PDA

View Full Version : Warning! You have a security problem!



Oldaad
2009-02-24, 17:17
I have read and agree with the "Before you post sticky".

My son picked up malware from a video game cheats site. Red circle with white "x" in task bar with popups for free computer scanning. In history Norton Internet security notes attempts from "trojan.fakeavalert" to access the internet. Scanning with Norton and Spybot (all updated) do not reveal any problems. Please help. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:22 AM, on 2/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2005\SCActiveBlock.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218850860343
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PSMAntiSpy - Unknown owner - C:\PROGRA~1\PSMKorea\ANTIKE~1\PSMAntiS.exe (file missing)
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\GhostSurf 2005\DeleteSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8411 bytes

Blade81
2009-02-26, 08:46
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

Oldaad
2009-02-27, 05:12
Thanks, Blade.


DDS (Ver_09-02-01.01) - NTFSx86
Run by The Eldest at 22:06:13.53 on Thu 02/26/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1568 [GMT -5:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\The Eldest\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: SpywareBlock Class: {0a87e45f-537a-40b4-b812-e2544c21a09f} - c:\program files\ghostsurf 2005\SCActiveBlock.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\IPSBHO.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [AROReminder] c:\program files\advanced registry optimizer\aro.exe -rem
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [GhostSurfDelSatellite] "c:\program files\ghostsurf 2005\DeleteSatellite.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CTXFIREG] CTxfiReg.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [UpdReg] c:\windows\UpdReg.EXE
StartupFolder: c:\docume~1\theeld~1\startm~1\programs\startup\schedu~1.lnk - c:\program files\ghostsurf 2005\Scheduler daemon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218850860343
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2008-12-10 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090217.002\IDSxpx86.sys [2009-2-19 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-21 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090226.034\NAVENG.SYS [2009-2-26 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090226.034\NAVEX15.SYS [2009-2-26 876144]
S2 PSMAntiSpy;PSMAntiSpy;c:\progra~1\psmkorea\antike~1\psmantis.exe --> c:\progra~1\psmkorea\antike~1\PSMAntiS.exe [?]
S2 Remote1021;Remote Accoss;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]

=============== Created Last 30 ================

2009-02-24 10:03 <DIR> --d----- c:\program files\Trend Micro
2009-02-24 09:58 <DIR> --d----- c:\docume~1\theeld~1\applic~1\Sammsoft
2009-02-24 09:58 <DIR> --d----- c:\program files\Advanced Registry Optimizer

==================== Find3M ====================

2009-01-24 22:12 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-24 22:12 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-01-14 19:15 63,272 a------- c:\docume~1\theeld~1\applic~1\GDIPFONTCACHEV1.DAT
2009-01-07 10:52 22,328 a------- c:\docume~1\theeld~1\applic~1\PnkBstrK.sys
2009-01-07 10:52 682,280 a------- c:\windows\system32\pbsvc.exe
2009-01-07 10:52 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-12-28 12:22 444,952 a------- c:\windows\system32\wrap_oal.dll
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-01 15:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 15:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 15:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 15:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 15:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 15:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 15:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 15:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 15:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 15:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 15:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 15:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 15:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 15:11 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-12-01 15:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-01 15:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-12-01 14:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 14:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 14:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 14:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 14:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 14:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 14:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-12-01 14:35 593,920 -------- c:\windows\system32\ati2sgag.exe

