Cannot See File [Archive] - Safer-Networking Forums

amdark

2009-05-17, 08:58

Hello,

Can some one please explain to me why i cannot see a file that spybot is telling me is there and is a trojan. I don't get it

I ran spybot and it is telling me i have 4 Win32.TDSS.rtk trojans located here:

Win32.TDSS.rtk: [SBI $05E456BF] File (File, nothing done)
C:\WINDOWS\system32\ovfsthbqqjgcewnxbyayonyrredjmyhrqjchnx.dll

Win32.TDSS.rtk: [SBI $05E456BF] File (File, nothing done)
C:\WINDOWS\system32\ovfsthuakvpxcodlvlrjqdbfsbkjtmfytpqrow.dll

Win32.TDSS.rtk: [SBI $05E456BF] File (File, nothing done)
C:\WINDOWS\system32\ovfsthwyyowdppfmpdvglgmsmcdtoswcruiwid.dll

Win32.TDSS.rtk: [SBI $DB1744B9] File (File, nothing done)
C:\WINDOWS\system32\drivers\ovfsthklvnrjcanmqqwabpxnbevshmrxdologc.sys

Now when i go to these directories the file is not there. Whats the deal?

These 4 files are the only things that comes up when i run a scan, therefore i believe this is my infection on my browser which redirects me from time to time during searches. Did not think it was going to be hard to remove since my computer has not been taken over by this thing, just an annoying inconvenience.

Spybot says the files have been fixed but every time i rescan they still appear. Any thoughts?

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:02:50, on 5/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\etmin.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA4011] command /c del "C:\WINDOWS\system32\ovfsthbqqjgcewnxbyayonyrredjmyhrqjchnx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4037] cmd /c del "C:\WINDOWS\system32\ovfsthbqqjgcewnxbyayonyrredjmyhrqjchnx.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6840] command /c del "C:\WINDOWS\system32\ovfsthuakvpxcodlvlrjqdbfsbkjtmfytpqrow.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4349] cmd /c del "C:\WINDOWS\system32\ovfsthuakvpxcodlvlrjqdbfsbkjtmfytpqrow.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6062] command /c del "C:\WINDOWS\system32\ovfsthbqqjgcewnxbyayonyrredjmyhrqjchnx.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8710] cmd /c del "C:\WINDOWS\system32\ovfsthbqqjgcewnxbyayonyrredjmyhrqjchnx.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8881] command /c del "C:\WINDOWS\system32\ovfsthuakvpxcodlvlrjqdbfsbkjtmfytpqrow.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5620] cmd /c del "C:\WINDOWS\system32\ovfsthuakvpxcodlvlrjqdbfsbkjtmfytpqrow.dll"
O4 - Startup: etmin.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: w2pxdrv.dll
O10 - Unknown file in Winsock LSP: w2pxdrv.dll
O10 - Unknown file in Winsock LSP: w2pxdrv.dll
O10 - Unknown file in Winsock LSP: w2pxdrv.dll
O10 - Unknown file in Winsock LSP: w2pxdrv.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232441300343
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://play.battlefield-heroes.com/static/updater/BFHUpdater_4.0.15.0.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 8615 bytes

amdark

2009-05-17, 09:24

Was looking at a previous post where someone recommended combo fix.

Identified my problem at least with a few other related files and deleted them.

Running a scan now with spybot to see if that did the trick.

Here's Combo fix log:
ComboFix 09-05-16.05 - Andrew 05/17/2009 3:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2758 [GMT -4:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Andrew\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\arazuzed.ini
c:\windows\system32\drivers\ovfsthklvnrjcanmqqwabpxnbevshmrxdologc.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\ovfsthbqqjgcewnxbyayonyrredjmyhrqjchnx.dll
c:\windows\system32\ovfstheaxwtyehjsursjyixkfsqhxeqbglyhhe.dat
c:\windows\system32\ovfsthombqcrnqayumsxxipoysoltabdyqixoy.dat
c:\windows\system32\ovfsthuakvpxcodlvlrjqdbfsbkjtmfytpqrow.dll
c:\windows\system32\ovfsthuakvpxcodlvlrjqdbfsbkjtmfytpqrow.dll_old
c:\windows\system32\ovfsthwyyowdppfmpdvglgmsmcdtoswcruiwid.dll
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthybwuwcmexmafulkmxbfjwbpjpiqqpnvk

