Major root kit that has haunted me for 7 Years + Please Help !!!!



#1 JohnnySH
Posted 28 April 2010 - 06:32 PM

Hello, and thank you to all on this site. If anyone can shine any light, I will be forever grateful.

The problem I have had over the past 7 or so years I have never got to the bottom of, and boy, I have tried.

I have learned to live with it, knowing deep down that every PC on my network is infected with something more clever than Windows and so stealthy that nothing, even a format, ever gets rid of it!

New hardware has come and gone; I have wiped / formatted / Kill Disked so many drives.

Reinstalled Windows so many times and still no joy. I almost feel I need forensic software to look at my hardware to find out what's wrong and what's going on!


Nothing in Windows ever finds the problem, which makes me think it's living outside of Windows (BIOS / CMOS / MBR)??

It seems to infect every PC on my network / connected to the internet.

This problem I have stems back 7 or so years to when I used to go to bad websites (with keygens / moody software) etc., and I also used to hang about with a computer geek who was a bit of a hacker, who I did not trust looking back!!!

So I am still not sure he did not plant something on my machines, or it may have been from the keygens / moody software etc.

Below is a more detailed account of what happened, but the problems I have been left with on EVERY machine after so many formats and reinstalls since killing off the bugs 7 years ago are....


1) Lacking performance on every PC (video files play choppy on every PC!)
2) Strange event errors after a fresh install of Windows
3) P.C.
4) I feel every PC is sluggish and lacking about 35% of its power / performance, though I have lived with this for so long now, I don't know what to think anymore,
5) It seems to infect every PC and no software under Windows finds anything?
6) My machines vary in snappiness; sometimes clicking round Windows is much faster than at other times for no reason (I have minimal services/apps running), and processor idle is always 99%!
7) This has lived with me over Win 2000, XP, Win7

It's living above Windows, I feel.

I have just built an Intel i7 PC with 6 GB of DDR3 memory and don't feel it's running correctly. I built this for showing video music files, because I have tried to show video on 3 other high-end PC systems and still keep running into problems.

On every system, including the new i7 PC, I get glitchy / choppy video playback; it's like something is interrupting the hard drive or sucking all the power from the PC.

Whenever I try to do any multimedia / video / photo shows etc., I keep running into major performance problems on all PCs, yet all my PCs are high-spec hardware??


PLEASE PLEASE PLEASE, can anyone shine any light? Years ago, when I knew I had this problem, people thought I was mad saying all this, but in more recent years clever rootkits have become more understood.

My fear is maybe something clever was planted years ago by my old hacker buddy that's not being detected as a trojan / rootkit / virus etc., which is why I can never find it. But what could ever survive countless formats etc.?

Unless there is some weakness in all Windows when updating drivers after an install. But I know this nasty is living above Windows; I feel it's inside the machine.


Anyway, I appreciate any help...... here is the full story of what happened.

Thanks in advance



Hi, I will try to keep this very simple...

About 6 years ago, at the start of Windows XP (pre any service packs), I used to download a lot of software and keygens from bad websites, not knowing at the time!!

I fully understand how bad these sites and keygens are!! And I have paid a very heavy price since!

I have learnt my lesson now and never go to these types of sites; if anything, I am over-careful now when going to websites!!

I ended up having my Dell server and 5 PCs on my network all infected with multiple infections from keygens and moody software etc.

The infections popped up a countdown timer in Windows and told me my machine would shut down after so many minutes. Because they were all networked,
if more than one machine was on it happened on multiple machines. Once the machine had shut down, when I restarted the server / PCs, Windows would not start; it said missing NTDL on every machine.

The only way to cure this was to replace the NTDL file to get Windows working again. I also had funny messages left on the desktop like "stop using illegal software" and things like that.

It was like a Sasser-type virus that had been modified. Windows XP SP2 seemed to help cure that issue / nasty, but....

I knew something was very bad back then, because after reinstalling Windows Server 2000 on my Dell server, I kept getting strange networking event logs like SMB errors when accessing network shares, which never happened prior to this nasty!
I even got other strange Windows error event logs after a clean Windows format & install.

It did not matter how many times I reinstalled the OS, I could not cure these strange Windows event errors and other strange side effects?

I just knew the system did not feel right after a format. It felt sluggish when clicking around, almost like someone else was logged in remotely, or something was sucking 30% of the power out of my server / PCs.

It did not matter how many times I formatted the server, I still could not get it feeling right!!

Since those days I have pulled every machine down one by one, copied all data on every drive in all PCs to my NAS Linux system (different OS to NTFS) and wiped / formatted every NTFS drive before reinstalling Windows XP / Windows 7 / Server.

I just never feel any machine I have here is running correctly; they all feel sluggish and underpowered. I often get strange problems occur, and it's almost as if there is some other file system running outside of Windows that's sucking all my power and causing strange things to occur. It's like Windows is under someone else's or something's control!!

And no matter what I do or try to install to find the problem, nothing, I mean NOTHING, will find it!

I have run so many virus checkers and programs to try to detect this nasty, but nothing ever finds it!! I just know there is something living on every PC that I just cannot get rid of.

Now 6/7 years have passed after the keygen infection. When I raised these points on some spyware forum 6 years ago, people thought I was mad; they said after you wipe the hard drive nothing can live!!!

Reading your forums with some of these rootkits, this is not so. I have known this in my heart ever since my first major keygen infection.

At the time I wondered if the nasty could live in the hardware, motherboard BIOS, graphics card etc.

All I know is 7 years later I still know something is not right with all my existing and new machines on my network. I have just built an Intel i7 2.7 GHz PC, Windows 7 with 6 GB DDR3, and when playing video files, they play very glitchy on every machine I have here. I send the same file to a friend's PC and it plays perfectly?

Again, it's like something is interrupting my hard drives or PC when trying to play this video file and causing glitchy video playback. (I know it's this rootkit sucking my power.)

All I know is this thing has driven me crazy for years and I cannot get to the bottom of it. I have formatted every machine so many times, but never feel they are right.

I also notice on all my machines that sometimes the machines feel snappier than at other times for no reason. It's almost as if this is a very clever rootkit that is totally stealth, infects every machine, has lived or evolved over the past 7 or so years and has its own controlled operating system above Windows or any installed OS?

It's almost as if it kicks in before Windows even loads after a fresh install / format and sucks up 30% of my processing power on every PC, but nothing is detectable in Windows.

I don't know if any of my data is infected; nothing ever shows up. I use NOD antivirus. I do not know how to try to sniff this thing out, though I am willing to try anything. This thing has haunted me for years. I have tried your programs before, and yet again it finds nothing in Windows.

Can it be in the hardware? In the BIOS? Hidden in my hard drives after a format?

If nothing can detect it!.... how can I find it and kill it? But I know something's there causing me problems on every machine.

I have even wondered if it's Microsoft when doing driver updates after a clean install.


Please, please, please can you shine any light? I have lived with this thing for so long and don't think anyone is clever enough to..
1) detect it
2) kill it!
3) or who else to talk to about killing this thing

As my machines get faster with newer hardware it seems to get less noticeable, but I know it is there!

Any help would be very much appreciated; other than taking a PC to a forensic lab I don't know what else to do.

I await your reply. Thanks in advance


Kind Regards

Edited by Orange Blossom, 28 April 2010 - 08:19 PM.
Move to AII as no logs posted. ~ OB



#2 JohnnySH
Posted 29 April 2010 - 09:24 AM

Hello

I have done everything that's been asked on this forum in reply to rootkit removal; please see the info below for results.

I have no attachment area to upload my files, so I will paste them as text in this reply. If any helper would like me to send them some other way, please let me know.

OK, I chose one of the PCs on my network that I know deep down has never been right after many hard drive wipes (Kill Disk / fdisk / format) with multiple reinstalls of Windows.

After running GMER and doing a full scan, which took ages, my computer was unusable:
ultra slow, IE locked up with a white screen whilst loading, ???? not a good sign....

I shut down the PC and relaunched Windows XP ~?? and there was lots of hard drive activity when it started (ultra slow for about 1 min, but now the PC is back to as it was ... usable again).

I am not expecting these results to show anything, as I think my nasty is living outside of Windows and has Windows in its full control!! This thing is so stealthy, but the big question is where is it living, why is it sucking up lots of my PC performance and what is it doing in the background?? I have had it for 7 years and never came close to getting rid of it!

Nothing in the past in the way of antivirus, anti-trojan, anti-spyware etc. has ever shown anything up!! But I know the machines are not right!!

This thing infects new PCs added to my network and seems to outlive multiple hard drive wipes and new installs of all Windows OSes???

It's a crazy thing..

Anyway, here are the results...

Thanks in advance for any help in this matter


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 1:15:06.37 on 29/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2045.1101 [GMT 1:00]

AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {115B1886-2AE0-4259-9FE4-E32A5DEE5452} - hxxp://www.wowweesupport.com/download/rovio/WebSee_v1.0.0.6.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.09/uploader2.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\rrdr2iw8.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-4-28 30320]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-4-28 6364992]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-4-28 54920]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-4-28 24400]

=============== Created Last 30 ================

2010-04-29 00:09:27 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-28 22:28:33 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-04-28 22:28:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 22:28:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-28 03:00:20 60928 ----a-w- c:\windows\system32\PxSecure.dll
2010-04-28 03:00:20 54920 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-28 03:00:20 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-28 03:00:19 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-28 03:00:19 0 d-----w- c:\program files\Prevx
2010-04-28 03:00:14 51 ----a-w- c:\windows\wininit.ini
2010-04-28 03:00:14 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-04-27 18:30:40 673949136 ----a-w- C:\office cd.img
2010-04-27 18:30:40 27508128 ----a-w- C:\office cd.sub
2010-04-27 18:30:38 772 ----a-w- C:\office cd.ccd
2010-04-24 22:57:05 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-17 13:54:10 0 d-----w- c:\program files\Compaq
2010-04-17 13:54:02 0 d-----w- C:\CPQSYSTEM
2010-04-13 15:36:38 597375 ----a-w- C:\IMG_0100.JPG
2010-04-13 15:35:57 741662 ----a-w- C:\IMG_0069.JPG
2010-04-13 15:35:24 611427 ----a-w- C:\IMG_0157.JPG
2010-04-13 15:34:49 592855 ----a-w- C:\IMG_0151.JPG
2010-04-13 15:34:04 602565 ----a-w- C:\IMG_0231.JPG

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 1:15:20.93 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 25/09/2009 05:16:32
System Uptime: 28/04/2010 12:49:05 (13 hours ago)

Motherboard: Intel Corporation | | D955XBK
Processor: Intel® Pentium® 4 CPU 3.40GHz | J3E1 | 3400/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 69 GiB total, 22.478 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acoustica CD/DVD Label Maker
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
Artisteer 2
Box Shot 3D
Camtasia Studio 6
cdrLabel 7.1
CloneCD
Cover Commander 3.1.1 by Insofta Development
Creative Audio Console
Exact Audio Copy 0.99pb4
First Names
FLAC 1.2.1b (remove only)
FlashFXP v3
Google Talk (remove only)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Install Network Printer Wizard
ieSpell
Intel® Network Connections 15.0.4.0
IrfanView (remove only)
Jasc Paint Shop Pro 9
Java™ 6 Update 7
K-Lite Codec Pack 5.2.0 (Standard)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Expression Design 2
Microsoft Expression Studio 2
Microsoft Expression Web 2
Microsoft Expression Web 2 MUI (English)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.7)
Mozilla Thunderbird (2.0.0.23)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Premium
neroxml
Notepad++
NVIDIA Drivers
NVIDIA nView Desktop Manager
OGA Notifier 2.0.0048.0
On This Day in History
Personalised Letters
Prevx
Registry Mechanic 8.0
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SnagIt 8
Snagit 9.1.3
Sothink DHTML Menu 8
Sothink DHTML Menu 9
Sothink JWScroller
Sothink SWF Easy
Sothink SWF Quicker
Sothink Tree Menu
Style Master 4.6 Demo
Tag&Rename 3.5.3
UltraISO Premium V9.32
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Expression Web 2 (KB957827)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb981433)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Virtual DJ - Atomix Productions
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Xara3D6
XML Paper Specification Shared Components Pack 1.0

==== End Of File ===========================


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 13:52:15
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgdorpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xB42A558E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xB42A55C8]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteKey [0xB42A53B0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteValueKey [0xB42A5428]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xB42A58DC]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xB42A57B8]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xB42A5654]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xB42A5550]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetValueKey [0xB42A54B6]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0xB42A5A10]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0xB42A56D8]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0xB42A5710]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6A6F380, 0x3DF545, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1864] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 03EC65A6 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\WINDOWS\Explorer.EXE[1864] kernel32.dll!CreateThread 7C8106D7 2 Bytes JMP 03EC5BFC C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\WINDOWS\Explorer.EXE[1864] kernel32.dll!CreateThread + 3 7C8106DA 2 Bytes [6B, 87]
.text C:\WINDOWS\Explorer.EXE[1864] USER32.dll!SetWindowTextW 7E42960E 5 Bytes JMP 03EC629F C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)

---- EOF - GMER 1.0.15 ----

Edited by JohnnySH, 29 April 2010 - 11:31 AM.


#3 1972vet
  • Malware Response Team
Posted 29 April 2010 - 11:53 AM

Greetings JohnnySH and Welcome to the forums,

Wow lol you sure have a lot to say...
Please allow me some time to go over your logs and I will have some suggestions for you in a short while. Thanks for your patience!

Disabled Veteran, U.S.C.G. 1972 - 1978

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#4 JohnnySH

Posted 29 April 2010 - 12:40 PM

Thank you


I await your reply


kind regards

#5 1972vet
Posted 29 April 2010 - 12:55 PM

Let me first comment on a few things you have to say here:
QUOTE
...I have learned to live with it knowing deep down that every pc on my network is infected with something more clever than windows and so stealthy that nothing even after a format ever gets rid of it!

You have to ask yourself the question, If this were true, why would the whole world not be talking about this discovery? I'm afraid I must tell you, there is no such thing. Another point to ponder...if it were true, then you must be aware that every single cyber criminal would always be successful all the time and never be exposed, so with that in mind, you must also know, every single criminal enterprise in the world would jump into the mix and pilfer through all the infected computers on the web that have anything left to sift through lol...Still not convinced? Well then, there just may be no convincing you. Personally, I think your 7 years of worry and reformatting/reinstalling have all been for naught.

Next, you describe here some of the symptoms even after reformatting and reinstalling windows:
QUOTE
1) Lacking performance on every PC (Video files play choppy on every pc!)
Terms you use, such as "lacking performance" are relative. You need to tell me in comparison to what.

2) Strange event errors after a fresh install of windows
Calling an event in the log "strange" is something you might do since you should know what is out of place. I wouldn't know that...so, you would do better to just detail what the event log says and anything that is "strange" about it should be a determination one of us can make.

3) P.C.
Huh?

4) I feel every PC is sluggish and lacking about 35% of its power / performance, though I have lived with this for so long now, I don't know what to think anymore,
...ok, again, 35% of its power/performance as compared to what?

5) It seems to infect every PC and no software under windows finds anything ?
If an infection is present, we will find it.

6) My machines vary in snappiness, sometimes clicking round windows is much faster than at other times for no reason (I have minimal services/apps running) and processor idle is always 99% !
Well, there is really nothing odd about this observation. Windows will step it up at times, and slow down a bit at other times. Nothing out of the ordinary there.

7) This has lived with me over Win 2000, XP, Win7
Has it really...or has it just been a gnawing suspicion?

Some thoughts about all this...you confessed earlier that you downloaded keygen/crackware or something of the like years ago. It's my suspicion that you still have the software perhaps on a disk. Is it likely that you reinstall those ill-gotten programs/files/videos/songs each time you reformat and reinstall windows? If so, you may experience odd issues from the poorly coded material.

Also, you said something curious here:
QUOTE
The infections popped up a count down timer in windows and told me my machine would shut down after so many minutes, because they were all networked,

I've not heard of this infection if one exists, but your description does sound closely related to a normal windows function. There is indeed such a message that windows itself will present if you have scheduled a shutdown via a system command.

And here:
QUOTE
windows would not start, it said missing NTDL on every machine.

...I think you mean, NTLDR? Regardless, it seems you were able to fix that issue.

This statement is the most important one I could find:
QUOTE
I also had funny message left on the desk top like stop using illegal software and things like that.

...If this is something that has happened recently, and if you still have the message handy, I'd like to see it. Is the message in a balloon style or is it a text message left in a notepad document?
There are such messages that individual ISP providers will push onto your system if their logs indicate that your system has been downloading pirated software.

Now, on to business...I found just a few items in your log regarding outdated software:
Java™ 6 Update 7
Mozilla Thunderbird (2.0.0.23)
Mozilla Firefox (3.5.7)

...so I should ask, how often do you allow your software to update? The Mozilla products by default, will auto-update...or, that is to say, they will automatically look for updates and tell you about them. Do you not allow them to update? If so, why?

Please address these concerns so I will know how to proceed next.



#6 JohnnySH


Posted 29 April 2010 - 01:06 PM

I appreciate your reply and thank you, I hoped deep down it would not end up making me look mad, as I think this reply has

I know something is wrong on all of these machines deep down...

And as I am sure you will know, there are some very clever rootkits that can survive multiple hard drive wipes and reinstalls !! and virtually be non traceable by hooking on to other files etc.

so I can only assume this is where it will end in my quest to try to get to the bottom of this in this forum.... is that correct ? I was hoping not ?

Ok ruling out everything I said, did my test results show anything odd,

I found it quite strange why after doing GMER root kit scan on my pc the system locked up ?? and I had to reboot pc to start using it again, even that seems weird




once again I say thank you for your time

Edited by JohnnySH, 29 April 2010 - 01:12 PM.


#7 1972vet


Posted 29 April 2010 - 01:34 PM

Are you saying my reply made you mad, as in "angry"? If so, I apologize. Certainly had no intention of doing so. If you mean it made it appear as though you were mad, as in "crazy", then I should say it's also nothing intended...perhaps you are just concerned more than is warranted.

There are still some things I inquired of in my last reply that you have not addressed. Can you please address them in your next response?

I'd also like to point out, while there are indeed such maliciously coded software/scripts that can survive a reformat, there would also be evidence of it in one or more of the scan logs produced. Your concern, by the way, about the gmer scan having caused your system to freeze is actually quite common. Same thing happens when I run it. Without having to reveal too much information about that, I will simply say...you can relax if that is something that added to your worries.

Although, you should probably still be worried to some extent if indeed your system is harboring one or more pieces of pirated software...or ill-gotten video/music files. That was one of my concerns I mentioned in my last post, but you failed to address it.

I said earlier if an infection is present, we will find it. As you mentioned the system is networked, you are aware of course that you need to isolate the computer being worked on so that there is no other means by which an infection can propagate.

Let's take a deeper look at things:
Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall





#8 JohnnySH


Posted 29 April 2010 - 01:40 PM

No, please don't misunderstand me..

I meant most people would read my post and think I am going crazy... I am an electronics engineer myself and 2+2 should always = 4

In the last few years with my network and computers this has not been so..

And it all seems to stem back to the major infection I had years ago
though at the time I got rid of all the problems by pulling each machine down one by one
wiping windows, and starting afresh etc 7 years ago


since then I feel there has been something left behind that I just can not get rid of..

but thanks for your reply, and no you have not upset me, but I can understand how people could think I am going mad/crazy

Thank you for your suggestions,

1) thank you for info with gmer, I will forget about that problem

2) my days of ill-gotten software are long gone 7 years ago
I have purchased all software I intend to use to rule out these problems !

3) I will continue with your combo fix


Thank you for your help

regards

Edited by JohnnySH, 29 April 2010 - 01:49 PM.


#9 JohnnySH


Posted 29 April 2010 - 02:13 PM

Hi

Please see my Combofix logs below


ComboFix 10-04-29.01 - Administrator 29/04/2010 20:02:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2045.1664 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\SDM-2.3.2-877-c870-advipservicesk9-mz.124-15.T1.bin
c:\windows\system32\_000011_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-29 00:09 . 2010-04-29 00:09 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-28 22:28 . 2010-04-28 22:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-28 22:28 . 2010-04-29 00:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 22:28 . 2010-04-28 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-28 03:00 . 2010-04-28 03:00 60928 ----a-w- c:\windows\system32\PxSecure.dll
2010-04-28 03:00 . 2010-04-28 03:00 54920 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-28 03:00 . 2010-04-28 03:00 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-28 03:00 . 2010-04-28 03:00 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-28 03:00 . 2010-04-28 03:00 -------- d-----w- c:\program files\Prevx
2010-04-28 03:00 . 2010-04-29 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-04-24 22:57 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-17 13:54 . 2010-04-18 15:31 -------- d-----w- c:\program files\Compaq
2010-04-17 13:54 . 2010-04-17 13:54 -------- d-----w- C:\CPQSYSTEM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 12:30 . 2009-09-28 16:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-24 23:00 . 2009-09-28 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 05:07 . 2009-11-29 06:17 7128392 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

------- Sigcheck -------

[-] 2010-01-03 04:35 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe
[-] 2010-01-03 04:35 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D72956-317C-44bd-B369-8E44D4EF9801}]
2010-04-28 03:00 60928 ----a-w- c:\windows\system32\PxSecure.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]
backup=c:\windows\pss\SnagIt 8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DevconDefaultDB]
c:\windows\READREG [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 16:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2010-01-03 04:35 24064 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 07:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2009-09-11 11:31 2836440 ----a-w- c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 03:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [28/04/2010 04:00 30320]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [28/04/2010 04:00 54920]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [28/04/2010 04:00 24400]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [28/04/2010 04:00 6364992]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
DPF: {115B1886-2AE0-4259-9FE4-E32A5DEE5452} - hxxp://www.wowweesupport.com/download/rovio/WebSee_v1.0.0.6.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.09/uploader2.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rrdr2iw8.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-29 20:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-602162358-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,f7,59,40,51,81,c0,45,83,4c,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,f7,59,40,51,81,c0,45,83,4c,a0,\
.
Completion time: 2010-04-29 20:10:16
ComboFix-quarantined-files.txt 2010-04-29 19:10

Pre-Run: 24,066,330,624 bytes free
Post-Run: 24,178,429,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7E47157B716EF05C281D1B78E6015FEE




#10 1972vet


Posted 29 April 2010 - 03:27 PM

According to (any of) the logs, you have no antivirus or firewall installed. What they also show is some remnant of a previous installation of trend micro which needs to be removed. You have prevx but I wouldn't use it if that's any good at helping you decide to uninstall it. Can you tell me what you had been relying on to defend that system?

The following file failed to pass a signature check:
c:\windows\system32\ctfmon.exe
...and there seems to be none anywhere else on the system where combofix could find a copy that does pass. Your log also shows that you have used the msconfig utility to stop the process from starting...in fact, it shows you've used it to stop quite a few processes from starting. As they all may have some bearing on your issue(s), it might be better if you would return to the msconfig utility and check everything you unchecked...allowing them all to start up. Apply it and ok it, then reboot. When the system comes back up, check the box that says "don't show me this again..."

Do you have your installation cd handy? We will need it to restore the "ctfmon" file. As it is, it has evidently been patched by malware. The same file on my system is quite a bit different in size than the file that combofix reports.

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



File::
c:\windows\system32\drivers\tmcomm.sys

Driver::
tmcomm

Reglock::
[HKEY_USERS\S-1-5-21-602162358-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]


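An added example, not part of this thread or of ComboFix: a Python parser for the "Sigcheck" section of a ComboFix log, which applies the reasoning 1972vet uses above. For each system file it groups every copy ComboFix listed (the live copy under system32 and the dllcache copy), and reports whether a copy that passed the check exists on disk or whether, as with ctfmon.exe here, every copy failed and shares one hash, so only install media can supply a known-good file. The two ctfmon.exe rows are copied from the log posted above; the example.dll and fine.dll rows, their hashes, and the "[7]" marker for a passing entry are constructed (the parser only treats "[-]", the marker on this page, as a failure, and assumes anything else is a pass).

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the ComboFix Sigcheck section posted in
# this thread. The ctfmon.exe rows are the real ones from the log above; the
# example.dll / fine.dll rows, their hashes and the "[7]" marker are made up.
SAMPLE_COMBOFIX_LOG = r"""
------- Sigcheck -------

[-] 2010-01-03 04:35 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\ctfmon.exe
[-] 2010-01-03 04:35 . C3A2915C71AE6F225EB906C25CCD29B5 . 24064 . . [1.0.0.5] . . c:\windows\system32\dllcache\ctfmon.exe
[-] 2010-01-03 04:35 . 0123456789ABCDEF0123456789ABCDEF . 10240 . . [1.0.0.0] . . c:\windows\system32\example.dll
[7] 2008-04-14 12:00 . FEDCBA9876543210FEDCBA9876543210 . 10240 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\example.dll
[7] 2008-04-14 12:00 . 00112233445566778899AABBCCDDEEFF . 4096 . . [5.1.2600.5512] . . c:\windows\system32\fine.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# "[flag] YYYY-MM-DD HH:MM . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """Return the Sigcheck rows as dicts. Only '[-]' (the marker seen in this
    thread) is treated as a failed check; any other marker is assumed to pass."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("------- Sigcheck"):
            in_section = True
            continue
        if in_section and line.startswith("((((("):
            break  # next ComboFix section begins
        if not in_section:
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            entries.append({"path": m["path"], "md5": m["md5"].upper(),
                            "size": int(m["size"]), "version": m["version"],
                            "failed": m["flag"] == "-"})
    return entries


def group_by_basename(entries):
    """Windows paths: split on backslash rather than os.path so this also
    runs on a non-Windows analysis box."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    return dict(groups)


def assess(entries):
    """Per file: 'ok' (no failing copy), 'restorable' (a failing copy but some
    other copy on disk passed), or 'no_clean_copy' (every copy failed)."""
    verdicts = {}
    for name, copies in group_by_basename(entries).items():
        failed = [c for c in copies if c["failed"]]
        passed = [c for c in copies if not c["failed"]]
        if not failed:
            verdict = "ok"
        elif passed:
            verdict = "restorable"
        else:
            verdict = "no_clean_copy"
        verdicts[name] = {
            "verdict": verdict,
            "failed_paths": [c["path"] for c in failed],
            "restore_from": passed[0]["path"] if (failed and passed) else None,
            # one hash across all copies means the cache copy was replaced
            # too, so Windows File Protection cannot repair it from dllcache
            "single_hash": len({c["md5"] for c in copies}) == 1,
        }
    return verdicts


if __name__ == "__main__":
    for name, v in assess(parse_sigcheck(SAMPLE_COMBOFIX_LOG)).items():
        print(f"{name:14} {v['verdict']:14} restore_from={v['restore_from']}")
```

For the log in this thread the result for ctfmon.exe is "no_clean_copy" with a single hash across both locations, which matches the advice given above to have the installation CD ready.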


#11 JohnnySH


Posted 29 April 2010 - 04:00 PM

OK without sounding mad again here is something else to ponder over in relation to my problems......


For the past 3 or 4 years I have been trying to get a DJ video system up and running, I previously have purchased high spec motherboards, Raptor hard drives, a range of powerful graphics cards etc.

I have never been happy with the video output whilst playing vob video files from my hard drives after ripping the files from my Music video DVD's

they always played choppy and jerky from the hard drive on all my pc's, (this is where I keep moaning about all my systems having performance issues!!)

So a month ago I purchased a top spec Intel i7 system, 6 gigs of DDR3 etc, etc, so no one could say my hardware was under spec.


now when I played my ripped vob video files on the new system bang still choppy playback and this is on every pc I have Win7/XP

The issues seem more visual with NTSC video files (29 frames)

So I contacted a video company this week who transfer video formats as a service and spoke to a gentleman about my problems

I sent him the VOB video file that plays Jerky & Choppy on every machine here, he tried it on his vista machine and he tells me it plays perfect. ??

Point 1) I know it's Not my Rip as it played ok on another totally isolated PC

Point 2) It does not matter what PC here I try it on, It plays Jerky / choppy

Point 3) This is just an extension / side effect to the lack of performance I keep having over the past 6/7 years

Point 4) When ever previously I try and do any multimedia work, slide shows, video etc. I always seem to have problems ??

I then tried another test,

after ripping my Madonna DVD to vob files, again this DVD was in a NTSC format, the files off the hard drive play jerky & choppy

again bear in mind this is on all operating systems and on all my pc's, the only common thing here is the MAINS POWER / INTERNET / MY LOCAL NETWORK / NTFS ???

So I then tried to put the Madonna DVD in my DVD drive and played the same track that I had ripped to my hard drive that played jerky !!

It played perfect from the original DVD in the DVD drive ??? no jerky playback... so what's different ?? it's a read only file on the DVD !! NOT playing from my hard drives....

So what we have here is......

1) My video files play perfect on someone else's system
2) My video files DO NOT play perfect on any of my machines !
3) Yet if I play from the original DVD it plays ok ?? (READ ONLY FILES !!!, can not be written) maybe a big clue !!!


Its almost like all my files are getting forensically stamped when on my system and only play up / cause problems and performance is bad on my systems only !!

can this be ??

Something that's clever enough to cause me and only me problems on all my hardware, yet on a totally 3rd party machine (non infected), the video files play perfect ??


My problem is almost like a 2 part thing...... one the machine has something very clever on it , and it seem to be on every machine I have.

This clever thing seems to only affect me and me only with my hardware, and if I add any new hardware, that gets the same treatment, bang bad performance, same problems.

I keep wiping windows and still the same problems, its driving me crazy, is there anything like this out there ???

It seem to stamp or do something to files on my hard drive to hinder overall performance and speed of data off the drives, / system

Yet if you give someone else the same video files on a non infected pc they perform perfect and DO not seem to infect that PC ???? again I think because the other pc does not have master infection


I know this all seems mad, but I have been fighting this for years and can only tell it as it is

This may be the result of running some moody software years ago, keygen I ran years ago or something nasty that someone had put on my system years ago...

It may even be a custom written thing, i.e. not a rootkit or spyware and thats what may make it even harder to find, ??

It may have been some clever custom thing written by a software company to prevent running moody software, but what can be this clever to out live machines / windows / hard drive wipes, It does not seem to have any sinister side effect over the past six years other than cause me performance issues on every pc once connected to my network

anyway these are just some of the very strange problems I am having, this constant problem always seems to be related to hard drive performance speed issues with my hard drives


My hard drive leds always flicker every second or so, don't know if this has any bearing ??
but it seems windows is always having a lot of harddrive access ??

I have always said I don't feel my hard drives are performing correctly thus causing performance issues and I think this video problem I keep having is visually showing me this nasty at work!!

Thanks in advance if anyone can shine any light....

Edited by JohnnySH, 29 April 2010 - 04:15 PM.


#12 JohnnySH


Posted 29 April 2010 - 04:32 PM

In reply to your post

thank you for getting back to me,

after installing a fresh copy of xp windows on a machine I always try to fine tune and turn off unwanted things to give a little more performance

I do use msconfig to stop unwanted things from starting at windows start up

I have gone off to microsoft site to try to stop ctfmon service from running as this really seems to slow down my machine

I found a little utility on the net that patches and removes ctfmon Microsoft do say it can be removed I think

But we can put it back I will grab an windows install CD

Windows is informing me my windows firewall is ON !!! are you saying it is not ?

As for anti virus I was using NOD (Eset) and have purchased multi Licences over the past 5 years but as it never finds anything, In the past few days I have just spent about £100 changing over to PrevX which I think you are saying is no good !! I thought it seemed ok, but may be NOT ?

If this is true what anti virus would you recommend without slowing your machine down too much as this is my main problem in the beginning on all my pc's

I did try trend anti rootkit a few days ago in relation to my performance problems, before talking on this forum, it would seem as if it did not uninstall correctly ??

I will look in to this

I will follow your post and do combo fix again

thank you

Edited by JohnnySH, 29 April 2010 - 04:37 PM.


#13 JohnnySH


Posted 29 April 2010 - 05:18 PM

Hello

Combo fix seems stuck on blue screen whilst trying to prepare report

What shall I do, do I reset PC


It says preparing log report, do not run any other software


But its just stuck on this blue screen for over 10 mins !!!


Please advise

#14 1972vet


Posted 29 April 2010 - 06:17 PM

It seems your main concern is the performance as it relates to the playing of video files. Am I to assume then that there are no other performance issues? Does the computer behave in an acceptable way otherwise? Regardless, this is a malware forum. Let's first remove the malware then we can think about creating a new thread in one of the other appropriate software/hardware forums where other experts can take a look at your issue.

As to the firewall statement I made, I believe what I had mentioned was that there was no evidence of a firewall installed. The Windows Firewall is native and is not considered third party. You would not install it since it comes with Windows XP. Additionally, the Windows Firewall does not appear in any log as to whether it is engaged or not. If you are using Windows Firewall I'd have to say it's better than nothing, but I would recommend a third party software firewall.

Once we finish up cleaning the system of malware, I will recommend antivirus and firewall software that you should use.

Regarding the ctfmon file and your use of some third party software that you downloaded to remove it...can you point me to the web site where you downloaded this removal tool you mention? I would bet it is behind at least a portion of your performance issues. As I stated earlier, the ctfmon file that combofix found did not pass a signature check which means, the file that it DID find has been most likely patched by malware. From the size of the file that combofix reported, it seems to me that it is likely the malware that altered it.

Please allow the scan to complete and as the prompt on the screen says, do not run any programs until the log is produced. Post back THAT log. Thanks.



#15 JohnnySH


Posted 29 April 2010 - 07:25 PM

Hi and thanks for you help again

yes my main problem over the years has been performance on all my pc's and strange side effects in windows ??

It's not just video file performance !! It's everything in all os's, but I just think the video problem is a visual aid/annoyance for seeing the bigger problem that's haunted me for years.

why would my Madonna file play perfect on DVD (non writable) yet when I play the same vob from my hard drive glitchy ???

yet the same vob file plays perfect on someone else pc !!!

It always feels that after the major infections years ago, I never cleared it totally and something very clever and stealthy got left behind that has always hindered my performance on every PC.

I don't feel threatened by this thing,

I don't feel hacked either, or that any data is being stolen, not that I have anything to hide either,

It just feels like someone has planted something on my PCs to prevent me from moving on with work and cause maximum headaches and maximum down time in trying to get to the bottom of this problem.

and so far it is exactly that !! I have been 6/7 years trying to find this problem on every machine

I have spent so much money buying new and scrapping old hardware / buying software / reinstalling windows more time than I can remember, in trying to find this thing.

I don't even want to think about the hours I have wasted it must go into months !!!

and still I can't even use any pc to play my video files correctly for argument sake ! and I am sure there is something much deeper here stopping me..

It seems a personal thing to me only and it seem the hardest thing in the world to dectect or remove,
could such a nasty custom thing exist or be created ?

Its almost as if its a custom written thing because in the past I have run some illegal software ? or a keygen

Can software houses (large or small) actually have anything this powerfull to punish people ??


Now after putting all these services back on ctfmon.exe etc. and ticking all the start ups, the pc feels sluggish and slower even more so...


The only reason I removed CTFmon.exe service in the past was to try and improve a little more performance, I only do this on my windows xp machines not on my windows 7 pc's

Yet my video files still play up on all machines, so I don't think patching ctfmon is causing me these major issues but Im happy to put it back. Though my windows 7 machine is still having issues without using the ctf remover when playing video files

here is the website for the ctf remover application
http://www.technixupdate.com/remove-ctfmon...ctfmon-remover/


In relation to my firewall, my router also has an electronic firewall built in, not sure how good it is, but it is there and on!


one other thing that may be relivent....


In trying to get to the bottom of this problem years ago I use to know a buddy that was a bit of a hacker / computer geek

He told me this performance problem I am having could be down to something nasty living in the hidden sectors of the hard drive, and there are certain area of the hard drive that never get wiped even with a Kill disk / Deban / Fdisk / Format / Fix MBR

He told me these hard drive areas are where that the hard drive manufacture configure the drives, he said the first 63 sectors of the drive never get wiped and over written, and something could be hiding ?

Looking back I don't really know how much I can trust him ??

He gave a bootable floppy disk call ZAP Drive, that boots to a dos prompt

At the dos prompt I type 'zap drive 0' or 'zap drive 1' etc. to wipe the 1st 63 sectors of the drive.

now I tend to do this when ever I reinstall windows just to make sure the drive is totally clean before a format and install of windows.

and I would have done this to most of my ide and sata drives

I am just wondering if this ZAP Drive disk is putting something nasty on the drives at dos level before I install windows and not wiping the drive as I think it is,

Then again it maybe wiping the drive and doing as it says. ??

I am just trying to think of something common I am doing for all my machines

I have found a website that talks about this zap util, though I did not get the floppy disk from here
http://www.digitalissues.co.uk/html/os/mis...ml?seenIEPage=1


and all my problems today have always stemmed from the period of time I met this hacker geek and use to go off to bad websites and run keygens etc.


Here is the new combo fix results, thank you again for your time, it is appreciated

regards


ComboFix 10-04-29.01 - Administrator 29/04/2010 23:57:34.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2045.1677 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\tmcomm.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\drivers\tmcomm.sys

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-28 22:28 . 2010-04-28 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-28 03:00 . 2010-04-28 03:00 60928 ----a-w- c:\windows\system32\PxSecure.dll
2010-04-28 03:00 . 2010-04-28 03:00 54920 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-28 03:00 . 2010-04-28 03:00 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-28 03:00 . 2010-04-28 03:00 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-28 03:00 . 2010-04-28 03:00 -------- d-----w- c:\program files\Prevx
2010-04-28 03:00 . 2010-04-29 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-04-24 22:57 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-17 13:54 . 2010-04-18 15:31 -------- d-----w- c:\program files\Compaq
2010-04-17 13:54 . 2010-04-17 13:54 -------- d-----w- C:\CPQSYSTEM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 22:33 . 2009-09-28 16:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-24 23:00 . 2009-09-28 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 05:07 . 2009-11-29 06:17 7128392 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-14 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-04-29_19.07.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 12:00 . 2008-04-14 12:00 15360 c:\windows\system32\dllcache\ctfmon.exe
+ 2008-04-14 12:00 . 2008-04-14 12:00 15360 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D72956-317C-44bd-B369-8E44D4EF9801}]
2010-04-28 03:00 60928 ----a-w- c:\windows\system32\PxSecure.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-09-11 2836440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]
backup=c:\windows\pss\SnagIt 8.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [28/04/2010 04:00 30320]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [28/04/2010 04:00 54920]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [28/04/2010 04:00 24400]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [28/04/2010 04:00 6364992]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
DPF: {115B1886-2AE0-4259-9FE4-E32A5DEE5452} - hxxp://www.wowweesupport.com/download/rovio/WebSee_v1.0.0.6.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/58.09/uploader2.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rrdr2iw8.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 00:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2460)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-30 00:03:34
ComboFix-quarantined-files.txt 2010-04-29 23:03

Pre-Run: 24,177,586,176 bytes free
Post-Run: 24,148,783,104 bytes free

- - End Of File - - CEA49B30880FA4A87C2C6455849E61E3

Edited by JohnnySH, 29 April 2010 - 08:25 PM.
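The claim in the post above, that the first 63 sectors of a drive (the MBR plus the gap before the first partition) survive a format and could hide something, can be checked directly rather than taken on trust. The Python script below is an added example for readers of this thread; it is not code from the thread, from ComboFix, or from the ZAP Drive utility. It decodes the MBR partition table, hashes the boot code so it can be compared against a baseline taken right after a known-clean install, and lists every pre-partition sector that is not all zeros. The disk image it runs on is constructed in memory (one NTFS partition starting at LBA 63 and a marker planted in sector 17 so there is something to flag); the `dd` command mentioned in the code for dumping a real drive's first sectors is an assumed Linux workflow, not something the thread describes.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
MBR_SIGNATURE = b"\x55\xaa"       # bytes 510..511 of a valid MBR


def parse_mbr(sector0: bytes) -> dict:
    """Decode a classic MBR: boot code, four 16-byte partition entries
    and the 0x55AA signature. Returns the fields an auditor cares about."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector0, off)
        if ptype != 0:                     # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "signature_ok": sector0[510:512] == MBR_SIGNATURE,
        # Hash of the boot code only: partition edits do not change it,
        # so it can be compared with a baseline taken after a clean install.
        "bootcode_sha256": hashlib.sha256(
            sector0[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def audit_gap(image: bytes) -> dict:
    """Inspect every sector between the MBR and the first partition.
    Formatting a partition never touches this area, so whatever is here
    survives a reinstall and should be accounted for."""
    mbr = parse_mbr(image[:SECTOR_SIZE])
    if not mbr["partitions"]:
        raise ValueError("MBR has no partition entries")
    first_lba = min(p["lba_start"] for p in mbr["partitions"])
    nonzero = []
    for lba in range(1, first_lba):
        sector = image[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]
        if len(sector) < SECTOR_SIZE:      # image shorter than the gap
            break
        if any(sector):                    # at least one non-zero byte
            nonzero.append(lba)
    return {"gap_sectors": first_lba - 1,
            "nonzero_sectors": nonzero, "mbr": mbr}


def build_sample_image() -> bytes:
    """Constructed 64-sector image, not from any real drive: an MBR with one
    NTFS partition at LBA 63, a 62-sector gap, and a marker planted in
    LBA 17 so the audit has something to flag."""
    bootcode = b"\xeb\x3c\x90" + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 204800)
    mbr = bootcode + entry + b"\x00" * 48 + MBR_SIGNATURE
    gap = bytearray(SECTOR_SIZE * 62)                  # LBA 1..62, all zero
    marker = b"CONSTRUCTED-TEST-MARKER"
    gap[16 * SECTOR_SIZE:16 * SECTOR_SIZE + len(marker)] = marker  # LBA 17
    partition_start = b"\xeb\x52\x90NTFS    " + b"\x00" * (SECTOR_SIZE - 11)
    return mbr + bytes(gap) + partition_start


def main() -> None:
    if len(sys.argv) > 1:
        # Real use: pass a raw dump of the first sectors, e.g. one made with
        # `dd if=/dev/sdX of=head.bin bs=512 count=64` (assumed Linux tooling).
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_image()
    report = audit_gap(image)
    mbr = report["mbr"]
    print("MBR signature valid:", mbr["signature_ok"])
    print("boot code sha256   :", mbr["bootcode_sha256"])
    for p in mbr["partitions"]:
        print(f"partition {p['index']}: type=0x{p['type']:02x} "
              f"start=LBA {p['lba_start']} sectors={p['sectors']} "
              f"bootable={p['bootable']}")
    print(f"pre-partition gap: {report['gap_sectors']} sectors, "
          f"non-zero: {report['nonzero_sectors'] or 'none'}")


if __name__ == "__main__":
    main()
```

A non-zero sector in the gap is not by itself a finding: boot managers and some OEM tools legitimately store data there. What makes the check useful is the baseline. Record the boot-code hash and the list of non-zero sectors straight after a clean install, then repeat the audit later; a changed hash or a newly populated sector is something to explain, whereas a list that is unchanged since the install rules out this particular hiding place for the machine in question.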