============= FINISH: 22:06:31.14 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/15/2008 9:14:37 PM
System Uptime: 2/26/2009 9:02:22 PM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | 'SK8N'
Processor: AMD Athlon(tm) 64 FX-51 Processor | Socket 940 | 2199/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 224 GiB total, 102.746 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP159: 11/28/2008 10:43:54 AM - System Checkpoint
RP160: 11/29/2008 11:37:37 AM - System Checkpoint
RP161: 11/30/2008 11:51:40 AM - System Checkpoint
RP162: 12/1/2008 1:07:22 PM - System Checkpoint
RP163: 12/2/2008 5:58:55 PM - System Checkpoint
RP164: 12/3/2008 6:09:34 PM - System Checkpoint
RP165: 12/4/2008 7:16:05 PM - System Checkpoint
RP166: 12/5/2008 8:12:31 PM - System Checkpoint
RP167: 12/6/2008 10:06:01 PM - System Checkpoint
RP168: 12/8/2008 7:10:06 AM - System Checkpoint
RP169: 12/9/2008 10:43:54 PM - System Checkpoint
RP170: 12/10/2008 11:43:19 PM - System Checkpoint
RP171: 12/12/2008 3:24:41 PM - System Checkpoint
RP172: 12/13/2008 12:36:07 AM - Software Distribution Service 3.0
RP173: 12/14/2008 12:51:41 AM - System Checkpoint
RP174: 12/15/2008 1:13:33 AM - System Checkpoint
RP175: 12/16/2008 1:29:21 AM - System Checkpoint
RP176: 12/17/2008 7:36:54 AM - Installed Java(TM) 6 Update 11
RP177: 12/18/2008 12:14:02 AM - Software Distribution Service 3.0
RP178: 12/19/2008 12:43:13 AM - System Checkpoint
RP179: 12/20/2008 7:40:20 AM - System Checkpoint
RP180: 12/21/2008 8:13:36 AM - System Checkpoint
RP181: 12/22/2008 3:40:25 PM - System Checkpoint
RP182: 12/23/2008 5:12:56 PM - System Checkpoint
RP183: 12/24/2008 5:13:06 PM - System Checkpoint
RP184: 12/25/2008 9:21:14 PM - System Checkpoint
RP185: 12/26/2008 10:20:16 PM - System Checkpoint
RP186: 12/27/2008 3:29:47 PM - Installed Call of Duty(R) - World at War(TM)
RP187: 12/28/2008 9:41:07 AM - Removed ATI AVIVO Codecs
RP188: 12/28/2008 9:41:20 AM - Removed ATI Catalyst Control Center
RP189: 12/28/2008 9:46:06 AM - Installed ATI Catalyst Control Center
RP190: 12/28/2008 10:44:14 AM - Removed Sound Blaster Audigy 2 ZS
RP191: 12/28/2008 10:44:38 AM - Configured Your Application Name
RP192: 12/28/2008 10:44:44 AM - Configured Your Application Name
RP193: 12/28/2008 10:44:49 AM - Configured Your Application Name
RP194: 12/28/2008 10:44:54 AM - Configured Your Application Name
RP195: 12/28/2008 10:45:09 AM - Configured Your Application Name
RP196: 12/28/2008 10:45:18 AM - Removed Your Application Name
RP197: 12/28/2008 10:52:46 AM - Installed Sound Blaster Audigy 2 ZS
RP198: 12/28/2008 10:52:51 AM - Installed Creative MiniDisc Center
RP199: 12/28/2008 10:53:06 AM - Installed Creative Diagnostics
RP200: 12/28/2008 10:53:12 AM - Installed Creative WaveStudio
RP201: 12/28/2008 10:53:17 AM - Installed SoundFont Bank Manager
RP202: 12/28/2008 10:53:22 AM - Installed Speaker Calibrator
RP203: 12/28/2008 10:53:30 AM - Installed EAX Console
RP204: 12/28/2008 10:53:36 AM - Installed Your Application Name
RP205: 12/28/2008 10:53:51 AM - Installed Surround Mixer
RP206: 12/28/2008 10:53:55 AM - Installed Your Application Name
RP207: 12/28/2008 10:54:00 AM - Installed Speaker Settings
RP208: 12/28/2008 10:54:06 AM - Installed Your Application Name
RP209: 12/28/2008 10:54:14 AM - Installed Audio Stream Recorder 2
RP210: 12/28/2008 10:54:19 AM - Installed Your Application Name
RP211: 12/28/2008 10:54:26 AM - Installed Getting Started Demo
RP212: 12/28/2008 10:54:37 AM - Installed Creative Restore Defaults
RP213: 12/28/2008 10:54:41 AM - Installed Creative AudioHQ
RP214: 12/28/2008 10:54:47 AM - Installed Your Application Name
RP215: 12/28/2008 10:54:52 AM - Installed Your Application Name
RP216: 12/28/2008 10:55:00 AM - Installed SoundFont Bank Manager
RP217: 12/28/2008 10:55:08 AM - Installed Your Application Name
RP218: 12/28/2008 10:55:13 AM - Installed Your Application Name
RP219: 12/28/2008 10:56:53 AM - Installed Creative System Information
RP220: 12/28/2008 11:12:26 AM - Restore Operation
RP221: 12/28/2008 11:15:40 AM - Removed Call of Duty(R) - World at War(TM)
