
Major infection - can't run Spybot or HJT - please help! (Resolved)



invisiblegardener
2009-04-07, 06:14
I've been unsuccessfully battling Virtumonde for a few months now, but something recently has kicked the infection into new territory. I've lost the use of one CD drive, and I cannot run Spybot, HJT, or any anti-virus software (I can install new programs but I get a "not a valid win32 application" message when I try to run them). When I try to boot in safe mode I get a blue screen error. This goes for all 3 types of safe mode. I am only able to keep the flood of pop-ups away by killing rundll32 and iexplore processes using Process Explorer. I hope someone can help me. Thanks so much!

katana
2009-04-10, 18:10
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly :)

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------


I've been unsuccessfully battling Virtumonde for a few months now,
You should have come here sooner; Vundo regularly calls in a whole host of other infections if it is active for any length of time.



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

invisiblegardener
2009-04-11, 01:41
Thanks for your help, Katana. I downloaded ComboFix to my desktop, but when I run it, I get an error message: "...\Desktop\ComboFix.exe is not a valid Win32 application".

katana
2009-04-11, 03:22
Please try this instead ...



Download and Run ComboFix
----------------------------------------------------------------------------------------

Download Combofix from the link below. Save it to your desktop.

> Link Removed <

--------------------------------------------------------------------

Double click on CleanMe.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

invisiblegardener
2009-04-11, 04:22
It seems ComboFix will work this way. However, I declined to run the scan because CF told me that Kaspersky Anti-Virus was running, and I could not see any indication that it was running, or find any way to stop it. There is no tray icon, and no running processes that seem related. I didn't know if it would be recommended to proceed with the CF scan.

katana
2009-04-11, 04:31
Ignore the Kaspersky warning for the moment, just run Combofix (CleanMe) and post the log

invisiblegardener
2009-04-11, 05:56
The second time I tried to run CleanMe, it told me I needed to rename the file. So I did, and the scan ran successfully. The log was too big to paste, so I have zipped and attached it. Thanks for all your help!!


ComboFix 09-04-04.01 - Matt 2009-04-10 21:09:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1190 [GMT -5:00]
Running from: c:\documents and settings\Matt\Desktop\CF.exe
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
.
ADS - svchost.exe: deleted 32768 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Matt\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Matt\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Matt\Application Data\drivers\downld
c:\documents and settings\Matt\Application Data\drivers\downld\1002312.exe
2332 drivers\downld\XXXXXXX.exe removed
c:\documents and settings\Matt\Application Data\drivers\downld\999453.exe
c:\documents and settings\Matt\Application Data\drivers\srosa2.sys
c:\documents and settings\Matt\Application Data\drivers\wfsintwq.sys
c:\documents and settings\Matt\Application Data\drivers\winupgro.exe
c:\documents and settings\Matt\Application Data\m
131 files removed from \m
c:\program files\steam\steam.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\abedewud.ini
c:\windows\system32\abosanap.ini
c:\windows\system32\aemhxv.dll
c:\windows\system32\agezosih.ini
c:\windows\system32\akowomer.ini
c:\windows\system32\aojtps.dll
c:\windows\system32\apupcj.dll
c:\windows\system32\aquxqb.dll
c:\windows\system32\arotevew.ini
c:\windows\system32\arubugaz.ini
c:\windows\system32\asirevuv.ini
c:\windows\system32\asxgfp.dll
c:\windows\system32\atepeyay.ini
c:\windows\system32\atodgi.dll
c:\windows\system32\bajiyise.dll
c:\windows\system32\bakedosu.dll
c:\windows\system32\bewihafe.dll
c:\windows\system32\bezuyiza.dll
c:\windows\system32\bihonede.dll
c:\windows\system32\bisepufi.dll
c:\windows\system32\bmcomn.dll
c:\windows\system32\cqsori.dll
c:\windows\system32\cucqoh.dll
c:\windows\system32\dafamupu.dll
c:\windows\system32\dafirulo.dll
c:\windows\system32\devopaha.dll
c:\windows\system32\deyaluhu.dll
c:\windows\system32\dipitiwo.dll
c:\windows\system32\dobojobe.dll
c:\windows\system32\doguzeri.dll
c:\windows\system32\dorulelo.dll
c:\windows\system32\drivers\down
c:\windows\system32\drivers\down\1013515.exe
c:\windows\system32\drivers\down\1481375.exe
c:\windows\system32\drivers\down\1551718.exe
c:\windows\system32\dsbjuw.dll
c:\windows\system32\dtizlb.dll
c:\windows\system32\duvafiyi.dll
c:\windows\system32\duwedeba.dll
c:\windows\system32\duyagawe.dll
c:\windows\system32\elukapid.ini
c:\windows\system32\emujatev.ini
c:\windows\system32\enniph.dll
c:\windows\system32\evahafem.ini
c:\windows\system32\expicv.dll
c:\windows\system32\faebbbdacdecbfecb.dll
c:\windows\system32\fapiruda.dll
c:\windows\system32\feluniko.dll
c:\windows\system32\fetutupi.dll
c:\windows\system32\fhmxpm.dll
c:\windows\system32\fqbdqo.dll
c:\windows\system32\fujegifu.dll
c:\windows\system32\fumugatu.dll
c:\windows\system32\futewege.dll
c:\windows\system32\ganjpn.dll
c:\windows\system32\garowori.dll
c:\windows\system32\gatinuro.dll
c:\windows\system32\gebuhobo.dll
c:\windows\system32\gezimihe.dll
c:\windows\system32\gibuyata.dll.tmp
c:\windows\system32\gluykq.dll
c:\windows\system32\gomukamu.dll
c:\windows\system32\gonaludu.dll
c:\windows\system32\gopikobi.dll
c:\windows\system32\gudasene.dll
c:\windows\system32\gurelido.dll
c:\windows\system32\hdbxye.dll
c:\windows\system32\hekazezi.dll
c:\windows\system32\hevotuza.dll
c:\windows\system32\hhxhcp.dll
c:\windows\system32\hikagazu.dll
c:\windows\system32\hisozega.dll
c:\windows\system32\hofugubi.dll
c:\windows\system32\hokxky.dll
c:\windows\system32\hsf73ikmdf3f.dll
c:\windows\system32\huverego.dll
c:\windows\system32\irebizuz.ini
c:\windows\system32\iziboyow.ini
c:\windows\system32\jaduzumi.dll
c:\windows\system32\jelukahu.dll
c:\windows\system32\jihofoju.dll
c:\windows\system32\jofoliyo.dll
c:\windows\system32\jovivumo.dll
c:\windows\system32\jtryxb.dll
c:\windows\system32\jugusaja.dll
c:\windows\system32\juposeno.dll
c:\windows\system32\jupujunu.dll
c:\windows\system32\kanolalo.dll
c:\windows\system32\kegezadu.dll
c:\windows\system32\kenahapu.dll
c:\windows\system32\kibivegi.dll
c:\windows\system32\kiduruka.dll
c:\windows\system32\kihuseku.dll
c:\windows\system32\kirasahi.dll
c:\windows\system32\kivigoru.dll
c:\windows\system32\kogujiru.dll.tmp
c:\windows\system32\kohuhoro.dll
c:\windows\system32\kokemabo.dll
c:\windows\system32\kolojebe.dll
c:\windows\system32\kosuyapu.dll
c:\windows\system32\kotafeka.dll
c:\windows\system32\kshygn.dll
c:\windows\system32\kubuyula.dll
c:\windows\system32\kumeliyu.dll
c:\windows\system32\kumiberu.dll
c:\windows\system32\kunobesi.dll
c:\windows\system32\kuwibipa.dll
c:\windows\system32\kuzeyogi.dll
c:\windows\system32\lelizomo.dll
c:\windows\system32\livoguyi.dll
c:\windows\system32\ljkngn.dll
c:\windows\system32\lujetifi.dll
c:\windows\system32\lujivoni.dll
c:\windows\system32\lutovute.dll
c:\windows\system32\lxvcxq.dll
c:\windows\system32\lzkest.dll
c:\windows\system32\marokeru.dll
c:\windows\system32\mavywp.dll
c:\windows\system32\mazileve.dll
c:\windows\system32\mdelk.exe
c:\windows\system32\melidawa.dll
c:\windows\system32\mijejabe.dll
c:\windows\system32\miliyepa.dll
c:\windows\system32\mlcbki.dll
c:\windows\system32\mmyczl.dll
c:\windows\system32\mukmil.dll
c:\windows\system32\nadojizu.dll
c:\windows\system32\nadusifa.dll
c:\windows\system32\nanenipu.dll
c:\windows\system32\nazesuna.dll
c:\windows\system32\nekols.dll
c:\windows\system32\nenunizo.dll.tmp
c:\windows\system32\nijufuvu.dll
c:\windows\system32\nikarili.dll
c:\windows\system32\nubamiko.dll
c:\windows\system32\nukiyofi.dll
c:\windows\system32\nusayuta.dll
c:\windows\system32\oizuuh.dll
c:\windows\system32\olukonir.ini
c:\windows\system32\oluwijew.ini
c:\windows\system32\opinomab.ini
c:\windows\system32\oraravuz.ini
c:\windows\system32\ostrav.dll
c:\windows\system32\otimahef.ini
c:\windows\system32\pafigewi.dll
c:\windows\system32\penipure.dll
c:\windows\system32\peyumama.dll
c:\windows\system32\pimehori.dll
c:\windows\system32\pinapuwe.dll
c:\windows\system32\piseraho.dll.tmp
c:\windows\system32\piwihivo.dll
c:\windows\system32\piyadayi.dll
c:\windows\system32\povufuyu.dll
c:\windows\system32\ptrtcs.dll
c:\windows\system32\pufupode.dll
c:\windows\system32\puhudw.dll
c:\windows\system32\qhvfht.dll
c:\windows\system32\reader_s.exe
c:\windows\system32\reezod.dll
c:\windows\system32\remowoka.dll
c:\windows\system32\rilihoki.dll
c:\windows\system32\rivenape.dll
c:\windows\system32\rosnry.dll
c:\windows\system32\rosotuse.dll
c:\windows\system32\rruxdk.dll
c:\windows\system32\ruludoji.dll
c:\windows\system32\rulufutu.dll
c:\windows\system32\runivito.dll
c:\windows\system32\ruvaluno.dll
c:\windows\system32\ruyugapi.dll
c:\windows\system32\sejezeni.dll
c:\windows\system32\sejuvoma.dll
c:\windows\system32\siqtgw.dll
c:\windows\system32\sirifiwi.dll
c:\windows\system32\sopbdv.dll
c:\windows\system32\soruhuma.dll.tmp
c:\windows\system32\sosafimi.dll
c:\windows\system32\srnqzb.dll
c:\windows\system32\stfiyp.dll
c:\windows\system32\stjjea.dll
c:\windows\system32\sujibiwi.dll
c:\windows\system32\suwunahe.dll
c:\windows\system32\svgtjz.dll
c:\windows\system32\tadofuvo.dll
c:\windows\system32\tatetimo.dll
c:\windows\system32\tayanage.dll
c:\windows\system32\tazeyubo.dll
c:\windows\system32\tefifohi.dll
c:\windows\system32\tijebevi.dll
c:\windows\system32\towozoha.dll.tmp
c:\windows\system32\ubjkqi.dll
c:\windows\system32\udufuned.ini
c:\windows\system32\udukesup.ini
c:\windows\system32\ukesuhik.ini
c:\windows\system32\usajuhig.ini
c:\windows\system32\usodekab.ini
c:\windows\system32\uwigaruz.ini
c:\windows\system32\vamibedi.dll
c:\windows\system32\varayihe.dll
c:\windows\system32\vatimete.dll
c:\windows\system32\vboppf.dll
c:\windows\system32\vedilune.dll
c:\windows\system32\vejopine.dll
c:\windows\system32\vetaweyo.dll
c:\windows\system32\viriteda.dll
c:\windows\system32\visujowo.dll
c:\windows\system32\volorume.dll
c:\windows\system32\volosejo.dll
c:\windows\system32\vonibusa.dll.vir
c:\windows\system32\vonowiya.dll.tmp
c:\windows\system32\vovuhinu.dll
c:\windows\system32\vpvkyx.dll
c:\windows\system32\vulakiye.dll
c:\windows\system32\vuverisa.dll
c:\windows\system32\wedijuzo.dll
c:\windows\system32\weluyiki.dll
c:\windows\system32\wevetora.dll
c:\windows\system32\whzwho.dll
c:\windows\system32\wintems.exe
c:\windows\system32\witukezo.dll
c:\windows\system32\wiwifezi.dll.vir
c:\windows\system32\wiwuzoza.dll
c:\windows\system32\wopowupa.dll
c:\windows\system32\woyadolu.dll
c:\windows\system32\woyobizi.dll
c:\windows\system32\wuleluzu.dll
c:\windows\system32\wuwasomo.dll
c:\windows\system32\wztkco.dll
c:\windows\system32\xocand.dll
c:\windows\system32\xsnlns.dll
c:\windows\system32\xyfref.dll
c:\windows\system32\yavawoji.dll
c:\windows\system32\yirumuno.dll
c:\windows\system32\yivoboki.dll
c:\windows\system32\yofolufe.dll
c:\windows\system32\yoharaje.dll
c:\windows\system32\yubiyufo.dll
c:\windows\system32\zakupuju.dll
c:\windows\system32\zarebeba.dll
c:\windows\system32\zatoyale.dll
c:\windows\system32\zelokore.dll
c:\windows\system32\zepuwuvi.dll
c:\windows\system32\zetoyago.dll
c:\windows\system32\ziyewila.dll
c:\windows\system32\zodavula.dll
c:\windows\system32\zomisula.dll
c:\windows\system32\zuragiwu.dll
c:\windows\system32\zuvararo.dll
c:\windows\system32\zuziberi.dll
c:\windows\system32\zwwlro.dll
c:\windows\Temp\tmp3.tmp

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SROSA
-------\Legacy_SROSA
-------\Legacy_ICF
-------\Legacy_SK9OU0S
-------\Service_ICF
-------\Service_sK9Ou0s


((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-10 20:44 . 2009-04-10 20:45 <DIR> d-------- C:\xiFobmoC
2009-04-10 20:23 . 2009-04-10 20:26 <DIR> d-------- C:\CleanMe
2009-04-08 17:07 . 2009-04-08 16:10 578,560 --a------ c:\windows\system32\glzeyhf
2009-04-08 16:57 . 2009-04-10 19:51 1,420 --a------ c:\windows\Ojiwafabipe.dat
2009-04-08 16:57 . 2009-04-10 16:40 16 --a------ c:\windows\Nqufuruya.bin
2009-04-08 16:11 . 2009-04-10 15:55 144,384 --a------ C:\lrkl.exe
2009-04-08 16:11 . 2009-04-08 16:11 30,208 --a------ C:\onspqrnk.exe
2009-04-08 16:11 . 2009-04-10 15:56 22,016 --a------ C:\fkajlvl.exe
2009-04-08 16:11 . 2009-04-08 16:11 705 --a------ C:\ovmhmkie.exe
2009-04-08 16:11 . 2009-04-08 16:11 0 --a------ c:\windows\mqcd.dbt
2009-04-08 16:10 . 2009-04-08 16:10 249,856 --a------ c:\windows\system32\nvtpm32.dll
2009-04-08 16:10 . 2009-04-08 17:07 125,440 --a------ C:\wlct.exe
2009-04-08 16:10 . 2009-04-08 17:07 125,440 --a------ c:\windows\system32\azton.mt
2009-04-08 16:10 . 2009-04-08 16:10 77,312 --a------ c:\windows\system32\er3r.pxf
2009-04-08 16:10 . 2009-04-10 15:54 43,520 --a------ C:\jurj.exe
2009-04-08 16:10 . 2009-04-08 16:10 32,768 --a------ c:\windows\system32\kei1w.an
2009-04-08 16:10 . 2009-04-08 16:10 32,768 --a------ c:\windows\system32\fe3.wa
2009-04-08 16:10 . 2009-04-08 16:10 28,672 --a------ c:\windows\system32\kdoqmn.sr
2009-04-08 16:10 . 2009-04-08 16:10 28,672 --a------ c:\windows\system32\doqkm.zt
2009-04-08 16:10 . 2009-04-10 15:54 7,680 --a------ C:\kgqxi.exe
2009-04-08 16:10 . 2009-04-10 15:55 2 --a------ C:\10334752
2009-04-08 16:09 . 2009-04-10 15:53 9,216 --a------ c:\windows\instsp2.exe
2009-04-06 21:46 . 2009-04-06 21:46 <DIR> d-------- c:\program files\ERUNT
2009-04-06 20:59 . 2009-04-06 20:59 <DIR> d-------- c:\windows\system32\NtmsData
2009-03-27 22:26 . 2009-03-29 13:41 <DIR> d-------- c:\documents and settings\Matt\Application Data\HouseCall 6.6
2009-03-27 17:53 . 2009-03-09 14:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-27 17:44 . 2009-03-27 17:44 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-27 17:43 . 2009-03-27 17:43 <DIR> d-------- c:\program files\Lavasoft
2009-03-25 00:31 . 2009-04-10 21:18 <DIR> d--h----- c:\documents and settings\Matt\Application Data\drivers

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 02:20 --------- d-----w c:\program files\Steam
2009-04-08 21:10 159,232 ----a-w c:\windows\ofevehamirolu.dll
2009-03-27 21:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-26 05:26 688,416 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-26 05:26 66,656 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-26 05:26 315,320 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-26 05:26 23,229,728 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-26 02:18 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-02-23 21:58 --------- d-----w c:\program files\Google
2009-04-10 21:48 66,576 ----a-w c:\program files\mozilla firefox\components\bdfcfabdecfdbba.dll
2009-01-10 06:02 2,713 --sh--w c:\windows\system32\kujonage.dll
2008-12-09 17:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120920081210\index.dat
.
file copied: c:\windows\system32\user32.dll -> c:\qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir ( 578560 bytes )
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"PeerGuardian"="g:\program files\PeerGuardian2\pg2.exe" [2009-04-10 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-31 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"Whopucizepu"="c:\windows\ofevehamirolu.dll" [2009-04-08 159232]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-12-17 748840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-01-13 169472]
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-12-29 1175552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"msacm.dvacm"= dvacm.acm
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli dtigopx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"g:\\Program Files\\Gmail Notifier\\gnotify.exe"=
"c:\\Program Files\\MSN Messenger\\usnsvc.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Motive\\McciCMService.exe"=
"c:\\WINDOWS\\system32\\MsPMSPSv.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28570:TCP"= 28570:TCP:eMule TCP
"9469:UDP"= 9469:UDP:eMule UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-27 64160]
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\Si3112r.sys [2007-06-04 84529]
R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2000-06-05 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2001-09-03 19534]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2003-12-19 12160]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-20 33752]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys --> c:\windows\system32\DRIVERS\klim5.sys [?]
S3 lac97inf;lac97inf;\??\c:\docume~1\Matt\LOCALS~1\Temp\lac97inf.sys --> c:\docume~1\Matt\LOCALS~1\Temp\lac97inf.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B2BA40A2-74F3-42BD-F434-2604812C8954} - c:\windows\system32\hsf73ikmdf3f.dll
BHO-{cafd22b3-e5fd-416e-bd0d-21033455b078} - c:\windows\system32\lujetifi.dll
HKCU-Run-Steam - c:\program files\steam\steam.exe
HKCU-Run-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
HKLM-Run-009db28f - c:\windows\system32\gihujasu.dll
SharedTaskScheduler-{B2BA40A2-74F3-42BD-F434-2604812C8954} - c:\windows\system32\hsf73ikmdf3f.dll
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kiduruka.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.xanga.com/private/yourhome.aspx?user=pimpin_potter
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/197327f80eb305cb8306/netzip/RdxIE601.cab
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\jwjue9jy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/showthread.php?p=303311#post303311
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Mozilla Firefox\components\bdfcfabdecfdbba.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: g:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: g:\program files\DivX\DivX Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 21:27:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys 39936 bytes executable
c:\windows\system32\_111965fe3459b78cacf1ed4d883df843.sys_.vir 39936 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\111965fe3459b78cacf1ed4d883df843]
"ImagePath"="system32\111965fe3459b78cacf1ed4d883df843.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,fc,bd,91,37,73,
a7,8f,c2,c8,28,51,af,b0,29,a3,98,c1,ac,66,f0,3c,67,fd,50,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,95,5c,67,fb,b7,
d4,0f,0f,71,3b,04,66,8b,46,0d,96,e8,37,b4,be,66,e5,9e,5f,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,4d,7e,96,96,41,
aa,67,68,25,da,ec,7e,55,20,c9,26,11,4b,19,74,c9,0b,96,42,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,51,f7,8d,05,75,
2f,8e,77,3e,1e,9e,e0,57,5a,93,61,da,57,62,6b,47,68,bc,83,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ff,5d,d3,01,e9,
ba,9e,b5,cd,44,cd,b9,a6,33,6c,cd,74,6d,84,01,9f,c7,14,59,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,53,d8,68,3c,71,
fc,16,58,b0,18,ed,a7,3f,8d,37,a4,7e,54,05,37,f2,f6,5d,08,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,ed,c5,32,cc,5c,
ff,ae,eb,31,77,e1,ba,b1,f8,68,02,25,7e,03,43,88,2f,df,33,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,31,a0,3c,57,33,
37,c7,c7,83,6c,56,8b,a0,85,96,ab,4a,bc,6a,36,97,5b,95,1c,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,68,31,e6,f9,c6,
67,0f,12,51,fa,6e,91,28,9e,14,cc,35,3a,3d,06,d3,ea,12,a2,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,ab,b9,b3,fb,46,
eb,96,55,b1,cd,45,5a,a8,c4,f8,b9,df,38,07,23,16,4e,3d,aa,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,e0,87,01,cb,7b,
ce,6c,92,e3,0e,66,d5,eb,bc,2f,6b,a9,5e,31,69,51,b2,b8,c7,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,de,75,72,90,38,
20,86,97,fa,ea,66,7f,d4,3b,6b,70,e8,53,bf,49,80,1a,8a,ef,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(860)
c:\windows\dtigopx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-04-10 21:46:07 - machine was rebooted [Matt]
ComboFix-quarantined-files.txt 2009-04-11 02:46:04

Pre-Run: 1,148,157,952 bytes free
Post-Run: 2,083,098,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

3002 --- E O F --- 2008-12-18 04:55:08

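The log above carries two kinds of indicator worth recognising on sight: registry tampering (a Run value that points at a DLL in c:\windows, a third-party DLL in the LSA "Notification Packages" list so it is loaded into lsass.exe, Security Center notification and monitoring switched off, the firewall profile disabled) and the crop of pseudo-random file names in system32. The script below is an added example, not part of the original thread or of ComboFix; it runs offline over a constructed excerpt of the posted log and a few paths from its deletions list. The consonant/vowel alternation test is a heuristic of my own for the name shape seen here (kiduruka, abedewud, ofevehamirolu), and the allow-list entry "cli" assumes that is how the log abbreviates the default scecli package.

```python
import re

# Constructed sample input: an excerpt of the "Reg Loading Points" section
# from the ComboFix log posted above, plus a handful of paths from the same
# log. This is text for the triage functions, not a live registry read.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"Whopucizepu"="c:\windows\ofevehamirolu.dll" [2009-04-08 159232]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli dtigopx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SAMPLE_DELETIONS = [
    r"c:\windows\system32\aemhxv.dll",
    r"c:\windows\system32\abedewud.ini",
    r"c:\windows\system32\bajiyise.dll",
    r"c:\windows\system32\kiduruka.dll",
    r"c:\windows\system32\reader_s.exe",
    r"c:\program files\steam\steam.exe",
    r"c:\windows\ofevehamirolu.dll",
]

VOWELS = set("aeiou")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# scecli is the Windows XP default; "cli" is how the posted log prints it
# (assumed to be ComboFix's abbreviation of the same entry).
LSA_DEFAULT_PACKAGES = {"scecli", "cli"}


def looks_like_vundo_name(path):
    """Heuristic: a base name of 8-16 letters that strictly alternates
    consonant and vowel. Legitimate Windows binaries almost never have this
    shape; the generated names in the log above nearly all do. A hit means
    'look closer', not 'malicious'."""
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1].split(".", 1)[0].lower()
    if not (8 <= len(stem) <= 16) or not stem.isalpha():
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def parse_sections(log_text):
    """Group value lines under their [key] header, keys lower-cased."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage_registry(log_text):
    """Return one finding per tampering indicator present in the dump."""
    findings = []
    for key, lines in parse_sections(log_text).items():
        for line in lines:
            m = VALUE_RE.match(line)
            name = m.group("name") if m else ""
            data = m.group("data") if m else line
            if key.endswith(r"\currentversion\run") and ".dll" in data.lower():
                findings.append(f"Run value '{name}' points at a DLL, not an EXE: {data}")
            elif key.endswith(r"\control\lsa") and line.lower().startswith("notification packages"):
                for pkg in line.split()[3:]:  # skip 'Notification Packages REG_MULTI_SZ'
                    if pkg.lower() not in LSA_DEFAULT_PACKAGES:
                        findings.append(f"Non-default LSA notification package loaded into lsass.exe: {pkg}")
            elif "security center" in key and name.lower().endswith(("disablenotify", "disablemonitoring")) \
                    and re.search(r"dword:0*1$", data):
                findings.append(f"Security Center alerting suppressed: {name}=1 under [{key}]")
            elif key.endswith(r"\firewallpolicy\standardprofile") and name.lower() == "enablefirewall" \
                    and data.lstrip().startswith("0"):
                findings.append("Windows Firewall standard profile disabled (EnableFirewall=0)")
    return findings


def triage(log_text, deleted_paths):
    return {
        "registry": triage_registry(log_text),
        "vundo_style_names": [p for p in deleted_paths if looks_like_vundo_name(p)],
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG, SAMPLE_DELETIONS).items():
        print(section)
        for item in items:
            print("  -", item)
```

On the sample it reports the Run entry, dtigopx.dll in the LSA list, the three Security Center values, the disabled firewall, and four of the seven paths as alternating names (aemhxv, reader_s and steam are not flagged). The name test deliberately ignores digits and underscores, so files such as user32.dll or reader_s.exe never match.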
katana
2009-04-11, 13:13
Well, that certainly cleared a lot :)

Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If requested, please reboot.
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


----------------------------------------------------------------------------------------
Step 2

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


http://forums.spybot.info/showthread.php?p=304254#post304254
Comment:: Katana
Suspect::[4]
c:\windows\system32\glzeyhf
c:\windows\Ojiwafabipe.dat
c:\windows\Nqufuruya.bin
C:\lrkl.exe
C:\onspqrnk.exe
C:\fkajlvl.exe
C:\ovmhmkie.exe
c:\windows\mqcd.dbt
c:\windows\system32\nvtpm32.dll
C:\wlct.exe
c:\windows\system32\azton.mt
c:\windows\system32\er3r.pxf
C:\jurj.exe
c:\windows\system32\kei1w.an
c:\windows\system32\fe3.wa
c:\windows\system32\kdoqmn.sr
c:\windows\system32\doqkm.zt
C:\kgqxi.exe
C:\10334752
c:\windows\instsp2.exe
c:\windows\ofevehamirolu.dll
c:\Program Files\mozilla firefox\components\bdfcfabdecfdbba.dll
c:\windows\system32\kujonage.dll
c:\windows\dtigopx.dll
c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys
File::
c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys
c:\windows\system32\_111965fe3459b78cacf1ed4d883df843.sys_.vir
c:\windows\dtigopx.dll
c:\windows\system32\glzeyhf
c:\windows\Ojiwafabipe.dat
c:\windows\Nqufuruya.bin
C:\lrkl.exe
C:\onspqrnk.exe
C:\fkajlvl.exe
C:\ovmhmkie.exe
c:\windows\mqcd.dbt
c:\windows\system32\nvtpm32.dll
C:\wlct.exe
c:\windows\system32\azton.mt
c:\windows\system32\er3r.pxf
C:\jurj.exe
c:\windows\system32\kei1w.an
c:\windows\system32\fe3.wa
c:\windows\system32\kdoqmn.sr
c:\windows\system32\doqkm.zt
C:\kgqxi.exe
C:\10334752
c:\windows\instsp2.exe
c:\windows\ofevehamirolu.dll
c:\Program Files\mozilla firefox\components\bdfcfabdecfdbba.dll
c:\windows\system32\kujonage.dll
Folder::
Driver::
Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\111965fe3459b78cacf1ed4d883df843]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Whopucizepu"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28570:TCP"=-
"9469:UDP"=-
ADS::
Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. (CleanMe)
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.
Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

-----------------------------------------------------------
Step 3

Installed Programs

Please could you give me a list of the programs that are installed.
Start HijackThis
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list of the programs installed on your computer.
Click on the Save List button and specify where you would like to save this file.
When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

-----------------------------------------------------------
Step 4

Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

-----------------------------------------------------------
Step 5

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

MalwareBytes Log
Combofix Log
Installed Programs List
Kaspersky Log
How are things running now?
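The CFScripts in this thread tell ComboFix which files to delete (File::), which to package for submission (Suspect::) and which registry keys or values to remove (Registry::), including the firewall GloballyOpenPorts entries the infection had added. As an added example, not code from the thread or from ComboFix itself, here is a small Python script that reads a CFScript and summarises what it asks for before anyone drags it onto ComboFix. The sample script inside it is constructed with made-up file names in the shape of the scripts posted here; the section names and the `"name"=-` delete-value syntax are taken from those scripts, and anything further about how ComboFix interprets a script is an assumption.

```python
import re
from collections import OrderedDict

# 'Name::' section header, optionally followed by an argument such as '[4]'
# on a Suspect:: line or the helper's name on a Comment:: line.
SECTION_RE = re.compile(r'^([A-Za-z]+)::\s*(.*)$')
# "ValueName"=data inside a Registry:: block; data of '-' means delete the value.
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')

# Constructed sample in the shape of the scripts posted in this thread;
# the file names are made up, the section layout mirrors the thread's scripts.
SAMPLE_CFSCRIPT = r"""
http://forums.example.invalid/showthread.php?p=0#post0
Comment:: helper
Suspect::[2]
c:\windows\system32\sample1.dll
c:\sample2.exe
File::
c:\windows\system32\sample1.dll
c:\sample2.exe
c:\windows\system32\sample3.sys
Folder::
Driver::
Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sample3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SampleRunEntry"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"28570:TCP"=-
"9469:UDP"=-
ADS::
"""


def parse_cfscript(text):
    """Split a CFScript into (sections, header_args).

    sections maps each section name to its entry lines in order;
    header_args keeps the text after 'Name::' (e.g. '[2]' for Suspect::).
    Lines before the first section header, such as the thread URL, are skipped.
    """
    sections, header_args = OrderedDict(), {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            if m.group(2):
                header_args[current] = m.group(2)
            continue
        if current is not None:
            sections[current].append(line)
    return sections, header_args


def registry_actions(lines):
    """Translate a Registry:: block into (action, target[, data]) tuples.

    '[-KEY]' deletes the whole key, '[KEY]' selects a key for the value
    lines that follow, and '"name"=-' deletes that value under the selected key.
    """
    actions, key = [], None
    for line in lines:
        if line.startswith('[-') and line.endswith(']'):
            actions.append(('delete_key', line[2:-1]))
            key = None
        elif line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key:
            m = VALUE_RE.match(line)
            if m:
                name, data = m.groups()
                if data == '-':
                    actions.append(('delete_value', key + '\\' + name))
                else:
                    actions.append(('set_value', key + '\\' + name, data))
    return actions


def summarize(text):
    """Report what the script asks ComboFix to do, plus one consistency check."""
    sections, _args = parse_cfscript(text)
    reg = registry_actions(sections.get('Registry', []))
    ports = [target.rsplit('\\', 1)[1] for action, target, *_ in reg
             if action == 'delete_value'
             and 'globallyopenports\\list' in target.lower()]
    suspects = set(sections.get('Suspect', []))
    files = set(sections.get('File', []))
    return {
        'files_deleted': len(sections.get('File', [])),
        'suspect_submitted': len(sections.get('Suspect', [])),
        'rootkit_entries': len(sections.get('Rootkit', [])),
        'keys_deleted': sum(1 for a in reg if a[0] == 'delete_key'),
        'values_deleted': sum(1 for a in reg if a[0] == 'delete_value'),
        'firewall_ports_closed': ports,
        # Suspect:: entries not also listed under File:: would be packaged for
        # analysis but left in place; worth checking before the script is run.
        'suspect_not_deleted': sorted(suspects - files),
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_CFSCRIPT).items():
        print(f'{key}: {value}')
```

The summariser only reads the script; it changes nothing on the machine. Its one check, `suspect_not_deleted`, catches the case where a path was added to Suspect:: for submission but forgotten in File::, which in the scripts above would leave the file on disk after the run.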

invisiblegardener
2009-04-12, 03:14
Okay, here we go. Once again the logs were too long to paste, so all four are in the attached zip file.

Things are running a lot better now. I haven't had a pop-up or redirection and I can run programs that had been blocked. I still get an I/O device error every time I try to use one of my CD/DVD drives. I suppose this could be unrelated but the timing seemed very suspicious. What anti-malware program is the best to keep running continuously from now on? Thanks again!

katana
2009-04-12, 13:12
Please open LINK >>> THIS PAGE (http://www.bleepingcomputer.com/submit-malware.php?channel=4) <<<LINK in a new window.

In the box marked Link to topic where this file was requested: please put this text

http://forums.spybot.info/showthread.php?p=304469#post304469

In the box marked Browse to the file you want to submit: please put this text

C:\Qoobox\Quarantine\[4]-Submit_2009-04-11@12.49.zip

In the Largest box please put

File Requested By Katana
Failed CF Submit
Finally click SendFile



Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



File::
C:\WINDOWS\system32\gesudofi.exe
C:\WINDOWS\system32\vufurajo.exe
c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys
c:\windows\system32\Suspect_111965fe3459b78cacf1ed4d883df843.sys.vir
c:\windows\system32\_111965fe3459b78cacf1ed4d883df843.sys_.vir
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\111965fe3459b78cacf1ed4d883df843]

ADS::
Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper






-----------------------------------------------------------



Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
Click Download
On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts


Older versions of Java have vulnerabilities that malware can use to infect your system.


Now download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location. (You don't need to post it)


You can delete JavaRa (zip and exe)


Remove Programs

Older versions of some programs have vulnerabilities that malware can use to infect your system.

Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista). If any of the following programs are listed there, click on the program to highlight it, and click on Remove.

Adobe Reader 7.1.0

J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7

Now close the Control Panel.




-----------------------------------------------------------


Download and Run RSIT

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.





Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Combofix Log
RSIT logs
How are things running now?

invisiblegardener
2009-04-12, 22:23
Three logs attached. Things are still running great. Still nothing from the CD/DVD drive. Thanks for all your help.

katana
2009-04-12, 22:57
Let's try that again

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



Rootkit::
c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys
c:\windows\system32\Suspect_111965fe3459b78cacf1ed4d883df843.sys.vir
c:\windows\system32\_111965fe3459b78cacf1ed4d883df843.sys_.vir
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\111965fe3459b78cacf1ed4d883df843]
ADS::
Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
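ComboFix logs like the ones posted in this thread list each file as a modified timestamp, a created timestamp, a size, an attribute string (for instance `--sha-w`) and the path. As an added example, not part of the thread or of ComboFix, the Python below parses those lines and flags two patterns that a helper reviewing the log would look at first: an executable under the Windows directory carrying both the system and hidden attributes, and a creation timestamp whose date is earlier than the modification date but whose time-of-day is identical, which is what the `--sha-w` entries in the log posted below look like. The sample lines are copied from that log; the meaning of the attribute letters and the timestamp heuristic are my assumptions, not ComboFix documentation.

```python
import re
from datetime import datetime

# One ComboFix file entry: [+|- ] modified . created size [attrs] path
# Snapshot-comparison lines carry a leading '+' or '-' and omit the attribute field.
LINE_RE = re.compile(
    r'^(?:(?P<snap>[+-])\s+)?'
    r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
    r'(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+'
    r'(?P<size>\d+|-+)\s+'
    r'(?:(?P<attrs>[a-z-]{7})\s+)?'
    r'(?P<path>\S.*)$'
)
TS = '%Y-%m-%d %H:%M'
EXEC_EXT = ('.exe', '.dll', '.sys')

# Lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2009-04-11 15:47 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-11 15:47 . 2009-04-11 15:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-10 20:53 . 2009-01-10 20:53 63488 --sha-w c:\windows\system32\reguligu.exe
2009-02-23 22:48 . 2009-02-23 22:48 2713 --sh--w c:\windows\system32\hulubera.dll
2009-03-26 05:26 . 2008-12-09 04:09 688416 --sha-w c:\windows\system32\drivers\fidbox2.dat
+ 2009-04-13 20:48 . 2009-04-13 20:48 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
"""


def parse_entry(line):
    """Parse one log line into a dict, or return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['modified'] = datetime.strptime(d['modified'], TS)
    d['created'] = datetime.strptime(d['created'], TS)
    # A run of dashes in the size column marks a directory.
    d['size'] = int(d['size']) if d['size'].isdigit() else None
    d['attrs'] = d['attrs'] or ''
    return d


def flag_entry(e):
    """Return the reasons an entry deserves a closer look (empty if none).

    Heuristics (assumptions drawn from the log in this thread, not ComboFix rules):
    - 's' and 'h' in the attribute string are read as system+hidden; an
      executable marked that way in the Windows tree is invisible in Explorer
      by default, which is why such entries are worth checking.
    - a creation date earlier than the modification date with exactly the same
      time-of-day suggests the creation timestamp was backdated.
    """
    reasons = []
    path = e['path'].lower()
    if (path.endswith(EXEC_EXT) and '\\windows\\' in path
            and 's' in e['attrs'] and 'h' in e['attrs']):
        reasons.append('hidden-system-executable')
    c, m = e['created'], e['modified']
    if c < m and c.time() == m.time() and c.date() != m.date():
        reasons.append('backdated-creation-time')
    return reasons


def flag_log(text):
    """Map each flagged path to its reasons; unflagged entries are omitted."""
    flagged = {}
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = flag_entry(e)
        if reasons:
            flagged[e['path']] = reasons
    return flagged


if __name__ == '__main__':
    for path, reasons in flag_log(SAMPLE_LOG).items():
        print(path, '->', ', '.join(reasons))
```

Run against the sample, the Kaspersky data file `fidbox2.dat` is left alone even though it is system+hidden, because the first rule only fires on executable extensions; the two `.exe`/`.dll` entries with random-looking names are the ones reported. The heuristics are a triage aid for reading a log, not proof of infection on their own.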

invisiblegardener
2009-04-12, 23:52
ComboFix 09-04-13.04 - Matt 2009-04-12 15:38.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1128 [GMT -5:00]
Running from: c:\documents and settings\Matt\Desktop\Combo.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_111965fe3459b78cacf1ed4d883df843.sys_.vir
c:\windows\system32\111965fe3459b78cacf1ed4d883df843.sys
c:\windows\system32\Suspect_111965fe3459b78cacf1ed4d883df843.sys.vir

.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-13 20:44 . 2009-04-13 20:44 11564 ----a-w c:\windows\system32\DVCState-{00000001-00000000-00000007-00001102-00000004-10021102}.rfx
2009-04-13 19:10 . 2009-04-13 19:24 -------- d-----w C:\rsit
2009-04-12 18:17 . 2009-04-12 18:17 -------- d-----w c:\documents and settings\Matt\Application Data\Foxit
2009-04-11 17:37 . 2009-04-11 17:37 -------- d-----w C:\CF
2009-04-11 15:47 . 2009-04-11 15:47 -------- d-----w c:\documents and settings\Matt\Application Data\Malwarebytes
2009-04-11 15:47 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-11 15:47 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 15:47 . 2009-04-11 15:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-11 03:06 . 2009-04-11 03:06 19526 ----a-w C:\ComboFix.zip
2009-04-11 01:44 . 2009-04-11 01:45 -------- d-----w C:\xiFobmoC
2009-04-11 01:23 . 2009-04-11 01:26 -------- d-----w C:\CleanMe
2009-04-08 21:57 . 2009-04-08 21:57 -------- d-----w c:\documents and settings\Matt\Local Settings\Application Data\{E0019759-D443-4CCD-B77F-D712A400474C}
2009-04-07 01:59 . 2009-04-07 01:59 -------- d-----w c:\windows\system32\NtmsData
2009-03-28 03:26 . 2009-03-29 18:41 -------- d-----w c:\documents and settings\Matt\Application Data\HouseCall 6.6
2009-03-27 22:53 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-27 22:44 . 2009-03-27 22:44 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-25 05:31 . 2009-04-11 02:18 -------- d--h--w c:\documents and settings\Matt\Application Data\drivers

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 19:03 . 2003-12-30 21:04 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-12 18:38 . 2009-04-12 18:37 3029 ----a-w C:\JavaRa.log
2009-04-12 18:37 . 2005-02-14 01:32 -------- d-----w c:\program files\Java
2009-04-12 18:14 . 2003-12-22 04:59 -------- d-----w c:\program files\Common Files\Adobe
2009-04-11 15:47 . 2009-04-11 15:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-11 15:45 . 2009-04-11 15:44 2967800 ----a-w c:\program files\mbam-setup.exe
2009-04-11 15:41 . 2009-04-11 15:41 -------- d-----w c:\program files\Trend Micro
2009-04-11 02:20 . 2005-01-18 05:24 -------- d-----w c:\program files\Steam
2009-04-10 20:54 . 2001-08-23 12:00 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-10 20:53 . 2009-01-10 20:53 63488 --sha-w c:\windows\system32\reguligu.exe
2009-04-08 22:06 . 2009-01-08 22:06 61440 --sha-w c:\windows\system32\bodalene.exe
2009-04-08 21:09 . 2009-01-08 21:09 61440 --sha-w c:\windows\system32\fugudipi.exe
2009-04-07 02:46 . 2009-04-07 02:46 -------- d-----w c:\program files\ERUNT
2009-04-07 02:44 . 2009-04-07 02:44 791393 ----a-w c:\program files\erunt-setup.exe
2009-03-28 05:41 . 2009-03-28 05:41 812344 ----a-w c:\program files\HJTInstall.exe
2009-03-28 02:11 . 2009-01-14 07:22 441 ----a-w C:\VundoFix.txt
2009-03-27 22:43 . 2009-03-27 22:43 -------- d-----w c:\program files\Lavasoft
2009-03-27 21:57 . 2005-09-17 02:11 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-26 05:26 . 2008-12-09 04:09 688416 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-26 05:26 . 2008-12-09 04:09 66656 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-26 05:26 . 2008-12-09 04:09 315320 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-26 05:26 . 2008-12-09 04:09 23229728 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-25 05:07 . 2006-04-15 22:46 0 ----a-w C:\CreateMarkers.log
2009-03-09 10:19 . 2009-01-11 07:17 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-25 02:48 . 2009-02-25 02:40 108032 ----a-w c:\windows\system32\zoyulolu.dll
2009-02-23 22:48 . 2009-02-23 22:48 2713 --sh--w c:\windows\system32\hulubera.dll
2009-02-23 21:58 . 2004-10-05 02:25 -------- d-----w c:\program files\Google
2009-02-09 11:13 . 2001-08-23 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2008-12-04 02:27 . 2003-12-19 16:53 85776 ----a-w c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-06-05 00:27 . 2007-06-05 00:27 127 ----a-w c:\documents and settings\Matt\Local Settings\Application Data\fusioncache.dat
2009-04-08 22:06 . 2009-01-08 22:06 61440 --sha-w c:\windows\system32\bodalene.exe
2009-04-08 21:09 . 2009-01-08 21:09 61440 --sha-w c:\windows\system32\fugudipi.exe
2009-02-23 22:48 . 2009-02-23 22:48 2713 --sh--w c:\windows\system32\hulubera.dll
2009-04-10 20:53 . 2009-01-10 20:53 63488 --sha-w c:\windows\system32\reguligu.exe
2009-03-26 05:26 . 2008-12-09 04:09 23229728 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-26 05:26 . 2008-12-09 04:09 688416 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-13_13.57.28.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-13 20:48 . 2009-04-13 20:48 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
+ 2003-12-20 04:44 . 2007-04-09 17:21 22528 c:\windows\system32\sfman32.dll
+ 2009-04-12 19:54 . 2003-03-13 11:10 15840 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\pfmodnt.sys
+ 2009-04-12 19:54 . 2003-03-25 12:22 53674 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctdaught.dat
+ 2009-04-12 19:54 . 2003-03-25 11:14 49152 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctcoinst.dll
+ 2009-04-12 19:54 . 2008-04-14 00:12 23552 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\wdmaud.drv
+ 2009-04-12 19:54 . 2008-04-13 18:45 49408 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\stream.sys
+ 2009-04-12 19:54 . 2008-04-13 18:45 60160 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\drmk.sys
+ 2009-04-12 19:54 . 2001-08-17 08:35 36864 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Common\sfman32.dll
+ 2009-04-12 19:54 . 2003-03-25 12:05 65536 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Common\a3d.dll
+ 2003-12-20 04:44 . 2007-04-09 17:21 48128 c:\windows\system32\regplib.exe
+ 2007-04-09 17:32 . 2007-04-09 17:32 38400 c:\windows\system32\readreg.exe
+ 2007-04-09 17:32 . 2007-04-09 17:32 37888 c:\windows\system32\psconv.exe
+ 2003-12-20 04:44 . 2007-04-09 17:21 81920 c:\windows\system32\piaproxy.dll
+ 2003-12-20 04:44 . 2007-04-09 17:19 10240 c:\windows\system32\killapps.exe
+ 2007-04-09 17:33 . 2007-04-09 17:33 11776 c:\windows\system32\inres.dll
+ 2003-12-20 04:44 . 2001-07-11 07:51 77824 c:\windows\system32\eaxac3.dll
- 2003-12-20 04:44 . 2001-07-11 04:51 77824 c:\windows\system32\EAXAC3.DLL
- 2003-12-20 03:51 . 2008-04-13 18:45 49408 c:\windows\system32\drivers\stream.sys
+ 2003-12-20 03:51 . 2008-04-13 17:45 49408 c:\windows\system32\drivers\stream.sys
+ 2003-12-20 04:44 . 2007-04-10 09:32 16168 c:\windows\system32\drivers\pfmodnt.sys
+ 2003-12-20 04:44 . 2007-04-10 09:28 92968 c:\windows\system32\drivers\emupia2k.sys
- 2003-12-20 04:44 . 2008-04-13 18:45 60160 c:\windows\system32\drivers\drmk.sys
+ 2003-12-20 04:44 . 2008-04-13 17:45 60160 c:\windows\system32\drivers\drmk.sys
+ 2003-12-20 04:44 . 2007-04-10 09:25 14632 c:\windows\system32\drivers\ctprxy2k.sys
+ 2003-12-20 03:51 . 2008-04-13 17:45 49408 c:\windows\system32\dllcache\stream.sys
+ 2003-12-20 04:44 . 2008-04-13 17:45 60160 c:\windows\system32\dllcache\drmk.sys
+ 2003-12-20 04:44 . 2007-04-09 17:32 34816 c:\windows\system32\dllcache\a3d.dll
+ 2007-04-09 17:19 . 2007-04-09 17:19 48640 c:\windows\system32\devreg.dll
+ 2007-04-09 17:19 . 2007-04-09 17:19 26783 c:\windows\system32\Data\ctd20x.dat
+ 2007-04-09 17:32 . 2007-04-09 17:32 46592 c:\windows\system32\CTxfiSpk.dll
+ 2007-04-09 17:29 . 2007-04-09 17:29 43520 c:\windows\system32\Ctxfireg.exe
+ 2007-04-09 17:32 . 2007-04-09 17:32 19968 c:\windows\system32\Ctxfihlp.exe
+ 2007-04-09 17:32 . 2007-04-09 17:32 35840 c:\windows\system32\CTxfiBtn.dll
+ 2007-04-09 17:32 . 2007-04-09 17:32 69632 c:\windows\system32\ctthxcal.dll
+ 2003-12-20 04:44 . 2007-04-09 17:32 45568 c:\windows\system32\ctspkhlp.dll
+ 2003-12-20 04:44 . 2007-04-09 17:32 78336 c:\windows\system32\ctscal.dll
+ 2006-11-14 14:01 . 2006-11-14 14:01 58104 c:\windows\system32\ctpxinst.exe
+ 2007-04-09 16:25 . 2007-04-09 16:25 45568 c:\windows\system32\ctppld.dll
+ 2007-04-09 17:32 . 2007-04-09 17:32 56832 c:\windows\system32\CTpcmcia.dll
+ 2007-04-09 17:32 . 2007-04-09 17:32 12800 c:\windows\system32\ctmmep.dll
+ 2005-06-16 15:17 . 2005-06-16 15:17 71680 c:\windows\system32\ctmmactl.dll
+ 2007-04-12 13:10 . 2007-04-12 13:10 66816 c:\windows\system32\CTHWIUT.DLL
+ 2003-12-20 04:44 . 2007-04-09 17:32 19456 c:\windows\system32\CtHelper.exe
+ 2007-04-12 13:10 . 2007-04-12 13:10 94976 c:\windows\system32\CTERFXFX.DLL
+ 2007-04-09 17:22 . 2007-04-09 17:22 50176 c:\windows\system32\ctedasio.dll
+ 2003-12-20 04:44 . 2007-04-09 17:22 76800 c:\windows\system32\ctdproxy.dll
+ 2007-04-09 17:24 . 2007-04-09 17:24 46273 c:\windows\system32\ctdnlstr.dat
+ 2007-04-09 17:32 . 2007-04-09 17:32 10240 c:\windows\system32\ctdcres.dll
+ 2003-12-20 04:44 . 2007-04-09 17:19 53932 c:\windows\system32\ctdaught.dat
+ 2003-12-20 04:44 . 2007-04-09 17:33 86016 c:\windows\system32\ctcoinst.dll
+ 2007-04-09 17:33 . 2007-04-09 17:33 43520 c:\windows\system32\CTBurst.dll
+ 2003-12-20 04:44 . 2007-04-09 17:22 79872 c:\windows\system32\ctasio.dll
+ 2007-04-09 17:29 . 2007-04-09 17:29 10752 c:\windows\system32\Ct20xspi.dll
+ 2003-12-20 04:44 . 2007-04-18 13:59 98600 c:\windows\system32\COMMONFX.DLL
+ 2007-04-09 16:25 . 2007-04-09 16:25 48400 c:\windows\system32\AddCat.exe
+ 2003-12-20 04:44 . 2007-04-09 17:32 27648 c:\windows\system32\ac3api.dll
+ 2003-12-20 04:44 . 2007-04-09 17:32 34816 c:\windows\system32\a3d.dll
+ 2009-04-12 19:54 . 2003-03-25 12:13 6144 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctprxy2k.sys
+ 2009-04-12 19:54 . 2008-04-14 00:11 4096 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\ksuser.dll
+ 2003-12-20 03:51 . 2008-04-13 23:11 4096 c:\windows\system32\ksuser.dll
- 2003-12-20 03:51 . 2008-04-14 00:11 4096 c:\windows\system32\ksuser.dll
+ 2007-04-09 17:19 . 2007-04-09 17:19 5120 c:\windows\system32\enlocstr.exe
+ 2003-12-20 03:51 . 2008-04-13 23:11 4096 c:\windows\system32\dllcache\ksuser.dll
+ 2007-04-09 17:19 . 2007-04-09 17:19 2091 c:\windows\system32\Data\cts20x.dat
+ 2007-04-09 17:32 . 2007-04-09 17:32 9216 c:\windows\system32\ctpres.dll
+ 2003-12-20 04:44 . 2007-04-09 17:32 8704 c:\windows\system32\ctagent.dll
+ 2003-12-20 04:44 . 2007-04-09 17:21 130048 c:\windows\system32\sfms32.dll
+ 2009-04-12 19:54 . 2003-04-01 12:07 142752 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\haP16v2k.sys
+ 2009-04-12 19:54 . 2003-04-03 02:59 850880 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ha10kx2k.sys
+ 2009-04-12 19:54 . 2003-03-25 12:13 144736 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\emupia2k.sys
+ 2009-04-12 19:54 . 2003-03-25 12:27 270745 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctstatic.dat
+ 2009-04-12 19:54 . 2003-03-25 12:13 135696 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctsfm2k.sys
+ 2009-04-12 19:54 . 2003-03-25 12:37 250284 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctsbas2w.dat
+ 2009-04-12 19:54 . 2003-03-25 12:12 190176 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctoss2k.sys
+ 2009-04-12 19:54 . 2003-03-27 04:58 287920 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctdvda2k.sys
+ 2009-04-12 19:54 . 2003-03-25 12:37 200089 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctdlang.dat
+ 2009-04-12 19:54 . 2003-03-25 12:37 139067 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctbas2w.dat
+ 2009-04-12 19:54 . 2003-04-11 05:32 502160 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctaud2k.sys
+ 2009-04-12 19:54 . 2003-03-25 12:11 134656 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Win2K_XP\ctac32k.sys
+ 2009-04-12 19:54 . 2008-04-13 19:19 146048 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\portcls.sys
+ 2009-04-12 19:54 . 2008-04-13 19:16 141056 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\ks.sys
+ 2009-04-12 19:54 . 2003-04-11 09:52 598016 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Common\ctsblfx.dll
+ 2009-04-12 19:54 . 2003-04-11 09:50 446464 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Common\ctaudfx.dll
+ 2009-04-12 19:54 . 2003-03-25 12:19 114688 c:\windows\system32\ReinstallBackups\0008\DriverFiles\Common\commonfx.dll
+ 2006-11-23 05:55 . 2006-11-23 05:55 782336 c:\windows\system32\OALInst.exe
+ 2003-12-20 04:44 . 2008-04-13 18:19 146048 c:\windows\system32\drivers\portcls.sys
- 2003-12-20 04:44 . 2008-04-13 19:19 146048 c:\windows\system32\drivers\portcls.sys
+ 2003-12-20 03:51 . 2008-04-13 18:16 141056 c:\windows\system32\drivers\ks.sys
- 2003-12-20 03:51 . 2008-04-13 19:16 141056 c:\windows\system32\drivers\ks.sys
+ 2007-04-10 09:32 . 2007-04-10 09:32 189736 c:\windows\system32\drivers\haP17v2k.sys
+ 2003-12-20 04:44 . 2007-04-10 09:31 163112 c:\windows\system32\drivers\haP16v2k.sys
+ 2003-12-20 04:44 . 2007-04-10 09:29 797992 c:\windows\system32\drivers\ha10kx2k.sys
+ 2003-12-20 04:44 . 2007-04-10 11:00 157480 c:\windows\system32\drivers\ctsfm2k.sys
+ 2003-12-20 04:44 . 2007-04-10 10:59 126760 c:\windows\system32\drivers\ctoss2k.sys
+ 2003-12-20 04:44 . 2007-04-10 09:21 347128 c:\windows\system32\drivers\ctdvda2k.sys
+ 2003-12-20 04:44 . 2007-04-10 09:20 520488 c:\windows\system32\drivers\ctaud2k.sys
+ 2003-12-20 04:44 . 2007-04-10 09:19 511272 c:\windows\system32\drivers\ctac32k.sys
+ 2003-12-20 04:44 . 2008-04-13 18:19 146048 c:\windows\system32\dllcache\portcls.sys
+ 2003-12-20 03:51 . 2008-04-13 18:16 141056 c:\windows\system32\dllcache\ks.sys
+ 2007-04-09 17:19 . 2007-04-09 17:19 233684 c:\windows\system32\Data\CTPM002W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235142 c:\windows\system32\Data\CTPDXW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 232158 c:\windows\system32\Data\CTP4893W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 232158 c:\windows\system32\Data\CTP4891W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 232158 c:\windows\system32\Data\CTP4890W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4875W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4872W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4871W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4870W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4850W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 232158 c:\windows\system32\Data\CTP4840W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4832W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4831W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4830W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 267599 c:\windows\system32\Data\CTP4820W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 232158 c:\windows\system32\Data\CTP4790W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4780W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4760W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4670W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233024 c:\windows\system32\Data\CTP4620W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 233684 c:\windows\system32\Data\CTP1140W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 268778 c:\windows\system32\Data\CTP0930W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 269402 c:\windows\system32\Data\CTP0773W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 263543 c:\windows\system32\Data\CTP0760W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 265966 c:\windows\system32\Data\CTP073AW.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 265966 c:\windows\system32\Data\CTP0730W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 345761 c:\windows\system32\Data\CTP0679W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 345761 c:\windows\system32\Data\CTP0678W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 319757 c:\windows\system32\Data\CTP0669W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 319757 c:\windows\system32\Data\CTP0610W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 319757 c:\windows\system32\Data\CTP0600W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 264060 c:\windows\system32\Data\CTP055AW.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 264388 c:\windows\system32\Data\CTP0550W.DAT
+ 2007-04-09 17:20 . 2007-04-09 17:20 321377 c:\windows\system32\Data\CTP0531W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 232116 c:\windows\system32\Data\CTP0531L.DAT
+ 2007-04-09 17:20 . 2007-04-09 17:20 321377 c:\windows\system32\Data\CTP0530W.DAT
+ 2007-04-09 17:20 . 2007-04-09 17:20 232116 c:\windows\system32\Data\CTP0530L.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 263802 c:\windows\system32\Data\CTP046CW.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 263802 c:\windows\system32\Data\CTP046BW.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 263802 c:\windows\system32\Data\CTP046AW.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 264130 c:\windows\system32\Data\CTP0469W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 264130 c:\windows\system32\Data\CTP0468W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 264130 c:\windows\system32\Data\CTP0466W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 264130 c:\windows\system32\Data\CTP0465W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 264130 c:\windows\system32\Data\CTP0464W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 264060 c:\windows\system32\Data\CTP0463W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 264130 c:\windows\system32\Data\CTP0462W.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 264130 c:\windows\system32\Data\CTP0460W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 319757 c:\windows\system32\Data\CTP0400W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 320076 c:\windows\system32\Data\CTP0380W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 320076 c:\windows\system32\Data\CTP0360W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 320622 c:\windows\system32\Data\CTP0359W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 321552 c:\windows\system32\Data\CTP0358W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 322194 c:\windows\system32\Data\CTP0355W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 321529 c:\windows\system32\Data\CTP0352W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 323640 c:\windows\system32\Data\CTP0350W.DAT
+ 2003-12-20 04:44 . 2007-04-09 17:19 318254 c:\windows\system32\Data\CTP0320W.DAT
+ 2003-12-20 04:44 . 2007-04-09 17:19 318254 c:\windows\system32\Data\CTP0280W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 318341 c:\windows\system32\Data\CTP0249W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 319730 c:\windows\system32\Data\CTP0246W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 318254 c:\windows\system32\Data\CTP0245W.DAT
+ 2003-12-20 04:44 . 2007-04-09 17:19 319730 c:\windows\system32\Data\CTP0244W.DAT
+ 2003-12-20 04:44 . 2007-04-09 17:19 318800 c:\windows\system32\Data\CTP0243W.DAT
+ 2003-12-20 04:44 . 2007-04-09 17:19 319730 c:\windows\system32\Data\CTP0242W.DAT
+ 2003-12-20 04:44 . 2007-04-09 17:19 319070 c:\windows\system32\Data\CTP0240W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 275517 c:\windows\system32\Data\CTP0238W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 277159 c:\windows\system32\Data\CTP0232W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 275816 c:\windows\system32\Data\CTP0231W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 277159 c:\windows\system32\Data\CTP0230W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 236189 c:\windows\system32\Data\CTP0222W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 236189 c:\windows\system32\Data\CTP0221W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 276738 c:\windows\system32\Data\CTP0192W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 275169 c:\windows\system32\Data\CTP0191W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235142 c:\windows\system32\Data\CTP017HW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235142 c:\windows\system32\Data\CTP017GW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235142 c:\windows\system32\Data\CTP017FW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235142 c:\windows\system32\Data\CTP017EW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235142 c:\windows\system32\Data\CTP017DW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235142 c:\windows\system32\Data\CTP017CW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235142 c:\windows\system32\Data\CTP017BW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235142 c:\windows\system32\Data\CTP017AW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235259 c:\windows\system32\Data\CTP0170W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 276738 c:\windows\system32\Data\CTP0162W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 275427 c:\windows\system32\Data\CTP0161W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 232158 c:\windows\system32\Data\CTP0150W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235259 c:\windows\system32\Data\CTP0105W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235259 c:\windows\system32\Data\CTP0103W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235259 c:\windows\system32\Data\CTP0102W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235259 c:\windows\system32\Data\CTP0101W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235259 c:\windows\system32\Data\CTP0100W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 274587 c:\windows\system32\Data\CTP0095W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 276738 c:\windows\system32\Data\CTP0092W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 275169 c:\windows\system32\Data\CTP0091W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 276738 c:\windows\system32\Data\CTP0090W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 289409 c:\windows\system32\Data\CTP0073W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 289409 c:\windows\system32\Data\CTP0070W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235259 c:\windows\system32\Data\CTP0061W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235259 c:\windows\system32\Data\CTP0060W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 374041 c:\windows\system32\Data\CTEDSPW.DAT
+ 2007-04-09 17:20 . 2007-04-09 17:20 270927 c:\windows\system32\Data\CTEDSPUW.DAT
+ 2007-04-09 17:20 . 2007-04-09 17:20 270927 c:\windows\system32\Data\CTEDSPTW.DAT
+ 2007-04-09 17:20 . 2007-04-09 17:20 330665 c:\windows\system32\Data\CTEDSPPW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 294775 c:\windows\system32\Data\CTEDSPLW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 294775 c:\windows\system32\Data\CTEDSPKW.DAT
+ 2007-04-09 17:20 . 2007-04-09 17:20 348425 c:\windows\system32\Data\CTEDSPHW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 374041 c:\windows\system32\Data\CTEDSP2W.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 201502 c:\windows\system32\Data\CTEAPSW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 235142 c:\windows\system32\Data\CT0060W.DAT
+ 2007-04-09 17:29 . 2007-04-09 17:29 934400 c:\windows\system32\CTxfispi.exe
+ 2003-12-20 04:44 . 2007-04-09 17:19 313207 c:\windows\system32\ctstatic.dat
+ 2005-06-30 12:24 . 2005-06-30 12:24 121856 c:\windows\system32\ctsfinst.dll
+ 2003-12-20 04:44 . 2007-04-12 13:10 560384 c:\windows\system32\CTSBLFX.DLL
+ 2003-12-20 04:44 . 2007-04-09 17:19 274587 c:\windows\system32\ctsbas2w.dat
+ 2003-12-20 04:44 . 2007-04-09 17:21 137728 c:\windows\system32\ctosuser.dll
+ 2003-12-20 04:44 . 2007-04-09 17:24 110080 c:\windows\system32\ctemupia.dll
+ 2007-04-12 13:10 . 2007-04-12 13:10 323328 c:\windows\system32\CTEDSPSY.DLL
+ 2007-04-12 13:10 . 2007-04-12 13:10 128768 c:\windows\system32\CTEDSPIO.DLL
+ 2007-04-12 13:10 . 2007-04-12 13:10 280320 c:\windows\system32\CTEDSPFX.DLL
+ 2007-04-12 13:10 . 2007-04-12 13:10 168192 c:\windows\system32\CTEAPSFX.DLL
+ 2007-04-09 17:33 . 2007-04-09 17:33 163328 c:\windows\system32\ctdvinst.dll
+ 2003-12-20 04:44 . 2007-04-09 17:24 325821 c:\windows\system32\ctdlang.dat
+ 2003-12-20 04:44 . 2007-04-09 17:32 131072 c:\windows\system32\ctdcifce.dll
+ 2003-12-20 04:44 . 2007-04-09 17:32 335872 c:\windows\system32\ctdc0001.dll
+ 2003-12-20 04:44 . 2007-04-09 17:32 227840 c:\windows\system32\ctdc0000.dll
+ 2003-12-20 04:44 . 2007-04-09 17:21 149838 c:\windows\system32\ctbas2w.dat
+ 2003-12-20 04:44 . 2007-04-12 13:10 546048 c:\windows\system32\CTAUDFX.DLL
+ 2007-04-09 16:25 . 2007-04-09 16:25 444928 c:\windows\system32\CTAPO32.dll
+ 2007-04-12 13:10 . 2007-04-12 13:10 164608 c:\windows\system32\CT20XUT.DLL
+ 2007-04-09 17:22 . 2007-04-09 17:22 205312 c:\windows\system32\ct_oal.dll
+ 2007-04-12 13:10 . 2007-04-12 13:10 105728 c:\windows\system32\APOMgrH.dll
- 2009-04-13 18:47 . 2005-10-21 01:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-13 20:44 . 2005-10-21 01:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
+ 2007-04-10 11:03 . 2007-04-10 11:03 1164072 c:\windows\system32\drivers\ha20x2k.sys
+ 2007-04-12 13:10 . 2007-04-12 13:10 1317632 c:\windows\system32\CTEXFIFX.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"PeerGuardian"="g:\program files\PeerGuardian2\pg2.exe" [2009-04-10 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-31 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-12-17 748840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-01-13 169472]
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-12-29 1175552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"msacm.dvacm"= dvacm.acm
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"g:\\Program Files\\Gmail Notifier\\gnotify.exe"=
"c:\\Program Files\\MSN Messenger\\usnsvc.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Motive\\McciCMService.exe"=
"c:\\WINDOWS\\system32\\MsPMSPSv.exe"=
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.xanga.com/private/yourhome.aspx?user=pimpin_potter
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\jwjue9jy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/showthread.php?p=303311#post303311
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: g:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: g:\program files\DivX\DivX Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 15:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,fc,bd,91,37,73,
a7,8f,c2,c8,28,51,af,b0,29,a3,98,c1,ac,66,f0,3c,67,fd,50,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,95,5c,67,fb,b7,
d4,0f,0f,71,3b,04,66,8b,46,0d,96,e8,37,b4,be,66,e5,9e,5f,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,4d,7e,96,96,41,
aa,67,68,25,da,ec,7e,55,20,c9,26,11,4b,19,74,c9,0b,96,42,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,51,f7,8d,05,75,
2f,8e,77,3e,1e,9e,e0,57,5a,93,61,da,57,62,6b,47,68,bc,83,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ff,5d,d3,01,e9,
ba,9e,b5,cd,44,cd,b9,a6,33,6c,cd,74,6d,84,01,9f,c7,14,59,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,53,d8,68,3c,71,
fc,16,58,b0,18,ed,a7,3f,8d,37,a4,7e,54,05,37,f2,f6,5d,08,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,ed,c5,32,cc,5c,
ff,ae,eb,31,77,e1,ba,b1,f8,68,02,25,7e,03,43,88,2f,df,33,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,31,a0,3c,57,33,
37,c7,c7,83,6c,56,8b,a0,85,96,ab,4a,bc,6a,36,97,5b,95,1c,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,68,31,e6,f9,c6,
67,0f,12,51,fa,6e,91,28,9e,14,cc,35,3a,3d,06,d3,ea,12,a2,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,ab,b9,b3,fb,46,
eb,96,55,b1,cd,45,5a,a8,c4,f8,b9,df,38,07,23,16,4e,3d,aa,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,e0,87,01,cb,7b,
ce,6c,92,e3,0e,66,d5,eb,bc,2f,6b,a9,5e,31,69,51,b2,b8,c7,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,de,75,72,90,38,
20,86,97,fa,ea,66,7f,d4,3b,6b,70,e8,53,bf,49,80,1a,8a,ef,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2932)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-13 15:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 20:54
ComboFix2.txt 2009-04-13 19:00
ComboFix3.txt 2009-04-11 18:03
ComboFix4.txt 2009-04-11 02:46

Pre-Run: 2,674,925,568 bytes free
Post-Run: 2,737,942,528 bytes free

479 --- E O F --- 2009-04-11 03:06

katana
2009-04-13, 00:45
Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



File::
c:\windows\system32\reguligu.exe
c:\windows\system32\bodalene.exe
c:\windows\system32\fugudipi.exe
c:\windows\system32\zoyulolu.dll
c:\windows\system32\hulubera.dll

ADS::
Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper





How are things now?

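The log and CFScript above, as an added example that is not part of the original thread (it is neither ComboFix's own code nor katana's script): a small Python triage script that pulls out the three things worth checking first in a ComboFix log like the ones posted here. It finds locked CLSID keys whose InprocServer32 default points at OLE32.DLL and carries a 32-hex-digit value name (the shape of every entry under LOCKED REGISTRY KEYS above), reads the Windows Firewall state from the standardprofile block (the log shows "EnableFirewall"= 0 while Norton's worm protection is also disabled, so nothing is filtering inbound traffic on this machine), flags eight-letter consonant-vowel file names in system32 like bodalene.exe and zoyulolu.dll, and writes the matches out in the File:: layout of the CFScript. The sample log is constructed from fragments of the logs on this page (plus one null-GUID key as a negative case); the regular expressions and the file-name heuristic are the example's own assumptions, not ComboFix's detection logic.

```python
"""Triage a ComboFix log: locked Vundo-style CLSID keys, firewall state,
pseudo-random system32 file names, and a CFScript File:: section.
Added example for this thread; not ComboFix's code or the helper's script."""
import re

# Constructed sample, modelled on the ComboFix logs posted in this thread.
# The {00000000-...} key is a constructed negative case, not a real entry.
SAMPLE_LOG = r"""
FILE ::
c:\windows\system32\bodalene.exe
c:\windows\system32\fugudipi.exe
c:\windows\system32\hulubera.dll
c:\windows\system32\reguligu.exe
c:\windows\system32\zoyulolu.dll
.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.
2009-04-12 21:34 . 2006-11-14 12:28 86016 ----a-w c:\windows\system32\cttele.dll
2009-04-10 20:54 . 2001-08-23 12:00 14336 ----a-w c:\windows\system32\svchost.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,fc,bd,91,37,73,

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,95,5c,67,fb,b7,

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\legit.dll"
"""

# Regexes are this example's assumptions about the log layout shown above.
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\*\]',
    re.IGNORECASE | re.MULTILINE)
SERVER_RE = re.compile(r'^@="(.*)"$', re.MULTILINE)
HEXNAME_RE = re.compile(r'^"([0-9a-f]{32})"=hex:', re.MULTILINE)
PATH_RE = re.compile(r'c:\\windows\\system32\\([a-z0-9_]+)\.(exe|dll)', re.IGNORECASE)
VOWELS = set('aeiou')


def find_locked_clsids(log):
    """Return (clsid, value_name) for each locked InprocServer32 key whose
    default value is OLE32.DLL and which carries a 32-hex-digit value name,
    the pattern every LOCKED REGISTRY KEYS entry in the log above shows."""
    hits = []
    for block in re.split(r'\n\s*\n', log):
        head = KEY_RE.search(block)
        if not head:
            continue
        server = SERVER_RE.search(block)
        hexname = HEXNAME_RE.search(block)
        if server and server.group(1).lower().endswith('ole32.dll') and hexname:
            hits.append((head.group(1), hexname.group(1)))
    return hits


def firewall_enabled(log):
    """Read "EnableFirewall"= N from the standardprofile policy block.
    Returns True/False, or None when the block is absent from the log."""
    m = re.search(r'"EnableFirewall"=\s*(\d)', log)
    return None if m is None else m.group(1) == '1'


def looks_pseudo_random(name):
    """Heuristic (assumption): eight lowercase letters alternating
    consonant/vowel, the shape of bodalene, fugudipi, reguligu above."""
    if len(name) != 8 or not name.isalpha() or not name.islower():
        return False
    return all((c in VOWELS) == (i % 2 == 1) for i, c in enumerate(name))


def suspicious_system32_files(log):
    """Every system32 .exe/.dll path in the log whose base name matches the
    heuristic; sorted and lower-cased so the list is stable."""
    found = set()
    for m in PATH_RE.finditer(log):
        if looks_pseudo_random(m.group(1).lower()):
            found.add(m.group(0).lower())
    return sorted(found)


def build_cfscript(paths):
    """Emit a File:: section in the layout the CFScript post above uses."""
    return 'File::\n' + '\n'.join(paths) + '\n'


if __name__ == '__main__':
    for clsid, value_name in find_locked_clsids(SAMPLE_LOG):
        print('locked CLSID', clsid, 'value', value_name)
    print('firewall enabled:', firewall_enabled(SAMPLE_LOG))
    print(build_cfscript(suspicious_system32_files(SAMPLE_LOG)))
```

The file-name heuristic is deliberately narrow: it only catches the eight-letter consonant-vowel names in this thread and is a prompt to look closer, not a verdict. Anything it lists still belongs in a helper-reviewed CFScript rather than a blind deletion, for the same reason katana gives above.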
invisiblegardener
2009-04-13, 01:46
Haven't noticed any further changes in performance.


ComboFix 09-04-13.07 - Matt 2009-04-12 17:24.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1130 [GMT -5:00]
Running from: c:\documents and settings\Matt\Desktop\Combo.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\bodalene.exe
c:\windows\system32\fugudipi.exe
c:\windows\system32\hulubera.dll
c:\windows\system32\reguligu.exe
c:\windows\system32\zoyulolu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bodalene.exe
c:\windows\system32\fugudipi.exe
c:\windows\system32\hulubera.dll
c:\windows\system32\reguligu.exe
c:\windows\system32\zoyulolu.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-13 20:44 . 2009-04-13 22:30 11564 ----a-w c:\windows\system32\DVCState-{00000001-00000000-00000007-00001102-00000004-10021102}.rfx
2009-04-13 19:10 . 2009-04-13 19:24 -------- d-----w C:\rsit
2009-04-12 21:36 . 2009-04-12 21:36 1080 ----a-w c:\windows\system32\settingsbkup.sfm
2009-04-12 21:36 . 2009-04-12 21:36 1080 ----a-w c:\windows\system32\settings.sfm
2009-04-12 21:34 . 2006-11-14 12:28 86016 ----a-w c:\windows\system32\cttele.dll
2009-04-12 21:33 . 2009-04-12 21:33 409600 ----a-w c:\windows\system32\wrap_oal.dll
2009-04-12 18:17 . 2009-04-12 18:17 -------- d-----w c:\documents and settings\Matt\Application Data\Foxit
2009-04-11 17:37 . 2009-04-11 17:37 -------- d-----w C:\CF
2009-04-11 15:47 . 2009-04-11 15:47 -------- d-----w c:\documents and settings\Matt\Application Data\Malwarebytes
2009-04-11 15:47 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-11 15:47 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 15:47 . 2009-04-11 15:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-11 03:06 . 2009-04-11 03:06 19526 ----a-w C:\ComboFix.zip
2009-04-11 01:44 . 2009-04-11 01:45 -------- d-----w C:\xiFobmoC
2009-04-11 01:23 . 2009-04-11 01:26 -------- d-----w C:\CleanMe
2009-04-08 21:57 . 2009-04-08 21:57 -------- d-----w c:\documents and settings\Matt\Local Settings\Application Data\{E0019759-D443-4CCD-B77F-D712A400474C}
2009-04-07 01:59 . 2009-04-07 01:59 -------- d-----w c:\windows\system32\NtmsData
2009-03-28 03:26 . 2009-03-29 18:41 -------- d-----w c:\documents and settings\Matt\Application Data\HouseCall 6.6
2009-03-27 22:53 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-27 22:44 . 2009-03-27 22:44 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-25 05:31 . 2009-04-11 02:18 -------- d--h--w c:\documents and settings\Matt\Application Data\drivers

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 19:03 . 2003-12-30 21:04 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-12 21:33 . 2003-12-20 04:44 114688 ----a-w c:\windows\system32\OpenAL32.dll
2009-04-12 21:33 . 2003-12-19 16:32 -------- d-----w c:\documents and settings\Matt\Application Data\Creative
2009-04-12 18:38 . 2009-04-12 18:37 3029 ----a-w C:\JavaRa.log
2009-04-12 18:37 . 2005-02-14 01:32 -------- d-----w c:\program files\Java
2009-04-12 18:14 . 2003-12-22 04:59 -------- d-----w c:\program files\Common Files\Adobe
2009-04-11 15:47 . 2009-04-11 15:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-11 15:45 . 2009-04-11 15:44 2967800 ----a-w c:\program files\mbam-setup.exe
2009-04-11 15:41 . 2009-04-11 15:41 -------- d-----w c:\program files\Trend Micro
2009-04-11 02:20 . 2005-01-18 05:24 -------- d-----w c:\program files\Steam
2009-04-10 20:54 . 2001-08-23 12:00 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-07 02:46 . 2009-04-07 02:46 -------- d-----w c:\program files\ERUNT
2009-04-07 02:44 . 2009-04-07 02:44 791393 ----a-w c:\program files\erunt-setup.exe
2009-03-28 05:41 . 2009-03-28 05:41 812344 ----a-w c:\program files\HJTInstall.exe
2009-03-28 02:11 . 2009-01-14 07:22 441 ----a-w C:\VundoFix.txt
2009-03-27 22:43 . 2009-03-27 22:43 -------- d-----w c:\program files\Lavasoft
2009-03-27 21:57 . 2005-09-17 02:11 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-26 05:26 . 2008-12-09 04:09 688416 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-26 05:26 . 2008-12-09 04:09 66656 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-26 05:26 . 2008-12-09 04:09 315320 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-26 05:26 . 2008-12-09 04:09 23229728 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-25 05:07 . 2006-04-15 22:46 0 ----a-w C:\CreateMarkers.log
2009-03-09 10:19 . 2009-01-11 07:17 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-23 21:58 . 2004-10-05 02:25 -------- d-----w c:\program files\Google
2009-02-09 11:13 . 2001-08-23 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2008-12-04 02:27 . 2003-12-19 16:53 85776 ----a-w c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-06-05 00:27 . 2007-06-05 00:27 127 ----a-w c:\documents and settings\Matt\Local Settings\Application Data\fusioncache.dat
2009-03-26 05:26 . 2008-12-09 04:09 23229728 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-26 05:26 . 2008-12-09 04:09 688416 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-04-13_15.53.28.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-13 22:33 . 2009-04-13 22:33 16384 c:\windows\Temp\Perflib_Perfdata_7d8.dat
- 2003-12-20 04:44 . 2007-04-09 17:21 22528 c:\windows\system32\sfman32.dll
+ 2007-04-09 17:21 . 2007-04-09 17:21 22528 c:\windows\system32\sfman32.dll
- 2003-12-20 04:44 . 2007-04-09 17:21 48128 c:\windows\system32\regplib.exe
+ 2007-04-09 17:21 . 2007-04-09 17:21 48128 c:\windows\system32\regplib.exe
- 2003-12-20 04:44 . 2007-04-09 17:21 81920 c:\windows\system32\piaproxy.dll
+ 2007-04-09 17:21 . 2007-04-09 17:21 81920 c:\windows\system32\piaproxy.dll
+ 2007-04-09 17:19 . 2007-04-09 17:19 28672 c:\windows\system32\MIDIDEF.EXE
- 2003-12-20 04:44 . 2007-04-09 17:19 10240 c:\windows\system32\killapps.exe
+ 2007-04-09 17:19 . 2007-04-09 17:19 10240 c:\windows\system32\killapps.exe
- 2003-12-20 04:44 . 2001-07-11 07:51 77824 c:\windows\system32\eaxac3.dll
+ 2001-07-11 07:51 . 2001-07-11 07:51 77824 c:\windows\system32\eaxac3.dll
+ 2007-04-10 09:32 . 2007-04-10 09:32 16168 c:\windows\system32\drivers\pfmodnt.sys
- 2003-12-20 04:44 . 2007-04-10 09:32 16168 c:\windows\system32\drivers\pfmodnt.sys
- 2003-12-20 04:44 . 2007-04-10 09:28 92968 c:\windows\system32\drivers\emupia2k.sys
+ 2007-04-10 09:28 . 2007-04-10 09:28 92968 c:\windows\system32\drivers\emupia2k.sys
+ 2007-04-10 09:25 . 2007-04-10 09:25 14632 c:\windows\system32\drivers\ctprxy2k.sys
- 2003-12-20 04:44 . 2007-04-10 09:25 14632 c:\windows\system32\drivers\ctprxy2k.sys
+ 2007-04-10 09:21 . 2007-04-10 09:21 19112 c:\windows\system32\drivers\CTGAME.SYS
- 2003-12-20 04:44 . 2007-04-09 17:32 34816 c:\windows\system32\dllcache\a3d.dll
+ 2007-04-09 17:32 . 2007-04-09 17:32 34816 c:\windows\system32\dllcache\a3d.dll
+ 2009-04-12 21:34 . 2006-11-14 12:28 86016 c:\windows\system32\cttele.dll
- 2003-12-20 04:44 . 2007-04-09 17:32 45568 c:\windows\system32\ctspkhlp.dll
+ 2007-04-09 17:32 . 2007-04-09 17:32 45568 c:\windows\system32\ctspkhlp.dll
- 2003-12-20 04:44 . 2007-04-09 17:32 78336 c:\windows\system32\ctscal.dll
+ 2007-04-09 17:32 . 2007-04-09 17:32 78336 c:\windows\system32\ctscal.dll
- 2003-12-20 04:44 . 2007-04-09 17:32 19456 c:\windows\system32\CtHelper.exe
+ 2007-04-09 17:32 . 2007-04-09 17:32 19456 c:\windows\system32\CtHelper.exe
- 2003-12-20 04:44 . 2007-04-09 17:22 76800 c:\windows\system32\ctdproxy.dll
+ 2007-04-09 17:22 . 2007-04-09 17:22 76800 c:\windows\system32\ctdproxy.dll
- 2003-12-20 04:44 . 2007-04-09 17:19 53932 c:\windows\system32\ctdaught.dat
+ 2007-04-09 17:19 . 2007-04-09 17:19 53932 c:\windows\system32\ctdaught.dat
- 2003-12-20 04:44 . 2007-04-09 17:22 79872 c:\windows\system32\ctasio.dll
+ 2007-04-09 17:22 . 2007-04-09 17:22 79872 c:\windows\system32\ctasio.dll
+ 2007-04-18 13:59 . 2007-04-18 13:59 98600 c:\windows\system32\COMMONFX.DLL
- 2003-12-20 04:44 . 2007-04-18 13:59 98600 c:\windows\system32\COMMONFX.DLL
- 2003-12-20 04:44 . 2007-04-09 17:32 27648 c:\windows\system32\ac3api.dll
+ 2007-04-09 17:32 . 2007-04-09 17:32 27648 c:\windows\system32\ac3api.dll
+ 2007-04-09 17:32 . 2007-04-09 17:32 34816 c:\windows\system32\a3d.dll
- 2003-12-20 04:44 . 2007-04-09 17:32 34816 c:\windows\system32\a3d.dll
+ 2007-04-09 17:33 . 2007-04-09 17:33 11776 c:\windows\INRES.DLL
+ 2007-04-09 17:32 . 2007-04-09 17:32 10240 c:\windows\CTDCRES.DLL
+ 2007-04-09 17:32 . 2007-04-09 17:32 8704 c:\windows\system32\ctagent.dll
- 2003-12-20 04:44 . 2007-04-09 17:32 8704 c:\windows\system32\ctagent.dll
+ 2009-04-12 21:33 . 2009-04-12 21:33 409600 c:\windows\system32\wrap_oal.dll
- 2003-12-20 04:44 . 2007-04-09 17:21 130048 c:\windows\system32\sfms32.dll
+ 2007-04-09 17:21 . 2007-04-09 17:21 130048 c:\windows\system32\sfms32.dll
+ 2003-12-20 04:44 . 2009-04-12 21:33 114688 c:\windows\system32\OpenAL32.dll
- 2003-12-20 04:44 . 2007-04-10 09:31 163112 c:\windows\system32\drivers\haP16v2k.sys
+ 2007-04-10 09:31 . 2007-04-10 09:31 163112 c:\windows\system32\drivers\haP16v2k.sys
+ 2007-04-10 09:29 . 2007-04-10 09:29 797992 c:\windows\system32\drivers\ha10kx2k.sys
- 2003-12-20 04:44 . 2007-04-10 09:29 797992 c:\windows\system32\drivers\ha10kx2k.sys
- 2003-12-20 04:44 . 2007-04-10 11:00 157480 c:\windows\system32\drivers\ctsfm2k.sys
+ 2007-04-10 11:00 . 2007-04-10 11:00 157480 c:\windows\system32\drivers\ctsfm2k.sys
+ 2007-04-10 10:59 . 2007-04-10 10:59 126760 c:\windows\system32\drivers\ctoss2k.sys
- 2003-12-20 04:44 . 2007-04-10 10:59 126760 c:\windows\system32\drivers\ctoss2k.sys
- 2003-12-20 04:44 . 2007-04-10 09:21 347128 c:\windows\system32\drivers\ctdvda2k.sys
+ 2007-04-10 09:21 . 2007-04-10 09:21 347128 c:\windows\system32\drivers\ctdvda2k.sys
- 2003-12-20 04:44 . 2007-04-10 09:20 520488 c:\windows\system32\drivers\ctaud2k.sys
+ 2007-04-10 09:20 . 2007-04-10 09:20 520488 c:\windows\system32\drivers\ctaud2k.sys
- 2003-12-20 04:44 . 2007-04-10 09:19 511272 c:\windows\system32\drivers\ctac32k.sys
+ 2007-04-10 09:19 . 2007-04-10 09:19 511272 c:\windows\system32\drivers\ctac32k.sys
+ 2007-04-09 17:19 . 2007-04-09 17:19 313207 c:\windows\system32\ctstatic.dat
- 2003-12-20 04:44 . 2007-04-09 17:19 313207 c:\windows\system32\ctstatic.dat
+ 2007-04-12 13:10 . 2007-04-12 13:10 560384 c:\windows\system32\CTSBLFX.DLL
- 2003-12-20 04:44 . 2007-04-12 13:10 560384 c:\windows\system32\CTSBLFX.DLL
+ 2007-04-09 17:19 . 2007-04-09 17:19 241084 c:\windows\system32\CTSBASW.DAT
+ 2007-04-09 17:19 . 2007-04-09 17:19 274587 c:\windows\system32\ctsbas2w.dat
- 2003-12-20 04:44 . 2007-04-09 17:19 274587 c:\windows\system32\ctsbas2w.dat
- 2003-12-20 04:44 . 2007-04-09 17:21 137728 c:\windows\system32\ctosuser.dll
+ 2007-04-09 17:21 . 2007-04-09 17:21 137728 c:\windows\system32\ctosuser.dll
+ 2007-04-09 17:24 . 2007-04-09 17:24 110080 c:\windows\system32\ctemupia.dll
- 2003-12-20 04:44 . 2007-04-09 17:24 110080 c:\windows\system32\ctemupia.dll
- 2003-12-20 04:44 . 2007-04-09 17:24 325821 c:\windows\system32\ctdlang.dat
+ 2007-04-09 17:24 . 2007-04-09 17:24 325821 c:\windows\system32\ctdlang.dat
- 2003-12-20 04:44 . 2007-04-09 17:32 131072 c:\windows\system32\ctdcifce.dll
+ 2007-04-09 17:32 . 2007-04-09 17:32 131072 c:\windows\system32\ctdcifce.dll
+ 2007-04-09 17:32 . 2007-04-09 17:32 335872 c:\windows\system32\ctdc0001.dll
- 2003-12-20 04:44 . 2007-04-09 17:32 335872 c:\windows\system32\ctdc0001.dll
- 2003-12-20 04:44 . 2007-04-09 17:32 227840 c:\windows\system32\ctdc0000.dll
+ 2007-04-09 17:32 . 2007-04-09 17:32 227840 c:\windows\system32\ctdc0000.dll
+ 2007-04-09 17:19 . 2007-04-09 17:19 115166 c:\windows\system32\CTBASICW.DAT
+ 2007-04-09 17:21 . 2007-04-09 17:21 149838 c:\windows\system32\ctbas2w.dat
- 2003-12-20 04:44 . 2007-04-09 17:21 149838 c:\windows\system32\ctbas2w.dat
- 2003-12-20 04:44 . 2007-04-12 13:10 546048 c:\windows\system32\CTAUDFX.DLL
+ 2007-04-12 13:10 . 2007-04-12 13:10 546048 c:\windows\system32\CTAUDFX.DLL
+ 2005-06-07 17:58 . 2005-06-07 17:58 765952 c:\windows\system\CRLDS3D.DLL
+ 2009-04-13 22:29 . 2005-10-21 01:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-13 20:44 . 2005-10-21 01:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
+ 2007-04-10 10:58 . 2007-04-10 10:58 1372840 c:\windows\system32\drivers\CTMMFILT.SYS
+ 2007-04-10 10:55 . 2007-04-10 10:55 1366696 c:\windows\system32\drivers\CT0531FL.SYS
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"PeerGuardian"="g:\program files\PeerGuardian2\pg2.exe" [2009-04-10 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-31 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 c:\windows\system32\Ctxfihlp.exe]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-12-17 748840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-01-13 169472]
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-12-29 1175552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"msacm.dvacm"= dvacm.acm
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"g:\\Program Files\\Gmail Notifier\\gnotify.exe"=
"c:\\Program Files\\MSN Messenger\\usnsvc.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Motive\\McciCMService.exe"=
"c:\\WINDOWS\\system32\\MsPMSPSv.exe"=

R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
R3 lac97inf;lac97inf; [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-12-10 7808]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\DRIVERS\si3112r.sys [2002-10-15 84529]
S2 tcaicchg;tcaicchg;c:\windows\System32\tcaicchg.sys [2000-06-05 21233]
S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\DRIVERS\TCAITDI.sys [2001-09-03 19534]
S3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2007-04-10 19112]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.xanga.com/private/yourhome.aspx?user=pimpin_potter
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: musicmatch.com\online
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\jwjue9jy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/showthread.php?p=303311#post303311
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: g:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: g:\program files\DivX\DivX Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 17:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,fc,bd,91,37,73,
a7,8f,c2,c8,28,51,af,b0,29,a3,98,c1,ac,66,f0,3c,67,fd,50,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,95,5c,67,fb,b7,
d4,0f,0f,71,3b,04,66,8b,46,0d,96,e8,37,b4,be,66,e5,9e,5f,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,4d,7e,96,96,41,
aa,67,68,25,da,ec,7e,55,20,c9,26,11,4b,19,74,c9,0b,96,42,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,51,f7,8d,05,75,
2f,8e,77,3e,1e,9e,e0,57,5a,93,61,da,57,62,6b,47,68,bc,83,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ff,5d,d3,01,e9,
ba,9e,b5,cd,44,cd,b9,a6,33,6c,cd,74,6d,84,01,9f,c7,14,59,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,53,d8,68,3c,71,
fc,16,58,b0,18,ed,a7,3f,8d,37,a4,7e,54,05,37,f2,f6,5d,08,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,ed,c5,32,cc,5c,
ff,ae,eb,31,77,e1,ba,b1,f8,68,02,25,7e,03,43,88,2f,df,33,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,31,a0,3c,57,33,
37,c7,c7,83,6c,56,8b,a0,85,96,ab,4a,bc,6a,36,97,5b,95,1c,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,68,31,e6,f9,c6,
67,0f,12,51,fa,6e,91,28,9e,14,cc,35,3a,3d,06,d3,ea,12,a2,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,ab,b9,b3,fb,46,
eb,96,55,b1,cd,45,5a,a8,c4,f8,b9,df,38,07,23,16,4e,3d,aa,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,e0,87,01,cb,7b,
ce,6c,92,e3,0e,66,d5,eb,bc,2f,6b,a9,5e,31,69,51,b2,b8,c7,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,de,75,72,90,38,
20,86,97,fa,ea,66,7f,d4,3b,6b,70,e8,53,bf,49,80,1a,8a,ef,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2900)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-13 17:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 22:40
ComboFix2.txt 2009-04-13 20:56
ComboFix3.txt 2009-04-13 19:00
ComboFix4.txt 2009-04-11 18:03
ComboFix5.txt 2009-04-12 22:23

Pre-Run: 2,693,849,088 bytes free
Post-Run: 2,674,597,888 bytes free

357 --- E O F --- 2009-04-11 03:06

katana
2009-04-13, 12:37
There is no sign of infection now, have you tried reinstalling the drivers for your CD/DVD drive ?




Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan (http://www.pandasecurity.com/activescan/index/) << LINK

Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small export to notepad button and save the report to your desktop.
Please post the report in your reply.

invisiblegardener
2009-04-15, 09:31
Yes, I tried reinstalling the drivers. I described the problem to my dad and he thinks the drive simply died (it's fairly old).
In any case, I am going to pass it on to him, so if the problem is just with my computer he will be able to get some use from the drive.

From the log attached it looks like some infection has sprung back up. Can you recommend a real-time malware protector?

;*****************************************************************************************************
ANALYSIS: 2009-04-15 00:26:28
PROTECTIONS: 1
MALWARE: 71
SUSPECTS: 3
;*****************************************************************************************************
PROTECTIONS
Description Version Active Updated
;=====================================================================================================
Kaspersky Anti-Virus 7.0.0.125 Yes Yes
;=====================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====================================================================================================
00001888 adware/dyfuca Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\internet optimizer
00020302 adware/ncase Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\sais
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\matt\favorites\fun & games
00047660 adware/sqwire Adware No 0 Yes No hkey_current_user\software\tsl2
00055151 V6000 Virus No 0 No No C:\Documents and Settings\Matt\Application Data\SecondLife\cache\textures\5\5f214cec-33e6-1fac-c321-568834d31f58
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@atdmt[2].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@tradedoubler[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@mediaplex[2].txt
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@anm.co[1].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@revenue[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@com[1].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@yadro[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@xiti[1].txt
00167744 Cookie/GoStats TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@gostats[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@azjmp[2].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@toplist[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@statcounter[2].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@perf.overture[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@ad.yieldmanager[5].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@ad.yieldmanager[4].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@apmebf[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@www.burstbeacon[1].txt
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@weborama[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@server.iad.liveperson[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@stat.onestat[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@advertising[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@statse.webtrendslive[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@ads.pointroll[2].txt
00170550 Cookie/Humanclick TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@hc2.humanclick[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@realmedia[1].txt
00171633 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@www5.addfreestats[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@zedo[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@adrevolver[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@adultfriendfinder[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@go[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@searchportal.information[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@target[1].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@did-it[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@atwola[1].txt
00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@www6.addfreestats[2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@ads.addynamix[1].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@citi.bridgetrack[2].txt
03378493 Generic Trojan Virus/Trojan No 0 Yes No C:\My Downloads\Hijackthis\bfu.zip[BFU.exe]

;========================================================================================================
SUSPECTS
Sent Location
;========================================================================================================
No C:\Documents and Settings\Matt\Desktop\Combo.exe
No C:\Qoobox\Quarantine\C\WINDOWS\system32\gesudofi.exe.vir
No C:\Qoobox\Quarantine\C\WINDOWS\system32\gonaludu.dll.vir
;========================================================================================================
Id Severity Description
;========================================================================================================
;========================================================================================================

Qoobox and SysRestore lines removed

katana
2009-04-15, 12:20
Nothing to worry about there, most of what was found has already been removed by Combofix.

The only curious one is
C:\Documents and Settings\Matt\Application Data\SecondLife\cache\textures\5\5f214cec-33e6-1fac-c321-568834d31f58

I can't find any info on this one.
I don't know if it is an infection, or just a part of the Second Life program.




Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



DirLook::
C:\Documents and Settings\Matt\Application Data\SecondLife\cache\textures\5\5f214cec-33e6-1fac-c321-568834d31f58
File::
C:\My Downloads\Hijackthis\bfu.zip
Folder::
c:\documents and settings\matt\favorites\fun & games
Driver::
Registry::
[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\internet optimizer]
[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\sais]
[-hkey_current_user\software\tsl2]

ADS::
Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
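
As an added example (not part of this thread, and not code from ComboFix or sUBs), the Python script below shows how the detection table in the ActiveScan report above maps onto the CFScript sections katana used: registry locations become Registry:: deletions written as [-key], a file hit becomes a File:: line, a folder hit a Folder:: line, tracking cookies get no directive, and the one item the helper could not identify is listed under DirLook:: for inspection rather than deletion. The routing rules are this example's own assumptions (the File/Folder split is by file extension and the archive member suffix [BFU.exe] is stripped), the sample lines are copied from the posted report, and the generated script is something for a helper to review before it is ever dragged onto ComboFix, because every File::, Folder:: and Registry:: line is a deletion.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: seven lines copied from the Panda ActiveScan
# report posted in this thread, in the report's own column layout
# (Id Description Type Active Severity Disinfectable Disinfected Location).
SAMPLE_REPORT = r"""
00001888 adware/dyfuca Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\internet optimizer
00020302 adware/ncase Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\sais
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\matt\favorites\fun & games
00047660 adware/sqwire Adware No 0 Yes No hkey_current_user\software\tsl2
00055151 V6000 Virus No 0 No No C:\Documents and Settings\Matt\Application Data\SecondLife\cache\textures\5\5f214cec-33e6-1fac-c321-568834d31f58
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Matt\Cookies\matt@trafficmp[2].txt
03378493 Generic Trojan Virus/Trojan No 0 Yes No C:\My Downloads\Hijackthis\bfu.zip[BFU.exe]
"""

# One detection line. The description may contain spaces ("Generic Trojan"),
# so it is matched lazily and anchored by the fixed Yes/No/digit columns.
LINE_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+?)\s*$"
)

# Section order used by the CFScript posted above.
SECTION_ORDER = ("DirLook", "File", "Folder", "Driver", "Registry", "ADS")


def parse_report(text: str) -> List[Dict[str, str]]:
    """Return one dict per detection line; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Map a detection to a (section, target) pair, or None to leave it alone.

    These rules are this example's assumptions, not ComboFix rules:
      - tracking cookies get no directive (clear them from the browser instead);
      - registry locations become Registry:: key deletions written as [-key];
      - a 'Virus' hit the scanner cannot disinfect goes under DirLook:: so the
        helper can look at it first, as was done for the SecondLife item;
      - any other path is File:: if its last component has an extension,
        else Folder::; an archive member suffix like [BFU.exe] is dropped.
    """
    kind, loc = entry["type"], entry["location"]
    if kind == "TrackingCookie":
        return None
    if loc.lower().startswith("hkey_"):
        return ("Registry", f"[-{loc}]")
    if kind == "Virus" and entry["disinfectable"] == "No":
        return ("DirLook", loc)
    path = re.sub(r"\[[^\]]*\]$", "", loc)  # strip "[member]" of an archive hit
    last = path.rsplit("\\", 1)[-1]
    return ("File", path) if "." in last else ("Folder", path)


def build_cfscript(entries: List[Dict[str, str]]) -> str:
    """Emit the non-empty sections in SECTION_ORDER; targets keep report order."""
    sections: Dict[str, List[str]] = {name: [] for name in SECTION_ORDER}
    for entry in entries:
        hit = classify(entry)
        if hit and hit[1] not in sections[hit[0]]:
            sections[hit[0]].append(hit[1])
    out = []
    for name in SECTION_ORDER:
        if sections[name]:
            out.append(f"{name}::")
            out.extend(sections[name])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Prints a CFScript whose lines match the one posted above, minus the
    # empty Driver:: and ADS:: sections.
    print(build_cfscript(parse_report(SAMPLE_REPORT)), end="")
```

Run it and compare the output with the CFScript in the post above; the two agree line for line, which is the point of the exercise: the script is a deterministic rewrite of the scanner's findings, and the judgement (what to delete, what to only look at, what to ignore) sits in classify(), where a reviewer can read and challenge it.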

invisiblegardener
2009-04-16, 09:19
ComboFix 09-04-16.02 - Matt 04/16/2009 1:06.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1109 [GMT -5:00]
Running from: c:\documents and settings\Matt\Desktop\Combo.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\my downloads\Hijackthis\bfu.zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\matt\favorites\fun & games
c:\my downloads\Hijackthis\bfu.zip

.
((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-16 02:57 . 2009-04-16 03:02 -------- d-----w c:\documents and settings\Matt\Application Data\dvdcss
2009-04-16 02:57 . 2009-04-16 02:59 -------- d-----w c:\documents and settings\Matt\Application Data\vlc
2009-04-14 23:19 . 2008-06-19 21:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-13 20:44 . 2009-04-16 06:11 11564 ----a-w c:\windows\system32\DVCState-{00000001-00000000-00000007-00001102-00000004-10021102}.rfx
2009-04-13 19:10 . 2009-04-13 19:24 -------- d-----w C:\rsit
2009-04-12 21:36 . 2009-04-12 21:36 1080 ----a-w c:\windows\system32\settingsbkup.sfm
2009-04-12 21:36 . 2009-04-12 21:36 1080 ----a-w c:\windows\system32\settings.sfm
2009-04-12 21:34 . 2006-11-14 12:28 86016 ----a-w c:\windows\system32\cttele.dll
2009-04-12 21:33 . 2009-04-12 21:33 409600 ----a-w c:\windows\system32\wrap_oal.dll
2009-04-12 18:17 . 2009-04-12 18:17 -------- d-----w c:\documents and settings\Matt\Application Data\Foxit
2009-04-11 17:37 . 2009-04-11 17:37 -------- d-----w C:\CF
2009-04-11 15:47 . 2009-04-11 15:47 -------- d-----w c:\documents and settings\Matt\Application Data\Malwarebytes
2009-04-11 15:47 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-11 15:47 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 15:47 . 2009-04-11 15:47 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-11 03:06 . 2009-04-11 03:06 19526 ----a-w C:\ComboFix.zip
2009-04-11 01:44 . 2009-04-11 01:45 -------- d-----w C:\xiFobmoC
2009-04-11 01:23 . 2009-04-11 01:26 -------- d-----w C:\CleanMe
2009-04-08 21:57 . 2009-04-08 21:57 -------- d-----w c:\documents and settings\Matt\Local Settings\Application Data\{E0019759-D443-4CCD-B77F-D712A400474C}
2009-04-07 01:59 . 2009-04-07 01:59 -------- d-----w c:\windows\system32\NtmsData
2009-03-28 03:26 . 2009-03-29 18:41 -------- d-----w c:\documents and settings\Matt\Application Data\HouseCall 6.6
2009-03-27 22:53 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-27 22:44 . 2009-03-27 22:44 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-25 05:31 . 2009-04-11 02:18 -------- d--h--w c:\documents and settings\Matt\Application Data\drivers

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 03:41 . 2003-12-19 05:12 -------- d-----w c:\program files\Windows Media Bonus Pack for Windows XP
2009-04-16 03:40 . 2005-03-18 20:41 -------- d-----w c:\program files\Soulseek
2009-04-16 03:39 . 2005-09-05 06:45 -------- d-----w c:\documents and settings\Matt\Application Data\Musicmatch
2009-04-16 03:39 . 2004-01-14 04:03 -------- d-----w c:\program files\MUSICMATCH
2009-04-14 23:17 . 2009-04-14 23:17 -------- d-----w c:\program files\Panda Security
2009-04-13 19:03 . 2003-12-30 21:04 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-13 05:06 . 2003-12-19 16:53 87904 ----a-w c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-12 21:33 . 2003-12-20 04:44 114688 ----a-w c:\windows\system32\OpenAL32.dll
2009-04-12 21:33 . 2003-12-19 16:32 -------- d-----w c:\documents and settings\Matt\Application Data\Creative
2009-04-12 18:38 . 2009-04-12 18:37 3029 ----a-w C:\JavaRa.log
2009-04-12 18:37 . 2005-02-14 01:32 -------- d-----w c:\program files\Java
2009-04-12 18:14 . 2003-12-22 04:59 -------- d-----w c:\program files\Common Files\Adobe
2009-04-11 15:47 . 2009-04-11 15:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-11 15:45 . 2009-04-11 15:44 2967800 ----a-w c:\program files\mbam-setup.exe
2009-04-11 15:41 . 2009-04-11 15:41 -------- d-----w c:\program files\Trend Micro
2009-04-11 02:20 . 2005-01-18 05:24 -------- d-----w c:\program files\Steam
2009-04-10 20:54 . 2001-08-23 12:00 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-07 02:46 . 2009-04-07 02:46 -------- d-----w c:\program files\ERUNT
2009-04-07 02:44 . 2009-04-07 02:44 791393 ----a-w c:\program files\erunt-setup.exe
2009-04-01 01:14 . 2009-04-01 01:14 230 ----a-w C:\Network Security Settings.txt
2009-03-28 05:41 . 2009-03-28 05:41 812344 ----a-w c:\program files\HJTInstall.exe
2009-03-28 02:11 . 2009-01-14 07:22 441 ----a-w C:\VundoFix.txt
2009-03-27 22:43 . 2009-03-27 22:43 -------- d-----w c:\program files\Lavasoft
2009-03-27 21:57 . 2005-09-17 02:11 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-26 05:26 . 2008-12-09 04:09 688416 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-26 05:26 . 2008-12-09 04:09 688416 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-26 05:26 . 2008-12-09 04:09 66656 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-26 05:26 . 2008-12-09 04:09 315320 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-26 05:26 . 2008-12-09 04:09 23229728 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-26 05:26 . 2008-12-09 04:09 23229728 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-25 05:07 . 2006-04-15 22:46 0 ----a-w C:\CreateMarkers.log
2009-03-09 10:19 . 2009-01-11 07:17 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-23 21:58 . 2004-10-05 02:25 -------- d-----w c:\program files\Google
2009-02-09 11:13 . 2001-08-23 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2007-06-05 00:27 . 2007-06-05 00:27 127 ----a-w c:\documents and settings\Matt\Local Settings\Application Data\fusioncache.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\Matt\Application Data\SecondLife\cache\textures\5\5f214cec-33e6-1fac-c321-568834d31f58 ----



((((((((((((((((((((((((((((( SnapShot_2009-04-13_17.39.30.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-13 22:33 . 2009-04-13 22:33 16384 c:\windows\Temp\Perflib_Perfdata_7d8.dat
+ 2009-04-16 06:14 . 2009-04-16 06:14 16384 c:\windows\Temp\Perflib_Perfdata_7d8.dat
+ 2009-04-14 23:19 . 2008-06-19 21:24 28544 c:\windows\system32\drivers\pavboot.sys
+ 2009-04-16 06:10 . 2005-10-21 01:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-13 22:29 . 2005-10-21 01:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"PeerGuardian"="g:\program files\PeerGuardian2\pg2.exe" [2009-04-11 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-31 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2007-04-09 19968]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2008-12-17 748840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-1-13 169472]
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-12-29 1175552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"msacm.dvacm"= dvacm.acm
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"g:\\Program Files\\Gmail Notifier\\gnotify.exe"=
"c:\\Program Files\\MSN Messenger\\usnsvc.exe"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Motive\\McciCMService.exe"=
"c:\\WINDOWS\\system32\\MsPMSPSv.exe"=

R3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
R3 lac97inf;lac97inf; [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-12-10 7808]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\DRIVERS\si3112r.sys [2002-10-16 84529]
S2 tcaicchg;tcaicchg;c:\windows\System32\tcaicchg.sys [2000-06-06 21233]
S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\DRIVERS\TCAITDI.sys [2001-09-03 19534]
S3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2007-04-10 19112]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.xanga.com/private/yourhome.aspx?user=pimpin_potter
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\jwjue9jy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/showthread.php?p=303311#post303311
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: g:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: g:\program files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: g:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 01:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,fc,bd,91,37,73,
a7,8f,c2,c8,28,51,af,b0,29,a3,98,c1,ac,66,f0,3c,67,fd,50,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,95,5c,67,fb,b7,
d4,0f,0f,71,3b,04,66,8b,46,0d,96,e8,37,b4,be,66,e5,9e,5f,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,4d,7e,96,96,41,
aa,67,68,25,da,ec,7e,55,20,c9,26,11,4b,19,74,c9,0b,96,42,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,51,f7,8d,05,75,
2f,8e,77,3e,1e,9e,e0,57,5a,93,61,da,57,62,6b,47,68,bc,83,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,ff,5d,d3,01,e9,
ba,9e,b5,cd,44,cd,b9,a6,33,6c,cd,74,6d,84,01,9f,c7,14,59,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,53,d8,68,3c,71,
fc,16,58,b0,18,ed,a7,3f,8d,37,a4,7e,54,05,37,f2,f6,5d,08,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,ed,c5,32,cc,5c,
ff,ae,eb,31,77,e1,ba,b1,f8,68,02,25,7e,03,43,88,2f,df,33,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,31,a0,3c,57,33,
37,c7,c7,83,6c,56,8b,a0,85,96,ab,4a,bc,6a,36,97,5b,95,1c,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,68,31,e6,f9,c6,
67,0f,12,51,fa,6e,91,28,9e,14,cc,35,3a,3d,06,d3,ea,12,a2,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,ab,b9,b3,fb,46,
eb,96,55,b1,cd,45,5a,a8,c4,f8,b9,df,38,07,23,16,4e,3d,aa,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,e0,87,01,cb,7b,
ce,6c,92,e3,0e,66,d5,eb,bc,2f,6b,a9,5e,31,69,51,b2,b8,c7,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,de,75,72,90,38,
20,86,97,fa,ea,66,7f,d4,3b,6b,70,e8,53,bf,49,80,1a,8a,ef,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2712)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2009-04-16 1:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 06:20
ComboFix2.txt 2009-04-13 22:42
ComboFix3.txt 2009-04-13 20:56
ComboFix4.txt 2009-04-13 19:00
ComboFix5.txt 2009-04-16 06:06

Pre-Run: 2,633,457,664 bytes free
Post-Run: 2,615,648,256 bytes free

272 --- E O F --- 2009-04-11 03:06

katana
2009-04-16, 11:15
OTMoveIt
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop

Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. (Make sure you include :Processes)



:Processes
:Files
C:\Documents and Settings\Matt\Application Data\SecondLife\cache\textures\5\5f214cec-33e6-1fac-c321-568834d31f58



Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.


Close ALL open windows (especially Internet Explorer!)
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please let me know as soon as possible if there are any problems with Second Life after you have done the above.

invisiblegardener
2009-04-18, 19:56
========== PROCESSES ==========
========== FILES ==========
C:\Documents and Settings\Matt\Application Data\SecondLife\cache\textures\5\5f214cec-33e6-1fac-c321-568834d31f58 moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04182009_120512


Proceeding to check SecondLife.

invisiblegardener
2009-04-18, 20:21
Actually, SecondLife isn't even installed anymore. I pulled up that Application Data folder and saw subfolders for several other programs I don't use anymore.

katana
2009-04-20, 00:21
Actually, SecondLife isn't even installed anymore
That's fine then :)
Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First, let's tidy up.

Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.

Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined.
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


Uninstall OTMoveIt
Open OTMoveIt Click Cleanup,
When a box pops up click YES.

-----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you; see HERE (http://secunia.com/software_inspector/) for details.

AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have free (for home users) and paid versions;
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must-have program. It includes hosts protection and registry protection. A hosts file is a bit like a phone book: it points from the human-friendly name of a website to the actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner

Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some!! Notifies you if programs are added to startup. Allows delayed startup. A must-have addition.
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other hosts file protections.

Internet Browsers
Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy, this is a very popular choice. The NoScript and AdBlockPlus addons are essential.
Opera (http://www.opera.com/) Another popular alternative.
Netscape (http://browser.netscape.com/addons) Another popular alternative. Also has addons available.

Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION: If you delete all your cookies, you will lose any autologin information for sites that you visit, and will need your passwords.

Both of these can be cleaned manually, but a quicker option is to use a program:
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use.
CCleaner (http://www.ccleaner.com/) Free and very flexible; you can choose which cookies to keep.

Also PLEASE read this article: So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
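
The Internet Explorer "Custom Level" steps in the post above can be checked without clicking through the dialog, because IE keeps each zone setting as a DWORD value in the registry (zone 3 is the Internet zone). The script below is an added example written for this page; it is not part of the thread, of Spybot, or of any tool mentioned here. It assumes PowerShell is available, that the standard per-user key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 is present, and that the value IDs (1001, 1004, 1201, 1800, 1804, 1607) and action codes (0 = Enable, 1 = Prompt, 3 = Disable) follow Microsoft's documented layout for IE security zones. The function names Test-InternetZoneHardening and Get-ActionName are my own.

```powershell
# Added example (not from the thread): audit the Internet zone settings the post
# above asks the user to change, and report any that are weaker than recommended.
# Assumption: standard IE zone registry layout; zone 3 = Internet zone.
# Action codes: 0 = Enable, 1 = Prompt, 3 = Disable, so a higher code is stricter.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The six settings and the targets given in the post above.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialise and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

$ActionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActionName([object]$Code) {
    # Translate a stored action code into the label shown in the IE dialog.
    if ($Code -eq $null) { return '(not set)' }
    if ($ActionName.ContainsKey([int]$Code)) { return $ActionName[[int]$Code] }
    return "unknown ($Code)"
}

function Test-InternetZoneHardening {
    # Compare each recommended setting with the registry and emit one result object
    # per setting. With -Fix, weak or missing values are written to the recommended
    # code. The key is per-user, so no administrator rights are needed.
    param([switch]$Fix)

    $zone = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($s in $Recommended) {
        $current = $zone.($s.Id)
        # A value that is absent falls back to the zone template default; treat it as
        # needing an explicit setting. Any code below the target is more permissive.
        $weak = ($current -eq $null) -or ([int]$current -lt $s.Want)

        if ($weak -and $Fix) {
            Set-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Want -Type DWord
            $status = 'FIXED'
        } elseif ($weak) {
            $status = 'WEAK'
        } else {
            $status = 'OK'
        }

        New-Object PSObject -Property @{
            Setting     = $s.Name
            Current     = Get-ActionName $current
            Recommended = $ActionName[$s.Want]
            Status      = $status
        }
    }
}

# Report only by default; run "Test-InternetZoneHardening -Fix" to apply the values.
Test-InternetZoneHardening | Format-Table Status, Setting, Current, Recommended -AutoSize
```

Run it once before and once after making the changes in the dialog: every row should move from WEAK to OK. Because the check reads the same values the dialog writes, it also catches the case where a program (or malware) has quietly reset a setting back to Enable later on, which is the kind of drift the monthly scans above are meant to catch.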

invisiblegardener
2009-04-25, 22:40
Everything is still running great! Spybot is working again and I downloaded Winpatrol. Thanks again for your help!