((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 02:56 . 2009-05-17 02:56 -------- d-----w c:\documents and settings\Andrew\Application Data\Malwarebytes
2009-05-17 02:56 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-17 02:56 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-17 02:56 . 2009-05-17 02:56 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-17 02:56 . 2009-05-17 02:56 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-16 18:38 . 2009-05-16 18:38 -------- d-----w c:\program files\Trend Micro
2009-04-29 21:19 . 2009-04-29 21:19 41808 ----a-w c:\windows\system32\xfcodec.dll
2009-04-25 04:39 . 2009-04-25 04:39 -------- d-----w c:\program files\Phantom Fiber Inc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 19:39 . 2008-11-23 01:56 138512 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-16 19:38 . 2008-11-23 01:56 201440 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-16 19:32 . 2009-04-03 04:44 -------- d-----w c:\program files\EA Games
2009-05-09 17:03 . 2008-11-22 02:59 -------- d-----w c:\program files\Xfire
2009-05-08 21:12 . 2009-01-03 05:06 -------- d-----w c:\program files\PlayersOnly Poker
2009-04-22 21:46 . 2009-01-13 09:13 -------- d-----w c:\program files\Steam
2009-04-22 21:36 . 2008-11-23 01:55 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-22 21:03 . 2008-11-22 02:58 -------- d-----w c:\program files\Ventrilo
2009-04-18 21:54 . 2009-03-08 02:35 -------- d-----w c:\program files\World of Warcraft
2009-04-15 02:04 . 2009-04-15 02:04 -------- d-----w c:\program files\Proxy Labs
2009-04-15 02:03 . 2009-04-15 02:03 -------- d-----w c:\program files\SocksCapV2
2009-04-15 02:02 . 2009-04-15 02:02 -------- d-----w c:\program files\Your Freedom
2009-04-05 22:10 . 2009-02-25 02:20 22328 ----a-w c:\documents and settings\Andrew\Application Data\PnkBstrK.sys
2009-04-05 22:09 . 2009-02-25 02:18 2246144 ----a-w c:\windows\system32\pbsvc.exe
2009-04-02 16:49 . 2008-11-22 02:47 -------- d-----w c:\program files\Interbank FX Trader 4
2009-04-01 03:13 . 2009-04-01 00:22 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-22 04:43 . 2009-03-21 07:58 -------- d-----w c:\program files\Common Files\Real
2009-03-21 21:07 . 2008-11-22 03:03 -------- d-----w c:\program files\mIRC
2009-03-21 07:58 . 2003-10-17 17:44 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-21 02:24 . 2008-11-22 02:57 -------- d-----w c:\program files\Spybot - Search & Destroy
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
etmin.exe [2004-8-13 24064]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^etmin.exe]
path=c:\documents and settings\Andrew\Start Menu\Programs\Startup\etmin.exe
backup=c:\windows\pss\etmin.exeStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3sp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys --> c:\windows\system32\drivers\c6501.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: w2pxdrv.dll
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://play.battlefield-heroes.com/static/updater/BFHUpdater_4.0.15.0.cab
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\1p6mi2tl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?rls=ig&hl=en
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\1p6mi2tl.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 03:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\w2pxdrv.dll

- - - - - - - > 'explorer.exe'(1920)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-17 3:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-17 07:22

Pre-Run: 72,906,006,528 bytes free
Post-Run: 72,851,595,264 bytes free

172

amdark

2009-05-17, 09:36

well that did the trick Spybot picked up nothing this time around.

tashi

2009-05-17, 17:23

FYI to all users who may read this topic:
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806 )