RP222: 12/28/2008 11:22:52 AM - Restore Operation
RP223: 12/28/2008 11:25:18 AM - Restore Operation
RP224: 12/28/2008 11:32:32 AM - Restore Operation
RP225: 12/28/2008 12:11:14 PM - Removed ATI Catalyst Control Center
RP226: 12/28/2008 12:13:54 PM - Installed ATI Catalyst Control Center
RP227: 12/28/2008 12:23:19 PM - Installed Creative Audio Console
RP228: 12/28/2008 12:32:52 PM - Installed Call of Duty(R) - World at War(TM)
RP229: 12/28/2008 6:38:54 PM - Installed Call of Duty(R) - World at War(TM) 1.1 Patch
RP230: 12/28/2008 6:49:30 PM - Installed DirectX
RP231: 12/29/2008 9:32:22 PM - System Checkpoint
RP232: 12/30/2008 10:37:36 PM - System Checkpoint
RP233: 1/1/2009 8:09:20 AM - System Checkpoint
RP234: 1/1/2009 7:45:09 PM - Installed Medieval II Total War
RP235: 1/1/2009 8:02:43 PM - Installed Medieval II Total War
RP236: 1/2/2009 7:55:07 PM - Installed Medieval II Total War
RP237: 1/2/2009 8:11:59 PM - Installed Medieval II Total War
RP238: 1/3/2009 8:23:56 PM - System Checkpoint
RP239: 1/5/2009 7:18:01 AM - System Checkpoint
RP240: 1/6/2009 11:23:45 AM - System Checkpoint
RP241: 1/6/2009 11:41:50 PM - Removed ATI Catalyst Control Center
RP242: 1/6/2009 11:47:07 PM - Installed ATI Catalyst Control Center
RP243: 1/7/2009 10:31:50 AM - Removed Call of Duty(R) - World at War(TM)
RP244: 1/7/2009 10:56:12 PM - Removed Creative Audio Console
RP245: 1/7/2009 11:02:50 PM - Installed Sound Blaster Audigy 2 ZS
RP246: 1/7/2009 11:02:55 PM - Installed Creative MiniDisc Center
RP247: 1/7/2009 11:03:11 PM - Installed Creative Diagnostics
RP248: 1/7/2009 11:03:17 PM - Installed Creative WaveStudio
RP249: 1/7/2009 11:03:22 PM - Installed SoundFont Bank Manager
RP250: 1/7/2009 11:03:26 PM - Installed Speaker Calibrator
RP251: 1/7/2009 11:03:33 PM - Installed EAX Console
RP252: 1/7/2009 11:03:38 PM - Installed Your Application Name
RP253: 1/7/2009 11:03:52 PM - Installed Surround Mixer
RP254: 1/7/2009 11:03:55 PM - Installed Your Application Name
RP255: 1/7/2009 11:04:01 PM - Installed Speaker Settings
RP256: 1/7/2009 11:04:06 PM - Installed Your Application Name
RP257: 1/7/2009 11:04:12 PM - Installed Audio Stream Recorder 2
RP258: 1/7/2009 11:04:16 PM - Installed Your Application Name
RP259: 1/7/2009 11:04:23 PM - Installed Getting Started Demo
RP260: 1/7/2009 11:04:35 PM - Installed Creative Restore Defaults
RP261: 1/7/2009 11:04:38 PM - Installed Creative AudioHQ
RP262: 1/7/2009 11:04:45 PM - Installed Your Application Name
RP263: 1/7/2009 11:04:53 PM - Installed Your Application Name
RP264: 1/7/2009 11:04:59 PM - Installed SoundFont Bank Manager
RP265: 1/7/2009 11:05:07 PM - Installed Your Application Name
RP266: 1/7/2009 11:05:11 PM - Installed Your Application Name
RP267: 1/7/2009 11:06:53 PM - Installed Creative System Information
RP268: 1/7/2009 11:35:46 PM - Installed WaveStudio 7
RP269: 1/7/2009 11:36:27 PM - Installed Creative MediaSource 5
RP270: 1/7/2009 11:40:18 PM - Configured Your Application Name
RP271: 1/7/2009 11:40:37 PM - Installed Creative MediaSource DVD-Audio Player
RP272: 1/7/2009 11:47:18 PM - Removed Creative MediaSource 5
RP273: 1/7/2009 11:48:01 PM - Removed Creative MediaSource DVD-Audio Player
RP274: 1/7/2009 11:48:40 PM - Removed Sound Blaster Audigy 2 ZS
RP275: 1/7/2009 11:49:03 PM - Configured Your Application Name
RP276: 1/7/2009 11:49:09 PM - Configured Your Application Name
RP277: 1/7/2009 11:49:14 PM - Configured Your Application Name
RP278: 1/7/2009 11:49:20 PM - Configured Your Application Name
RP279: 1/7/2009 11:49:38 PM - Removed Your Application Name
RP280: 1/7/2009 11:59:31 PM - Installed Sound Blaster Audigy 2 ZS
RP281: 1/7/2009 11:59:35 PM - Installed Creative MiniDisc Center
RP282: 1/7/2009 11:59:50 PM - Installed Creative Diagnostics
RP283: 1/7/2009 11:59:55 PM - Installed Creative WaveStudio
RP284: 1/8/2009 - Installed SoundFont Bank Manager
RP285: 1/8/2009 12:00:05 AM - Installed Speaker Calibrator
RP286: 1/8/2009 12:00:12 AM - Installed EAX Console
RP287: 1/8/2009 12:00:18 AM - Installed Your Application Name
