljJASmjg - ljJASmjg.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - h:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\93v73ooa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: h:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 10:07:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1645522239-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{698C276B-51C1-57EA-687B-FCB8E1A16D08}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iajjfjkkfhpbfnkbgh"=hex:6b,61,68,63,64,6c,70,70,6f,70,67,61,6e,63,67,62,62,65,
6e,6a,6f,67,00,00
"haljlhpehaicemei"=hex:6b,61,68,63,64,6c,70,70,6f,70,67,61,6e,63,67,62,62,65,
6e,6a,6f,67,00,00

[HKEY_USERS\S-1-5-21-1645522239-1935655697-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:4d,0c,82,b6,3b,cf,b9,d0,19,d7,fe,ab,1f,7b,f5,3e,c0,c8,60,73,48,
d3,3a,d9,97,46,73,c0,6a,50,a2,f3,9f,57,f3,f7,63,be,a4,6d,6b,e6,49,0c,e8,c7,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG06.00.00.01WORKSTATION"="[long hex value omitted]"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
h:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-03 10:07:52
ComboFix-quarantined-files.txt 2009-02-03 10:07:50

Pre-Run: 164,168,343,552 bytes free
Post-Run: 164,235,472,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

237 --- E O F --- 2009-01-31 08:10:30

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 03 February 2009 - 05:23 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

Filelook::
h:\windows\system32\drivers\SDDrv.sys
Regnull::
[HKEY_USERS\S-1-5-21-1645522239-1935655697-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{698C276B-51C1-57EA-687B-FCB8E1A16D08}*]
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"=-


Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe, as you see in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#5 tritonr1
  • Topic Starter

