
Help me, my laptop is heavily infected (svchost.exe error)


  • This topic is locked
7 replies to this topic

#1 katsuky


Posted 12 March 2009 - 09:01 PM

Hi, my laptop is infected (I don't know what type of virus though) after I went and visited one website. After I reboot my computer I get this message every time I open something up: "svchost.exe application error". It is really annoying. Also, I can hardly open any programs or software, including many antivirus/malware programs. Now it also disconnects from the internet, so I cannot download anything. Please help me ASAP. Here is my log.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Duc at 15:51:27.28 on Tue 03/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.261 [GMT -7:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated)
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*
FW: Kaspersky Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\Duc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\duc\startm~1\programs\startup\hamachi.lnk - c:\program files\hamachi\hamachi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235690742687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.25,85.255.112.165
TCP: {09F193A5-5CF2-4E63-9B96-9C3AD2D48CDB} = 85.255.112.25,85.255.112.165
TCP: {2A835522-A670-48B5-A46A-EF86E49A0B2C} = 85.255.112.25,85.255.112.165
TCP: {ED6BE832-2713-45A4-BF77-B408693FD200} = 85.255.112.25,85.255.112.165
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\duc\applic~1\mozilla\firefox\profiles\5osn7xp8.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
FF - HiddenExtension: XUL Cache: {5E1EA027-60D2-48BD-9786-037EF85896BE} - c:\documents and settings\duc\local settings\application data\{5E1EA027-60D2-48BD-9786-037EF85896BE}

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-2-4 226832]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccevtmgr.exe" --> c:\program files\common files\symantec shared\ccEvtMgr.exe [?]
S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsetmgr.exe" --> c:\program files\common files\symantec shared\ccSetMgr.exe [?]
S3 GarenaPEngine;GarenaPEngine;c:\docume~1\duc\locals~1\temp\XHI15.tmp [2009-3-9 18704]
S3 XDva226;XDva226;\??\c:\windows\system32\xdva226.sys --> c:\windows\system32\XDva226.sys [?]
S3 XDva238;XDva238;\??\c:\windows\system32\xdva238.sys --> c:\windows\system32\XDva238.sys [?]
S3 XDva248;XDva248;\??\c:\windows\system32\xdva248.sys --> c:\windows\system32\XDva248.sys [?]

=============== Created Last 30 ================

2009-03-09 21:08 <DIR> --d----- c:\program files\DecodingHQ
2009-03-09 21:07 299 -c-shr-- C:\autorun.inf
2009-03-05 19:10 <DIR> -cd----- C:\Uforia
2009-03-03 22:42 <DIR> -cd----- C:\Pink Panther 2.[2009]. DvDrip. XviD. -aXXo
2009-02-28 11:20 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-02-27 20:01 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-27 20:00 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-27 20:00 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-27 20:00 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-27 20:00 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-27 20:00 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-27 20:00 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-27 20:00 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-27 20:00 <DIR> -cd----- C:\262c71590f269e9d5472d31edaaa79
2009-02-27 18:34 <DIR> -cd----- C:\FTV - Alexa 2
2009-02-27 15:41 268,648 a------- c:\windows\system32\mucltui.dll
2009-02-27 15:41 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-02-26 16:47 <DIR> --d----- c:\program files\Microsoft
2009-02-26 16:45 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-02-26 16:30 <DIR> --d----- c:\program files\common files\Windows Live
2009-02-26 16:27 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-26 16:03 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-02-26 16:01 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller
2009-02-25 17:19 <DIR> --d----- c:\docume~1\duc\applic~1\SPORE
2009-02-24 21:19 230,752 a------- c:\windows\patchw32.dll
2009-02-24 21:19 118,176 a------- c:\windows\patchw.dll
2009-02-24 21:14 <DIR> --d----- c:\program files\Outspark
2009-02-24 20:42 <DIR> --d----- c:\program files\DNA
2009-02-24 20:42 <DIR> --d----- c:\docume~1\duc\applic~1\DNA
2009-02-22 22:11 <DIR> -cd----- C:\HKGH
2009-02-21 13:24 <DIR> --d----- c:\program files\Firaxis Games
2009-02-21 13:16 <DIR> -cd----- C:\Pirate
2009-02-19 16:59 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-02-18 22:18 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-02-18 22:18 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-02-18 21:50 <DIR> --d----- c:\windows\system32\scripting
2009-02-18 21:50 <DIR> --d----- c:\windows\system32\en
2009-02-18 21:50 <DIR> --d----- c:\windows\system32\bits
2009-02-18 20:12 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-02-18 17:27 <DIR> --d-h--- c:\windows\PIF
2009-02-18 16:25 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-02-17 16:18 94,820 ac------ C:\ComboFix.zip
2009-02-16 23:03 <DIR> -cd----- C:\Nhac mp3
2009-02-14 21:33 <DIR> acdshr-- C:\cmdcons

==================== Find3M ====================

2009-03-09 21:23 5,469,216 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-09 21:23 852,000 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-03-09 21:23 43,808 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-09 21:23 3,992 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-02-18 21:53 86,939 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-16 16:25 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-02-16 16:25 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-02-16 16:25 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-02-06 20:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-04 16:52 263 ac-shr-- C:\autorun.inf.vir
2009-02-03 16:35 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-01-24 13:34 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-24 13:34 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-24 13:34 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-24 13:34 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-23 22:32 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 02:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 02:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 22:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 22:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 03:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 15:51:41.64 ===============


#2 Thunder


Posted 14 March 2009 - 04:12 PM

Hello Katsuky and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder

#3 katsuky


Posted 14 March 2009 - 08:57 PM

Hello Thunder, I did all the steps. Things looked much better. The svchost.exe error did not pop up anymore, and I can now connect to the internet. Here are my logs.

GooredFix v1.92 by jpshortstuff
Log created at 18:35 on 14/03/2009 running Option #2 (Duc)
Firefox version 3.0.6 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{5E1EA027-60D2-48BD-9786-037EF85896BE}"="C:\Documents and Settings\Duc\Local Settings\Application Data\{5E1EA027-60D2-48BD-9786-037EF85896BE}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Duc\Local Settings\Application Data\{5E1EA027-60D2-48BD-9786-037EF85896BE}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"


ComboFix 09-03-13.02 - Duc 2009-03-14 18:42:23.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.284 [GMT -7:00]
Running from: c:\documents and settings\Duc\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)
AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *disabled*
FW: Norton Internet Security 2006 *enabled*
FW: Norton Internet Worm Protection *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\recycler\S-4-9-57-100000219-100016759-100023106-5533.com
c:\windows\system32\drivers\gaopdxyxdqcmoynmosxsneeddnjpqwyovickbg.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxrgeatvyrxxejtrbdkgeualdwodxcolox.dll
D:\Autorun.inf
d:\recycler\S-4-9-57-100000219-100016759-100023106-5533.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-13 20:03 . 2009-03-13 20:03 <DIR> d-------- c:\documents and settings\Thao\Application Data\Yahoo!
2009-03-09 21:08 . 2009-03-10 15:25 <DIR> d-------- c:\program files\DecodingHQ
2009-03-05 19:10 . 2009-03-05 19:10 <DIR> d----c--- C:\Uforia
2009-03-03 22:42 . 2009-03-09 21:09 <DIR> d----c--- C:\Pink Panther 2.[2009]. DvDrip. XviD. -aXXo
2009-02-28 11:20 . 2009-01-09 12:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
2009-02-27 20:01 . 2009-02-27 20:01 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-27 20:01 . 2009-02-27 20:01 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-27 20:01 . 2009-02-27 20:01 <DIR> d-------- c:\program files\MSBuild
2009-02-27 20:00 . 2009-02-27 20:01 <DIR> d----c--- C:\262c71590f269e9d5472d31edaaa79
2009-02-27 20:00 . 2008-07-06 05:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-02-27 20:00 . 2008-07-06 05:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-27 20:00 . 2008-07-06 03:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-27 20:00 . 2008-07-06 05:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-02-27 20:00 . 2008-07-06 05:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-27 20:00 . 2008-07-06 05:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-02-27 20:00 . 2008-07-06 05:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-27 18:34 . 2009-03-01 16:10 <DIR> d----c--- C:\FTV - Alexa 2
2009-02-27 15:41 . 2008-10-16 15:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-27 15:41 . 2008-10-16 15:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-02-26 16:47 . 2009-02-26 16:47 <DIR> d-------- c:\program files\Microsoft
2009-02-26 16:45 . 2009-02-26 16:45 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-26 16:30 . 2009-02-26 16:30 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-26 16:27 . 2009-02-26 16:27 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-26 16:03 . 2009-02-26 16:03 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-02-26 16:01 . 2009-02-26 17:13 <DIR> d-------- c:\program files\Windows Live
2009-02-26 16:01 . 2009-02-26 16:03 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2009-02-26 16:01 . 2009-02-26 16:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2009-02-25 17:19 . 2009-02-25 17:20 <DIR> d-------- c:\documents and settings\Duc\Application Data\SPORE
2009-02-25 16:33 . 2009-02-25 16:33 <DIR> d-------- c:\program files\Electronic Arts
2009-02-24 21:19 . 2008-09-27 00:00 230,752 --a------ c:\windows\patchw32.dll
2009-02-24 21:19 . 2008-09-27 00:00 118,176 --a------ c:\windows\patchw.dll
2009-02-24 21:14 . 2009-03-13 20:08 <DIR> d-------- c:\program files\Outspark
2009-02-24 20:42 . 2009-03-14 18:49 <DIR> d-------- c:\program files\DNA
2009-02-24 20:42 . 2009-03-14 18:49 <DIR> d-------- c:\documents and settings\Duc\Application Data\DNA
2009-02-22 22:11 . 2009-02-23 22:31 <DIR> d----c--- C:\HKGH
2009-02-21 13:24 . 2009-02-21 13:24 <DIR> d-------- c:\program files\Firaxis Games
2009-02-21 13:16 . 2009-02-21 13:22 <DIR> d----c--- C:\Pirate
2009-02-19 16:59 . 2009-02-19 16:59 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-02-19 11:05 . 2009-02-19 11:05 <DIR> d-------- c:\documents and settings\An\Application Data\AdobeUM
2009-02-18 22:18 . 2008-06-13 04:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-02-18 22:18 . 2008-05-08 07:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2009-02-18 21:50 . 2009-02-18 21:50 <DIR> d-------- c:\windows\system32\scripting
2009-02-18 21:50 . 2009-02-18 21:50 <DIR> d-------- c:\windows\system32\en
2009-02-18 21:50 . 2009-02-18 21:50 <DIR> d-------- c:\windows\system32\bits
2009-02-18 20:14 . 2009-02-18 20:14 <DIR> d-------- c:\documents and settings\Duc\Application Data\Sonic
2009-02-18 20:14 . 2009-02-18 20:14 <DIR> d-------- c:\documents and settings\Duc\Application Data\Leadertech
2009-02-18 20:12 . 2009-02-19 16:57 <DIR> d-------- c:\program files\DAEMON Tools Toolbar
2009-02-18 17:27 . 2009-02-18 17:27 <DIR> d--h----- c:\windows\PIF
2009-02-17 16:18 . 2009-02-17 16:18 94,820 --a--c--- C:\ComboFix.zip
2009-02-16 23:03 . 2009-02-16 23:03 <DIR> d----c--- C:\Nhac mp3
2009-02-16 01:02 . 2009-02-16 01:02 <DIR> d-------- c:\documents and settings\An\Application Data\Netscape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 01:46 852,000 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-15 01:46 5,469,216 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-15 01:46 43,808 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-15 01:46 3,992 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-15 01:17 --------- d-----w c:\program files\HPQ
2009-03-14 03:08 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-14 03:00 --------- d-----w c:\program files\HP
2009-03-14 03:00 --------- d-----w c:\program files\Hamachi
2009-03-12 04:57 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 22:53 --------- d-----w c:\documents and settings\Duc\Application Data\Hamachi
2009-03-10 03:53 --------- d-----w c:\program files\Warcraft III 1.22
2009-03-09 22:28 --------- d-----w c:\program files\Garena
2009-03-09 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-08 08:12 --------- d-----w c:\documents and settings\Duc\Application Data\uTorrent
2009-02-19 23:59 --------- d-----w c:\documents and settings\Duc\Application Data\DAEMON Tools
2009-02-19 00:24 --------- d-----w c:\program files\Webtools
2009-02-16 23:39 --------- d-----w c:\program files\Norton Security Scan
2009-02-16 23:25 89,601 ----a-w c:\windows\system32\drivers\klick.dat
2009-02-16 23:25 101,287 ----a-w c:\windows\system32\drivers\klin.dat
2009-02-11 17:51 --------- d-----w c:\documents and settings\An\Application Data\Yahoo!
2009-02-09 07:36 --------- d-----w c:\documents and settings\Phuc\Application Data\Simply Super Software
2009-02-09 07:11 --------- d-----w c:\documents and settings\Phuc\Application Data\Yahoo!
2009-02-08 22:53 --------- d-----w c:\documents and settings\Duc\Application Data\Chessmaster Challenge
2009-02-07 03:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 00:47 --------- d-----w c:\program files\Trend Micro
2009-02-05 04:07 --------- d-----w c:\program files\Kaspersky Lab
2009-02-05 03:57 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-05 03:56 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-05 03:28 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-02-04 23:52 263 -csha-r C:\autorun.inf.vir
2009-02-03 23:43 --------- d-----w c:\documents and settings\Duc\Application Data\DAEMON Tools Pro
2009-02-03 23:43 --------- d-----w c:\documents and settings\Duc\Application Data\DAEMON Tools Lite
2009-02-03 23:42 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-02-03 23:35 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-01 23:21 --------- d-----w c:\documents and settings\An\Application Data\vlc
2009-02-01 23:20 --------- d-----w c:\documents and settings\An\Application Data\Apple Computer
2009-01-31 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-31 03:23 --------- d-----w c:\documents and settings\Duc\Application Data\Yahoo!
2009-01-31 03:21 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-26 04:26 --------- d-----w c:\documents and settings\Duc\Application Data\AdobeUM
2009-01-24 21:06 --------- d-----w c:\documents and settings\Duc\Application Data\Apple Computer
2009-01-24 20:57 --------- d-----w c:\program files\QuickTime
2009-01-24 20:34 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-24 20:34 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-24 20:34 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-24 20:34 --------- d-----w c:\program files\Symantec
2009-01-24 08:33 --------- d-----w c:\program files\MSXML 4.0
2009-01-24 05:32 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-01-24 05:01 --------- d-----w c:\documents and settings\Duc\Application Data\Netscape
2009-01-23 22:16 --------- d-----w c:\documents and settings\Duc\Application Data\vlc
2009-01-23 18:07 --------- d-----w c:\program files\Quickensetup
2009-01-23 18:06 --------- d-----w c:\program files\Quicken
2009-01-23 18:04 --------- d-----w c:\program files\music_now
2009-01-23 18:04 --------- d-----w c:\program files\MSN Encarta Plus
2009-01-23 18:04 --------- d-----w c:\program files\Microsoft Works
2009-01-23 18:03 --------- d-----w c:\program files\Microsoft Office Trial Wizard
2009-01-23 18:02 --------- d-----w c:\program files\HP Rhapsody
2009-01-23 18:01 --------- d-----w c:\program files\Google
2009-01-23 18:00 --------- d-----w c:\program files\Common Files\SureThing Shared
2009-01-23 18:00 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-01-23 18:00 --------- d-----w c:\program files\Common Files\Palo Alto Software
2009-01-23 17:59 --------- d-----w c:\program files\Common Files\LightScribe
2009-01-23 17:56 --------- d-----w c:\documents and settings\Thao\Application Data\Intuit
2009-01-23 17:56 --------- d-----w c:\documents and settings\Phuc\Application Data\Intuit
2009-01-23 17:56 --------- d-----w c:\documents and settings\Duc\Application Data\Intuit
2009-01-23 17:56 --------- d-----w c:\documents and settings\An\Application Data\Intuit
2009-01-23 17:56 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-01-23 17:49 --------- d-----w c:\documents and settings\An Vu\Application Data\uTorrent
2009-01-23 17:48 --------- d-----w c:\documents and settings\An Vu\Application Data\Hamachi
2009-01-23 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-22 05:28 --------- d-----w c:\documents and settings\An Vu\Application Data\Chessmaster Challenge
2009-01-21 03:05 --------- d-----w c:\program files\Warcraft III
2009-01-16 21:26 --------- d-----w c:\program files\Common Files\Apple
2009-01-16 21:23 --------- d-----w c:\program files\Apple Software Update
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-28 4363504]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-17 490952]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-24 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-16 206088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-08-22 231424]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Duc\LOCALS~1\Temp\XHI15.tmp --> c:\docume~1\Duc\LOCALS~1\Temp\XHI15.tmp [?]
S3 XDva226;XDva226;\??\c:\windows\system32\XDva226.sys --> c:\windows\system32\XDva226.sys [?]
S3 XDva238;XDva238;\??\c:\windows\system32\XDva238.sys --> c:\windows\system32\XDva238.sys [?]
S3 XDva248;XDva248;\??\c:\windows\system32\XDva248.sys --> c:\windows\system32\XDva248.sys [?]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{32099AAC-C132-4136-9E9A-4E364A424E17} - (no file)
MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Duc\Application Data\Mozilla\Firefox\Profiles\5osn7xp8.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-14 18:49:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????P??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Duc\LOCALS~1\Temp\XHI15.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1408)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-03-14 18:52:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-15 01:52:29

Pre-Run: 39,445,069,824 bytes free
Post-Run: 40,015,495,168 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
258

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:02:49 AM

Posted 15 March 2009 - 07:20 AM

Hello Katsuky,

Definitely looking better. :thumbup2:

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty notepad window:

File::
C:\autorun.inf.vir
Driver::
XDva226
XDva238
XDva248

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
I see you have an outdated Kaspersky Internet Security pack on your system, alongside Norton Internet Security 2006?
Please remove one of them through Control Panel > Software.
Never run more than one (up-to-date) antivirus program on your system to avoid interference.

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#5 katsuky

katsuky
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:49 PM

Posted 15 March 2009 - 12:17 PM

This is my ComboFix log:

ComboFix 09-03-13.02 - Duc 2009-03-15 10:04:26.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.218 [GMT -7:00]
Running from: c:\documents and settings\Duc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Duc\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *disabled*
FW: Norton Internet Security 2006 *enabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
C:\autorun.inf.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf.vir

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA226
-------\Legacy_XDVA238
-------\Legacy_XDVA248
-------\Service_XDva226
-------\Service_XDva238
-------\Service_XDva248


((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))
.

2009-03-13 20:03 . 2009-03-13 20:03 <DIR> d-------- c:\documents and settings\Thao\Application Data\Yahoo!
2009-03-09 21:08 . 2009-03-10 15:25 <DIR> d-------- c:\program files\DecodingHQ
2009-03-05 19:10 . 2009-03-05 19:10 <DIR> d----c--- C:\Uforia
2009-03-03 22:42 . 2009-03-09 21:09 <DIR> d----c--- C:\Pink Panther 2.[2009]. DvDrip. XviD. -aXXo
2009-02-28 11:20 . 2009-01-09 12:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
2009-02-27 20:01 . 2009-02-27 20:01 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-27 20:01 . 2009-02-27 20:01 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-27 20:01 . 2009-02-27 20:01 <DIR> d-------- c:\program files\MSBuild
2009-02-27 20:00 . 2009-02-27 20:01 <DIR> d----c--- C:\262c71590f269e9d5472d31edaaa79
2009-02-27 20:00 . 2008-07-06 05:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-02-27 20:00 . 2008-07-06 05:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-27 20:00 . 2008-07-06 03:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-27 20:00 . 2008-07-06 05:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-02-27 20:00 . 2008-07-06 05:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-27 20:00 . 2008-07-06 05:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-02-27 20:00 . 2008-07-06 05:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-27 18:34 . 2009-03-01 16:10 <DIR> d----c--- C:\FTV - Alexa 2
2009-02-27 15:41 . 2008-10-16 15:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-27 15:41 . 2008-10-16 15:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-02-26 16:47 . 2009-02-26 16:47 <DIR> d-------- c:\program files\Microsoft
2009-02-26 16:45 . 2009-02-26 16:45 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-26 16:30 . 2009-02-26 16:30 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-26 16:27 . 2009-02-26 16:27 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-26 16:03 . 2009-02-26 16:03 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2009-02-26 16:01 . 2009-02-26 17:13 <DIR> d-------- c:\program files\Windows Live
2009-02-26 16:01 . 2009-02-26 16:03 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2009-02-26 16:01 . 2009-02-26 16:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2009-02-25 17:19 . 2009-02-25 17:20 <DIR> d-------- c:\documents and settings\Duc\Application Data\SPORE
2009-02-25 16:33 . 2009-02-25 16:33 <DIR> d-------- c:\program files\Electronic Arts
2009-02-24 21:19 . 2008-09-27 00:00 230,752 --a------ c:\windows\patchw32.dll
2009-02-24 21:19 . 2008-09-27 00:00 118,176 --a------ c:\windows\patchw.dll
2009-02-24 21:14 . 2009-03-13 20:08 <DIR> d-------- c:\program files\Outspark
2009-02-24 20:42 . 2009-03-15 10:10 <DIR> d-------- c:\program files\DNA
2009-02-24 20:42 . 2009-03-15 10:10 <DIR> d-------- c:\documents and settings\Duc\Application Data\DNA
2009-02-22 22:11 . 2009-02-23 22:31 <DIR> d----c--- C:\HKGH
2009-02-21 13:24 . 2009-02-21 13:24 <DIR> d-------- c:\program files\Firaxis Games
2009-02-21 13:16 . 2009-02-21 13:22 <DIR> d----c--- C:\Pirate
2009-02-19 16:59 . 2009-02-19 16:59 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-02-19 11:05 . 2009-02-19 11:05 <DIR> d-------- c:\documents and settings\An\Application Data\AdobeUM
2009-02-18 22:18 . 2008-06-13 04:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-02-18 22:18 . 2008-05-08 07:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2009-02-18 21:50 . 2009-02-18 21:50 <DIR> d-------- c:\windows\system32\scripting
2009-02-18 21:50 . 2009-02-18 21:50 <DIR> d-------- c:\windows\system32\en
2009-02-18 21:50 . 2009-02-18 21:50 <DIR> d-------- c:\windows\system32\bits
2009-02-18 20:14 . 2009-02-18 20:14 <DIR> d-------- c:\documents and settings\Duc\Application Data\Sonic
2009-02-18 20:14 . 2009-02-18 20:14 <DIR> d-------- c:\documents and settings\Duc\Application Data\Leadertech
2009-02-18 20:12 . 2009-02-19 16:57 <DIR> d-------- c:\program files\DAEMON Tools Toolbar
2009-02-18 17:27 . 2009-02-18 17:27 <DIR> d--h----- c:\windows\PIF
2009-02-17 16:18 . 2009-02-17 16:18 94,820 --a--c--- C:\ComboFix.zip
2009-02-16 23:03 . 2009-02-16 23:03 <DIR> d----c--- C:\Nhac mp3
2009-02-16 01:02 . 2009-02-16 01:02 <DIR> d-------- c:\documents and settings\An\Application Data\Netscape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 17:08 852,000 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-15 17:08 5,469,216 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-15 17:08 43,808 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-15 17:08 3,992 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-15 05:08 --------- d-----w c:\program files\Warcraft III 1.22
2009-03-15 03:10 --------- d-----w c:\program files\Garena
2009-03-15 01:17 --------- d-----w c:\program files\HPQ
2009-03-14 03:08 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-14 03:00 --------- d-----w c:\program files\HP
2009-03-14 03:00 --------- d-----w c:\program files\Hamachi
2009-03-12 04:57 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-10 22:53 --------- d-----w c:\documents and settings\Duc\Application Data\Hamachi
2009-03-09 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-08 08:12 --------- d-----w c:\documents and settings\Duc\Application Data\uTorrent
2009-02-19 23:59 --------- d-----w c:\documents and settings\Duc\Application Data\DAEMON Tools
2009-02-19 00:24 --------- d-----w c:\program files\Webtools
2009-02-16 23:39 --------- d-----w c:\program files\Norton Security Scan
2009-02-16 23:25 89,601 ----a-w c:\windows\system32\drivers\klick.dat
2009-02-16 23:25 101,287 ----a-w c:\windows\system32\drivers\klin.dat
2009-02-11 17:51 --------- d-----w c:\documents and settings\An\Application Data\Yahoo!
2009-02-09 07:36 --------- d-----w c:\documents and settings\Phuc\Application Data\Simply Super Software
2009-02-09 07:11 --------- d-----w c:\documents and settings\Phuc\Application Data\Yahoo!
2009-02-08 22:53 --------- d-----w c:\documents and settings\Duc\Application Data\Chessmaster Challenge
2009-02-07 03:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 00:47 --------- d-----w c:\program files\Trend Micro
2009-02-05 04:07 --------- d-----w c:\program files\Kaspersky Lab
2009-02-05 03:57 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-05 03:56 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-05 03:28 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-02-03 23:43 --------- d-----w c:\documents and settings\Duc\Application Data\DAEMON Tools Pro
2009-02-03 23:43 --------- d-----w c:\documents and settings\Duc\Application Data\DAEMON Tools Lite
2009-02-03 23:42 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-02-03 23:35 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-01 23:21 --------- d-----w c:\documents and settings\An\Application Data\vlc
2009-02-01 23:20 --------- d-----w c:\documents and settings\An\Application Data\Apple Computer
2009-01-31 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-31 03:23 --------- d-----w c:\documents and settings\Duc\Application Data\Yahoo!
2009-01-31 03:21 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-26 04:26 --------- d-----w c:\documents and settings\Duc\Application Data\AdobeUM
2009-01-24 21:06 --------- d-----w c:\documents and settings\Duc\Application Data\Apple Computer
2009-01-24 20:57 --------- d-----w c:\program files\QuickTime
2009-01-24 20:34 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-24 20:34 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-24 20:34 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-24 20:34 --------- d-----w c:\program files\Symantec
2009-01-24 08:33 --------- d-----w c:\program files\MSXML 4.0
2009-01-24 05:32 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-01-24 05:01 --------- d-----w c:\documents and settings\Duc\Application Data\Netscape
2009-01-23 22:16 --------- d-----w c:\documents and settings\Duc\Application Data\vlc
2009-01-23 18:07 --------- d-----w c:\program files\Quickensetup
2009-01-23 18:06 --------- d-----w c:\program files\Quicken
2009-01-23 18:04 --------- d-----w c:\program files\music_now
2009-01-23 18:04 --------- d-----w c:\program files\MSN Encarta Plus
2009-01-23 18:04 --------- d-----w c:\program files\Microsoft Works
2009-01-23 18:03 --------- d-----w c:\program files\Microsoft Office Trial Wizard
2009-01-23 18:02 --------- d-----w c:\program files\HP Rhapsody
2009-01-23 18:01 --------- d-----w c:\program files\Google
2009-01-23 18:00 --------- d-----w c:\program files\Common Files\SureThing Shared
2009-01-23 18:00 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-01-23 18:00 --------- d-----w c:\program files\Common Files\Palo Alto Software
2009-01-23 17:59 --------- d-----w c:\program files\Common Files\LightScribe
2009-01-23 17:56 --------- d-----w c:\documents and settings\Thao\Application Data\Intuit
2009-01-23 17:56 --------- d-----w c:\documents and settings\Phuc\Application Data\Intuit
2009-01-23 17:56 --------- d-----w c:\documents and settings\Duc\Application Data\Intuit
2009-01-23 17:56 --------- d-----w c:\documents and settings\An\Application Data\Intuit
2009-01-23 17:56 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-01-23 17:49 --------- d-----w c:\documents and settings\An Vu\Application Data\uTorrent
2009-01-23 17:48 --------- d-----w c:\documents and settings\An Vu\Application Data\Hamachi
2009-01-23 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-22 05:28 --------- d-----w c:\documents and settings\An Vu\Application Data\Chessmaster Challenge
2009-01-21 03:05 --------- d-----w c:\program files\Warcraft III
2009-01-16 21:26 --------- d-----w c:\program files\Common Files\Apple
2009-01-16 21:23 --------- d-----w c:\program files\Apple Software Update
.

((((((((((((((((((((((((((((( SnapShot@2009-03-14_18.51.52.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-15 01:46:25 71,864 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-15 17:05:16 71,864 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-15 01:46:25 442,260 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-15 17:05:16 442,260 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-15 17:10:10 16,384 ----atw c:\windows\temp\Perflib_Perfdata_988.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-28 4363504]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-17 490952]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-24 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-08-22 231424]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 10:10:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????P??|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1404)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-03-15 10:13:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-15 17:13:01
ComboFix2.txt 2009-03-15 01:52:34

Pre-Run: 39,967,674,368 bytes free
Post-Run: 39,967,125,504 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
255


My new DDS log:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Duc at 10:14:39.69 on Sun 03/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.209 [GMT -7:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated)
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*
FW: Kaspersky Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Duc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn2\yt.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart16.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235690742687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-2-4 227344]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccevtmgr.exe" --> c:\program files\common files\symantec shared\ccEvtMgr.exe [?]
S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsetmgr.exe" --> c:\program files\common files\symantec shared\ccSetMgr.exe [?]

=============== Created Last 30 ================

2009-03-14 18:36 161,792 a------- c:\windows\SWREG.exe
2009-03-14 18:36 98,816 a------- c:\windows\sed.exe
2009-03-09 21:08 <DIR> --d----- c:\program files\DecodingHQ
2009-03-05 19:10 <DIR> -cd----- C:\Uforia
2009-03-03 22:42 <DIR> -cd----- C:\Pink Panther 2.[2009]. DvDrip. XviD. -aXXo
2009-02-28 11:20 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-02-27 20:01 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-27 20:00 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-27 20:00 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-27 20:00 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-27 20:00 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-27 20:00 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-27 20:00 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-27 20:00 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-27 20:00 <DIR> -cd----- C:\262c71590f269e9d5472d31edaaa79
2009-02-27 18:34 <DIR> -cd----- C:\FTV - Alexa 2
2009-02-27 15:41 268,648 a------- c:\windows\system32\mucltui.dll
2009-02-27 15:41 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-02-26 16:47 <DIR> --d----- c:\program files\Microsoft
2009-02-26 16:45 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-02-26 16:30 <DIR> --d----- c:\program files\common files\Windows Live
2009-02-26 16:27 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-26 16:03 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-02-26 16:01 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller
2009-02-25 17:19 <DIR> --d----- c:\docume~1\duc\applic~1\SPORE
2009-02-24 21:19 230,752 a------- c:\windows\patchw32.dll
2009-02-24 21:19 118,176 a------- c:\windows\patchw.dll
2009-02-24 21:14 <DIR> --d----- c:\program files\Outspark
2009-02-24 20:42 <DIR> --d----- c:\program files\DNA
2009-02-24 20:42 <DIR> --d----- c:\docume~1\duc\applic~1\DNA
2009-02-22 22:11 <DIR> -cd----- C:\HKGH
2009-02-21 13:24 <DIR> --d----- c:\program files\Firaxis Games
2009-02-21 13:16 <DIR> -cd----- C:\Pirate
2009-02-19 16:59 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-02-18 22:18 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-02-18 22:18 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-02-18 21:50 <DIR> --d----- c:\windows\system32\scripting
2009-02-18 21:50 <DIR> --d----- c:\windows\system32\en
2009-02-18 21:50 <DIR> --d----- c:\windows\system32\bits
2009-02-18 20:12 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-02-18 17:27 <DIR> --d-h--- c:\windows\PIF
2009-02-17 16:18 94,820 ac------ C:\ComboFix.zip
2009-02-16 23:03 <DIR> -cd----- C:\Nhac mp3
2009-02-14 21:33 <DIR> acdshr-- C:\cmdcons

==================== Find3M ====================

2009-03-15 10:08 5,469,216 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-15 10:08 852,000 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-03-15 10:08 43,808 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-15 10:08 3,992 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-02-18 21:53 86,939 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-16 16:25 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-02-16 16:25 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-02-06 20:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-03 16:35 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-01-24 13:34 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-24 13:34 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-24 13:34 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-24 13:34 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-23 22:32 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 02:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 02:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 22:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 22:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

============= FINISH: 10:14:49.46 ===============

Attached Files



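The two file listings above ("Created Last 30" and "Find3M") are what a helper actually reads when triaging a DDS log, so here is an added example (not part of the original thread and not code from the DDS tool) that parses those lines and picks out the entries worth looking at first. The attribute-letter meanings are an assumption inferred from the posted entries themselves (for example `acdshr--` on `C:\cmdcons`: a=archive, c=compressed, d=directory, s=system, h=hidden, r=read-only), and the triage rules are hypothetical heuristics of my own: a hit means "check this", not "this is malware". The sample lines are constructed by copying a few entries from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied from the DDS "Created Last 30"
# and "Find3M" sections above, mixed with header lines the parser must skip.
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2009-03-14 18:36 161,792 a------- c:\windows\SWREG.exe
2009-03-09 21:08 <DIR> --d----- c:\program files\DecodingHQ
2009-02-28 11:20 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-02-26 16:01 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller
2009-02-24 21:19 230,752 a------- c:\windows\patchw32.dll
2009-02-14 21:33 <DIR> acdshr-- C:\cmdcons

==================== Find3M ====================

2009-03-15 10:08 5,469,216 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-23 22:32 25,280 a------- c:\windows\system32\drivers\hamachi.sys
"""

# One DDS file line: date, time, size (or <DIR>), 8 attribute flags, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|\d[\d,]*) (?P<attrs>[a-z-]{8}) (?P<path>\S.*)$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str           # e.g. "a--sh---"; letters as seen in the log (assumption)
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def parent(self) -> str:
        return self.path.lower().rsplit("\\", 1)[0]

    @property
    def ext(self) -> str:
        name = self.path.lower().rsplit("\\", 1)[-1]
        return name.rsplit(".", 1)[-1] if "." in name else ""


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file line, or None for headers and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    return Entry(m["date"], m["time"], size, m["attrs"], m["path"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


# Hypothetical triage heuristics (mine, not DDS logic). They only order what a
# human looks at first; every hit still needs its owner (vendor, tool, game)
# confirmed before anything is deleted.
PE_EXTS = {"exe", "dll", "sys", "scr"}
ODD_PE_PARENTS = {"c:", "c:\\windows"}  # PE files rarely belong directly here


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    flagged = []
    for e in entries:
        if e.is_dir:
            continue
        if e.hidden and e.system:
            flagged.append((e.path, "hidden+system file: confirm which product owns it"))
        if e.ext in PE_EXTS and e.parent in ODD_PE_PARENTS:
            flagged.append((e.path, "PE/driver directly under %s" % e.parent))
    return flagged


if __name__ == "__main__":
    for path, reason in triage(parse_log(SAMPLE_LOG)):
        print("%-55s %s" % (path, reason))
```

Run it against a full DDS log instead of the constructed sample and the output is the short list to research first; in this thread that list would include the two `.exe` files dropped in `c:\windows` on 14 March and the hidden/system `fidbox*.dat` files, each of which the helper then attributes to a known tool or product (or not) before deciding anything.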
#6 Thunder
Members, 3,294 posts, Belgium

Posted 16 March 2009 - 04:50 PM

Hello Katsuky,

Missed this?

I see you have an outdated Kaspersky Internet Security pack on your system, alongside Norton Internet Security 2006 ?
Please remove one of them through Control Panel > Software.
Never run more than one (up-to-date) antivirus program on your system to avoid interference.


You've updated Kaspersky, but are still running both of your security packs?
Or was your Norton removal unsuccessful?

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the following command into the field: ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted, and make a difference

#7 katsuky (Topic Starter)
Members, 32 posts

Posted 16 March 2009 - 09:20 PM

Thank you Thunder, I have no more problems. I also successfully removed Norton a long time ago; it was just a little bug in the registry key folder making Norton show up when I use ComboFix.

#8 Thunder
Members, 3,294 posts, Belgium

Posted 17 March 2009 - 05:39 PM

Glad we could help, Katsuky.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks.
To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place,
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved, this topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.