RP288: 1/8/2009 12:00:30 AM - Installed Surround Mixer
RP289: 1/8/2009 12:00:34 AM - Installed Your Application Name
RP290: 1/8/2009 12:00:39 AM - Installed Speaker Settings
RP291: 1/8/2009 12:00:44 AM - Installed Your Application Name
RP292: 1/8/2009 12:00:50 AM - Installed Audio Stream Recorder 2
RP293: 1/8/2009 12:00:54 AM - Installed Your Application Name
RP294: 1/8/2009 12:01:01 AM - Installed Getting Started Demo
RP295: 1/8/2009 12:01:11 AM - Installed Creative Restore Defaults
RP296: 1/8/2009 12:01:15 AM - Installed Creative AudioHQ
RP297: 1/8/2009 12:01:20 AM - Installed Your Application Name
RP298: 1/8/2009 12:01:24 AM - Installed Your Application Name
RP299: 1/8/2009 12:01:30 AM - Installed SoundFont Bank Manager
RP300: 1/8/2009 12:01:38 AM - Installed Your Application Name
RP301: 1/8/2009 12:01:42 AM - Installed Your Application Name
RP302: 1/8/2009 12:03:22 AM - Installed Creative System Information
RP303: 1/8/2009 12:21:57 AM - Installed Sound Blaster Audigy 2 ZS
RP304: 1/8/2009 12:22:02 AM - Installed Creative MiniDisc Center
RP305: 1/8/2009 12:22:17 AM - Installed Creative Diagnostics
RP306: 1/8/2009 12:22:23 AM - Installed Creative WaveStudio
RP307: 1/8/2009 12:22:28 AM - Installed SoundFont Bank Manager
RP308: 1/8/2009 12:22:32 AM - Installed Speaker Calibrator
RP309: 1/8/2009 12:22:44 AM - Configured Your Application Name
RP310: 1/8/2009 12:22:47 AM - Installed EAX Console
RP311: 1/8/2009 12:22:52 AM - Installed Your Application Name
RP312: 1/8/2009 12:23:06 AM - Configured Your Application Name
RP313: 1/8/2009 12:23:08 AM - Installed Surround Mixer
RP314: 1/8/2009 12:23:12 AM - Installed Your Application Name
RP315: 1/8/2009 12:23:18 AM - Configured Your Application Name
RP316: 1/8/2009 12:23:20 AM - Installed Speaker Settings
RP317: 1/8/2009 12:23:25 AM - Installed Your Application Name
RP318: 1/8/2009 12:23:32 AM - Configured Your Application Name
RP319: 1/8/2009 12:23:34 AM - Installed Audio Stream Recorder 2
RP320: 1/8/2009 12:23:38 AM - Installed Your Application Name
RP321: 1/8/2009 12:23:45 AM - Installed Getting Started Demo
RP322: 1/8/2009 12:23:55 AM - Installed Creative Restore Defaults
RP323: 1/8/2009 12:24:00 AM - Installed Creative AudioHQ
RP324: 1/8/2009 12:24:06 AM - Configured Your Application Name
RP325: 1/8/2009 12:24:08 AM - Installed Your Application Name
RP326: 1/8/2009 12:24:12 AM - Installed Your Application Name
RP327: 1/8/2009 12:24:18 AM - Installed SoundFont Bank Manager
RP328: 1/8/2009 12:24:23 AM - Configured Your Application Name
RP329: 1/8/2009 12:24:25 AM - Installed Your Application Name
RP330: 1/8/2009 12:24:30 AM - Installed Your Application Name
RP331: 1/8/2009 12:30:09 AM - Removed Sound Blaster Audigy 2 ZS
RP332: 1/8/2009 12:30:33 AM - Configured Your Application Name
RP333: 1/8/2009 12:30:39 AM - Configured Your Application Name
RP334: 1/8/2009 12:30:45 AM - Configured Your Application Name
RP335: 1/8/2009 12:30:50 AM - Configured Your Application Name
RP336: 1/8/2009 12:31:05 AM - Configured Your Application Name
RP337: 1/8/2009 12:31:14 AM - Removed Your Application Name
RP338: 1/8/2009 12:34:45 AM - Installed Sound Blaster Audigy 2 ZS
RP339: 1/8/2009 12:34:52 AM - Installed Creative MiniDisc Center
RP340: 1/8/2009 12:35:07 AM - Installed Creative Diagnostics
RP341: 1/8/2009 12:35:13 AM - Installed Creative WaveStudio
RP342: 1/8/2009 12:35:18 AM - Installed SoundFont Bank Manager
RP343: 1/8/2009 12:35:22 AM - Installed Speaker Calibrator
RP344: 1/8/2009 12:35:29 AM - Installed EAX Console
RP345: 1/8/2009 12:35:34 AM - Installed Your Application Name
RP346: 1/8/2009 12:35:48 AM - Installed Surround Mixer
RP347: 1/8/2009 12:35:52 AM - Installed Your Application Name
RP348: 1/8/2009 12:35:57 AM - Installed Speaker Settings
RP349: 1/8/2009 12:36:01 AM - Installed Your Application Name
RP350: 1/8/2009 12:36:08 AM - Installed Audio Stream Recorder 2
RP351: 1/8/2009 12:36:12 AM - Installed Your Application Name
RP352: 1/8/2009 12:36:19 AM - Installed Getting Started Demo
RP353: 1/8/2009 12:36:30 AM - Installed Creative Restore Defaults