  • Members
  • 17 posts

Posted 03 February 2009 - 05:28 AM

ComboFix 09-02-02.04 - Owner 2009-02-03 10:26:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2760 [GMT 0:00]
Running from: h:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: h:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-02 18:40 . 2009-02-02 18:40 <DIR> d-------- h:\windows\system32\NtmsData
2009-02-02 18:32 . 2009-02-02 18:32 <DIR> d-------- h:\program files\Spybot - Search & Destroy
2009-02-02 18:32 . 2009-02-03 09:42 <DIR> d-------- h:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-01 08:30 . 2009-02-01 12:00 <DIR> d--h----- H:\$AVG8.VAULT$
2009-02-01 08:27 . 2009-02-03 09:43 <DIR> d-------- h:\windows\system32\drivers\Avg
2009-02-01 08:27 . 2009-02-01 08:27 <DIR> d-------- h:\program files\AVG
2009-02-01 08:27 . 2009-02-02 14:42 <DIR> d-------- h:\documents and settings\All Users\Application Data\avg8
2009-02-01 08:27 . 2009-02-02 14:42 325,128 --a------ h:\windows\system32\drivers\avgldx86.sys
2009-02-01 08:27 . 2009-02-02 14:41 107,272 --a------ h:\windows\system32\drivers\avgtdix.sys
2009-02-01 08:27 . 2009-02-02 14:41 12,552 --a------ h:\windows\system32\drivers\avgrkx86.sys
2009-02-01 08:27 . 2009-02-02 14:42 10,520 --a------ h:\windows\system32\avgrsstx.dll
2009-01-31 18:21 . 2009-01-31 18:21 <DIR> d-------- h:\documents and settings\Owner\Application Data\Nero
2009-01-31 18:20 . 2009-01-31 18:20 <DIR> d-------- h:\program files\Nero
2009-01-31 18:20 . 2009-01-31 18:20 <DIR> d-------- h:\program files\Common Files\Nero
2009-01-31 18:20 . 2009-01-31 18:20 <DIR> d-------- h:\documents and settings\All Users\Application Data\Nero
2009-01-31 08:10 . 2009-01-31 08:10 <DIR> d-------- h:\program files\MSXML 4.0
2009-01-31 00:15 . 2009-01-31 00:16 <DIR> d-------- h:\program files\SureThing CD Labeler 5
2009-01-31 00:15 . 2009-01-31 00:15 <DIR> d-------- h:\program files\Common Files\SureThing Shared
2009-01-31 00:15 . 2006-09-21 08:42 487,424 --a------ h:\windows\system32\msvcp70.dll
2009-01-31 00:15 . 2006-09-21 08:42 344,064 --a------ h:\windows\system32\msvcr70.dll
2009-01-30 15:39 . 2009-01-30 15:39 <DIR> d--hs---- h:\windows\ftpcache
2009-01-30 15:19 . 2009-01-31 23:22 69 --a------ h:\windows\NeroDigital.ini
2009-01-30 14:16 . 2009-02-01 07:50 <DIR> d-------- h:\documents and settings\All Users\Application Data\LightScribe
2009-01-30 14:14 . 2009-02-01 07:49 <DIR> d-------- h:\program files\Common Files\LightScribe
2009-01-30 14:13 . 2009-01-30 15:19 <DIR> d-------- h:\documents and settings\Owner\Application Data\Ahead
2009-01-30 14:13 . 2009-01-30 14:13 <DIR> d-------- h:\documents and settings\All Users\Application Data\Ahead
2009-01-30 09:41 . 2009-01-30 09:41 <DIR> d-------- h:\documents and settings\All Users\Application Data\ATI
2009-01-30 09:37 . 2009-01-30 09:37 <DIR> d-------- h:\program files\My Company Name
2009-01-30 09:31 . 2009-01-30 09:31 <DIR> d-------- h:\program files\Common Files\ATI Technologies
2009-01-24 13:50 . 2009-01-24 13:50 0 --ah----- h:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-24 13:50 . 2009-01-24 13:50 0 --ah----- h:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-01-23 22:15 . 2009-01-23 22:15 1,700,352 --a------ h:\windows\system32\gdiplus.dll
2009-01-23 22:15 . 2009-01-23 22:15 1,060,864 --a------ h:\windows\system32\mfc71.dll
2009-01-23 22:02 . 2009-01-23 22:02 <DIR> dr-h----- h:\documents and settings\Owner\Application Data\SecuROM
2009-01-23 21:48 . 2009-01-23 21:48 107,888 --a------ h:\windows\system32\CmdLineExt.dll
2009-01-23 21:47 . 2009-01-23 22:02 <DIR> d-------- h:\program files\Microsoft Games for Windows - LIVE
2009-01-23 20:37 . 2009-01-23 20:38 <DIR> d-------- h:\program files\Rockstar Games
2009-01-22 15:07 . 2009-01-22 15:07 <DIR> d-------- h:\program files\Bethesda Softworks
2009-01-22 15:07 . 2009-01-22 15:07 <DIR> d-------- h:\documents and settings\All Users\Application Data\Fallout3
2009-01-22 15:07 . 2008-05-30 14:19 507,400 --a------ h:\windows\system32\XAudio2_1.dll
2009-01-22 15:07 . 2008-05-30 14:18 238,088 --a------ h:\windows\system32\xactengine3_1.dll
2009-01-22 15:07 . 2008-05-30 14:17 65,032 --a------ h:\windows\system32\XAPOFX1_0.dll
2009-01-22 15:07 . 2008-05-30 14:17 25,608 --a------ h:\windows\system32\X3DAudio1_4.dll
2009-01-22 15:06 . 2009-01-22 15:06 <DIR> d-------- h:\program files\MSBuild
2009-01-22 15:05 . 2009-01-22 15:05 <DIR> d-------- h:\windows\system32\XPSViewer
2009-01-22 15:04 . 2009-01-22 15:04 <DIR> d-------- h:\program files\Reference Assemblies
2009-01-22 15:04 . 2006-06-29 13:07 14,048 --------- h:\windows\system32\spmsg2.dll
2009-01-22 15:03 . 2009-01-22 15:03 <DIR> d-------- h:\windows\system32\xlive
2009-01-22 15:03 . 2007-03-12 16:42 3,495,784 --a------ h:\windows\system32\d3dx9_33.dll
2009-01-22 15:03 . 2007-03-12 16:42 1,123,696 --a------ h:\windows\system32\D3DCompiler_33.dll
2009-01-22 15:03 . 2007-03-15 16:57 443,752 --a------ h:\windows\system32\d3dx10_33.dll
