
Thread: ctv*****.exe cryptographed malware. Need help, please!

  1. #1
    Junior Member Damn_VCT-exe
    Join Date
    Oct 2009
    Location
    Lisbon, PT
    Posts
    11

    ctv*****.exe cryptographed malware. Need help, please!

    Hello tech people
    Since a week ago my PC (Windows XP Pro SP3) has been slowing down, and web browsing with Firefox 3.5 / Opera 9 shows decreased performance. Two days ago I discovered in Task Manager (image follows) the constant presence of various ctv*****.exe processes, always replicating with five random digits. Even after deleting them in the C:\Documents and Settings\[user]\Local Settings\temp\ folder, the ctv files remain. Antivirus Avast 4.x and Spybot, even run in Safe Mode, did not detect these files, so the problem is not fixed.
    HijackThis log file follows:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:06:16, on 20-10-2009
    Platform: Windows XP SP3, v.5857 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\UnsignedThemesSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\oodag.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\ALCXMNTR.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv16991.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
    O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1255038252750
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1255716346265
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
    O23 - Service: Unsigned Themes (UnsignedThemes) - The Within Network, LLC - C:\WINDOWS\UnsignedThemesSvc.exe
    O24 - Desktop Component 0: (no name) - (no file)

    GMER log file follows:

    GMER 1.0.15.15163 - http://www.gmer.net
    Rootkit scan 2009-10-19 19:25:55
    Windows 5.1.2600 Service Pack 3, v.5857
    Running: 33y9tx84.exe; Driver: C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\kxldapob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0xB031CA60]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB022C6B8]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0xB031E920]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0xB02FDF60]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB022C574]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0xB03152B0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0xB0315BB0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSection [0xB02FCD10]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0xB0308E40]
    SSDT B9F5878C ZwCreateThread
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDebugActiveProcess [0xB0321F30]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteFile [0xB0307B20]
    SSDT B9F5879B ZwDeleteKey
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB022CA52]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB022C14C]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0xB0312BB0]
    SSDT B9F587AA ZwLoadKey
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xB03086B0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xB0300C10]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB022C64E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB022C08C]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xB02FD580]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB022C0F0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xB031DDA0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xB03028A0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xB030C750]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB022C76E]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xB031BED0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xB0310590]
    SSDT B9F587B4 ZwReplaceKey
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xB0320A50]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xB0320D70]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB022C72E]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xB030EC80]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xB030F4D0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xB031F480]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xB031B440]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0xB0322520]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xB0303BF0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xB03121C0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB022C8AE]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xB031A190]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xB031AAC0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xB0321770]
    SSDT B9F58787 ZwTerminateProcess
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xB0319620]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xB0313530]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xB031D2B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + C8 804E2724 4 Bytes JMP A040D75A
    .text ntoskrnl.exe!_abnormal_termination + 394 804E29F0 1 Byte [80]
    .text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [90, A1, 31, B0, C0, AA, 31, ...] {NOP ; MOV EAX, [0xaac0b031]; XOR [EAX-0x4fcde890], ESI}

    ---- User code sections - GMER 1.0.15 ----

    .text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[184] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 00522570 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0059EB4C C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!LoadResource 7C80A055 5 Bytes JMP 0059E828 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0059EA88 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!EnableWindow 7E41BE69 5 Bytes JMP 0116944C C:\PROGRA~1\Agnitum\OUTPOS~1\op_cmn.dll (Outpost Common Controls Library/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExW 7E42DFFE 5 Bytes JMP 0059EB20 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExA 7E431221 5 Bytes JMP 0059EAF4 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B0312190] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B02FF130] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
    IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@start 4
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@type 1
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@group file system
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@aid 20188
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@sid 0
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@start 4
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@group file system
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@aid 20188
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@sid 0
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION 88AC12D0D1B72D6A66F421C03202A9A37A23F63DCB493BC00933435
    B8ADCBFCB05A47301ABAD8120B88C8CDDE6BFD306F2EC952632F6CA1D5
    AE395A68DA3780FBA289B23E3ECC51B6D53578674FED0F15382C76559975
    CD858BCF2CCFEBC9E127BECC74CFEBC9E127BECC74
    CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74
    CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB34528
    EDD5E5BE2F6E667FEBC9E127BECC74C2CAD362A5080C0BCD0FB007
    AEE282B063BC7F03F82D08BE29CDEFC19C17DCF85675FEF9F51
    FEDCCE4BBA6B0C48D8C622C58E622CC6809B82BC462C2DA06
    CBD07338D29B58E69CD98839A744E7651A982ACBC2496C27
    DF05436461FD0C8982013993AFD3BBEBC3F3542587E3442
    DA9A781E6D84B56EFA0A0138F6AB2104C64FC4691A6ECF1D
    68805699E6D303F7B300EA08EE349647A5884030258B8E9FAE
    464D34965BEB68D085C05AED1ED6658BE7D0A0C64897CD
    9932E15652DD5DEC78A46D4FCE0F57E2CDE7CA1CC6F01EE
    009843ADE2A3C6C06E871C7A332A426C3C52B7DD69232B053
    AA6061BA003D1C40C22845FD07EC9E781BD368D42E46567
    A294369A667D6E804A7D00655DCDE67DEC74E2800FB1
    A08B2290C4DE8618DAE712875AFE388ED4744F9BC4C4E530
    FE91D18112EA85CE959C5026E16A81D28C3083F7264
    F0E1D06466C8CC5B4E8DF064DE2A3433FE2FE59



    --
    End of file - 6871 bytes



    Would appreciate kind help ASAP
    Last edited by tashi; 2009-10-20 at 05:54. Reason: Broke lines to prevent page sprawl, Forum FAQ-produce only a HJT log ;-)
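Editor's note (added to this page; not part of the thread and not one of the poster's or the helper's tools): the two logs above already contain the findings a practitioner would pull out. First, one process runs from the user's Temp directory (C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv16991.exe), which matches the ctv##### pattern the poster describes. Second, GMER prints several SSDT entries as a bare address with no owning module (ZwCreateThread, ZwDeleteKey, ZwLoadKey, ZwReplaceKey, ZwTerminateProcess), unlike the avast and Agnitum Outpost hooks, which it resolves to aswSP.SYS and SandBox.sys; those vendor hooks are expected on a machine running both products and are not findings. Third, the Registry section lists a service key (gasfkykodggrhs) that GMER sees in the hive but the registry API does not, carrying a kernel driver with a random-looking name, a main\injector map that names one DLL for every process (*) and a different one for svchost.exe, a cmddelay value and a modules table. That layout and the gasfky* prefix are, in my assessment, consistent with the TDL3/TDSS rootkit family that circulated in late 2009; the thread has not made that attribution at this point and it should be confirmed by the helper's tools rather than assumed. The Python script below is an added triage example that runs over a constructed excerpt of the posted log lines and pulls out exactly those three classes of indicator; the function names, the regular expressions and the excerpt are mine. It is triage only, not a removal procedure.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis "Running processes" list posted above.
HJT_PROCESSES = r"""
C:\WINDOWS\system32\services.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\DOCUME~1\BFERRY~1\LOCALS~1\Temp\ctv16991.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
"""

# Constructed excerpt of the GMER "System" and "Registry" sections posted above.
GMER_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB022C6B8]
SSDT B9F5878C ZwCreateThread
SSDT B9F5879B ZwDeleteKey
SSDT B9F58787 ZwTerminateProcess
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@start 4
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
"""

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)          # image lives under a Temp folder
CTV_NAME = re.compile(r"\\ctv\d{5}\.exe$", re.I)         # the name pattern the poster saw
BARE_SSDT = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(Zw\w+)\s*$", re.I)
REG_SVC = re.compile(                                    # Reg HKLM\SYSTEM\...\Services\<svc>[\sub\keys]@<value> <data>
    r"^Reg HKLM\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\"
    r"([^\\@ ]+)((?:\\[^\\@ ]+)*)@(\S+)\s*(.*)$")


def temp_processes(listing):
    """Running processes whose image path is under a Temp directory."""
    return [p.strip() for p in listing.splitlines() if p.strip() and TEMP_DIR.search(p)]


def unattributed_ssdt_hooks(log):
    """SSDT entries GMER printed as a bare address: no loaded module claims the hook."""
    hooks = []
    for line in log.splitlines():
        m = BARE_SSDT.match(line.strip())
        if m:
            hooks.append((m.group(1).upper(), m.group(2)))
    return hooks


def hidden_services(log):
    """Rebuild each Services\\<name> key in GMER's Registry section into values/injector/modules."""
    services = defaultdict(lambda: {"values": {}, "injector": {}, "modules": {}})
    for line in log.splitlines():
        m = REG_SVC.match(line.strip())
        if not m:
            continue                      # lines without '@' are key headers, not values
        name, subkey, value, data = m.groups()
        bucket = subkey.lower().rsplit("\\", 1)[-1]   # '' | 'main' | 'injector' | 'modules'
        if bucket in ("injector", "modules"):
            services[name][bucket][value] = data
        else:
            services[name]["values"][value.lower()] = data
    return dict(services)


def flag_services(services):
    """Explain, per reconstructed service key, why it deserves a look."""
    findings = {}
    for name, svc in services.items():
        v, reasons = svc["values"], []
        if v.get("type") == "1":          # SERVICE_KERNEL_DRIVER
            reasons.append("kernel driver: " + v.get("imagepath", "?"))
        if v.get("start") == "4":         # SERVICE_DISABLED, yet the key is hidden from the API
            reasons.append("start=4 (disabled) on a key the registry API does not show")
        for proc, dll in svc["injector"].items():
            target = "every process" if proc == "*" else proc
            reasons.append(f"injector maps {dll} into {target}")
        if svc["modules"]:
            reasons.append(f"{len(svc['modules'])} module(s) mapped to on-disk file names")
        if reasons:
            findings[name] = reasons
    return findings


def triage(processes, log):
    """One report over both logs; each value is a plain list/dict so it can be asserted on."""
    temp = temp_processes(processes)
    return {
        "temp_processes": temp,
        "ctv_pattern": [p for p in temp if CTV_NAME.search(p)],
        "unattributed_ssdt": unattributed_ssdt_hooks(log),
        "services": flag_services(hidden_services(log)),
    }


if __name__ == "__main__":
    for section, result in triage(HJT_PROCESSES, GMER_LOG).items():
        print(f"== {section}")
        items = result.items() if isinstance(result, dict) else ((None, r) for r in result)
        for key, val in items:
            print(f"  {key}: {val}" if key else f"  {val}")
```

The report is only as good as the logs it reads: a GMER run on a box whose kernel is already hooked can itself be lied to, which is why the helper in the next post asks for a second tool's output before prescribing anything.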

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member Damn_VCT-exe
    Join Date
    Oct 2009
    Location
    Lisbon, PT
    Posts
    11


    DDS.com log files attached.
    Thanks for your help

    SSDT B9F587AA ZwLoadKey
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xB03086B0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xB0300C10]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB022C64E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB022C08C]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xB02FD580]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB022C0F0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xB031DDA0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xB03028A0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xB030C750]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB022C76E]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xB031BED0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xB0310590]
    SSDT B9F587B4 ZwReplaceKey
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xB0320A50]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xB0320D70]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB022C72E]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xB030EC80]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xB030F4D0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xB031F480]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xB031B440]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0xB0322520]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xB0303BF0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xB03121C0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB022C8AE]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xB031A190]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xB031AAC0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xB0321770]
    SSDT B9F58787 ZwTerminateProcess
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xB0319620]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xB0313530]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xB031D2B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + C8 804E2724 4 Bytes JMP A040D75A
    .text ntoskrnl.exe!_abnormal_termination + 394 804E29F0 1 Byte [80]
    .text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [90, A1, 31, B0, C0, AA, 31, ...] {NOP ; MOV EAX, [0xaac0b031]; XOR [EAX-0x4fcde890], ESI}

    ---- User code sections - GMER 1.0.15 ----

    .text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[184] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 00522570 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0059EB4C C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!LoadResource 7C80A055 5 Bytes JMP 0059E828 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0059EA88 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!EnableWindow 7E41BE69 5 Bytes JMP 0116944C C:\PROGRA~1\Agnitum\OUTPOS~1\op_cmn.dll (Outpost Common Controls Library/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExW 7E42DFFE 5 Bytes JMP 0059EB20 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[2180] USER32.dll!SetWindowsHookExA 7E431221 5 Bytes JMP 0059EAF4 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9880906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B0312190] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B02FF130] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
    IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@start 4
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@type 1
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@group file system
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@aid 20188
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@sid 0
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@start 4
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@group file system
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@aid 20188
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@sid 0
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkylog.dat \systemroot\system32\gasfkytylswgqd.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp.dll \systemroot\system32\gasfkykejfuuwk.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfky.dat \systemroot\system32\gasfkyofyaacup.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkycony.dll \systemroot\system32\gasfkyofdwqnqe.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION 88AC12D0D1B72D6A66F421C03202A9A37A23F63DCB493BC00933435



    --
    End of file - 6871 bytes



    Would appreciate kind help ASAP
    Damn_VCT
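The Registry section of the GMER log above shows a service (gasfkykodggrhs) registered as a kernel driver with main\injector and modules subkeys whose file names share the service's prefix. The script below is an added example, not part of this thread and not GMER's own code: it parses such Reg lines, groups them per service and reports those indicators; the regular expression, the two-indicator threshold and the consonant-run heuristic are this example's own assumptions, and the sample lines are a subset copied from the log above.

```python
r"""Triage helper for the 'Registry' section of a GMER log.

Added example, not part of this thread and not GMER's own code.  It parses
lines of the form

    Reg HKLM\SYSTEM\ControlSet001\Services\<svc>@<value> <data>
    Reg HKLM\SYSTEM\ControlSet001\Services\<svc>\<subkey>@<value> <data>

groups them per service and reports the indicators visible in the log
above.  The regular expression, the two-indicator threshold and the name
heuristic are this example's own assumptions.
"""
import os
import re
from collections import defaultdict

# One GMER 'Reg' line under HKLM\SYSTEM\ControlSetNNN\Services\...
# groups: controlset, service, subkey (may contain '\'), value name, data
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(ControlSet\d{3})\\Services\\([^\\@\s]+)"
    r"(?:\\([^@\s]+))?(?:@(\S+))?(?:\s+(.*))?$"
)

# Constructed sample: a subset of the ControlSet001 lines from the GMER log above.
SAMPLE_LOG = r"""
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@start 4
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs@imagepath \systemroot\system32\drivers\gasfkywafaqhou.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@aid 20188
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\main\injector@svchost.exe gasfkyconu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkywafaqhou.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkycmd.dll \systemroot\system32\gasfkyltouorpl.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkywsp8.dll \systemroot\system32\gasfkysjmutwvp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkykodggrhs\modules@gasfkyconu.dll \systemroot\system32\gasfkythoptnkp.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
""".strip().splitlines()


def parse_reg_lines(lines):
    """Return {(controlset, service): {(subkey, value_name): data}}; non-service lines are skipped."""
    services = defaultdict(dict)
    for raw in lines:
        m = REG_RE.match(raw.strip())
        if m:
            cs, svc, subkey, value, data = m.groups()
            services[(cs, svc)][(subkey or "", value or "")] = (data or "").strip()
    return dict(services)


def injector_map(entries):
    r"""Process name -> DLL pairs stored under main\injector."""
    return {v: d for (sk, v), d in entries.items()
            if sk.lower() == r"main\injector" and v}


def module_map(entries):
    """Module alias -> on-disk path pairs stored under 'modules'."""
    return {v: d for (sk, v), d in entries.items() if sk.lower() == "modules" and v}


def common_prefix(names):
    """Longest shared lower-case prefix of the given names."""
    return os.path.commonprefix([n.lower() for n in names]) if names else ""


def max_consonant_run(name):
    """Longest run of consonant letters; long runs are typical of random names (heuristic)."""
    run = best = 0
    for ch in name.lower():
        run = run + 1 if ch.isalpha() and ch not in "aeiou" else 0
        best = max(best, run)
    return best


def triage_service(svc, entries):
    """List the indicators one service's registry entries show."""
    reasons = []
    root = {v: d for (sk, v), d in entries.items() if sk == ""}
    if root.get("type") == "1":
        reasons.append("type=1: registered as a kernel-mode driver")
    if root.get("group", "").lower() == "file system":
        reasons.append("group='file system': loaded with the file-system drivers")
    inj = injector_map(entries)
    if inj:
        reasons.append("main\\injector maps processes to DLLs: " + ", ".join(sorted(inj)))
    mods = module_map(entries)
    prefix = common_prefix([svc] + [os.path.basename(p.replace("\\", "/")) for p in mods.values()])
    if mods and len(prefix) >= 5:
        reasons.append(f"{len(mods)} module files share the prefix '{prefix}' with the service name")
    if max_consonant_run(svc) >= 4:
        reasons.append("service name has a long consonant run (random-looking; heuristic)")
    return reasons


def triage_log(lines):
    """Return {service: [reasons]} for services showing at least two indicators."""
    report = {}
    for (_cs, svc), entries in parse_reg_lines(lines).items():
        reasons = triage_service(svc, entries)
        if len(reasons) >= 2 and svc not in report:
            report[svc] = reasons
    return report


if __name__ == "__main__":
    for svc, reasons in triage_log(SAMPLE_LOG).items():
        print(svc)
        for reason in reasons:
            print("  -", reason)
```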

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again


    IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    You seem to have run ComboFix there (not recommended without trained helper's supervision!). Post contents of c:\combofix.txt log, please.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member Damn_VCT-exe's Avatar
    Join Date
    Oct 2009
    Location
    Lisbon, PT
    Posts
    11

    Exclamation

    Hi again

    Combofix log file zipped and attached
    Thanks


    Quote Originally Posted by Blade81 View Post
    Hi again


    IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    You seem to have run ComboFix there (not recommended without trained helper's supervision!). Post contents of c:\combofix.txt log, please.
    Damn_VCT

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Open MBAM and update its definitions. Then run a full scan with it. Post back the report.

  7. #7
    Junior Member Damn_VCT-exe's Avatar
    Join Date
    Oct 2009
    Location
    Lisbon, PT
    Posts
    11

    Exclamation

    MBAM log attached. Trojans deleted and quarantined, although I had already done this and the files are always replicating randomly.
    Thanks

    Quote Originally Posted by Blade81 View Post
    Hi,

    Open MBAM and update its definitions. Then run a full scan with it. Post back the report.
    Damn_VCT

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Upload these files to http://www.virustotal.com and post back the results:
    c:\windows\system32\oodtray.exe
    c:\windows\system32\taskswitch.exe


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://forums.spybot.info/showthread.php?p=343681#post343681
    Suspect::
    c:\documents and settings\bferry_pt\alcxmntr.exe
    c:\documents and settings\bferry_pt\alcxmntr .exe
    c:\windows\system32\l3fmoeusvvbr.dll
    c:\windows\system32\l3fmoetsvvsr.exe70
    c:\windows\system32\l3fmoetsvvsr.exe112
    c:\windows\system32\l3fmoetsvvsr.exe
    Driver::
    NPHJLURBWVFY
    UQRYGVQ
    File::
    c:\docume~1\BFERRY~1\LOCALS~1\Temp\NPHJLURBWVFY.exe
    c:\docume~1\BFERRY~1\LOCALS~1\Temp\UQRYGVQ.exe
    Folder::
    c:\documents and settings\BFERRY_PT\Application Data\uTorrent
    c:\program files\uTorrent

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe. Keep network connection enabled and follow given instructions to submit some file samples.
    Then post the resultant log.


    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.


    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

  9. #9
    Junior Member Damn_VCT-exe's Avatar
    Join Date
    Oct 2009
    Location
    Lisbon, PT
    Posts
    11

    Exclamation VirusTotal scan results

    Virus Total scan results for oodtray.exe (2 files with same name and extension ... ) and taskswitch.exe (2 files as well):
    Antivirus Version Last Update Result
    a-squared 4.5.0.41 2009.10.25 Trojan-Downloader.Win32.Small!IK
    AhnLab-V3 5.0.0.2 2009.10.23 -
    AntiVir 7.9.1.44 2009.10.23 TR/Dldr.Small.anvz
    Antiy-AVL 2.0.3.7 2009.10.23 Trojan/Win32.Small.gen
    Authentium 5.1.2.4 2009.10.25 -
    Avast 4.8.1351.0 2009.10.25 -
    AVG 8.5.0.423 2009.10.25 Worm/Koobface.K
    BitDefender 7.2 2009.10.25 -
    CAT-QuickHeal 10.00 2009.10.24 TrojanDownloader.Small.anvz
    ClamAV 0.94.1 2009.10.25 Trojan.Downloader-80685
    Comodo 2729 2009.10.25 UnclassifiedMalware
    DrWeb 5.0.0.12182 2009.10.25 -
    eSafe 7.0.17.0 2009.10.25 Win32.Adclicker
    eTrust-Vet 35.1.7082 2009.10.23 Win32/Donloz.ADF
    F-Prot 4.5.1.85 2009.10.25 -
    F-Secure 9.0.15370.0 2009.10.22 -
    Fortinet 3.120.0.0 2009.10.25 W32/Small.ANVZ!tr.dldr
    GData 19 2009.10.25 -
    Ikarus T3.1.1.72.0 2009.10.25 Trojan-Downloader.Win32.Small
    Jiangmin 11.0.800 2009.10.24 TrojanDownloader.Small.aokk
    K7AntiVirus 7.10.879 2009.10.24 Trojan.Win32.Malware.1
    Kaspersky 7.0.0.125 2009.10.25 Trojan-Downloader.Win32.Small.anvz
    McAfee 5782 2009.10.25 -
    McAfee+Artemis 5782 2009.10.25 Artemis!EC3170C08663
    McAfee-GW-Edition 6.8.5 2009.10.25 Heuristic.BehavesLike.Win32.PasswordStealer.H
    Microsoft 1.5202 2009.10.25 Trojan:Win32/Meredrop
    NOD32 4541 2009.10.25 Win32/TrojanDownloader.Unruy.AA
    Norman 6.03.02 2009.10.23 -
    nProtect 2009.1.8.0 2009.10.25 Trojan-Downloader/W32.Small.30720.O
    Panda 10.0.2.2 2009.10.25 Trj/Downloader.MDW
    PCTools 4.4.2.0 2009.10.19 -
    Prevx 3.0 2009.10.25 -
    Rising 21.52.62.00 2009.10.25 -
    Sophos 4.46.0 2009.10.25 Mal/Generic-A
    Sunbelt 3.2.1858.2 2009.10.25 -
    Symantec 1.4.4.12 2009.10.25 Trojan.Adclicker
    TheHacker 6.5.0.2.053 2009.10.24 -
    TrendMicro 8.950.0.1094 2009.10.25 -
    VBA32 3.12.10.11 2009.10.23 -
    ViRobot 2009.10.23.2003 2009.10.23 -
    VirusBuster 4.6.5.0 2009.10.25 -
    Additional information
    File size: 30720 bytes
    MD5...: ec3170c08663951a14a20d4981790521
    SHA1..: 23c7ec2432f55d59537b84dc011f6bbcfa6638f9
    SHA256: 2ef4cbc616d5574120ef15d118e11c1e213b7a69adf6baaf6b074f136a473352
    ssdeep: 768:KtJNldbYDMdwnIkmJFustctrUhQFyP+LDkfboboW9Y:KtJJA2cDkfbQoW+
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x3a9f
    timedatestamp.....: 0x4acbfd72 (Wed Oct 07 02:31:14 2009)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x2b7e 0x2c00 5.86 327a07d66b104d0284f499a4dc2756ca
    .rdata 0x4000 0x2c6 0x400 3.68 273c9b096c2382ba84e7db5be3659569
    .data 0x5000 0x10af0 0x4400 6.81 6c70b9c9059b2bbb018f92303ade017e

    ( 1 imports )
    > KERNEL32.dll: GetFileAttributesExA, HeapDestroy, Sleep, HeapFree, QueryPerformanceCounter, HeapCreate, HeapAlloc, GetProcessHeap, CloseHandle, GetTickCount, ReadFile, SetFilePointer, CreateFileA, ExitProcess, GetModuleFileNameA, VirtualAlloc, VirtualProtect, VirtualFree, GetProcAddress, LoadLibraryA, IsBadReadPtr, lstrcmpiA, FreeLibrary, HeapReAlloc, GetModuleHandleA, GetStartupInfoA, GetCommandLineA

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

    ....

    File oodtray.exe received on 2009.10.25 19:48:44 (UTC)
    Result: 22/41 (53.66%)
    Antivirus Version Last Update Result
    a-squared 4.5.0.41 2009.10.25 Trojan-Downloader.Win32.Small!IK
    AhnLab-V3 5.0.0.2 2009.10.23 -
    AntiVir 7.9.1.44 2009.10.23 TR/Dldr.Small.anvz
    Antiy-AVL 2.0.3.7 2009.10.23 Trojan/Win32.Small.gen
    Authentium 5.1.2.4 2009.10.25 -
    Avast 4.8.1351.0 2009.10.25 -
    AVG 8.5.0.423 2009.10.25 Worm/Koobface.K
    BitDefender 7.2 2009.10.25 -
    CAT-QuickHeal 10.00 2009.10.24 TrojanDownloader.Small.anvz
    ClamAV 0.94.1 2009.10.25 Trojan.Downloader-80685
    Comodo 2729 2009.10.25 UnclassifiedMalware
    DrWeb 5.0.0.12182 2009.10.25 -
    eSafe 7.0.17.0 2009.10.25 Win32.Adclicker
    eTrust-Vet 35.1.7082 2009.10.23 Win32/Donloz.ADF
    F-Prot 4.5.1.85 2009.10.25 -
    F-Secure 9.0.15370.0 2009.10.22 -
    Fortinet 3.120.0.0 2009.10.25 W32/Small.ANVZ!tr.dldr
    GData 19 2009.10.25 -
    Ikarus T3.1.1.72.0 2009.10.25 Trojan-Downloader.Win32.Small
    Jiangmin 11.0.800 2009.10.24 TrojanDownloader.Small.aokk
    K7AntiVirus 7.10.879 2009.10.24 Trojan.Win32.Malware.1
    Kaspersky 7.0.0.125 2009.10.25 Trojan-Downloader.Win32.Small.anvz
    McAfee 5782 2009.10.25 -
    McAfee+Artemis 5782 2009.10.25 Artemis!EC3170C08663
    McAfee-GW-Edition 6.8.5 2009.10.25 Heuristic.BehavesLike.Win32.PasswordStealer.H
    Microsoft 1.5202 2009.10.25 Trojan:Win32/Meredrop
    NOD32 4541 2009.10.25 Win32/TrojanDownloader.Unruy.AA
    Norman 6.03.02 2009.10.23 -
    nProtect 2009.1.8.0 2009.10.25 Trojan-Downloader/W32.Small.30720.O
    Panda 10.0.2.2 2009.10.25 Trj/Downloader.MDW
    PCTools 4.4.2.0 2009.10.19 -
    Prevx 3.0 2009.10.25 -
    Rising 21.52.62.00 2009.10.25 -
    Sophos 4.46.0 2009.10.25 Mal/Generic-A
    Sunbelt 3.2.1858.2 2009.10.25 -
    Symantec 1.4.4.12 2009.10.25 Trojan.Adclicker
    TheHacker 6.5.0.2.053 2009.10.24 -
    TrendMicro 8.950.0.1094 2009.10.25 -
    VBA32 3.12.10.11 2009.10.23 -
    ViRobot 2009.10.23.2003 2009.10.23 -
    VirusBuster 4.6.5.0 2009.10.25 -
    Additional information
    File size: 30720 bytes
    MD5...: ec3170c08663951a14a20d4981790521
    SHA1..: 23c7ec2432f55d59537b84dc011f6bbcfa6638f9
    SHA256: 2ef4cbc616d5574120ef15d118e11c1e213b7a69adf6baaf6b074f136a473352
    ssdeep: 768:KtJNldbYDMdwnIkmJFustctrUhQFyP+LDkfboboW9Y:KtJJA2cDkfbQoW+
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x3a9f
    timedatestamp.....: 0x4acbfd72 (Wed Oct 07 02:31:14 2009)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x2b7e 0x2c00 5.86 327a07d66b104d0284f499a4dc2756ca
    .rdata 0x4000 0x2c6 0x400 3.68 273c9b096c2382ba84e7db5be3659569
    .data 0x5000 0x10af0 0x4400 6.81 6c70b9c9059b2bbb018f92303ade017e

    ( 1 imports )
    > KERNEL32.dll: GetFileAttributesExA, HeapDestroy, Sleep, HeapFree, QueryPerformanceCounter, HeapCreate, HeapAlloc, GetProcessHeap, CloseHandle, GetTickCount, ReadFile, SetFilePointer, CreateFileA, ExitProcess, GetModuleFileNameA, VirtualAlloc, VirtualProtect, VirtualFree, GetProcAddress, LoadLibraryA, IsBadReadPtr, lstrcmpiA, FreeLibrary, HeapReAlloc, GetModuleHandleA, GetStartupInfoA, GetCommandLineA

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    ----------------------

    File taskswitch_.exe received on 2009.10.25 19:59:29 (UTC)
    Result: 22/41 (53.66%)
    Antivirus Version Last Update Result
    a-squared 4.5.0.41 2009.10.25 Trojan-Downloader.Win32.Small!IK
    AhnLab-V3 5.0.0.2 2009.10.23 -
    AntiVir 7.9.1.44 2009.10.23 TR/Dldr.Small.anvz
    Antiy-AVL 2.0.3.7 2009.10.23 Trojan/Win32.Small.gen
    Authentium 5.1.2.4 2009.10.25 -
    Avast 4.8.1351.0 2009.10.25 -
    AVG 8.5.0.423 2009.10.25 Worm/Koobface.K
    BitDefender 7.2 2009.10.25 -
    CAT-QuickHeal 10.00 2009.10.24 TrojanDownloader.Small.anvz
    ClamAV 0.94.1 2009.10.25 Trojan.Downloader-80685
    Comodo 2729 2009.10.25 UnclassifiedMalware
    DrWeb 5.0.0.12182 2009.10.25 -
    eSafe 7.0.17.0 2009.10.25 Win32.Adclicker
    eTrust-Vet 35.1.7082 2009.10.23 Win32/Donloz.ADF
    F-Prot 4.5.1.85 2009.10.25 -
    F-Secure 9.0.15370.0 2009.10.22 -
    Fortinet 3.120.0.0 2009.10.25 W32/Small.ANVZ!tr.dldr
    GData 19 2009.10.25 -
    Ikarus T3.1.1.72.0 2009.10.25 Trojan-Downloader.Win32.Small
    Jiangmin 11.0.800 2009.10.24 TrojanDownloader.Small.aokk
    K7AntiVirus 7.10.879 2009.10.24 Trojan.Win32.Malware.1
    Kaspersky 7.0.0.125 2009.10.25 Trojan-Downloader.Win32.Small.anvz
    McAfee 5782 2009.10.25 -
    McAfee+Artemis 5782 2009.10.25 Artemis!EC3170C08663
    McAfee-GW-Edition 6.8.5 2009.10.25 Heuristic.BehavesLike.Win32.PasswordStealer.H
    Microsoft 1.5202 2009.10.25 Trojan:Win32/Meredrop
    NOD32 4541 2009.10.25 Win32/TrojanDownloader.Unruy.AA
    Norman 6.03.02 2009.10.23 -
    nProtect 2009.1.8.0 2009.10.25 Trojan-Downloader/W32.Small.30720.O
    Panda 10.0.2.2 2009.10.25 Trj/Downloader.MDW
    PCTools 4.4.2.0 2009.10.19 -
    Prevx 3.0 2009.10.25 -
    Rising 21.52.62.00 2009.10.25 -
    Sophos 4.46.0 2009.10.25 Mal/Generic-A
    Sunbelt 3.2.1858.2 2009.10.25 -
    Symantec 1.4.4.12 2009.10.25 Trojan.Adclicker
    TheHacker 6.5.0.2.053 2009.10.24 -
    TrendMicro 8.950.0.1094 2009.10.25 -
    VBA32 3.12.10.11 2009.10.23 -
    ViRobot 2009.10.23.2003 2009.10.23 -
    VirusBuster 4.6.5.0 2009.10.25 -
    Additional information
    File size: 30720 bytes
    MD5...: ec3170c08663951a14a20d4981790521
    SHA1..: 23c7ec2432f55d59537b84dc011f6bbcfa6638f9
    SHA256: 2ef4cbc616d5574120ef15d118e11c1e213b7a69adf6baaf6b074f136a473352
    ssdeep: 768:KtJNldbYDMdwnIkmJFustctrUhQFyP+LDkfboboW9Y:KtJJA2cDkfbQoW+
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x3a9f
    timedatestamp.....: 0x4acbfd72 (Wed Oct 07 02:31:14 2009)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x2b7e 0x2c00 5.86 327a07d66b104d0284f499a4dc2756ca
    .rdata 0x4000 0x2c6 0x400 3.68 273c9b096c2382ba84e7db5be3659569
    .data 0x5000 0x10af0 0x4400 6.81 6c70b9c9059b2bbb018f92303ade017e

    ( 1 imports )
    > KERNEL32.dll: GetFileAttributesExA, HeapDestroy, Sleep, HeapFree, QueryPerformanceCounter, HeapCreate, HeapAlloc, GetProcessHeap, CloseHandle, GetTickCount, ReadFile, SetFilePointer, CreateFileA, ExitProcess, GetModuleFileNameA, VirtualAlloc, VirtualProtect, VirtualFree, GetProcAddress, LoadLibraryA, IsBadReadPtr, lstrcmpiA, FreeLibrary, HeapReAlloc, GetModuleHandleA, GetStartupInfoA, GetCommandLineA

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    -----------------------
    File taskswitch.exe received on 2009.10.25 20:01:43 (UTC)
    Result: 22/41 (53.66%)

    Antivirus Version Last Update Result
    a-squared 4.5.0.41 2009.10.25 Trojan-Downloader.Win32.Small!IK
    AhnLab-V3 5.0.0.2 2009.10.23 -
    AntiVir 7.9.1.44 2009.10.23 TR/Dldr.Small.anvz
    Antiy-AVL 2.0.3.7 2009.10.23 Trojan/Win32.Small.gen
    Authentium 5.1.2.4 2009.10.25 -
    Avast 4.8.1351.0 2009.10.25 -
    AVG 8.5.0.423 2009.10.25 Worm/Koobface.K
    BitDefender 7.2 2009.10.25 -
    CAT-QuickHeal 10.00 2009.10.24 TrojanDownloader.Small.anvz
    ClamAV 0.94.1 2009.10.25 Trojan.Downloader-80685
    Comodo 2729 2009.10.25 UnclassifiedMalware
    DrWeb 5.0.0.12182 2009.10.25 -
    eSafe 7.0.17.0 2009.10.25 Win32.Adclicker
    eTrust-Vet 35.1.7082 2009.10.23 Win32/Donloz.ADF
    F-Prot 4.5.1.85 2009.10.25 -
    F-Secure 9.0.15370.0 2009.10.22 -
    Fortinet 3.120.0.0 2009.10.25 W32/Small.ANVZ!tr.dldr
    GData 19 2009.10.25 -
    Ikarus T3.1.1.72.0 2009.10.25 Trojan-Downloader.Win32.Small
    Jiangmin 11.0.800 2009.10.24 TrojanDownloader.Small.aokk
    K7AntiVirus 7.10.879 2009.10.24 Trojan.Win32.Malware.1
    Kaspersky 7.0.0.125 2009.10.25 Trojan-Downloader.Win32.Small.anvz
    McAfee 5782 2009.10.25 -
    McAfee+Artemis 5782 2009.10.25 Artemis!EC3170C08663
    McAfee-GW-Edition 6.8.5 2009.10.25 Heuristic.BehavesLike.Win32.PasswordStealer.H
    Microsoft 1.5202 2009.10.25 Trojan:Win32/Meredrop
    NOD32 4541 2009.10.25 Win32/TrojanDownloader.Unruy.AA
    Norman 6.03.02 2009.10.23 -
    nProtect 2009.1.8.0 2009.10.25 Trojan-Downloader/W32.Small.30720.O
    Panda 10.0.2.2 2009.10.25 Trj/Downloader.MDW
    PCTools 4.4.2.0 2009.10.19 -
    Prevx 3.0 2009.10.25 -
    Rising 21.52.62.00 2009.10.25 -
    Sophos 4.46.0 2009.10.25 Mal/Generic-A
    Sunbelt 3.2.1858.2 2009.10.25 -
    Symantec 1.4.4.12 2009.10.25 Trojan.Adclicker
    TheHacker 6.5.0.2.053 2009.10.24 -
    TrendMicro 8.950.0.1094 2009.10.25 -
    VBA32 3.12.10.11 2009.10.23 -
    ViRobot 2009.10.23.2003 2009.10.23 -
    VirusBuster 4.6.5.0 2009.10.25 -
    Additional information
    File size: 30720 bytes
    MD5...: ec3170c08663951a14a20d4981790521
    SHA1..: 23c7ec2432f55d59537b84dc011f6bbcfa6638f9
    SHA256: 2ef4cbc616d5574120ef15d118e11c1e213b7a69adf6baaf6b074f136a473352
    ssdeep: 768:KtJNldbYDMdwnIkmJFustctrUhQFyP+LDkfboboW9Y:KtJJA2cDkfbQoW+
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x3a9f
    timedatestamp.....: 0x4acbfd72 (Wed Oct 07 02:31:14 2009)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x2b7e 0x2c00 5.86 327a07d66b104d0284f499a4dc2756ca
    .rdata 0x4000 0x2c6 0x400 3.68 273c9b096c2382ba84e7db5be3659569
    .data 0x5000 0x10af0 0x4400 6.81 6c70b9c9059b2bbb018f92303ade017e

    ( 1 imports )
    > KERNEL32.dll: GetFileAttributesExA, HeapDestroy, Sleep, HeapFree, QueryPerformanceCounter, HeapCreate, HeapAlloc, GetProcessHeap, CloseHandle, GetTickCount, ReadFile, SetFilePointer, CreateFileA, ExitProcess, GetModuleFileNameA, VirtualAlloc, VirtualProtect, VirtualFree, GetProcAddress, LoadLibraryA, IsBadReadPtr, lstrcmpiA, FreeLibrary, HeapReAlloc, GetModuleHandleA, GetStartupInfoA, GetCommandLineA

    ( 0 exports )
    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable Generic (42.3%)
    Win32 Dynamic Link Library (generic) (37.6%)
    Generic Win/DOS Executable (9.9%)
    DOS Executable Generic (9.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

    Quote Originally Posted by Blade81
    Hi,

    Upload these files to http://www.virustotal.com and post back the results:
    c:\windows\system32\oodtray.exe
    c:\windows\system32\taskswitch.exe


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://forums.spybot.info/showthread.php?p=343681#post343681
    Suspect::
    c:\documents and settings\bferry_pt\alcxmntr.exe
    c:\documents and settings\bferry_pt\alcxmntr .exe
    c:\windows\system32\l3fmoeusvvbr.dll
    c:\windows\system32\l3fmoetsvvsr.exe70
    c:\windows\system32\l3fmoetsvvsr.exe112
    c:\windows\system32\l3fmoetsvvsr.exe
    Driver::
    NPHJLURBWVFY
    UQRYGVQ
    File::
    c:\docume~1\BFERRY~1\LOCALS~1\Temp\NPHJLURBWVFY.exe
    c:\docume~1\BFERRY~1\LOCALS~1\Temp\UQRYGVQ.exe
    Folder::
    c:\documents and settings\BFERRY_PT\Application Data\uTorrent
    c:\program files\uTorrent

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe. Keep network connection enabled and follow given instructions to submit some file samples.
    Then post the resultant log.


    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.


    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
    Damn_VCT
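The two reports above carry the same MD5, SHA1 and SHA256, so taskswitch_.exe and taskswitch.exe are byte-identical copies of one 30720-byte file. The PEInfo block is what explains why the file looks "criptographed": the .data section is declared with a virtual size of 0x10af0 but holds only 0x4400 bytes on disk at 6.81 bits of entropy, and the only imports are a minimal KERNEL32 set that includes VirtualAlloc, VirtualProtect, LoadLibraryA and GetProcAddress, which is exactly what a stub needs to decrypt a payload into fresh memory, make it executable and resolve its imports by hand. The Python below is an added example (not code from the thread, from VirusTotal or from any tool named in it) that reproduces that part of the report with the standard library: it parses a PE section table, computes per-section Shannon entropy and flags those three indicators. The image it analyses is constructed inline to mirror the report's section layout and is not the real sample; the 6.5-bit entropy and 2x virtual/raw thresholds are assumed triage cut-offs.

```python
"""Section-entropy and import triage for a Win32 PE, reproducing the "PEInfo" block
of the VirusTotal reports above. Added example for this thread, not code from the
original posts or from VirusTotal; standard library only. The image built here is a
constructed demo, NOT taskswitch.exe; the cut-offs (6.5 bits entropy, 2x
virtual/raw growth) are assumed triage values."""
import math
import random
import struct
from collections import Counter

# KERNEL32.dll import list as printed in the report above.
REPORTED_IMPORTS = [
    "GetFileAttributesExA", "HeapDestroy", "Sleep", "HeapFree", "QueryPerformanceCounter",
    "HeapCreate", "HeapAlloc", "GetProcessHeap", "CloseHandle", "GetTickCount", "ReadFile",
    "SetFilePointer", "CreateFileA", "ExitProcess", "GetModuleFileNameA", "VirtualAlloc",
    "VirtualProtect", "VirtualFree", "GetProcAddress", "LoadLibraryA", "IsBadReadPtr",
    "lstrcmpiA", "FreeLibrary", "HeapReAlloc", "GetModuleHandleA", "GetStartupInfoA",
    "GetCommandLineA"]
# A self-unpacking stub needs writable+executable memory for the decrypted
# payload and a way to resolve that payload's imports by hand:
UNPACK_STUB_IMPORTS = {"VirtualAlloc", "VirtualProtect", "LoadLibraryA", "GetProcAddress"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); the report's 'ntrpy' column."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_sample_pe(sections, file_align=0x200, sect_align=0x1000) -> bytes:
    """Constructed PE32 from (name, virtual_size, raw_bytes); parseable, not loadable."""
    n, opt_size = len(sections), 224                   # PE32 optional header size
    hdr_end = -(-(0x40 + 24 + opt_size + 40 * n) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0x4ACBFD72, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3A9F)            # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    hdrs, body, rva, raw_ptr = b"", b"", sect_align, hdr_end
    for name, vsize, raw in sections:
        raw += b"\0" * (-len(raw) % file_align)        # pad to FileAlignment
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, rva, len(raw),
                            raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        rva += -(-max(vsize, len(raw)) // sect_align) * sect_align
        raw_ptr += len(raw)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return head + b"\0" * (hdr_end - len(head)) + body

def parse_pe(pe: bytes):
    """Walk DOS -> COFF -> section table; return (header dict, list of section dicts)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    header = {"machine": machine, "sections": nsec, "timestamp": stamp}
    table = e_lfanew + 24 + opt_size                   # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "virtual_size": vsize, "raw_size": rsize,
                         "entropy": round(shannon_entropy(pe[rptr:rptr + rsize]), 2)})
    return header, sections

def packer_indicators(sections, imports, entropy_threshold=6.5, growth=2.0):
    """Reasons to treat the file as packed/encrypted (thresholds are assumed)."""
    reasons = []
    for s in sections:
        if s["entropy"] >= entropy_threshold:
            reasons.append(f"{s['name']}: entropy {s['entropy']} looks compressed/encrypted")
        if s["raw_size"] and s["virtual_size"] / s["raw_size"] >= growth:
            reasons.append(f"{s['name']}: virtual {s['virtual_size']:#x} vs raw "
                           f"{s['raw_size']:#x}, room for an unpacked payload")
    if UNPACK_STUB_IMPORTS <= set(imports):
        reasons.append("imports VirtualAlloc/VirtualProtect/LoadLibraryA/GetProcAddress: "
                       "self-loading stub")
    return reasons

def sample_pe() -> bytes:
    """Constructed image laid out like the report: low-entropy .text, small .rdata of
    strings, and a .data whose virtual size is ~4x its raw size of seeded random bytes."""
    rng = random.Random(20091025)
    return build_sample_pe([
        (".text", 0x2B7E, bytes(range(16)) * 704),
        (".rdata", 0x2C6, b"\0".join(s.encode() for s in ["KERNEL32.dll"] + REPORTED_IMPORTS)),
        (".data", 0x10AF0, bytes(rng.getrandbits(8) for _ in range(0x4400)))])

if __name__ == "__main__":
    header, secs = parse_pe(sample_pe())
    for s in secs:
        print(f"{s['name']:<7} va {s['va']:#07x} vsize {s['virtual_size']:#07x} "
              f"raw {s['raw_size']:#07x} entropy {s['entropy']:.2f}")
    for reason in packer_indicators(secs, REPORTED_IMPORTS):
        print("  !", reason)
```

Point parse_pe at a real file (`parse_pe(open(path, "rb").read())`) and the section lines come out in the same shape as the report's "( 3 sections )" table; on the constructed image only .data trips the entropy and growth checks, and removing VirtualProtect from the import list drops the stub indicator. High entropy alone is not proof of packing (compressed resources and certificates score high too), which is why the growth ratio and the import set are checked together.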

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Thanks for the results. Shall see for further steps after those other things are done.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