RP354: 1/8/2009 12:36:34 AM - Installed Creative AudioHQ
RP355: 1/8/2009 12:36:40 AM - Installed Your Application Name
RP356: 1/8/2009 12:36:44 AM - Installed Your Application Name
RP357: 1/8/2009 12:36:50 AM - Installed SoundFont Bank Manager
RP358: 1/8/2009 12:36:57 AM - Installed Your Application Name
RP359: 1/8/2009 12:37:01 AM - Installed Your Application Name
RP360: 1/8/2009 12:38:38 AM - Installed Creative System Information
RP361: 1/9/2009 1:34:14 AM - System Checkpoint
RP362: 1/10/2009 6:44:29 AM - System Checkpoint
RP363: 1/11/2009 7:16:23 AM - System Checkpoint
RP364: 1/12/2009 9:25:26 AM - System Checkpoint
RP365: 1/13/2009 9:45:39 AM - System Checkpoint
RP366: 1/14/2009 10:38:20 AM - System Checkpoint
RP367: 1/15/2009 2:04:31 AM - Software Distribution Service 3.0
RP368: 1/16/2009 7:10:53 AM - System Checkpoint
RP369: 1/17/2009 7:47:02 AM - System Checkpoint
RP370: 1/18/2009 8:01:52 AM - System Checkpoint
RP371: 1/19/2009 8:06:24 AM - System Checkpoint
RP372: 1/20/2009 8:55:05 AM - System Checkpoint
RP373: 1/21/2009 9:16:02 AM - System Checkpoint
RP374: 1/23/2009 5:31:25 PM - System Checkpoint
RP375: 1/24/2009 6:20:56 PM - System Checkpoint
RP376: 1/25/2009 7:51:25 PM - System Checkpoint
RP377: 1/26/2009 8:36:07 PM - System Checkpoint
RP378: 1/27/2009 8:40:01 PM - System Checkpoint
RP379: 1/28/2009 8:48:00 PM - System Checkpoint
RP380: 1/29/2009 9:53:55 PM - System Checkpoint
RP381: 1/31/2009 12:05:30 AM - System Checkpoint
RP382: 2/1/2009 10:15:19 AM - System Checkpoint
RP383: 2/2/2009 4:24:23 PM - System Checkpoint
RP384: 2/3/2009 7:35:06 PM - System Checkpoint
RP385: 2/5/2009 7:37:48 AM - System Checkpoint
RP386: 2/6/2009 3:56:14 PM - System Checkpoint
RP387: 2/7/2009 5:08:04 PM - System Checkpoint
RP388: 2/8/2009 6:43:15 PM - System Checkpoint
RP389: 2/10/2009 5:29:56 PM - System Checkpoint
RP390: 2/11/2009 3:00:12 AM - Software Distribution Service 3.0
RP391: 2/12/2009 6:55:54 AM - System Checkpoint
RP392: 2/13/2009 6:59:54 AM - System Checkpoint
RP393: 2/14/2009 7:38:24 AM - System Checkpoint
RP394: 2/15/2009 8:10:16 AM - System Checkpoint
RP395: 2/16/2009 9:29:47 AM - System Checkpoint
RP396: 2/17/2009 9:48:02 AM - System Checkpoint
RP397: 2/18/2009 11:28:34 AM - System Checkpoint
RP398: 2/19/2009 11:32:13 AM - System Checkpoint
RP399: 2/20/2009 12:41:15 PM - System Checkpoint
RP400: 2/21/2009 1:24:37 PM - System Checkpoint
RP401: 2/22/2009 3:34:14 PM - System Checkpoint
RP402: 2/23/2009 5:55:19 PM - System Checkpoint
RP403: 2/24/2009 9:58:23 AM - ADVANCED REGISTRY OPTIMIZER - FIRST RUN
RP404: 2/25/2009 9:01:32 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player 11
Advanced Registry Optimizer
AIM 6
Apple Mobile Device Support
Apple Software Update
ASUS Probe V2.20.07
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Barbarian Invasion
BiAdmin
Bonjour
Call of Duty(R) - World at War(TM)
Call of Duty(R) - World at War(TM) 1.1 Patch
Call of Duty(R) 4 - Modern Warfare(TM)
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
Counter-Strike: Source
Creative System Information
EasyCleaner
Fallout 3
GameSpy Arcade
Garry's Mod
GhostSurf 2005 Platinum
Half-Life 2
Half-Life 2: Deathmatch
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp deskjet 930c series (Remove only)
InterVideo WinDVD 4
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 7
Left 4 Dead
Logitech iTouch Software
Logitech Resource Center
Medieval II Total War
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 6.0 Parser (KB925673)
Norton Internet Security
NVIDIA nForce Drivers
Paint Shop Pro 7 Anniversary Edition
Print Server Driver
PunkBuster Services
QuickTime
Requiem
Rome - Total War(TM)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Shred version 2.0
Skins
Sound Blaster Audigy 2 ZS
Spybot - Search & Destroy
Steam
Stronghold Crusader
Ultimate Ride Coaster Deluxe
Universal Extractor 1.5
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
WebFldrs XP
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
World of Warcraft
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