2009-01-22 15:03 . 2007-04-04 18:53 81,768 --a------ h:\windows\system32\xinput1_3.dll
2009-01-19 17:27 . 2009-01-19 17:27 <DIR> d-------- h:\program files\NOS
2009-01-19 17:27 . 2009-01-19 17:27 <DIR> d-------- h:\documents and settings\All Users\Application Data\NOS
2009-01-19 17:04 . 2009-01-19 17:04 <DIR> d-------- h:\windows\ConfigKFT
2009-01-19 17:04 . 2009-01-19 17:04 16 --a------ h:\windows\DigiNetc.INI
2009-01-18 21:02 . 2003-09-17 02:27 40,816 --a------ h:\windows\system32\drivers\SDDrv.sys
2009-01-18 19:58 . 2009-01-18 19:58 <DIR> d-------- h:\documents and settings\Owner\WINDOWS
2009-01-18 19:58 . 1997-03-24 17:42 314,368 --a------ h:\windows\IsUninst.exe
2009-01-17 10:30 . 2009-01-17 10:30 <DIR> d-------- h:\program files\Alcohol Soft
2009-01-17 10:27 . 2009-01-17 10:27 717,296 --a------ h:\windows\system32\drivers\sptd.sys
2009-01-17 10:21 . 2009-01-17 10:21 <DIR> d-------- h:\program files\DVD Decrypter
2009-01-13 10:08 . 2009-01-13 10:08 <DIR> d-------- h:\documents and settings\Owner\Application Data\FLV Extract
2009-01-06 19:08 . 2009-01-06 19:08 <DIR> d-------- h:\documents and settings\All Users\Application Data\vsosdk
2009-01-06 16:12 . 2009-01-06 16:12 <DIR> d-------- h:\program files\VSO
2009-01-06 16:12 . 2009-01-06 16:13 <DIR> d-------- h:\documents and settings\Owner\Application Data\Vso
2009-01-06 16:12 . 2006-05-11 19:21 626,688 --a------ h:\windows\system32\vp7vfw.dll
2009-01-06 16:12 . 2006-09-29 12:24 217,127 --a------ h:\windows\system32\drv43260.dll
2009-01-06 16:12 . 2006-09-29 12:25 208,935 --a------ h:\windows\system32\drv33260.dll
2009-01-06 16:12 . 2006-09-29 12:26 176,165 --a------ h:\windows\system32\drv23260.dll
2009-01-06 16:12 . 2002-12-10 02:20 102,439 --a------ h:\windows\system32\sipr3260.dll
2009-01-06 16:12 . 2007-03-18 20:37 65,602 --a------ h:\windows\system32\cook3260.dll
2009-01-06 16:12 . 2009-01-06 16:12 47,360 --a------ h:\windows\system32\drivers\pcouffin.sys
2009-01-06 16:12 . 2009-01-06 16:12 47,360 --a------ h:\documents and settings\Owner\Application Data\pcouffin.sys
2009-01-04 18:37 . 2009-01-04 18:37 <DIR> d-------- h:\program files\Visual MP3 Splitter & Joiner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-02 18:20 --------- d-----w h:\documents and settings\Owner\Application Data\uTorrent
2009-01-30 09:36 --------- d-----w h:\program files\ATI Technologies
2009-01-30 09:29 --------- d-----w h:\program files\Common Files\InstallShield
2009-01-23 20:38 --------- d--h--w h:\program files\InstallShield Installation Information
2009-01-13 09:13 --------- d-----w h:\documents and settings\Owner\Application Data\Winamp
2008-12-14 10:50 --------- d-----w h:\program files\Mediafour
2008-12-14 10:50 --------- d-----w h:\program files\Common Files\Mediafour
2008-12-14 10:50 --------- d-----w h:\documents and settings\All Users\Application Data\Mediafour
2008-12-13 12:13 --------- d-----w h:\program files\Smart Projects
2008-12-11 10:57 333,952 ----a-w h:\windows\system32\drivers\srv.sys
2008-12-08 18:18 --------- d-----w h:\program files\Combined Community Codec Pack
2008-12-08 18:16 --------- d-----w h:\program files\ffdshow
2008-12-08 18:16 --------- d-----w h:\documents and settings\Owner\Application Data\River Past G4
2008-12-08 18:16 --------- d-----w h:\documents and settings\All Users\Application Data\River Past G4
2008-12-08 18:12 163,426 ----a-w h:\windows\Video Cleaner Pro Uninstaller.exe
2008-12-08 18:12 --------- d-----w h:\program files\River Past
2008-12-08 18:12 --------- d-----w h:\program files\Common Files\River Past
2008-12-07 16:42 --------- d-----w h:\program files\PhotomatixPro3
2008-12-07 13:02 --------- d-----w h:\program files\OO Software
2008-12-07 11:23 --------- d-----w h:\program files\Windows Media Connect 2
2008-12-07 11:14 --------- d-----w h:\program files\Ace Utilities
2008-12-07 11:06 --------- d-----w h:\program files\Winamp
2008-12-07 10:07 --------- d-----w h:\documents and settings\Owner\Application Data\vlc
2008-12-07 10:03 --------- d-----w h:\program files\VideoLAN
2008-12-06 21:35 16,608 ----a-w h:\windows\gdrv.sys
2008-12-06 21:29 315,392 ----a-w h:\windows\HideWin.exe
2008-12-06 21:29 --------- d-----w h:\program files\Realtek
2008-12-06 21:03 --------- d-----w h:\program files\AMD
2008-12-06 21:03 --------- d-----w h:\documents and settings\Owner\Application Data\InstallShield
2008-12-06 21:02 --------- d-----w h:\documents and settings\Owner\Application Data\ATI
2008-12-06 20:47 --------- d-----w h:\program files\microsoft frontpage
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- h:\windows\system32\drivers\SDDrv.sys ----
Company: Kodicom Co., Ltd.
File Description: Security Device Driver
File Version: 0, 9, 0020, 0000
Product Name: Kodicom Security Device Driver
Copyright: Copyright © 2002-2003 Kodicom Co., Ltd.
Original file name: SDDrv.sys
MD5: ca95b08609a42f9f9ccda52b42012435


