
Thread: Need help with HJT log

  #1 - Junior Member (Join Date: Jan 2008, Posts: 7)

    Need help with HJT log

    We have an XP box that got hit with something nasty - AVG and ZoneAlarm disabled, constant pop-ups and some BSODs. Based on the ongoing presence of the mlljk.exe file in the systemdir, it looks to be Vundo.

    We've tried several removal products, all w/o success. We ran HJT last night, and got the following log. Appreciate any and all help.

    Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:49:12 PM, on 12/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG7\avgcc .exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Regular Random Crap\compooter safteh\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [FIREBOX] C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190388141718
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MySqlMain - Unknown owner - C:\DEVEL\MYSQL\BIN\MYSQLD.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 6274 bytes

  #2 - Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)


    Hi

    Navigate into the C:\Regular Random Crap\compooter safteh folder and rename the HijackThis.exe file to madcat.exe. Post a fresh HJT log after the renaming is done.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.

  #3 - Junior Member (Join Date: Jan 2008, Posts: 7)

    Re: new log

    New HJT log as requested.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:33:15 PM, on 2008-01-03
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Regular Random Crap\compooter safteh\madcat.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4695AAAF-0803-4CBF-A34D-FDAE34F2DBD2} - C:\WINDOWS\system32\mlljk.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [FIREBOX] C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O8 - Extra context menu item: &Search - ?p=ZJfox000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190388141718
    O20 - Winlogon Notify: cbxuuss - cbxuuss.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MySqlMain - Unknown owner - C:\DEVEL\MYSQL\BIN\MYSQLD.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 6880 bytes
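The entries in the log above that a helper reads first are the O2 BHO registered with no name whose DLL (mlljk.dll) is missing, the O20 Winlogon Notify entry pointing at a missing cbxuuss.dll, the O4 entry whose executable is named "qttask .exe" with a space before the extension, and the O8 context menu item whose target "?p=ZJfox000" has no host. The Python script below is an added example, not code from the thread or from HijackThis, that applies those checks mechanically to HJT lines; the sample lines are copied from the log above, and the severity labels are this example's own convention.

```python
import re

# Sample HijackThis lines copied from the second log in this thread; this is
# constructed test input for the example, not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4695AAAF-0803-4CBF-A34D-FDAE34F2DBD2} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Search - ?p=ZJfox000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: cbxuuss - cbxuuss.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O4 - HKLM\..\Run: ..." -> section code "O4" and the rest of the line.
SECTION_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
# A space immediately before the extension ("qttask .exe") is not how an
# installer names a file; several such files appear in the logs in this thread.
SPACE_EXT_RE = re.compile(r"\s\.(?:exe|dll|sys|com)\b", re.IGNORECASE)
# Targets a context-menu (O8) entry can legitimately point at.
RESOLVABLE_RE = re.compile(r"^(?:https?://|res://|file://|[A-Za-z]:\\)")

# Sections whose target is loaded into winlogon, Explorer or IE itself, so a
# "(file missing)" there matters more than a dead toolbar button (O9).
# Severity labels are this example's own convention.
HIGH_IMPACT = {"O2", "O20", "O21", "O23"}


def findings_for(line):
    """Return (severity, reason) pairs for one HJT line; empty if nothing odd."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return []                      # process list, headers, blank lines
    sec, body = m.group("sec"), m.group("body")
    out = []
    if "(file missing)" in body:
        out.append(("high" if sec in HIGH_IMPACT else "low", "target file missing"))
    if sec == "O2" and "(no name)" in body:
        out.append(("high", "BHO registered without a name"))
    if SPACE_EXT_RE.search(body):
        out.append(("medium", "space before file extension"))
    if sec == "O20":
        out.append(("high", "Winlogon Notify DLL (loaded by winlogon.exe)"))
    if sec == "O8" and not RESOLVABLE_RE.match(body.rsplit(" - ", 1)[-1]):
        out.append(("medium", "context menu item with no resolvable target"))
    return out


def triage(log_text):
    """Run every HJT line through findings_for and return one dict per finding."""
    results = []
    for line in log_text.splitlines():
        for severity, reason in findings_for(line):
            results.append({
                "section": SECTION_RE.match(line.strip()).group("sec"),
                "severity": severity,
                "reason": reason,
                "line": line.strip(),
            })
    return results


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f["severity"]):
        print(f"[{f['severity']:6}] {f['section']:<3} {f['reason']}: {f['line']}")
```

Note what these rules do not catch: the BndBlock4 BHO at C:\Program Files\QdrDrive\QdrDrive9.dll has a name, a present file and a clean-looking path, and passes every check, yet ComboFix later lists it among its deletions. Name and path heuristics narrow the list to read; they do not replace looking up each CLSID and file.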

  #4 - Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)


    Hi

    I recommend saving/printing this set of instructions, since you won't be able to access it from safe mode.

    Download this file - combofix.exe - to your desktop.

    Reboot into safe mode (press F8 before Windows starts and select the Safe Mode option).

    Double-click combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  #5 - Junior Member (Join Date: Jan 2008, Posts: 7)

    Re: Need Help with HJT Log

    Okay, combofix log below.

    Additional note: My nephew tried running Symantec's FixVundo a second time (I didn't find that out until he'd already done it), and it looks like it may have removed the Vundo. But one of the current spyware tools we installed is now reporting PurityScan as present.

    Thanks again for the help.


    ComboFix 07-12-31.4 - Cheshire Cat 2008-01-06 6:53:15.3 - NTFSx86 MINIMAL
    Running from: C:\Regular Random Crap\compooter safteh\ComboFix(2).exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Documents and Settings\Cheshire Cat\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\Cheshire Cat\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Cheshire Cat\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Program Files\ISM
    C:\Program Files\ISM\ism.exe
    C:\Program Files\ISM\Uninstall.exe
    C:\Program Files\QdrDrive
    C:\Program Files\QdrDrive\QdrDrive9.dll
    C:\Program Files\QdrDrive\qdrloader.exe
    C:\Program Files\QdrModule
    C:\Program Files\QdrModule\QdrModule11 .exe
    C:\WINDOWS\system32\mcrh.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
    .

    2008-01-06 06:35 . 2008-01-06 06:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Program Files\Webroot
    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\Cheshire Cat\Application Data\Webroot
    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2008-01-04 05:31 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
    2008-01-04 05:31 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2008-01-04 05:31 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2008-01-04 05:31 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2008-01-04 05:31 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
    2008-01-03 21:26 . 2008-01-03 21:36 <DIR> d-------- C:\VundoFix Backups
    2007-12-31 22:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-31 16:47 . 2007-03-09 00:02 919,280 --a------ C:\notwhatyouwant.exe
    2007-12-31 13:57 . 2007-12-31 13:58 <DIR> d-------- C:\Die vundo die
    2007-12-31 00:23 . 2007-12-31 00:24 14,651,520 --a------ C:\ssftrialsnrsetup1_23282812.exe
    2007-12-30 22:20 . 2007-12-30 22:21 194 --a------ C:\WINDOWS\wininit.ini
    2007-12-30 21:59 . 2007-12-31 00:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-29 07:46 . 2008-01-01 16:22 <DIR> d-------- C:\Documents and Settings\Uhanimar\Application Data\AVG7
    2007-12-29 04:39 . 2007-12-29 04:39 <DIR> d-------- C:\Program Files\RADVideo
    2007-12-28 21:08 . 2007-12-28 21:08 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-12-28 00:32 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
    2007-12-28 00:32 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
    2007-12-28 00:32 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
    2007-12-28 00:32 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
    2007-12-27 22:53 . 2008-01-04 20:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-27 22:53 . 2007-12-27 22:53 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-27 20:38 . 2007-12-27 20:38 <DIR> d-------- C:\Program Files\Metaboli Downloader
    2007-12-22 17:02 . 2007-12-23 09:10 90,112 --a------ C:\WINDOWS\UpdReg .EXE
    2007-12-22 17:02 . 2007-12-23 09:10 41,984 --a------ C:\WINDOWS\CTRegRun .EXE
    2007-12-18 23:17 . 2007-12-28 00:36 <DIR> d-------- C:\Program Files\The Witcher Demo
    2007-12-16 22:37 . 2007-12-16 22:55 <DIR> d-------- C:\Games
    2007-12-09 07:29 . 2007-12-09 07:29 <DIR> d-------- C:\Program Files\NifTools
    2007-12-07 18:18 . 2007-12-07 18:20 <DIR> d-------- C:\Daggermid
    2007-12-06 13:29 . 2007-12-08 16:12 <DIR> d-------- C:\Program Files\Daggerfall Jukebox
    2007-12-06 13:22 . 2007-12-07 18:17 <DIR> d-------- C:\Renabled
    2007-12-06 00:16 . 2007-12-06 00:16 19,835 --a------ C:\hollyking.jpg

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-04 07:10 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\AVG7
    2007-12-30 20:59 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\Bioshock
    2007-12-30 06:46 --------- d-----w C:\Program Files\Paint Shop Pro 5
    2007-12-28 05:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-26 08:14 --------- d-----w C:\Program Files\Steam
    2007-12-23 22:47 --------- d-----w C:\Program Files\QuickTime
    2007-12-15 22:49 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\LimeWire
    2007-12-12 22:22 --------- d-----w C:\Program Files\DOSBox-0.63
    2007-12-10 21:25 --------- d-----w C:\Program Files\Bethesda Softworks
    2007-12-03 22:04 --------- d-----w C:\Program Files\Diablo II
    2007-12-03 21:42 --------- d-----w C:\Program Files\Microsoft Games
    2007-11-30 23:51 --------- d-----w C:\Program Files\ReflexiveArcade
    2007-11-29 03:42 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2007-11-28 08:55 --------- d-----w C:\Program Files\NVIDIA Corporation
    2007-11-27 01:17 --------- d-----w C:\Program Files\VSTPlugins
    2007-11-26 23:01 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\Steinberg
    2007-11-26 22:59 --------- d-----w C:\Program Files\Steinberg
    2007-11-26 22:57 --------- d-----w C:\Program Files\Pinnacle
    2007-11-26 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle
    2007-11-26 11:03 --------- d-----w C:\Program Files\Tomb Raider - Legend Demo
    2007-11-25 09:18 --------- d-----w C:\Program Files\UT2004Demo
    2007-11-25 08:50 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-11-18 16:33 --------- d-----w C:\Program Files\Winamp
    2007-11-06 12:43 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\AccurateRip
    2007-11-03 03:10 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2007-11-03 03:10 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2007-11-02 03:59 42 ----a-w C:\Program Files\Common Files\appop.log
    2007-10-24 04:53 6,532,138 ----a-w C:\DBProto_20071023.zip
    2007-10-22 08:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
    2007-10-11 22:01 266,508 ----a-w C:\x0xb0x26_Panel.zip
    2007-09-07 00:00 101,200 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_06_19_58_33_small.dmp.zip
    2007-08-02 14:06 20,256,064 ----a-w C:\Program Files\QuickTimeInstaller.exe
    2007-03-09 10:07 1 ----a-w C:\Documents and Settings\Cheshire Cat\SI.bin
    .

    ----a-w           313,472 2007-12-23 14:10:12  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
    ----a-w           106,496 2007-12-23 14:09:57  C:\Program Files\AMD\amd_dc_opt\amd_dc_opt .exe
    ----a-w           185,632 2007-12-23 14:10:02  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    ----a-w            49,152 2007-12-23 14:10:08  C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
    ----a-w           122,880 2007-12-23 14:10:07  C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu .exe
    ----a-w            32,768 2007-12-23 14:10:05  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    ----a-w           579,072 2007-12-23 14:10:11  C:\Program Files\Grisoft\AVG7\avgcc .exe
    ----a-w           270,336 2007-12-23 14:09:57  C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr .exe
    ----a-w           299,008 2007-12-22 22:02:42  C:\Program Files\InterVideo\Disc Master 2.5\DirectCD .exe
    ----a-w           132,496 2007-12-23 14:09:58  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
    ----a-w         1,694,208 2007-12-23 14:10:12  C:\Program Files\Messenger\msmsgs .exe
    ----a-w         1,003,520 2007-12-23 14:10:05  C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control .exe
    ----a-w            41,984 2007-12-23 14:10:07  C:\WINDOWS\CTRegRun .EXE
    ----a-w            90,112 2007-12-23 14:10:02  C:\WINDOWS\UpdReg .EXE

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4695AAAF-0803-4CBF-A34D-FDAE34F2DBD2}]
    C:\WINDOWS\system32\mlljk.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"="" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.exe" [2006-02-28 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
    "nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
    "FIREBOX"="C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe" [ ]
    "NvMediaCenter"="RUNDLL32.exe" [2006-02-28 07:00 33280 C:\WINDOWS\system32\rundll32.exe]
    "CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02 919280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 11:49 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuuss]
    cbxuuss.dll

    R0 ivicd;Ivi CDVD Filter Driver;C:\WINDOWS\system32\drivers\ivicd.sys [2005-01-12 05:29]
    R3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-27 13:24]
    S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]
    S3 iviudf;iviudf;C:\WINDOWS\system32\drivers\IviUdf.sys [2005-06-23 01:09]
    S3 MySqlMain;MySqlMain;C:\DEVEL\MYSQL\BIN\MYSQLD MySqlMain []
    S3 ps_1394;ps_1394;C:\WINDOWS\system32\Drivers\ps_1394.sys [2004-10-14 17:33]
    S3 ps_avs;ps_avs;C:\WINDOWS\system32\Drivers\ps_avs.sys [2004-10-14 17:33]

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-28 21:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-01-04 10:31:27 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
    - A:\
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-06 06:59:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2008-01-06 7:01:14
    C:\qoobox\ComboFix-quarantined-files.txt 2008-01-06 12:00:24
    .
    2007-06-26 09:23:06 --- E O F ---
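ComboFix's file listings above come in three shapes (the "Files Created" section with a created and a modified stamp, the Find3M report with a single stamp, and the listing of executables with a space before their extension, where fourteen files share the minute 2007-12-23 14:09-14:10). They are easier to read once normalized into one record shape and grouped by modification minute, which makes that burst visible without reading every line. The script below is an added example, not part of the thread or of ComboFix; the line formats are inferred from the log above, the sample lines are copied from it, and the cluster threshold of three files is this example's assumption.

```python
import re
from collections import defaultdict

# Lines copied from the ComboFix log above, covering each line shape it uses.
# This is constructed test input for the example, not a complete log.
SAMPLE = r"""
2008-01-04 05:31 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-03 21:26 . 2008-01-03 21:36 <DIR> d-------- C:\VundoFix Backups
2007-12-22 17:02 . 2007-12-23 09:10 90,112 --a------ C:\WINDOWS\UpdReg .EXE
2007-12-22 17:02 . 2007-12-23 09:10 41,984 --a------ C:\WINDOWS\CTRegRun .EXE
2007-11-29 03:42 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-30 20:59 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\Bioshock
----a-w           313,472 2007-12-23 14:10:12  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w           106,496 2007-12-23 14:09:57  C:\Program Files\AMD\amd_dc_opt\amd_dc_opt .exe
----a-w           579,072 2007-12-23 14:10:11  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w         1,694,208 2007-12-23 14:10:12  C:\Program Files\Messenger\msmsgs .exe
----a-w            41,984 2007-12-23 14:10:07  C:\WINDOWS\CTRegRun .EXE
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
# "Files Created" section: created . modified size attrs path
CREATED_RE = re.compile(rf"^(?P<created>{STAMP}) \. (?P<mtime>{STAMP}) (?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$")
# Find3M report: modified size attrs path (size is dashes for a directory)
FIND3M_RE = re.compile(rf"^(?P<mtime>{STAMP}) (?P<size>[\d,]+|-+) (?P<attrs>\S+) (?P<path>.+)$")
# Listing of renamed executables: attrs size modified(with seconds) path
LISTING_RE = re.compile(rf"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+(?P<mtime>{STAMP}):\d{{2}}\s+(?P<path>.+)$")
SPACE_EXT_RE = re.compile(r"\s\.(?:exe|dll|sys|com)$", re.IGNORECASE)


def parse(text):
    """Normalize the three ComboFix line shapes into one record per entry."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        for rx in (CREATED_RE, FIND3M_RE, LISTING_RE):
            m = rx.match(line)
            if m:
                break
        else:
            continue                    # headers, dots, blank lines
        size = m.group("size")
        is_dir = size == "<DIR>" or m.group("attrs").startswith("d")
        records.append({
            "mtime": m.group("mtime"),  # minute precision for every shape
            "size": None if is_dir else int(size.replace(",", "")),
            "attrs": m.group("attrs"),
            "path": m.group("path"),
            "is_dir": is_dir,
        })
    return records


def space_before_ext(records):
    """Paths whose file name has a space before the extension, deduplicated."""
    return sorted({r["path"] for r in records if SPACE_EXT_RE.search(r["path"])})


def clusters(records, min_files=3):
    """Group non-directory records by modification minute and keep busy minutes.

    A burst of files all modified within one minute, long after their
    programs were installed, is the pattern the listing above shows for the
    ' .exe' files. The threshold of three is this example's assumption."""
    by_minute = defaultdict(list)
    for r in records:
        if not r["is_dir"]:
            by_minute[r["mtime"]].append(r["path"])
    return {k: v for k, v in sorted(by_minute.items()) if len(v) >= min_files}


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for minute, paths in clusters(recs).items():
        print(f"{minute}: {len(paths)} files")
        for p in paths:
            print("   ", p)
    print("space before extension:", *space_before_ext(recs), sep="\n    ")
```

The two views answer different questions: the cluster shows when the copies were made, the name check shows which files were touched even when their timestamps were scattered. Note that the "Files Created" stamps and the executable listing disagree by five hours for the same file (CTRegRun .EXE at 09:10 and 14:10:07), which matches the GMT -5:00 offset in the second ComboFix header; compare stamps only within one section.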

  #6 - Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)


    Hi

    Looks like you used an old version of ComboFix. Please delete all old combofix.exe files (the log shows you also have combofix(2).exe; delete it too). Then download a new one from here, run it again and post back the log.

  #7 - Junior Member (Join Date: Jan 2008, Posts: 7)

    Re: new ComboFix log, part 1

    The new log exceeds the forum limits, so I'm going to try posting it in two sections.

    Thanks.

    Part I:

    ComboFix 08-01-07.5 - Cheshire Cat 2008-01-08 6:20:14.9 - NTFSx86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1761 [GMT -5:00]
    Running from: C:\Regular Random Crap\compooter safteh\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
    .

    2008-01-07 05:35 . 2008-01-08 06:18 2,680,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-07 05:35 . 2008-01-08 06:18 32,492 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-06 06:35 . 2008-01-06 06:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Program Files\Webroot
    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\Cheshire Cat\Application Data\Webroot
    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2008-01-04 05:31 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
    2008-01-04 05:31 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2008-01-04 05:31 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2008-01-04 05:31 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2008-01-04 05:31 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
    2008-01-03 21:26 . 2008-01-03 21:36 <DIR> d-------- C:\VundoFix Backups
    2007-12-31 22:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-31 16:47 . 2007-03-09 00:02 919,280 --a------ C:\notwhatyouwant.exe
    2007-12-31 13:57 . 2007-12-31 13:58 <DIR> d-------- C:\Die vundo die
    2007-12-31 00:23 . 2007-12-31 00:24 14,651,520 --a------ C:\ssftrialsnrsetup1_23282812.exe
    2007-12-30 22:20 . 2007-12-30 22:21 194 --a------ C:\WINDOWS\wininit.ini
    2007-12-30 21:59 . 2007-12-31 00:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-29 07:46 . 2008-01-01 16:22 <DIR> d-------- C:\Documents and Settings\Uhanimar\Application Data\AVG7
    2007-12-29 04:39 . 2007-12-29 04:39 <DIR> d-------- C:\Program Files\RADVideo
    2007-12-28 21:08 . 2007-12-28 21:08 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-12-28 00:32 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
    2007-12-28 00:32 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
    2007-12-28 00:32 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
    2007-12-28 00:32 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
    2007-12-27 22:53 . 2008-01-04 20:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-27 22:53 . 2007-12-27 22:53 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-27 20:38 . 2007-12-27 20:38 <DIR> d-------- C:\Program Files\Metaboli Downloader
    2007-12-22 17:02 . 2007-12-23 09:10 90,112 --a------ C:\WINDOWS\UpdReg .EXE
    2007-12-22 17:02 . 2007-12-23 09:10 41,984 --a------ C:\WINDOWS\CTRegRun .EXE
    2007-12-18 23:17 . 2007-12-28 00:36 <DIR> d-------- C:\Program Files\The Witcher Demo
    2007-12-16 22:37 . 2007-12-16 22:55 <DIR> d-------- C:\Games
    2007-12-09 07:29 . 2007-12-09 07:29 <DIR> d-------- C:\Program Files\NifTools

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-08 01:39 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\AVG7
    2008-01-07 20:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-01-07 10:40 116,282 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_07_05_34_16_small.dmp.zip
    2007-12-30 20:59 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\Bioshock
    2007-12-30 06:46 --------- d-----w C:\Program Files\Paint Shop Pro 5
    2007-12-28 05:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-26 08:14 --------- d-----w C:\Program Files\Steam
    2007-12-23 22:47 --------- d-----w C:\Program Files\QuickTime
    2007-12-15 22:49 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\LimeWire
    2007-12-12 22:22 --------- d-----w C:\Program Files\DOSBox-0.63
    2007-12-10 21:25 --------- d-----w C:\Program Files\Bethesda Softworks
    2007-12-08 21:12 --------- d-----w C:\Program Files\Daggerfall Jukebox
    2007-12-03 22:04 --------- d-----w C:\Program Files\Diablo II
    2007-12-03 21:42 --------- d-----w C:\Program Files\Microsoft Games
    2007-11-30 23:51 --------- d-----w C:\Program Files\ReflexiveArcade
    2007-11-29 03:42 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2007-11-28 08:55 --------- d-----w C:\Program Files\NVIDIA Corporation
    2007-11-27 01:17 --------- d-----w C:\Program Files\VSTPlugins
    2007-11-26 23:01 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\Steinberg

    2007-11-26 22:59 --------- d-----w C:\Program Files\Steinberg

    2007-11-26 22:57 --------- d-----w C:\Program Files\Pinnacle

    2007-11-26 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle

    2007-11-26 11:03 --------- d-----w C:\Program Files\Tomb Raider - Legend Demo

    2007-11-25 09:18 --------- d-----w C:\Program Files\UT2004Demo

    2007-11-25 08:50 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

    2007-11-18 16:33 --------- d-----w C:\Program Files\Winamp

    2007-11-14 21:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe

    2007-11-14 21:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll

    2007-11-03 03:10 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll

    2007-11-03 03:10 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll

    2007-11-02 03:59 42 ----a-w C:\Program Files\Common Files\appop.log

    2007-10-24 04:53 6,532,138 ----a-w C:\DBProto_20071023.zip

    2007-10-22 08:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll

    2007-10-11 22:01 266,508 ----a-w C:\x0xb0x26_Panel.zip

    2007-09-07 00:00 101,200 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_06_19_58_33_small.dmp.zip

    2007-08-02 14:06 20,256,064 ----a-w C:\Program Files\QuickTimeInstaller.exe

    2007-03-09 10:07 1 ----a-w C:\Documents and Settings\Cheshire Cat\SI.bin

    .

    Code:
    ----a-w           313,472 2007-12-23 14:10:12  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
    ----a-w           106,496 2007-12-23 14:09:57  C:\Program Files\AMD\amd_dc_opt\amd_dc_opt .exe
    ----a-w           185,632 2007-12-23 14:10:02  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    ----a-w            49,152 2007-12-23 14:10:08  C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
    ----a-w           122,880 2007-12-23 14:10:07  C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu .exe
    ----a-w            32,768 2007-12-23 14:10:05  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    ----a-w           579,072 2007-12-23 14:10:11  C:\Program Files\Grisoft\AVG7\avgcc .exe
    ----a-w           270,336 2007-12-23 14:09:57  C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr .exe
    ----a-w           299,008 2007-12-22 22:02:42  C:\Program Files\InterVideo\Disc Master 2.5\DirectCD .exe
    ----a-w           132,496 2007-12-23 14:09:58  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
    ----a-w         1,694,208 2007-12-23 14:10:12  C:\Program Files\Messenger\msmsgs .exe
    ----a-w         1,003,520 2007-12-23 14:10:05  C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control .exe
    ----a-w            41,984 2007-12-23 14:10:07  C:\WINDOWS\CTRegRun .EXE
    ----a-w            90,112 2007-12-23 14:10:02  C:\WINDOWS\UpdReg .EXE




    ((((((((((((((((((((((((((((( snapshot@2008-01-06_ 6.59.43.51 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2007-06-29 14:32:16 186,608 ----a-w C:\WINDOWS\system32\000050.exe

    + 2007-07-19 20:10:28 127,768 ----a-w C:\WINDOWS\system32\drivers\klif.sys

    - 2007-03-09 05:01:24 83,696 ----a-w C:\WINDOWS\system32\vsdata.dll

    + 2007-11-14 21:04:52 83,432 ----a-w C:\WINDOWS\system32\vsdata.dll

    - 2007-03-09 05:02:10 394,192 ----a-w C:\WINDOWS\system32\vsdatant.sys

    + 2007-11-14 21:05:16 394,952 ----a-w C:\WINDOWS\system32\vsdatant.sys

    - 2007-03-09 05:01:24 157,424 ----a-w C:\WINDOWS\system32\vsinit.dll

    + 2007-11-14 21:04:52 157,160 ----a-w C:\WINDOWS\system32\vsinit.dll

    - 2007-03-09 05:01:26 104,176 ----a-w C:\WINDOWS\system32\vsmonapi.dll

    + 2007-11-14 21:04:52 103,912 ----a-w C:\WINDOWS\system32\vsmonapi.dll

    - 2007-03-09 05:01:26 276,208 ----a-w C:\WINDOWS\system32\vspubapi.dll

    + 2007-11-14 21:04:52 275,944 ----a-w C:\WINDOWS\system32\vspubapi.dll

    - 2007-03-09 05:01:26 71,408 ----a-w C:\WINDOWS\system32\vsregexp.dll

    + 2007-11-14 21:04:52 71,144 ----a-w C:\WINDOWS\system32\vsregexp.dll

    - 2007-03-09 05:01:28 472,816 ----a-w C:\WINDOWS\system32\vsutil.dll

    + 2007-11-14 21:04:54 472,552 ----a-w C:\WINDOWS\system32\vsutil.dll

    - 2007-03-09 05:01:30 46,832 ----a-w C:\WINDOWS\system32\vswmi.dll

    + 2007-11-14 21:04:54 46,568 ----a-w C:\WINDOWS\system32\vswmi.dll

    - 2007-03-09 05:01:30 100,080 ----a-w C:\WINDOWS\system32\vsxml.dll

    + 2007-11-14 21:04:54 99,816 ----a-w C:\WINDOWS\system32\vsxml.dll

    - 2007-03-09 05:01:30 83,696 ----a-w C:\WINDOWS\system32\zlcomm.dll

    + 2007-11-14 21:04:56 83,432 ----a-w C:\WINDOWS\system32\zlcomm.dll

    - 2007-03-09 05:01:32 71,408 ----a-w C:\WINDOWS\system32\zlcommdb.dll

    + 2007-11-14 21:04:56 71,144 ----a-w C:\WINDOWS\system32\zlcommdb.dll

    - 2007-12-31 21:46:24 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat

    + 2008-01-07 10:34:20 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat

    - 2007-03-09 05:01:10 362,280 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll

    + 2007-11-14 21:04:44 370,208 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll

    + 2007-05-31 05:03:30 65,248 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat

    - 2006-12-19 23:13:50 61,565 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll

    + 2007-05-31 05:03:16 77,824 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll

    - 2006-12-19 23:13:50 114,813 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll

    + 2007-05-31 05:03:16 110,592 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll

    - 2006-12-19 23:13:50 307,323 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll

    + 2007-05-31 05:03:16 331,776 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll

    - 2006-11-30 03:02:26 36,923 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll

    + 2007-05-31 05:03:16 38,400 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll

    + 2007-07-19 20:10:32 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys

    + 2007-07-19 20:10:32 186,128 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys

    + 2007-05-31 05:03:48 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys

    + 2007-07-19 20:10:28 127,768 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys

    + 2007-05-31 05:03:50 45,056 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe

    - 2007-01-11 22:31:04 274,514 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll

    + 2007-09-12 02:09:16 274,432 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll

    + 2007-05-31 05:03:20 548,864 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll

    + 2007-05-31 05:03:20 626,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll

    - 2006-11-30 03:02:26 184,445 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll

    + 2007-05-31 05:03:18 184,320 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll

    + 2007-05-31 05:03:22 90,112 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll

    - 2006-12-19 23:13:52 94,313 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe

    + 2007-09-12 02:09:16 135,168 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe

    - 2007-03-09 05:01:10 100,080 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll

    + 2007-11-14 21:04:44 99,816 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll

    - 2007-03-09 05:01:14 128,744 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll

    + 2007-11-14 21:04:46 128,480 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll

    - 2007-03-09 05:01:14 38,640 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll

    + 2007-11-14 21:04:46 38,376 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll

    - 2007-03-09 05:01:14 321,280 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll

    + 2007-11-14 21:04:46 321,016 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll

    - 2007-03-09 05:02:12 288,408 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll

    + 2007-11-14 21:05:18 288,144 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll

    - 2007-03-09 05:02:12 153,240 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll

    + 2007-11-14 21:05:18 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll

    - 2007-03-09 05:02:14 26,264 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll

    + 2007-11-14 21:05:18 26,000 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll

    - 2007-03-09 05:02:14 1,361,560 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll

    + 2007-11-14 21:05:18 1,361,296 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll

    - 2007-03-09 05:02:14 71,320 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll

    + 2007-11-14 21:05:20 71,056 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll

    - 2007-03-09 05:04:42 30,448 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll

    + 2007-11-14 21:06:34 30,184 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll

    - 2007-03-09 05:04:44 30,480 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll

    + 2007-11-14 21:06:36 30,216 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll

    - 2007-01-18 10:39:16 714,472 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll

    + 2007-10-19 01:18:38 714,208 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll

    - 2007-01-18 10:39:16 677,608 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll

    + 2007-10-19 01:18:38 787,936 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll

    - 2007-03-09 05:01:20 173,808 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll

    + 2007-11-14 21:04:48 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll

    - 2007-01-18 10:39:18 1,369,832 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll

    + 2007-10-19 01:18:40 1,500,640 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll

    - 2007-01-18 10:39:20 50,416 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys

    + 2007-10-19 01:18:44 51,176 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys

    - 2007-03-09 05:01:20 456,432 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll

    + 2007-11-14 21:04:50 456,168 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll

    - 2007-03-09 05:04:44 210,696 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll

    + 2007-11-14 21:06:36 214,528 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll

    - 2007-03-09 05:04:46 3,229,440 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll

    + 2007-11-14 21:06:36 3,266,040 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll

    - 2006-10-28 08:03:16 833,520 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll

    + 2007-10-11 21:50:32 832,984 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll

    - 2007-03-09 05:01:58 141,104 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe

    + 2007-11-14 21:05:06 144,936 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe

    - 2007-03-09 05:01:24 108,272 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll

    + 2007-11-14 21:04:52 108,008 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll

    - 2007-03-09 05:01:24 79,600 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll

    + 2007-11-14 21:04:52 83,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll

    - 2007-03-09 05:01:58 75,568 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    + 2007-11-14 21:05:06 75,304 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    - 2007-03-09 05:01:26 2,025,200 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll

    + 2007-11-14 21:04:52 2,029,032 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll

    - 2007-03-09 05:01:28 1,345,264 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll

    + 2007-11-14 21:04:54 1,361,384 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll

    - 2007-03-09 05:01:28 243,440 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll

    + 2007-11-14 21:04:54 239,080 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll

    - 2007-03-09 05:01:32 177,904 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll

    + 2007-11-14 21:04:56 177,640 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll

    - 2007-03-09 05:01:32 79,608 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll

    + 2007-11-14 21:04:56 79,344 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll

    - 2007-03-09 05:01:34 378,608 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll

    + 2007-11-14 21:04:58 382,440 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll

    - 2007-03-09 05:01:34 120,560 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll

    + 2007-11-14 21:04:58 120,296 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll

    .

    -- Snapshot reset to current date --

    .

  8. #8
    Junior Member
    Join Date
    Jan 2008
    Posts
    7

    Default Re: new ComboFix log, part 2

    Part II of ComboFix log:

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4



    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4695AAAF-0803-4CBF-A34D-FDAE34F2DBD2}]

    C:\WINDOWS\system32\mlljk.dll



    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Aim6"="" []



    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "NvCplDaemon"="RUNDLL32.exe" [2006-02-28 07:00 33280 C:\WINDOWS\system32\rundll32.exe]

    "nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]

    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]

    "FIREBOX"="C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe" [ ]

    "NvMediaCenter"="RUNDLL32.exe" [2006-02-28 07:00 33280 C:\WINDOWS\system32\rundll32.exe]

    "CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]

    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]



    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 11:49 219136]



    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuuss]

    cbxuuss.dll



    R0 ivicd;Ivi CDVD Filter Driver;C:\WINDOWS\system32\drivers\ivicd.sys [2005-01-12 05:29]

    S3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys []

    S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]

    S3 iviudf;iviudf;C:\WINDOWS\system32\drivers\IviUdf.sys [2005-06-23 01:09]

    S3 MySqlMain;MySqlMain;C:\DEVEL\MYSQL\BIN\MYSQLD MySqlMain []

    S3 ps_1394;ps_1394;C:\WINDOWS\system32\Drivers\ps_1394.sys [2004-10-14 17:33]

    S3 ps_avs;ps_avs;C:\WINDOWS\system32\Drivers\ps_avs.sys [2004-10-14 17:33]



    .

    Contents of the 'Scheduled Tasks' folder

    "2007-12-28 21:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

    "2008-01-04 10:31:27 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"

    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep

    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex

    - A:\

    .

    **************************************************************************



    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-01-08 06:27:12

    Windows 5.1.2600 Service Pack 2 NTFS



    scanning hidden processes ...



    scanning hidden autostart entries ...



    scanning hidden files ...



    **************************************************************************

    .

    Completion time: 2008-01-08 6:28:30

    ComboFix-quarantined-files.txt 2008-01-08 11:27:40

    ComboFix2.txt 2008-01-07 10:21:07

    ComboFix3.txt 2008-01-07 00:27:08

    ComboFix4.txt 2008-01-06 12:01:14

    .

    2007-06-26 09:23:06 --- E O F ---

  9. #9
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Upload the following file to http://www.virustotal.com or http://virusscan.jotti.org and post back the results:
    C:\WINDOWS\system32\000050.exe


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\notwhatyouwant.exe
    C:\ssftrialsnrsetup1_23282812.exe
    C:\WINDOWS\QTFont.qfn
    C:\WINDOWS\QTFont.for
    C:\WINDOWS\system32\mlljk.dll
    
    Folder::
    C:\VundoFix Backups
    C:\Die vundo die
    
    RENV::
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
    C:\Program Files\AMD\amd_dc_opt\amd_dc_opt .exe
    C:\Program Files\Common Files\Real\Update_OB\realsched .exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu .exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    C:\Program Files\Grisoft\AVG7\avgcc .exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr .exe
    C:\Program Files\InterVideo\Disc Master 2.5\DirectCD .exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
    C:\Program Files\Messenger\msmsgs .exe
    C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control .exe
    C:\WINDOWS\CTRegRun .EXE
    C:\WINDOWS\UpdReg .EXE
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4695AAAF-0803-4CBF-A34D-FDAE34F2DBD2}]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuuss]

    Save this as
    CFScript




    Referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log & fresh hjt log.


    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  10. #10
    Junior Member
    Join Date
    Jan 2008
    Posts
    7

    Default Re: new CF/HJT results

    Hopefully I did this correctly.

    VirusTotal results are here:


    http://www.virustotal.com/analisis/6...42b07b68ba48ad

    CF log is:

    ComboFix 08-01-07.5 - Cheshire Cat 2008-01-08 18:34:51.10 - NTFSx86 MINIMAL

    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1759 [GMT -5:00]

    Running from: C:\Regular Random Crap\compooter safteh\ComboFix.exe

    Command switches used :: C:\Regular Random Crap\compooter safteh\CFScript.txt



    FILE

    C:\notwhatyouwant.exe

    C:\ssftrialsnrsetup1_23282812.exe

    C:\WINDOWS\QTFont.for

    C:\WINDOWS\QTFont.qfn

    C:\WINDOWS\system32\mlljk.dll

    .



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .



    C:\Die vundo die

    C:\Die vundo die\FixVundo.exe

    C:\Die vundo die\FixVundo.log

    C:\notwhatyouwant.exe

    C:\ssftrialsnrsetup1_23282812.exe

    C:\VundoFix Backups

    C:\VundoFix Backups\addmorefiles.txt

    C:\VundoFix Backups\kjllm.ini.bad

    C:\VundoFix Backups\kjllm.ini2.bad

    C:\VundoFix Backups\mlljk.dll.bad

    C:\WINDOWS\QTFont.for

    C:\WINDOWS\QTFont.qfn



    .

    ((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))

    .



    2008-01-08 16:10 . 2008-01-08 16:10 <DIR> d-------- C:\Program Files\Lavasoft

    2008-01-08 16:10 . 2008-01-08 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

    2008-01-07 05:35 . 2008-01-08 18:32 2,764,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

    2008-01-07 05:35 . 2008-01-08 18:32 33,236 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx

    2008-01-06 06:35 . 2008-01-06 06:35 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot

    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Program Files\Webroot

    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot

    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\Cheshire Cat\Application Data\Webroot

    2008-01-04 05:31 . 2008-01-04 05:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot

    2008-01-04 05:31 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll

    2008-01-04 05:31 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys

    2008-01-04 05:31 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys

    2008-01-04 05:31 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys

    2008-01-04 05:31 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys

    2007-12-31 22:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

    2007-12-30 22:20 . 2007-12-30 22:21 194 --a------ C:\WINDOWS\wininit.ini

    2007-12-30 21:59 . 2007-12-31 00:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

    2007-12-29 07:46 . 2008-01-01 16:22 <DIR> d-------- C:\Documents and Settings\Uhanimar\Application Data\AVG7

    2007-12-29 04:39 . 2007-12-29 04:39 <DIR> d-------- C:\Program Files\RADVideo

    2007-12-28 21:08 . 2007-12-28 21:08 <DIR> d-------- C:\Program Files\SpywareBlaster

    2007-12-28 00:32 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll

    2007-12-28 00:32 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll

    2007-12-28 00:32 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll

    2007-12-28 00:32 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll

    2007-12-27 20:38 . 2007-12-27 20:38 <DIR> d-------- C:\Program Files\Metaboli Downloader

    2007-12-22 17:02 . 2007-12-23 09:10 90,112 --a------ C:\WINDOWS\UpdReg.EXE

    2007-12-22 17:02 . 2007-12-23 09:10 41,984 --a------ C:\WINDOWS\CTRegRun.EXE

    2007-12-18 23:17 . 2007-12-28 00:36 <DIR> d-------- C:\Program Files\The Witcher Demo

    2007-12-16 22:37 . 2007-12-16 22:55 <DIR> d-------- C:\Games

    2007-12-09 07:29 . 2007-12-09 07:29 <DIR> d-------- C:\Program Files\NifTools



    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2008-01-08 21:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

    2008-01-08 01:39 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\AVG7

    2008-01-07 10:40 116,282 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_07_05_34_16_small.dmp.zip

    2007-12-30 20:59 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\Bioshock

    2007-12-30 06:46 --------- d-----w C:\Program Files\Paint Shop Pro 5

    2007-12-28 05:24 --------- d--h--w C:\Program Files\InstallShield Installation Information

    2007-12-26 08:14 --------- d-----w C:\Program Files\Steam

    2007-12-23 22:47 --------- d-----w C:\Program Files\QuickTime

    2007-12-15 22:49 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\LimeWire

    2007-12-12 22:22 --------- d-----w C:\Program Files\DOSBox-0.63

    2007-12-10 21:25 --------- d-----w C:\Program Files\Bethesda Softworks

    2007-12-08 21:12 --------- d-----w C:\Program Files\Daggerfall Jukebox

    2007-12-03 22:04 --------- d-----w C:\Program Files\Diablo II

    2007-12-03 21:42 --------- d-----w C:\Program Files\Microsoft Games

    2007-11-30 23:51 --------- d-----w C:\Program Files\ReflexiveArcade

    2007-11-29 03:42 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

    2007-11-28 08:55 --------- d-----w C:\Program Files\NVIDIA Corporation

    2007-11-27 01:17 --------- d-----w C:\Program Files\VSTPlugins

    2007-11-26 23:01 --------- d-----w C:\Documents and Settings\Cheshire Cat\Application Data\Steinberg

    2007-11-26 22:59 --------- d-----w C:\Program Files\Steinberg

    2007-11-26 22:57 --------- d-----w C:\Program Files\Pinnacle

    2007-11-26 22:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Pinnacle

    2007-11-26 11:03 --------- d-----w C:\Program Files\Tomb Raider - Legend Demo

    2007-11-25 09:18 --------- d-----w C:\Program Files\UT2004Demo

    2007-11-25 08:50 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

    2007-11-18 16:33 --------- d-----w C:\Program Files\Winamp

    2007-11-14 21:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe

    2007-11-14 21:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll

    2007-11-03 03:10 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll

    2007-11-03 03:10 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll

    2007-11-02 03:59 42 ----a-w C:\Program Files\Common Files\appop.log

    2007-10-24 04:53 6,532,138 ----a-w C:\DBProto_20071023.zip

    2007-10-22 08:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll

    2007-10-11 22:01 266,508 ----a-w C:\x0xb0x26_Panel.zip

    2007-09-07 00:00 101,200 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_06_19_58_33_small.dmp.zip

    2007-08-02 14:06 20,256,064 ----a-w C:\Program Files\QuickTimeInstaller.exe

    2007-03-09 10:07 1 ----a-w C:\Documents and Settings\Cheshire Cat\SI.bin

    .



    ((((((((((((((((((((((((((((( snapshot_2008-01-08_ 6.27.19.14 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys

    + 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys

    + 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys

    + 2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4



    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Aim6"="" []



    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "NvCplDaemon"="RUNDLL32.exe" [2006-02-28 07:00 33280 C:\WINDOWS\system32\rundll32.exe]

    "nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]

    "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]

    "FIREBOX"="C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe" [2007-12-23 09:10 1003520]

    "NvMediaCenter"="RUNDLL32.exe" [2006-02-28 07:00 33280 C:\WINDOWS\system32\rundll32.exe]

    "CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 17920 C:\WINDOWS\CTHELPER.EXE]

    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]



    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 11:49 219136]



    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]

    InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-12-22 17:02:42]

    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]

    NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-04-28 15:19:58]



    R0 ivicd;Ivi CDVD Filter Driver;C:\WINDOWS\system32\drivers\ivicd.sys [2005-01-12 05:29]

    S3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys []

    S3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 11:16]

    S3 iviudf;iviudf;C:\WINDOWS\system32\drivers\IviUdf.sys [2005-06-23 01:09]

    S3 MySqlMain;MySqlMain;C:\DEVEL\MYSQL\BIN\MYSQLD MySqlMain []

    S3 ps_1394;ps_1394;C:\WINDOWS\system32\Drivers\ps_1394.sys [2004-10-14 17:33]

    S3 ps_avs;ps_avs;C:\WINDOWS\system32\Drivers\ps_avs.sys [2004-10-14 17:33]



    .

    Contents of the 'Scheduled Tasks' folder

    "2007-12-28 21:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

    "2008-01-04 10:31:27 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"

    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep

    - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex

    - A:\

    .

    **************************************************************************



    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2008-01-08 18:41:52

    Windows 5.1.2600 Service Pack 2 NTFS



    scanning hidden processes ...



    scanning hidden autostart entries ...



    scanning hidden files ...



    **************************************************************************

    .

    Completion time: 2008-01-08 18:43:03

    ComboFix-quarantined-files.txt 2008-01-08 23:42:14

    ComboFix2.txt 2008-01-08 11:28:31

    ComboFix3.txt 2008-01-07 10:21:07

    ComboFix4.txt 2008-01-07 00:27:08

    ComboFix5.txt 2008-01-06 12:01:14

    .

    2007-06-26 09:23:06 --- E O F ---



    *******************************************************
    *******************************************************
    *******************************************************



    HJT log is:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 6:47:30 PM, on 1/8/2008

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Boot mode: Normal



    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\savedump.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

    C:\Program Files\Bonjour\mDNSResponder.exe

    C:\WINDOWS\system32\CTsvcCDA.exe

    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

    C:\WINDOWS\system32\wscntfy.exe

    C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe

    C:\WINDOWS\system32\RUNDLL32.EXE

    C:\WINDOWS\CTHELPER.EXE

    C:\WINDOWS\system32\CTXFIHLP.EXE

    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Regular Random Crap\compooter safteh\madcat.exe



    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

    O4 - HKLM\..\Run: [FIREBOX] C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FIREBOX Control.exe

    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

    O8 - Extra context menu item: &Search - ?p=ZJfox000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190388141718

    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: MySqlMain - Unknown owner - C:\DEVEL\MYSQL\BIN\MYSQLD.exe

    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



    --

    End of file - 6884 bytes