2/23/2009 3:17:47 PM, error: Service Control Manager [7023] - The Remote Accoss service terminated with the following error: The specified module could not be found.
2/23/2009 3:17:47 PM, error: Service Control Manager [7000] - The PSMAntiSpy service failed to start due to the following error: The system cannot find the path specified.
2/23/2009 12:56:34 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
2/23/2009 12:56:34 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/23/2009 12:56:34 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
2/19/2009 1:52:07 AM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/24/2009 12:55:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/24/2009 12:55:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2/24/2009 12:56:34 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2009 12:56:34 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2009 12:56:34 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2009 12:56:34 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2009 12:56:34 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2009 12:56:34 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/24/2009 12:56:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 ccHP eeCtrl Fips IDSxpx86 IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SRTSPX SYMTDI Tcpip
2/24/2009 6:35:29 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file userinit.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.

==== End Of File ===========================

Blade81
2009-02-27, 09:24
Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Oldaad
2009-02-28, 01:21
Thanks again Blade.

ComboFix 09-02-27.02 - The Eldest 2009-02-27 18:14:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1561 [GMT -5:00]
Running from: c:\documents and settings\The Eldest\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\init32.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))
.

2009-02-24 10:03 . 2009-02-24 10:03 <DIR> d-------- c:\program files\Trend Micro
2009-02-24 09:58 . 2009-02-24 09:58 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-02-24 09:58 . 2009-02-24 09:58 <DIR> d-------- c:\documents and settings\The Eldest\Application Data\Sammsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 14:37 --------- d-----w c:\documents and settings\The Eldest\Application Data\U3
2009-02-23 20:17 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-19 11:52 --------- d-----w c:\program files\World of Warcraft
2009-01-25 03:12 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-25 03:12 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-23 20:27 --------- d-----w c:\program files\Steam
2009-01-15 00:15 63,272 ----a-w c:\documents and settings\The Eldest\Application Data\GDIPFONTCACHEV1.DAT
2009-01-08 05:39 --------- d-----w c:\program files\Creative
2009-01-08 05:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 05:37 --------- d-----w c:\documents and settings\The Eldest\Application Data\Creative
2009-01-07 15:52 682,280 ----a-w c:\windows\system32\pbsvc.exe
2009-01-07 15:52 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-01-07 15:52 22,328 ----a-w c:\documents and settings\The Eldest\Application Data\PnkBstrK.sys
2009-01-07 15:36 --------- d-----w c:\program files\Activision
2009-01-07 04:51 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-01-07 04:47 --------- d-----w c:\program files\ATI Technologies
2009-01-03 01:11 --------- d-----w c:\program files\SEGA
2009-01-03 01:07 --------- d-----w c:\documents and settings\The Eldest\Application Data\InstallShield
2008-12-30 00:49 --------- d-----w c:\program files\RealArcade
2008-12-28 17:22 444,952 ----a-w c:\windows\system32\wrap_oal.dll
2008-12-28 17:20 --------- d-----w c:\program files\QuickTime
2008-12-28 17:20 --------- d-----w c:\program files\GameSpy Arcade
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-01 20:52 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-12-01 20:51 318,464 ----a-w c:\windows\system32\ati2dvag.dll
2008-12-01 20:46 11,304,960 ----a-w c:\windows\system32\atioglxx.dll
2008-12-01 20:41 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-12-01 20:40 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-12-01 20:40 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-12-01 20:40 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-12-01 20:40 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-12-01 20:38 598,016 ----a-w c:\windows\system32\ati2evxx.exe
2008-12-01 20:37 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-12-01 20:27 4,120,384 ----a-w c:\windows\system32\ati3duag.dll
2008-12-01 20:19 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-12-01 20:11 2,495,360 ----a-w c:\windows\system32\ativvaxx.dll
2008-12-01 19:57 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalrt.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalcl.dll
2008-12-01 19:53 401,408 ----a-w c:\windows\system32\atikvmag.dll
2008-12-01 19:52 86,016 ----a-w c:\windows\system32\atiadlxx.dll
2008-12-01 19:52 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-12-01 19:50 3,252,224 ----a-w c:\windows\system32\Amdcaldd.dll
2008-12-01 19:50 286,720 ----a-w c:\windows\system32\atiok3x2.dll
2008-12-01 19:45 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-12-01 19:35 593,920 ------w c:\windows\system32\ati2sgag.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2008-08-22 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-05-29 520192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-11 196608]
"GhostSurfDelSatellite"="c:\program files\GhostSurf 2005\DeleteSatellite.exe" [2005-01-04 61440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 c:\windows\system32\ptipbmf.dll]
"CTHelper"="CTHELPER.EXE" [2003-06-19 c:\windows\system32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-06-19 c:\windows\system32\CTASIO.DLL]

c:\documents and settings\The Eldest\Start Menu\Programs\Startup\
Scheduler.lnk - c:\program files\GhostSurf 2005\Scheduler daemon.exe [2004-03-09 86133]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-11-04 110592]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-10 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090225.002\IDSxpx86.sys [2009-02-27 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-10-21 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]
S2 PSMAntiSpy;PSMAntiSpy;c:\progra~1\PSMKorea\ANTIKE~1\PSMAntiS.exe --> c:\progra~1\PSMKorea\ANTIKE~1\PSMAntiS.exe [?]
S2 Remote1021;Remote Accoss;c:\windows\System32\svchost.exe -k netsvcs [2003-03-31 14336]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Remote1021

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6715639b-b4ac-11dd-a241-000c6e8bfb13}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6e7c6a-82b4-11dd-a1b3-000c6e8bfb13}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - The Eldest.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-CTXFIREG - CTxfiReg.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 18:15:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-27 18:16:17
ComboFix-quarantined-files.txt 2009-02-27 23:16:12

Pre-Run: 110,322,819,072 bytes free
Post-Run: 110,590,636,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

188 --- E O F --- 2009-02-25 14:01:47


DDS (Ver_09-02-01.01) - NTFSx86
Run by The Eldest at 18:19:51.51 on Fri 02/27/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1533 [GMT -5:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\The Eldest\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: SpywareBlock Class: {0a87e45f-537a-40b4-b812-e2544c21a09f} - c:\program files\ghostsurf 2005\SCActiveBlock.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\IPSBHO.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AROReminder] c:\program files\advanced registry optimizer\aro.exe -rem
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [GhostSurfDelSatellite] "c:\program files\ghostsurf 2005\DeleteSatellite.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [UpdReg] c:\windows\UpdReg.EXE
StartupFolder: c:\docume~1\theeld~1\startm~1\programs\startup\schedu~1.lnk - c:\program files\ghostsurf 2005\Scheduler daemon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218850860343
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2008-12-10 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090225.002\IDSxpx86.sys [2009-2-27 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-21 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090227.004\NAVENG.SYS [2009-2-27 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090227.004\NAVEX15.SYS [2009-2-27 876144]
S2 PSMAntiSpy;PSMAntiSpy;c:\progra~1\psmkorea\antike~1\psmantis.exe --> c:\progra~1\psmkorea\antike~1\PSMAntiS.exe [?]
S2 Remote1021;Remote Accoss;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]

=============== Created Last 30 ================

2009-02-27 18:13 <DIR> a-dshr-- C:\cmdcons
2009-02-27 18:11 161,792 a------- c:\windows\SWREG.exe
2009-02-27 18:11 98,816 a------- c:\windows\sed.exe
2009-02-27 18:11 <DIR> --d----- C:\ComboFix
2009-02-24 10:03 <DIR> --d----- c:\program files\Trend Micro
2009-02-24 09:58 <DIR> --d----- c:\docume~1\theeld~1\applic~1\Sammsoft
2009-02-24 09:58 <DIR> --d----- c:\program files\Advanced Registry Optimizer

==================== Find3M ====================

2009-01-24 22:12 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-24 22:12 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-01-14 19:15 63,272 a------- c:\docume~1\theeld~1\applic~1\GDIPFONTCACHEV1.DAT
2009-01-07 10:52 22,328 a------- c:\docume~1\theeld~1\applic~1\PnkBstrK.sys
2009-01-07 10:52 682,280 a------- c:\windows\system32\pbsvc.exe
2009-01-07 10:52 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-12-28 12:22 444,952 a------- c:\windows\system32\wrap_oal.dll
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-01 15:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 15:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 15:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 15:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 15:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 15:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 15:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 15:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 15:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 15:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 15:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 15:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 15:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 15:11 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-12-01 15:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-01 15:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-12-01 14:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 14:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 14:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 14:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 14:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 14:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 14:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-12-01 14:35 593,920 -------- c:\windows\system32\ati2sgag.exe

============= FINISH: 18:20:03.03 ===============

Blade81
2009-02-28, 12:04
Hi again,

Uninstall these old Java versions:
Java(TM) 6 Update 7



Open notepad and copy/paste the text in the quotebox below into it:



DDS::
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} -

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh dds log and above mentioned ComboFix resultant log.