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="h:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MacDrive7.0.6TimeOutPatch"="h:\program files\Mediafour\MacDrive 7\TimeOutPatch.EXE" [2008-06-01 55399]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="h:\program files\Winamp\winampa.exe" [2008-03-27 36352]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="h:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-05-01 176128]
"MDGetStarted.exe"="h:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-03-27 139264]
"MacDrive7.0.6TimeOutPatch"="h:\program files\Mediafour\MacDrive 7\TimeOutPatch.EXE" [2008-06-01 55399]
"StartCCC"="h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"NeroFilterCheck"="h:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="h:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"AVG8_TRAY"="h:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-02 1601304]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-14 h:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="h:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"MacDrive7.0.6TimeOutPatch"="h:\program files\Mediafour\MacDrive 7\TimeOutPatch.EXE" [2008-06-01 55399]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-02 14:42 10520 h:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Documents and Settings\\Owner\\My Documents\\utorrent.exe"=
"h:\\WINDOWS\\system32\\mmc.exe"=
"h:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"h:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"h:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=
"h:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"h:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;h:\windows\system32\drivers\avgrkx86.sys [2009-02-01 12552]
R0 MDFSYSNT;MacDrive file system driver;h:\windows\system32\drivers\MDFSYSNT.SYS [2007-05-14 274048]
R0 MDPMGRNT;MDPMGRNT;h:\windows\system32\drivers\MDPMGRNT.sys [2007-02-28 19072]
R1 AvgLdx86;AVG AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [2009-02-01 325128]
R1 AvgTdiX;AVG8 Network Redirector;h:\windows\system32\drivers\avgtdix.sys [2009-02-01 107272]
R2 avg8emc;AVG8 E-mail Scanner;h:\progra~1\AVG\AVG8\avgemc.exe [2009-02-01 903960]
R2 avg8wd;AVG8 WatchDog;h:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-01 298264]
R2 MacDriveService;MacDriveService;h:\program files\Mediafour\MacDrive 7\MacDriveService.exe [2007-05-01 143360]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;h:\windows\system32\drivers\AtiHdmi.sys [2009-01-30 89600]
S3 cg300;cg300VidCap;h:\windows\system32\drivers\cg300vc.sys [2007-11-04 13468]
S3 cg300Au;cg300 Audio Capture;h:\windows\system32\drivers\cg300Au.sys [2007-11-04 17167]
S3 getPlus® Helper;getPlus® Helper;h:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-19 33752]
S3 SDDrv;SDDrv;h:\windows\system32\drivers\SDDrv.sys [2009-01-18 40816]
S3 SureThing Labelflash service;SureThing Labelflash service;h:\program files\Common Files\SureThing Shared\stllssvr.exe [2009-01-31 74384]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"h:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - h:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\93v73ooa.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: h:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 10:27:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1645522239-1935655697-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:4d,0c,82,b6,3b,cf,b9,d0,19,d7,fe,ab,1f,7b,f5,3e,c0,c8,60,73,48,
d3,3a,d9,97,46,73,c0,6a,50,a2,f3,9f,57,f3,f7,63,be,a4,6d,6b,e6,49,0c,e8,c7,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG06.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
h:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-03 10:27:46
ComboFix-quarantined-files.txt 2009-02-03 10:27:44
ComboFix2.txt 2009-02-03 10:07:53

Pre-Run: 164,239,732,736 bytes free
Post-Run: 164,225,363,968 bytes free

223 --- E O F --- 2009-01-31 08:10:30

#6 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 03 February 2009 - 05:35 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then,
Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 tritonr1 (Topic Starter, Members, 17 posts)

Posted 03 February 2009 - 05:39 AM

thanks a million :)

#8 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 03 February 2009 - 06:14 AM

You're most welcome

#9 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 05 February 2009 - 07:01 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.