"command service"



Spywared
2008-01-08, 14:12
Ok, I've recently been infected with spyware that gives me pop-ups from iexplorer. I've done a bit of searching and found it has been added to my services list in msconfig, and several other entries have been created. I'm a little unsure of how to proceed and would greatly appreciate help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:09:36, on 08/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\?dobe\t?skmgr.exe
C:\Program Files\kernel\kernel.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\kernel\kernel .exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\NOTADM~1\APPLIC~1\MANTEC~1\wucrtupd.exe
C:\DOCUME~1\NOTADM~1\APPLIC~1\MANTEC~1\wucrtupd.exe
C:\DOCUME~1\NOTADM~1\APPLIC~1\MANTEC~1\wucrtupd.exe
C:\DOCUME~1\NOTADM~1\APPLIC~1\MANTEC~1\wucrtupd.exe
C:\DOCUME~1\NOTADM~1\APPLIC~1\MANTEC~1\wucrtupd.exe
C:\DOCUME~1\NOTADM~1\APPLIC~1\MANTEC~1\wucrtupd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F3 - REG:win.ini: load=C:\WINDOWS\system32\mllji.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares .exe" -h
O4 - HKCU\..\Run: [Atqt] C:\WINDOWS\system32\?dobe\t?skmgr.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\progyvaprak.html

--
End of file - 4744 bytes

ken545
2008-01-08, 19:47
Spywared

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You have a host of malware on this system; this is what I suggest you do.

Do this in order, please.

Download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) and save it to your desktop

Open OTMoveIt.exe.
In the left pane where it says "Paste List of Files/Folders to be Moved", copy and paste the files in the quote box, including the full path:

C:\Program Files\kernel

Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply.

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.

Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer


The thieves that have written Vundo have written it to evade a HJT scan, so we need to rename it.

This is important; do this before you post a HJT log.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on HijackThis.exe (it looks like a man with a spyglass) and rename it to Safer.exe


Let me see the following; you can take as many posts as you need to post it all.

1. OtMoveIt log
2. Vundofix log
3. Combofix log
4. New HJT log renamed to Safer.exe

Spywared
2008-01-08, 21:40
Ok, I've followed all of the instructions thus far, and load time for startup is noticeably faster. I am very thankful for the help you have given; logs to follow.

OTMoveIt log
C:\Program Files\kernel moved successfully.

Created on 01/08/2008 19:58:19

VundoFix log

VundoFix V6.7.7

Checking Java version...

Scan started at 20:01:35 08/01/2008

Listing files found while scanning....

C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\iifgefd.dll
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ijllm.ini2
C:\WINDOWS\system32\jkkkjhh.dll
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mllji.exe
C:\WINDOWS\system32\yayyxww.dll

Beginning removal...

Attempting to delete C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifgefd.dll
C:\WINDOWS\system32\iifgefd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ijllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijllm.ini2
C:\WINDOWS\system32\ijllm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkkjhh.dll
C:\WINDOWS\system32\jkkkjhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mllji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mllji.exe
C:\WINDOWS\system32\mllji.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayyxww.dll
C:\WINDOWS\system32\yayyxww.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\yayyxww.dll
C:\WINDOWS\system32\yayyxww.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...
It would appear a file could not be deleted?

And the CC log

ComboFix 08-01-07.5 - NotADMIN! 2008-01-08 20:30:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1708 [GMT 0:00]
Running from: C:\Documents and Settings\NotADMIN!\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt\MovedFiles\Program Files\kernel\kernel .exe
C:\Documents and Settings\NotADMIN!\Application Data\MANTEC~1
C:\Documents and Settings\NotADMIN!\Application Data\MANTEC~1\??mantec\
C:\Documents and Settings\NotADMIN!\Application Data\MANTEC~1\wucrtupd .exe
C:\Documents and Settings\NotADMIN!\Application Data\MANTEC~1\wucrtupd.exe
C:\Documents and Settings\NotADMIN!\Start Menu\Programs\Outerinfo
C:\Documents and Settings\NotADMIN!\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\NotADMIN!\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Ares\Ares .exe
C:\Program Files\Ares\Ares .exe
C:\Program Files\Ares\Ares .exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\MSN\lawuhevol.dll
C:\Program Files\MSN\lawuhevol825.dll
C:\Program Files\MSN\lawuhevol878.dll
C:\Program Files\MSN\progyvaprak.html
C:\Program Files\Online Services\holenut4444.dll
C:\Program Files\Online Services\holenut83122.dll
C:\Program Files\outerinfo
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\b122.exe
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\dobe~1\t?skmgr.exe
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ijllm.ini2
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mllji.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCXA.tmp
C:\WINDOWS\system32\wnsinticomsv32.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wnsxs~1\rotr.exe
C:\WINDOWS\system32\wnsxs~1\W?nSxS\
C:\WINDOWS\system32\xbc.dll
C:\WINDOWS\system32\yayyxww.dll
C:\WINDOWS\tk58.exe


C:\Program Files\Messenger\msmsgs .exe ---> QooBox
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> TeaTimer.exe
C:\_OTMoveIt\MovedFiles\Program Files\kernel\kernel .exe ---> QooBox
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.

2008-01-08 20:29 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 20:01 . 2008-01-08 20:23 <DIR> d-------- C:\VundoFix Backups
2008-01-08 18:06 . 2008-01-08 18:06 329,728 --a------ C:\WINDOWS\system32\RCX111.tmp
2008-01-08 18:00 . 2008-01-08 18:00 <DIR> d-------- C:\Documents and Settings\Unawesomesauce\Application Data\Ventrilo
2008-01-08 13:25 . 2008-01-08 13:25 <DIR> d-------- C:\Documents and Settings\Unawesomesauce\Application Data\Logitech
2008-01-08 13:25 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-08 13:14 . 2008-01-08 13:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-08 12:52 . 2008-01-08 12:52 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-0000000C-00001102-00000004-10021102}.BAK
2008-01-08 12:37 . 2008-01-08 12:37 <DIR> d-------- C:\Program Files\CCleaner
2008-01-08 12:32 . 2008-01-08 12:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-08 12:29 . 2008-01-08 12:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-08 12:22 . 2008-01-08 12:22 <DIR> d-------- C:\WINDOWS\system32\mi54
2008-01-08 12:22 . 2008-01-08 12:22 <DIR> d-------- C:\WINDOWS\system32\lo1
2008-01-08 12:22 . 2008-01-08 12:22 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-08 12:22 . 2008-01-08 12:22 <DIR> d-------- C:\Temp\cEeer12
2008-01-08 12:22 . 2008-01-08 20:31 <DIR> d-------- C:\Temp
2008-01-08 12:22 . 2008-01-08 12:24 39,936 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-01-08 12:17 . 2008-01-08 12:17 <DIR> d-------- C:\WINDOWS\Sun
2008-01-07 22:21 . 2008-01-07 22:21 <DIR> d-------- C:\Program Files\Miranda IM
2008-01-07 22:21 . 2008-01-07 22:21 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\Miranda
2008-01-07 19:17 . 2008-01-07 19:17 <DIR> d-------- C:\Program Files\Ventrilo
2008-01-07 19:17 . 2008-01-07 19:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 19:12 . 2008-01-07 19:12 <DIR> d-------- C:\Program Files\Java
2008-01-07 19:12 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-07 19:11 . 2008-01-07 19:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-07 02:07 . 2008-01-07 22:21 <DIR> d-------- C:\Downloads
2008-01-07 02:07 . 2008-01-07 02:07 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-01-07 02:06 . 2008-01-06 13:52 <DIR> d-------- C:\Program Files\BitComet
2008-01-06 16:11 . 2004-08-03 23:14 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2008-01-06 16:11 . 2008-01-06 16:11 359,040 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys.ORIGINAL
2008-01-06 16:11 . 2008-01-06 16:11 359,040 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-12-31 22:08 . 2007-12-31 22:08 <DIR> d-------- C:\Program Files\GCFScape
2007-12-31 20:39 . 2008-01-08 20:31 30,888 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-0000000C-00001102-00000004-10021102}.rfx
2007-12-31 20:39 . 2008-01-08 20:31 30,888 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-0000000C-00001102-00000004-10021102}.rfx
2007-12-31 20:39 . 2008-01-08 20:31 30,528 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-0000000C-00001102-00000004-10021102}.rfx
2007-12-31 20:39 . 2008-01-08 20:31 30,528 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-0000000C-00001102-00000004-10021102}.rfx
2007-12-31 20:39 . 2008-01-08 20:31 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-10021102}.rfx
2007-12-31 20:39 . 2008-01-08 20:31 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2007-12-31 20:39 . 2008-01-08 20:31 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2007-12-31 20:38 . 2008-01-08 12:52 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-0000000C-00001102-00000004-10021102}.CDF
2007-12-31 20:38 . 2000-12-05 09:11 4,174,814 --------- C:\WINDOWS\system32\CT4MGM.SF2
2007-12-31 20:38 . 2007-12-31 20:38 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-12-31 20:38 . 2006-08-11 15:14 86,446 --a------ C:\WINDOWS\system32\instwdm.ini
2007-12-31 20:38 . 2006-08-11 14:55 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2007-12-31 20:38 . 2006-08-11 14:56 3,072 --a------ C:\WINDOWS\CTXFIRES.DLL
2007-12-31 10:27 . 2008-01-01 00:31 <DIR> d-------- C:\Program Files\Cheat Engine
2007-12-31 10:27 . 2006-09-04 19:16 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2007-12-31 10:27 . 2006-09-04 19:16 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2007-12-29 00:23 . 2007-12-29 00:23 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-29 00:23 . 2007-12-29 00:23 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\AdobeUM
2007-12-29 00:22 . 2007-12-29 00:22 <DIR> d-------- C:\WINDOWS\Cache
2007-12-29 00:18 . 2007-12-29 00:18 <DIR> d-------- C:\Program Files\Stardock
2007-12-29 00:18 . 2007-12-29 00:18 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-12-29 00:18 . 2002-01-05 06:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-12-29 00:18 . 2002-01-05 07:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-12-29 00:18 . 2002-01-05 06:38 54,784 --a------ C:\WINDOWS\system32\msvci70.dll
2007-12-29 00:18 . 2000-10-20 00:05 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-21 16:47 . 2007-10-22 16:47 32 -ra------ C:\Documents and Settings\All Users\hash.dat
2007-12-21 16:39 . 2007-12-21 16:39 <DIR> d-------- C:\Program Files\Three Rings Design
2007-12-21 11:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-21 11:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-12-19 14:13 . 2007-12-19 14:13 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\uqm
2007-12-18 21:19 . 2007-12-18 21:30 <DIR> d-------- C:\wankstain
2007-12-18 21:13 . 2007-12-18 21:13 <DIR> d---s---- C:\Documents and Settings\NotADMIN!\UserData
2007-12-18 21:11 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-12-18 20:50 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-18 16:10 . 2007-12-18 16:10 <DIR> d-------- C:\Program Files\Hamachi
2007-12-18 16:10 . 2008-01-08 20:32 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\Hamachi
2007-12-18 16:10 . 2007-12-18 16:10 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-12-18 00:17 . 2008-01-06 19:08 38 --a------ C:\WINDOWS\avisplitter.INI
2007-12-17 23:39 . 2007-12-17 23:39 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-17 23:33 . 2007-12-17 23:33 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\vlc
2007-12-17 23:32 . 2007-12-17 23:32 <DIR> d-------- C:\Program Files\VideoLAN
2007-12-17 23:30 . 2008-01-08 20:31 <DIR> d-------- C:\Program Files\Ares
2007-12-17 20:56 . 2007-12-17 20:56 <DIR> d-------- C:\Program Files\Opera
2007-12-17 20:42 . 2007-12-17 20:42 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-12-17 20:38 . 2007-12-17 20:38 646,392 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-17 20:32 . 2007-12-17 20:32 <DIR> d-------- C:\Program Files\Winamp
2007-12-17 20:32 . 2008-01-08 12:37 1,065 --a------ C:\WINDOWS\winamp.ini
2007-12-17 20:24 . 2007-12-17 20:24 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\Ventrilo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 16:11 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-31 20:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 20:38 --------- d-----w C:\Program Files\Creative
2007-12-31 20:38 --------- d-----w C:\Documents and Settings\NotADMIN!\Application Data\Creative
2007-12-31 20:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-17 18:32 --------- d-----w C:\Documents and Settings\NotADMIN!\Application Data\Logitech
2007-12-17 18:31 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-17 18:31 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2007-12-17 18:31 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-12-17 18:31 --------- d-----w C:\Program Files\Common Files\Logitech
2007-12-17 18:31 --------- d-----w C:\Program Files\Common Files\LogiShared
2007-12-17 18:31 --------- d-----w C:\Documents and Settings\NotADMIN!\Application Data\Leadertech
2007-12-17 18:30 --------- d-----w C:\Program Files\Logitech
2007-12-17 18:30 --------- d-----w C:\Documents and Settings\NotADMIN!\Application Data\InstallShield
2007-12-17 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-12-17 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-12-17 18:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-17 18:12 --------- d-----w C:\Program Files\ATI Technologies
2007-12-17 18:08 --------- d-----w C:\Program Files\Intel
2007-12-17 17:30 --------- d-----w C:\Program Files\microsoft frontpage
2003-07-17 10:26 448,640 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-07-17 10:22 147,328 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-06-03 15:47 147,328 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares .exe" [ ]
"Atqt"="C:\WINDOWS\system32\?dobe\t?skmgr.exe" [ ]
"kernel"="C:\Program Files\kernel\kernel.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-08 20:27 1460560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\NotADMIN!\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2007-12-18 16:10:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-12-17 18:30:52]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^NotADMIN!^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\NotADMIN!\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 10:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)

R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 10:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63ba4b42-b4e4-11dc-bf50-000ea60716d8}]
\Shell\AutoRun\command - I:\NoAutoRun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 20:32:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-08 20:33:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-08 20:33:04

Spywared
2008-01-08, 21:41
And the HijackThis log after renaming the executable:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:37:13, on 08/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares .exe" -h
O4 - HKCU\..\Run: [Atqt] C:\WINDOWS\system32\?dobe\t?skmgr.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 4383 bytes

ken545
2008-01-09, 00:33
Hello,

One of the infections you have is a Vundo File Infector; this infection infects legitimate files on your system. This is what we need to do.

Spybot Search and Destroy is infected, so uninstall the program via Add/Remove Programs in the Control Panel.

Reboot after you uninstall it.

Some of the entries were not removed, so run this again.

Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.

Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer


Internet Explorer is needed to run this properly.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O4 - HKCU\..\Run: [Atqt] C:\WINDOWS\system32\?dobe\t?skmgr.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
C:\WINDOWS\mrofinu572.exe.tmp

Folder::
C:\VundoFix Backups
C:\Program Files\kernel

RenV::
C:\Program Files\Messenger\msmsgs .exe ---> QooBox
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> TeaTimer.exe
C:\_OTMoveIt\MovedFiles\Program Files\kernel\kernel .exe ---> QooBox


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
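A small triage helper, added here as an example and not part of this thread or of HijackThis/ComboFix, that flags three of the patterns ken545 picks out of these logs by hand: O15 Trusted Zone entries, paths that HijackThis prints with '?' in place of characters it cannot encode (the ?dobe\t?skmgr.exe lookalike folder), and executables with a space before the extension (the Ares .exe / kernel .exe companions that the RenV:: lines map back to QooBox). The sample log is constructed, modelled on lines quoted above; the reason labels and function names are my own.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line_no: int   # 1-based line number within the log
    reason: str
    text: str


TRUSTED_ZONE = "trusted-zone"
LOOKALIKE_PATH = "lookalike-path"
SPACE_BEFORE_EXT = "space-before-ext"

# A Windows path (drive letter onward) containing '?'. HijackThis writes an
# ANSI log, so a folder name built from characters it cannot encode shows up
# with '?' in it, as in ?dobe\t?skmgr.exe: it is not the folder it imitates.
_LOOKALIKE_RE = re.compile(r"[A-Za-z]:\\[^\s\"']*\?")
# A space between base name and extension ('Ares .exe', 'kernel .exe'): the
# companion-file pattern that the RenV:: lines in the CFScript deal with.
_SPACE_EXT_RE = re.compile(r"\S \.(?:exe|dll|scr|com)\b", re.IGNORECASE)

# Constructed sample, modelled on the log lines quoted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\?dobe\t?skmgr.exe
C:\Program Files\kernel\kernel .exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares .exe" -h
O4 - HKCU\..\Run: [Atqt] C:\WINDOWS\system32\?dobe\t?skmgr.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


def triage_line(line_no: int, line: str) -> List[Finding]:
    """Return zero or more findings for a single log line."""
    found: List[Finding] = []
    text = line.strip()
    # Trusted Zone entries the user never added are a sign of an installer
    # whitelisting its own download sites in Internet Explorer.
    if text.startswith("O15 - Trusted Zone:"):
        found.append(Finding(line_no, TRUSTED_ZONE, text))
    if _LOOKALIKE_RE.search(text):
        found.append(Finding(line_no, LOOKALIKE_PATH, text))
    if _SPACE_EXT_RE.search(text):
        found.append(Finding(line_no, SPACE_BEFORE_EXT, text))
    return found


def triage_log(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis-style log."""
    findings: List[Finding] = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        findings.extend(triage_line(number, line))
    return findings


def count_by_reason(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings as {reason: count} for a quick overview."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.reason] = counts.get(finding.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"line {finding.line_no:3d} [{finding.reason}] {finding.text}")
    print(count_by_reason(triage_log(SAMPLE_LOG)))
```

The helper only narrows the list for a human to read; legitimate entries (CTFMON, the ATI service) pass through untouched, and a hit still needs the kind of judgement shown in the replies above.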

Spywared
2008-01-09, 02:04
ComboFix 08-01-09.2 - NotADMIN! 2008-01-09 0:59:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1706 [GMT 0:00]
Running from: C:\Documents and Settings\NotADMIN!\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NotADMIN!\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\mrofinu572.exe.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\iifgefd.dll.bad
C:\VundoFix Backups\ijllm.ini.bad
C:\VundoFix Backups\ijllm.ini2.bad
C:\VundoFix Backups\jkkkjhh.dll.bad
C:\VundoFix Backups\mllji.dll.bad
C:\VundoFix Backups\mllji.exe.bad
C:\VundoFix Backups\mrofinu572.exe.bad
C:\VundoFix Backups\yayyxww.dll.bad
C:\WINDOWS\mrofinu572.exe.tmp

.
((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-08 22:15 . 2008-01-08 22:15 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-08 20:29 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 18:06 . 2008-01-08 18:06 329,728 --a------ C:\WINDOWS\system32\RCX111.tmp
2008-01-08 18:00 . 2008-01-08 18:00 <DIR> d-------- C:\Documents and Settings\Unawesomesauce\Application Data\Ventrilo
2008-01-08 13:25 . 2008-01-08 13:25 <DIR> d-------- C:\Documents and Settings\Unawesomesauce\Application Data\Logitech
2008-01-08 13:25 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-08 13:14 . 2008-01-09 00:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-08 12:52 . 2008-01-08 12:52 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-0000000C-00001102-00000004-10021102}.BAK
2008-01-08 12:37 . 2008-01-08 12:37 <DIR> d-------- C:\Program Files\CCleaner
2008-01-08 12:32 . 2008-01-08 12:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-08 12:29 . 2008-01-08 12:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-08 12:22 . 2008-01-08 12:22 <DIR> d-------- C:\WINDOWS\system32\mi54
2008-01-08 12:22 . 2008-01-08 12:22 <DIR> d-------- C:\WINDOWS\system32\lo1
2008-01-08 12:22 . 2008-01-08 12:22 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2008-01-08 12:22 . 2008-01-08 12:22 <DIR> d-------- C:\Temp\cEeer12
2008-01-08 12:22 . 2008-01-08 20:31 <DIR> d-------- C:\Temp
2008-01-08 12:17 . 2008-01-08 12:17 <DIR> d-------- C:\WINDOWS\Sun
2008-01-07 22:21 . 2008-01-07 22:21 <DIR> d-------- C:\Program Files\Miranda IM
2008-01-07 22:21 . 2008-01-08 21:46 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\Miranda
2008-01-07 19:17 . 2008-01-07 19:17 <DIR> d-------- C:\Program Files\Ventrilo
2008-01-07 19:17 . 2008-01-07 19:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 19:12 . 2008-01-07 19:12 <DIR> d-------- C:\Program Files\Java
2008-01-07 19:12 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-07 19:11 . 2008-01-07 19:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-07 02:07 . 2008-01-07 22:21 <DIR> d-------- C:\Downloads
2008-01-07 02:07 . 2008-01-07 02:07 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-01-07 02:06 . 2008-01-06 13:52 <DIR> d-------- C:\Program Files\BitComet
2008-01-06 16:11 . 2004-08-03 23:14 359,040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2008-01-06 16:11 . 2008-01-06 16:11 359,040 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys.ORIGINAL
2008-01-06 16:11 . 2008-01-06 16:11 359,040 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-12-31 22:08 . 2007-12-31 22:08 <DIR> d-------- C:\Program Files\GCFScape
2007-12-31 20:39 . 2008-01-09 00:55 31,056 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-0000000C-00001102-00000004-10021102}.rfx
2007-12-31 20:39 . 2008-01-09 00:55 31,056 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-0000000C-00001102-00000004-10021102}.rfx
2007-12-31 20:39 . 2008-01-09 00:55 30,528 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-0000000C-00001102-00000004-10021102}.rfx
2007-12-31 20:39 . 2008-01-09 00:55 30,528 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-0000000C-00001102-00000004-10021102}.rfx
2007-12-31 20:39 . 2008-01-09 00:55 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-10021102}.rfx
2007-12-31 20:39 . 2008-01-09 00:55 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2007-12-31 20:39 . 2008-01-09 00:55 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2007-12-31 20:38 . 2008-01-08 12:52 4,958,588 --a------ C:\WINDOWS\{00000002-00000000-0000000C-00001102-00000004-10021102}.CDF
2007-12-31 20:38 . 2000-12-05 09:11 4,174,814 --------- C:\WINDOWS\system32\CT4MGM.SF2
2007-12-31 20:38 . 2007-12-31 20:38 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-12-31 20:38 . 2006-08-11 15:14 86,446 --a------ C:\WINDOWS\system32\instwdm.ini
2007-12-31 20:38 . 2006-08-11 14:55 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2007-12-31 20:38 . 2006-08-11 14:56 3,072 --a------ C:\WINDOWS\CTXFIRES.DLL
2007-12-31 10:27 . 2008-01-01 00:31 <DIR> d-------- C:\Program Files\Cheat Engine
2007-12-31 10:27 . 2006-09-04 19:16 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2007-12-31 10:27 . 2006-09-04 19:16 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2007-12-29 00:23 . 2007-12-29 00:23 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-29 00:23 . 2007-12-29 00:23 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\AdobeUM
2007-12-29 00:22 . 2007-12-29 00:22 <DIR> d-------- C:\WINDOWS\Cache
2007-12-29 00:18 . 2007-12-29 00:18 <DIR> d-------- C:\Program Files\Stardock
2007-12-29 00:18 . 2007-12-29 00:18 <DIR> d-------- C:\Program Files\Common Files\Stardock
2007-12-29 00:18 . 2002-01-05 06:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-12-29 00:18 . 2002-01-05 07:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-12-29 00:18 . 2002-01-05 06:38 54,784 --a------ C:\WINDOWS\system32\msvci70.dll
2007-12-29 00:18 . 2000-10-20 00:05 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-21 16:47 . 2007-10-22 16:47 32 -ra------ C:\Documents and Settings\All Users\hash.dat
2007-12-21 16:39 . 2007-12-21 16:39 <DIR> d-------- C:\Program Files\Three Rings Design
2007-12-21 11:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-21 11:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-12-19 14:13 . 2007-12-19 14:13 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\uqm
2007-12-18 21:19 . 2007-12-18 21:30 <DIR> d-------- C:\wankstain
2007-12-18 21:13 . 2007-12-18 21:13 <DIR> d---s---- C:\Documents and Settings\NotADMIN!\UserData
2007-12-18 21:11 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-12-18 20:50 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-18 16:10 . 2007-12-18 16:10 <DIR> d-------- C:\Program Files\Hamachi
2007-12-18 16:10 . 2008-01-09 00:57 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\Hamachi
2007-12-18 16:10 . 2007-12-18 16:10 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-12-18 00:17 . 2008-01-06 19:08 38 --a------ C:\WINDOWS\avisplitter.INI
2007-12-17 23:39 . 2007-12-17 23:39 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-17 23:33 . 2007-12-17 23:33 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\vlc
2007-12-17 23:32 . 2007-12-17 23:32 <DIR> d-------- C:\Program Files\VideoLAN
2007-12-17 23:30 . 2008-01-08 20:31 <DIR> d-------- C:\Program Files\Ares
2007-12-17 20:56 . 2007-12-17 20:56 <DIR> d-------- C:\Program Files\Opera
2007-12-17 20:42 . 2007-12-17 20:42 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-12-17 20:38 . 2007-12-17 20:38 646,392 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-17 20:32 . 2007-12-17 20:32 <DIR> d-------- C:\Program Files\Winamp
2007-12-17 20:32 . 2008-01-08 12:37 1,065 --a------ C:\WINDOWS\winamp.ini
2007-12-17 20:24 . 2007-12-17 20:24 <DIR> d-------- C:\Documents and Settings\NotADMIN!\Application Data\Ventrilo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 16:11 359,040 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-12-31 20:38 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-12-31 20:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-31 20:38 --------- d-----w C:\Program Files\Creative
2007-12-31 20:38 --------- d-----w C:\Documents and Settings\NotADMIN!\Application Data\Creative
2007-12-31 20:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-17 18:32 --------- d-----w C:\Documents and Settings\NotADMIN!\Application Data\Logitech
2007-12-17 18:31 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-17 18:31 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2007-12-17 18:31 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-12-17 18:31 --------- d-----w C:\Program Files\Common Files\Logitech
2007-12-17 18:31 --------- d-----w C:\Program Files\Common Files\LogiShared
2007-12-17 18:31 --------- d-----w C:\Documents and Settings\NotADMIN!\Application Data\Leadertech
2007-12-17 18:30 --------- d-----w C:\Program Files\Logitech
2007-12-17 18:30 --------- d-----w C:\Documents and Settings\NotADMIN!\Application Data\InstallShield
2007-12-17 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-12-17 18:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-12-17 18:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-17 18:12 --------- d-----w C:\Program Files\ATI Technologies
2007-12-17 18:08 --------- d-----w C:\Program Files\Intel
2007-12-17 17:30 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-02 04:57 9,314,304 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-11-02 04:24 176,128 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-11-02 04:10 364,544 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-11-02 04:09 268,288 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-11-02 04:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-11-02 04:01 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-11-02 04:01 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-11-02 04:00 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-11-02 04:00 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-11-02 03:59 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-11-02 03:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-11-02 03:50 3,133,728 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-11-02 03:39 1,602,176 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-11-02 03:35 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-11-02 03:26 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-11-02 03:24 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-11-02 03:22 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-11-02 03:16 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-11-01 21:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-10-22 03:39 267,272 ----a-w C:\WINDOWS\system32\xactengine2_10.dll
2007-10-22 03:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-12 15:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 15:14 1,374,232 ----a-w C:\WINDOWS\system32\D3DCompiler_36.dll
2003-07-17 10:26 448,640 ----a-w C:\WINDOWS\inf\EL2K_N64.sys
2003-07-17 10:22 147,328 ----a-w C:\WINDOWS\inf\EL2K_XP.sys
2003-06-03 15:47 147,328 ----a-w C:\WINDOWS\inf\EL2K_2K.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-08_20.32.55.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 08:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-01-09 00:59:05 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-09 00:59:05 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-09 00:59:05 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-09 00:59:05 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-09 00:59:06 4,644,864 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-09 00:59:06 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares .exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\NotADMIN!\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2007-12-18 16:10:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-12-17 18:30:52]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^NotADMIN!^Start Menu^Programs^Startup^Product Registration.lnk]
path=C:\Documents and Settings\NotADMIN!\Start Menu\Programs\Startup\Product Registration.lnk
backup=C:\WINDOWS\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 10:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)

R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 10:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63ba4b42-b4e4-11dc-bf50-000ea60716d8}]
\Shell\AutoRun\command - I:\NoAutoRun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 00:59:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-09 1:00:12
ComboFix-quarantined-files.txt 2008-01-09 01:00:04
ComboFix2.txt 2008-01-08 20:33:14


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:02:11, on 09/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares .exe" -h
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 3337 bytes

Spywared
2008-01-09, 02:05
My sincere thanks for the help that has been given, I truly appreciate it :)

ken545
2008-01-09, 03:01
My sincere thanks for the help that has been given, I truly appreciate it
Not a problem, that's why we're here.


Your log looks fine, how are things running now?

Spywared
2008-01-09, 12:44
Appears to be running fine, no pop ups, and it's running at its old speed again :) Once again thanks for the help :)

ken545
2008-01-09, 13:04
That's great


ComboFix /u <-- Highlight this with your mouse and right click and select Copy
Go to start > run and paste in the field:
Then hit enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.



Here is some reading for you with tips and free tools to help keep you more secure in the future.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)


If you install Spyware Blaster and Spyware Guard, do not enable the Tea Timer in Spybot Search and Destroy or they will conflict.
Here are some free programs to install, don't leave home without them

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


Glad we could help. Stay well.

Safe Surfn
Ken