Oldaad
2009-02-28, 13:04
Blade,

I've tried Kaspersky a number of times without succes. I get a popup that says "ERROR: Invalid file signature...". The running log keeps getting an invalid file signature in "bases/five/avc/base527c.avc" and looks for other download sites but gets the same message. My Norton was disabled for the scan. All java addons are enabled. I've retarted my computer and Kaspersky still will not get past the update phase. I'm including the logs from Combo and DDS anyway. Thanks.

ComboFix 09-02-27.02 - The Eldest 2009-02-28 5:22:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1551 [GMT -5:00]
Running from: c:\documents and settings\The Eldest\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\The Eldest\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-28 to 2009-02-28 )))))))))))))))))))))))))))))))
.

2009-02-24 10:03 . 2009-02-24 10:03 <DIR> d-------- c:\program files\Trend Micro
2009-02-24 09:58 . 2009-02-24 09:58 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-02-24 09:58 . 2009-02-24 09:58 <DIR> d-------- c:\documents and settings\The Eldest\Application Data\Sammsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-28 10:16 --------- d-----w c:\program files\Java
2009-02-24 14:37 --------- d-----w c:\documents and settings\The Eldest\Application Data\U3
2009-02-23 20:17 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-19 11:52 --------- d-----w c:\program files\World of Warcraft
2009-01-25 03:12 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-25 03:12 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-23 20:27 --------- d-----w c:\program files\Steam
2009-01-15 00:15 63,272 ----a-w c:\documents and settings\The Eldest\Application Data\GDIPFONTCACHEV1.DAT
2009-01-08 05:39 --------- d-----w c:\program files\Creative
2009-01-08 05:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-08 05:37 --------- d-----w c:\documents and settings\The Eldest\Application Data\Creative
2009-01-07 15:52 682,280 ----a-w c:\windows\system32\pbsvc.exe
2009-01-07 15:52 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-01-07 15:52 22,328 ----a-w c:\documents and settings\The Eldest\Application Data\PnkBstrK.sys
2009-01-07 15:36 --------- d-----w c:\program files\Activision
2009-01-07 04:51 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-01-07 04:47 --------- d-----w c:\program files\ATI Technologies
2009-01-03 01:11 --------- d-----w c:\program files\SEGA
2009-01-03 01:07 --------- d-----w c:\documents and settings\The Eldest\Application Data\InstallShield
2008-12-30 00:49 --------- d-----w c:\program files\RealArcade
2008-12-28 17:22 444,952 ----a-w c:\windows\system32\wrap_oal.dll
2008-12-28 17:20 --------- d-----w c:\program files\QuickTime
2008-12-28 17:20 --------- d-----w c:\program files\GameSpy Arcade
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-01 20:52 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-12-01 20:51 318,464 ----a-w c:\windows\system32\ati2dvag.dll
2008-12-01 20:46 11,304,960 ----a-w c:\windows\system32\atioglxx.dll
2008-12-01 20:41 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-12-01 20:40 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-12-01 20:40 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-12-01 20:40 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-12-01 20:40 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-12-01 20:38 598,016 ----a-w c:\windows\system32\ati2evxx.exe
2008-12-01 20:37 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-12-01 20:27 4,120,384 ----a-w c:\windows\system32\ati3duag.dll
2008-12-01 20:19 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-12-01 20:11 2,495,360 ----a-w c:\windows\system32\ativvaxx.dll
2008-12-01 19:57 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalrt.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalcl.dll
2008-12-01 19:53 401,408 ----a-w c:\windows\system32\atikvmag.dll
2008-12-01 19:52 86,016 ----a-w c:\windows\system32\atiadlxx.dll
2008-12-01 19:52 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-12-01 19:50 3,252,224 ----a-w c:\windows\system32\Amdcaldd.dll
2008-12-01 19:50 286,720 ----a-w c:\windows\system32\atiok3x2.dll
2008-12-01 19:45 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-12-01 19:35 593,920 ------w c:\windows\system32\ati2sgag.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-02-27_18.15.37.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-02 23:07:40 1,914,440 ----a-w c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2009-02-27 12:50:45 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-02-28 00:39:53 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-02-28 10:08:57 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_560.dat
+ 2009-02-28 10:09:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_568.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2008-08-22 2084480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-05-29 520192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-11 196608]
"GhostSurfDelSatellite"="c:\program files\GhostSurf 2005\DeleteSatellite.exe" [2005-01-04 61440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 c:\windows\system32\ptipbmf.dll]
"CTHelper"="CTHELPER.EXE" [2003-06-19 c:\windows\system32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-06-19 c:\windows\system32\CTASIO.DLL]

c:\documents and settings\The Eldest\Start Menu\Programs\Startup\
Scheduler.lnk - c:\program files\GhostSurf 2005\Scheduler daemon.exe [2004-03-09 86133]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-11-04 110592]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-10 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090225.002\IDSxpx86.sys [2009-02-27 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-10-21 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]
S2 PSMAntiSpy;PSMAntiSpy;c:\progra~1\PSMKorea\ANTIKE~1\PSMAntiS.exe --> c:\progra~1\PSMKorea\ANTIKE~1\PSMAntiS.exe [?]
S2 Remote1021;Remote Accoss;c:\windows\System32\svchost.exe -k netsvcs [2003-03-31 14336]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Remote1021

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6715639b-b4ac-11dd-a241-000c6e8bfb13}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6e7c6a-82b4-11dd-a1b3-000c6e8bfb13}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - The Eldest.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 05:23:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-28 5:24:38
ComboFix-quarantined-files.txt 2009-02-28 10:24:34
ComboFix2.txt 2009-02-27 23:16:19

Pre-Run: 110,518,554,624 bytes free
Post-Run: 110,759,579,648 bytes free

179 --- E O F --- 2009-02-25 14:01:47



DDS (Ver_09-02-01.01) - NTFSx86
Run by The Eldest at 5:54:37.96 on Sat 02/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1649 [GMT -5:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Documents and Settings\The Eldest\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: SpywareBlock Class: {0a87e45f-537a-40b4-b812-e2544c21a09f} - c:\program files\ghostsurf 2005\SCActiveBlock.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AROReminder] c:\program files\advanced registry optimizer\aro.exe -rem
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [GhostSurfDelSatellite] "c:\program files\ghostsurf 2005\DeleteSatellite.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\theeld~1\startm~1\programs\startup\schedu~1.lnk - c:\program files\ghostsurf 2005\Scheduler daemon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
Trusted Zone: aol.com\free
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218850860343
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.2.0.7\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2008-12-10 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2008-12-10 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090225.002\IDSxpx86.sys [2009-2-27 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2008-12-10 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-21 24652]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
S2 PSMAntiSpy;PSMAntiSpy;c:\progra~1\psmkorea\antike~1\psmantis.exe --> c:\progra~1\psmkorea\antike~1\PSMAntiS.exe [?]
S2 Remote1021;Remote Accoss;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090227.050\NAVENG.SYS [2009-2-28 89104]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090227.050\NAVEX15.SYS [2009-2-28 876144]

=============== Created Last 30 ================

2009-02-28 05:21 <DIR> --d----- C:\ComboFix
2009-02-27 18:13 <DIR> a-dshr-- C:\cmdcons
2009-02-27 18:11 161,792 a------- c:\windows\SWREG.exe
2009-02-27 18:11 98,816 a------- c:\windows\sed.exe
2009-02-24 10:03 <DIR> --d----- c:\program files\Trend Micro
2009-02-24 09:58 <DIR> --d----- c:\docume~1\theeld~1\applic~1\Sammsoft
2009-02-24 09:58 <DIR> --d----- c:\program files\Advanced Registry Optimizer

==================== Find3M ====================

2009-01-24 22:12 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-24 22:12 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-01-14 19:15 63,272 a------- c:\docume~1\theeld~1\applic~1\GDIPFONTCACHEV1.DAT
2009-01-07 10:52 22,328 a------- c:\docume~1\theeld~1\applic~1\PnkBstrK.sys
2009-01-07 10:52 682,280 a------- c:\windows\system32\pbsvc.exe
2009-01-07 10:52 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-12-28 12:22 444,952 a------- c:\windows\system32\wrap_oal.dll
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-01 15:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 15:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 15:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 15:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 15:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 15:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 15:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 15:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 15:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 15:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 15:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 15:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 15:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 15:11 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-12-01 15:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-01 15:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-12-01 14:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 14:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 14:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 14:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 14:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 14:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 14:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 14:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-12-01 14:35 593,920 -------- c:\windows\system32\ati2sgag.exe

============= FINISH: 5:54:55.17 ===============

Blade81
2009-02-28, 13:26
Hi again,

Let's see if you can make F-Secure scanner work :)

Please run the
F-Secure
Online Scanner (http://support.f-secure.com/enu/home/ols.shtml)

Note: This Scanner is for Internet Explorer
Only!
Follow the Instruction
Here (http://support.f-secure.com/enu/home/ols.shtml)
for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the Automatic cleaning
(recommended) button.
Click the Show Report button and Copy&Paste the entire report
in your next reply.

Oldaad
2009-02-28, 14:07
Blade,

Here is the FSecure report.

Scanning Report
Saturday, February 28, 2009 06:31:40 - 06:55:38
Computer name: ABS
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 23645
System: 3286
Not scanned: 11
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\THE ELDEST\MY DOCUMENTS\MY GAMES\REQUIEMCLIENT.ZIP
C:\DOCUMENTS AND SETTINGS\THE ELDEST\MY DOCUMENTS\DEMOS\AA282FULLINSTALLER.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537857F55FC}0
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.6.8511, 2009-02-27
F-Secure AVP: 7.0.171, 2009-02-27
F-Secure Pegasus: 1.20.0, 1969-11-31
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

Oldaad
2009-02-28, 17:48
Blade, I did get Kaspersky to run as well. It did not find anything.
Thanks.

Blade81
2009-02-28, 19:13
Hi Oldaad

How's the system running? Anymore problems?

Oldaad
2009-02-28, 19:42
Blade,

The fake warnings seem to have stopped. There are five computers in our family and this old gaming computer is the only one that gets hit! I keep warning my son to watch out where he clicks.

Thanks again for your help. You helped clear a bunch of malware from this computer in April of '08. I appreciate it.

Ted

Blade81
2009-02-28, 20:56
You're welcome Ted :)


Lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK


After that you may also delete DDS related logs and dds.scr file itself.

Blade81
2009-03-06, 23:11
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.