
Thread: Spybot found/fixed smitfraud.c, but still problems

  1. #1
    Junior Member
    Join Date
    Mar 2010
    Posts
    9

    Spybot found/fixed smitfraud.c, but still problems

    Idiot me clicked on an .exe downloaded from usenet. I know, I don't deserve any help. I should be put to sleep.

    McAfee VS 8.0.0 patch 10 with the March 9, 2010 DAT OnDemand scan finds nothing. Spybot 1.6.2.46 with the 3/3/2010 update found smitfraud.c and supposedly fixed it, but I still get a protracted "Setting up personalized settings for..." after logging on, several "qGKMEe has encountered a problem and needs to close..." boxes at startup, and other program failures and weirdness. TeaTimer has been turned off. I ran ERUNT and backed up my registry. HiJackThis log:

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 10:20:24 PM, on 3/10/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    C:\Program Files\Southwest Airlines\Ding\Ding.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [HKLM] C:\WINDOWS\system32\svs\server.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [HKCU] C:\WINDOWS\system32\svs\server.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\svs\server.exe
    O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\WINDOWS\system32\svs\server.exe
    O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
    O4 - Global Startup: Giganews Accelerator.lnk = C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1175056199530
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/soft...5111/CTPID.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

    --
    End of file - 7745 bytes

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hello,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.

    Download GMER here by clicking the download exe button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab and then Scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is ready, click Copy.
    • This copies the log to the clipboard.
    • Post the log in your reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Mar 2010
    Posts
    9


    Thank you Blade for helping!!!

    Below are DDS.txt and Attach.txt. I'm having lots of trouble with getting GMER to run, and will have to try again tomorrow. I was able to disable TeaTimer, but having trouble disabling McAfee VirusScan - hope that's not a problem in these logs.

    DDS.txt:


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by David at 23:01:58.96 on Mon 03/15/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1312 [GMT -7:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    svchost.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\svs\server.exe
    C:\WINDOWS\system32\svs\server.exe
    C:\WINDOWS\system32\svs\server.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\svs\server.exe
    C:\WINDOWS\system32\svs\server.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
    C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    C:\Program Files\Southwest Airlines\Ding\Ding.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Network Associates\VirusScan\entvutil.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Documents and Settings\David\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [HKCU] c:\windows\system32\svs\server.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
    uRun: [ATI Launchpad]
    uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
    mRun: [HKLM] c:\windows\system32\svs\server.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
    mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    uExplorerRun: [Policies] c:\windows\system32\svs\server.exe
    mExplorerRun: [Policies] c:\windows\system32\svs\server.exe
    StartupFolder: c:\docume~1\david\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gigane~1.lnk - c:\program files\giganews accelerator\GiganewsAccelerator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\dtv\EXPLBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175056199530
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    mASetup: {41H38OH6-7B63-314K-GB57-RPD7623U012U} - c:\windows\system32\svs\server.exe
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-3-27 58464]
    R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]
    R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
    R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
    R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2009-6-23 18840]
    R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
    R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-3-27 108480]
    S2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-3-27 102463]
    S2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-12-17 79360]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
    S3 USBAV191;Instant VideoXpress;c:\windows\system32\drivers\USBAV191.SYS [2005-4-27 120128]

    =============== Created Last 30 ================

    2010-03-11 05:39:08 0 d-----w- c:\program files\TrendMicro
    2010-03-06 23:56:16 0 d-----w- c:\program files\LearnKey
    2010-03-06 08:50:50 0 d-----w- c:\program files\common files\Creative
    2010-03-06 08:50:47 0 d--h--w- c:\program files\Creative Installation Information
    2010-03-06 07:44:16 0 d-----w- c:\program files\NewsBin
    2010-02-27 09:54:56 0 d-----w- c:\program files\foobar2000

    ==================== Find3M ====================

    2010-03-16 05:54:32 387052 ---ha-w- c:\docume~1\david\applic~1\logs.dat
    2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-17 09:01:49 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2009-12-17 09:01:49 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-02-16 08:37:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021620090217\index.dat
    2005-06-11 21:53:31 364544 --sh--r- c:\windows\system32\svs\server.exe

    ============= FINISH: 23:03:55.43 ===============


    Attach.txt:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 3/27/2007 10:13:01 PM
    System Uptime: 3/15/2010 10:49:12 PM (1 hours ago)

    Motherboard: ASUSTeK Computer Inc. | | P4P800-E
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | CPU 1 | 2798/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 128 GiB total, 107.869 GiB free.
    D: is CDROM (CDFS)
    F: is FIXED (NTFS) - 571 GiB total, 16.11 GiB free.
    G: is FIXED (NTFS) - 699 GiB total, 23.911 GiB free.
    H: is Removable
    I: is Removable
    J: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Universal Serial Bus (USB) Controller
    Device ID: PCI\VEN_8086&DEV_24DD&SUBSYS_80A61043&REV_02\3&267A616A&0&EF
    Manufacturer:
    Name: Universal Serial Bus (USB) Controller
    PNP Device ID: PCI\VEN_8086&DEV_24DD&SUBSYS_80A61043&REV_02\3&267A616A&0&EF
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Multimedia Audio Controller
    Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_812A1043&REV_02\3&267A616A&0&FD
    Manufacturer:
    Name: Multimedia Audio Controller
    PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_812A1043&REV_02\3&267A616A&0&FD
    Service:

    ==== System Restore Points ===================

    RP1: 3/9/2010 11:54:20 PM - System Checkpoint
    RP2: 3/10/2010 9:39:07 PM - Installed HiJackThis
    RP3: 3/11/2010 10:29:48 PM - System Checkpoint

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.3.1
    Altap Salamander 2.51
    Apple Application Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI AVIVO Codecs
    ATI Catalyst Control Center
    ATI Decoder
    ATI Display Driver
    ATI Multimedia Center
    ATI Multimedia Center 9.16
    AVIVO Codecs
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center HydraVision Full
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help English
    Creative Audio Console
    Creative MediaSource
    Creative MediaSource 5
    Creative Software AutoUpdate
    Creative WaveStudio 7
    Critical Update for Windows Media Player 11 (KB959772)
    DAO
    DING!
    DVD Decrypter (Remove Only)
    eBay Icon
    ERUNT 1.1j
    Exact Audio Copy 0.99pb5
    FLAC 1.2.1b (remove only)
    foobar2000 v1.0
    Giganews Accelerator
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    HydraVision
    Java(TM) 6 Update 17
    LightScribe Applications
    LightScribe System Software
    M4a/Flac/Ogg/Ape/Mpc Tag Support Plugin for Media Player v 1.1
    Marvell Miniport Driver
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Monkey's Audio
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB954459)
    NewsBin Pro
    OGA Notifier 2.0.0048.0
    oggcodecs 0.71.0946
    PrintKey2000
    QuickPar 0.9
    QuickTime
    RadLight APE DirectShow filter (remove only)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    Skins
    SoundFont Bank Manager
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    TitanTV Client components for ATI
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB978506)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VLC media player 1.0.5
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Encoder 9 Series
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows PowerShell(TM) 1.0
    Windows Presentation Foundation
    Windows XP Service Pack 3
    WinRAR archiver
    WinZip
    WMPTagSupportExtender
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    3/15/2010 10:58:36 PM, error: Service Control Manager [7034] - The Network Associates McShield service terminated unexpectedly. It has done this 1 time(s).
    3/15/2010 10:34:01 PM, error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s).
    3/15/2010 10:33:48 PM, error: Service Control Manager [7034] - The Network Associates Task Manager service terminated unexpectedly. It has done this 1 time(s).
    3/14/2010 1:33:05 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================
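The two logs above repeat the same unsigned executable across five autostart locations, register it under an Active Setup key whose "GUID" is not even hex, and carry a hosts entry that points a security-help site at loopback. The script below is an added example, not part of this thread and not code from HijackThis, DDS or the helper's instructions: it parses lines in the shape of both reports (HijackThis `O4`/`O1` lines and the DDS Pseudo HJT `uRun`/`mRun`/`uExplorerRun`/`mExplorerRun`/`mASetup`/`Hosts` lines) and flags those three indicators. The sample text, the location labels and the three heuristics are the example's own assumptions; the paths are copied from the posted logs.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis "O4"/"O1" lines and the
# DDS "Pseudo HJT Report" lines posted in this thread (paths copied from them).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HKLM] C:\WINDOWS\system32\svs\server.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [HKCU] C:\WINDOWS\system32\svs\server.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
uRun: [HKCU] c:\windows\system32\svs\server.exe
uExplorerRun: [Policies] c:\windows\system32\svs\server.exe
mExplorerRun: [Policies] c:\windows\system32\svs\server.exe
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {41H38OH6-7B63-314K-GB57-RPD7623U012U} - c:\windows\system32\svs\server.exe
O1 - Hosts: ::1 localhost
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# One regex per report dialect; both are mapped onto the same location labels.
HJT_O4 = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|Policies\\Explorer\\Run): \[[^\]]*\] (.+)$')
DDS_RUN = re.compile(r'^([um])(Run|ExplorerRun): \[[^\]]*\] (.+)$')
DDS_ASETUP = re.compile(r'^mASetup: \{([^}]+)\} - (.+)$')
HOSTS = re.compile(r'^(?:O1 - )?Hosts: (\S+) (\S+)$')
GUID = re.compile(r'^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$')
LOOPBACK = {'127.0.0.1', '::1'}

DDS_HIVE = {'u': 'HKCU', 'm': 'HKLM'}          # DDS prefix -> registry hive
DDS_KEY = {'Run': 'Run', 'ExplorerRun': r'Policies\Explorer\Run'}


def exe_path(cmd):
    """Normalise a Run-value command line to its lower-cased executable path."""
    m = re.match(r'\s*"?(.*?\.exe)', cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd.strip()).lower()


def analyze(log_text):
    """Return the three persistence indicators found in HJT/DDS-style lines."""
    locations = defaultdict(set)   # exe path -> set of autostart locations
    bad_guids = []                 # Active Setup entries keyed by a non-GUID
    hosts_redirects = []           # hosts lines pointing a real name at loopback
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HJT_O4.match(line):
            locations[exe_path(m.group(3))].add(f'{m.group(1)}\\{m.group(2)}')
        elif m := DDS_RUN.match(line):
            label = f'{DDS_HIVE[m.group(1)]}\\{DDS_KEY[m.group(2)]}'
            locations[exe_path(m.group(3))].add(label)
        elif m := DDS_ASETUP.match(line):
            guid, cmd = m.group(1), m.group(2)
            # Active Setup StubPath entries are keyed by a CLSID; a key that is
            # not valid hex was typed by hand, not generated by an installer.
            locations[exe_path(cmd)].add(r'HKLM\ActiveSetup')
            if not GUID.match(guid):
                bad_guids.append((guid, exe_path(cmd)))
        elif m := HOSTS.match(line):
            addr, name = m.group(1), m.group(2)
            # Only "localhost" legitimately maps to a loopback address.
            if addr in LOOPBACK and name.lower() != 'localhost':
                hosts_redirects.append((name, addr))
    return {
        # The same binary in two or more autostart spots is the classic pattern
        # of malware making sure at least one launcher survives clean-up.
        'multi_location': {p: sorted(locs) for p, locs in locations.items() if len(locs) > 1},
        'bad_activesetup_guid': bad_guids,
        'hosts_redirect': hosts_redirects,
    }


if __name__ == '__main__':
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind)
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print('   ', hit)
```

Run over the sample, `multi_location` reports `server.exe` in both hives' `Run` keys, both `Policies\Explorer\Run` keys and Active Setup, while `jusched.exe`, `ctfmon.exe` and `LSRunOnce.exe` each appear once and are not listed; the malformed Active Setup key and the `www.spywareinfo.com` redirect are reported separately. The heuristics are deliberately narrow so that a single legitimate Run entry never trips them.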

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    If GMER crashes, try running it with Sections and Devices unselected. Also, make sure antivirus protection is disabled during the scan.

  5. #5
    Junior Member
    Join Date
    Mar 2010
    Posts
    9

    Default

    I got GMER to run with Sections and IAT/EAT unchecked. Let me know if that is not OK. Here's the result:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-03-16 21:53:55
    Windows 5.1.2600 Service Pack 3
    Running: ir7w9kxn.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\pwtyyaow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

    ---- Processes - GMER 1.0.15 ----

    Process C:\WINDOWS\explorer.exe (*** hidden *** ) 2116
    Library C:\Program (*** hidden *** ) @ C:\Program Files\Giganews Accelerator\GiganewsAccelerator.exe [4176] 0x33940000

    ---- EOF - GMER 1.0.15 ----

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.


    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  7. #7
    Junior Member
    Join Date
    Mar 2010
    Posts
    9

    Default

    Hello Blade81! Thanks again for your help. I'm really fascinated by this whole process. While I don't want to waste your time, do you know of any links that would explain the details of what we're doing here? I'd like to learn from this, if I can.

    Here's the ComboFix.txt, followed by a new DDS.txt:

    ComboFix 10-03-16.03 - David 03/17/2010 19:34:35.1.2 - x86
    Running from: c:\documents and settings\David\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\David\Application Data\Desktopicon
    c:\documents and settings\David\Application Data\Desktopicon\eBay.ico
    c:\documents and settings\David\Application Data\Desktopicon\uninst.exe
    c:\documents and settings\David\Application Data\logs.dat
    c:\recycler\S-1-5-21-57989841-1425521274-682003330-1003

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
    .

    2010-03-11 05:36 . 2010-03-11 05:36 -------- d-----w- c:\program files\ERUNT
    2010-03-06 23:56 . 2003-05-12 20:35 475136 ----a-w- c:\windows\lk_c4.dll
    2010-03-06 23:56 . 2002-06-27 16:24 399872 ----a-w- c:\windows\c4dstand.dll
    2010-03-06 23:56 . 2010-03-06 23:56 -------- d-----w- c:\program files\LearnKey
    2010-03-06 23:56 . 2001-01-25 10:12 98304 ----a-w- c:\windows\system32\tsccvid.dll
    2010-03-06 23:56 . 2003-07-02 17:03 600576 ----a-w- c:\windows\LkUnInst.exe
    2010-03-06 08:51 . 1999-11-18 09:00 25088 ------w- c:\windows\system32\CTSVCCTL.EXE
    2010-03-06 08:51 . 1999-12-13 09:01 44032 ------w- c:\windows\system32\CTSVCCDA.EXE
    2010-03-06 08:50 . 2010-03-06 08:50 -------- d-----w- c:\program files\Common Files\Creative
    2010-03-06 08:50 . 2010-03-06 08:50 -------- d--h--w- c:\program files\Creative Installation Information
    2010-03-06 08:48 . 2010-03-06 08:48 11690872 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative MediaSource Plugin for CD Burner 3.10.18__\CMS_BURNER_PCAPP_LB_3_10_18.exe
    2010-03-06 08:47 . 2010-03-06 08:48 54743966 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative MediaSource Player_Organizer 3.30.21__\CMS_PCAPP_LB_3_30_21.exe
    2010-03-06 08:47 . 2010-03-06 08:47 6390815 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative SoundFont Bank Manager Web Update ver 1.00.21__\SFBM_WEB_030909.exe
    2010-03-06 08:47 . 2010-03-06 08:47 12907880 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative WaveStudio 7.12.00__\WAVESTD_PCAPP_LB_7_12_00.exe
    2010-03-06 08:46 . 2010-03-06 08:47 37634288 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative MediaSource 5 Player_Organizer 5.26.02__\CMS5_PCAPP_LB_5_26_02.exe
    2010-03-06 07:44 . 2010-03-09 09:10 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\NewsBin
    2010-03-06 07:44 . 2010-03-06 07:44 -------- d-----w- c:\program files\NewsBin
    2010-02-27 09:54 . 2010-02-27 09:55 -------- d-----w- c:\program files\foobar2000
    2010-02-27 09:29 . 2010-03-17 06:14 -------- d-----w- c:\documents and settings\David\Application Data\vlc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-11 05:39 . 2010-03-11 05:39 388096 ----a-r- c:\documents and settings\David\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-11 05:39 . 2010-03-11 05:39 -------- d-----w- c:\program files\TrendMicro
    2010-03-06 09:02 . 2007-04-01 07:00 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-06 09:00 . 2007-04-01 07:00 -------- d-----w- c:\program files\Creative
    2010-02-27 09:55 . 2009-06-29 10:22 -------- d-----w- c:\documents and settings\David\Application Data\foobar2000
    2010-02-27 09:01 . 2009-06-24 07:58 -------- d-----w- c:\documents and settings\David\Application Data\ATI MMC
    2010-02-27 09:01 . 2008-01-27 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI MMC
    2010-02-27 08:51 . 2010-02-11 07:01 -------- d-----w- c:\documents and settings\David\Application Data\AccurateRip
    2010-02-27 08:33 . 2007-04-01 06:20 -------- d-----w- c:\program files\Flac
    2010-02-11 07:10 . 2010-02-11 07:10 -------- d-----w- c:\documents and settings\David\Application Data\Cool Burning Studio
    2010-02-11 07:01 . 2010-02-11 07:01 -------- d-----w- c:\program files\Exact Audio Copy
    2010-02-10 03:33 . 2009-01-18 08:14 -------- d-----w- c:\documents and settings\David\Application Data\dvdcss
    2010-01-25 08:52 . 2010-01-25 08:52 -------- d-----w- c:\documents and settings\David\Application Data\Office Genuine Advantage
    2010-01-21 05:01 . 2009-04-12 02:45 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-12-31 16:50 . 2001-08-23 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2004-01-08 23:23 916480 ----a-w- c:\windows\system32\wininet.dll
    2005-06-11 21:53 . 2005-06-11 21:53 364544 --sh--r- c:\windows\system32\svs\server.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
    "ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2006-11-01 57344]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
    "ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 94208]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
    "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
    "CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
    "CTHelper"="CTHELPER.EXE" [2009-06-23 19456]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\documents and settings\David\Start Menu\Programs\Startup\
    DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Giganews Accelerator.lnk - c:\program files\Giganews Accelerator\GiganewsAccelerator.exe [2007-12-18 757760]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-4-16 869376]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\NewsBin\\nbpro.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=

    R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2009-06-23 99352]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-17 79360]
    R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2009-06-23 555032]
    R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2009-06-23 100888]
    R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2009-06-23 100888]
    R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2009-06-23 566296]
    R3 USBAV191;Instant VideoXpress;c:\windows\system32\DRIVERS\USBAV191.SYS [2005-04-28 120128]
    S1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-01-15 58464]
    S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2009-06-23 99352]
    S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2009-06-23 555032]
    S3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2009-06-23 18840]
    S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2009-06-23 566296]


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2009-04-13 22:08 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{41H38OH6-7B63-314K-GB57-RPD7623U012U}]
    2005-06-11 21:53 364544 --sh--r- c:\windows\system32\svs\server.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-ATI Launchpad - (no file)
    AddRemove-eBay Icon - c:\documents and settings\David\Application Data\Desktopicon\uninst.exe



    **************************************************************************
    scanning hidden processes ...

    ? [2976]
    GiganewsAcceler [2976] 0x8963DDA0
    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(664)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-03-17 19:41:13
    ComboFix-quarantined-files.txt 2010-03-18 02:41

    Pre-Run: 115,687,362,560 bytes free
    Post-Run: 115,704,807,424 bytes free

    - - End Of File - - F9577CE927F05B06D2C000209D937101



    DDS.txt:



    DDS (Ver_09-12-01.01) - NTFSx86
    Run by David at 19:50:08.75 on Wed 03/17/2010
    Internet Explorer: 8.0.6001.18702

    ============== Running Processes ===============


    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
    uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
    uRun: [HKCU] c:\windows\system32\svs\server.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
    mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HKLM] c:\windows\system32\svs\server.exe
    uExplorerRun: [Policies] c:\windows\system32\svs\server.exe
    mExplorerRun: [Policies] c:\windows\system32\svs\server.exe
    StartupFolder: c:\docume~1\david\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gigane~1.lnk - c:\program files\giganews accelerator\GiganewsAccelerator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\dtv\EXPLBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175056199530
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    mASetup: {41H38OH6-7B63-314K-GB57-RPD7623U012U} - c:\windows\system32\svs\server.exe
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2010-03-11 05:39:08 0 d-----w- c:\program files\TrendMicro
    2010-03-06 23:56:16 0 d-----w- c:\program files\LearnKey
    2010-03-06 08:50:50 0 d-----w- c:\program files\common files\Creative
    2010-03-06 08:50:47 0 d--h--w- c:\program files\Creative Installation Information
    2010-03-06 07:44:16 0 d-----w- c:\program files\NewsBin
    2010-02-27 09:54:56 0 d-----w- c:\program files\foobar2000

    ==================== Find3M ====================

    2010-03-18 02:43:00 159 ---ha-w- c:\docume~1\david\applic~1\logs.dat
    2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
    2009-02-16 08:37:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021620090217\index.dat
    2005-06-11 21:53:31 364544 --sh--r- c:\windows\system32\svs\server.exe

    ============= FINISH: 19:54:53.64 ===============

  8. #8
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    There're some schools teaching malware removal. I'll give you a list when we've got the case ready.

    Did ComboFix ask for permission to install recovery console? Please run ComboFix again and let it install the console.


    Show hidden files
    -----------------
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

    Upload the following file to http://www.virustotal.com and post back the results:
    c:\windows\system32\svs\server.exe

  9. #9
    Junior Member
    Join Date
    Mar 2010
    Posts
    9

    Default

    As soon as I had noticed I had this virus/malware, I pulled my network cable and wasn't about to re-attach it until I was clean. But I hooked it back up so ComboFix.exe could d/l the Recovery Console. Here's the ComboFix.exe log run after Recovery Console:

    ComboFix 10-03-16.03 - David 03/18/2010 19:51:08.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1514 [GMT -7:00]
    Running from: c:\documents and settings\David\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\David\Application Data\logs.dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
    .

    2010-03-11 05:39 . 2010-03-11 05:39 388096 ----a-r- c:\documents and settings\David\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-11 05:39 . 2010-03-11 05:39 -------- d-----w- c:\program files\TrendMicro
    2010-03-11 05:36 . 2010-03-11 05:36 -------- d-----w- c:\program files\ERUNT
    2010-03-06 23:56 . 2003-05-12 20:35 475136 ----a-w- c:\windows\lk_c4.dll
    2010-03-06 23:56 . 2002-06-27 16:24 399872 ----a-w- c:\windows\c4dstand.dll
    2010-03-06 23:56 . 2010-03-06 23:56 -------- d-----w- c:\program files\LearnKey
    2010-03-06 23:56 . 2001-01-25 10:12 98304 ----a-w- c:\windows\system32\tsccvid.dll
    2010-03-06 23:56 . 2003-07-02 17:03 600576 ----a-w- c:\windows\LkUnInst.exe
    2010-03-06 08:51 . 1999-11-18 09:00 25088 ------w- c:\windows\system32\CTSVCCTL.EXE
    2010-03-06 08:51 . 1999-12-13 09:01 44032 ------w- c:\windows\system32\CTSVCCDA.EXE
    2010-03-06 08:50 . 2010-03-06 08:50 -------- d-----w- c:\program files\Common Files\Creative
    2010-03-06 08:50 . 2010-03-06 08:50 -------- d--h--w- c:\program files\Creative Installation Information
    2010-03-06 08:48 . 2010-03-06 08:48 11690872 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative MediaSource Plugin for CD Burner 3.10.18__\CMS_BURNER_PCAPP_LB_3_10_18.exe
    2010-03-06 08:47 . 2010-03-06 08:48 54743966 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative MediaSource Player_Organizer 3.30.21__\CMS_PCAPP_LB_3_30_21.exe
    2010-03-06 08:47 . 2010-03-06 08:47 6390815 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative SoundFont Bank Manager Web Update ver 1.00.21__\SFBM_WEB_030909.exe
    2010-03-06 08:47 . 2010-03-06 08:47 12907880 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative WaveStudio 7.12.00__\WAVESTD_PCAPP_LB_7_12_00.exe
    2010-03-06 08:46 . 2010-03-06 08:47 37634288 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative MediaSource 5 Player_Organizer 5.26.02__\CMS5_PCAPP_LB_5_26_02.exe
    2010-03-06 07:44 . 2010-03-09 09:10 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\NewsBin
    2010-03-06 07:44 . 2010-03-06 07:44 -------- d-----w- c:\program files\NewsBin
    2010-02-27 09:54 . 2010-02-27 09:55 -------- d-----w- c:\program files\foobar2000
    2010-02-27 09:29 . 2010-03-18 03:42 -------- d-----w- c:\documents and settings\David\Application Data\vlc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-06 09:02 . 2007-04-01 07:00 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-06 09:00 . 2007-04-01 07:00 -------- d-----w- c:\program files\Creative
    2010-02-27 09:55 . 2009-06-29 10:22 -------- d-----w- c:\documents and settings\David\Application Data\foobar2000
    2010-02-27 09:01 . 2009-06-24 07:58 -------- d-----w- c:\documents and settings\David\Application Data\ATI MMC
    2010-02-27 09:01 . 2008-01-27 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI MMC
    2010-02-27 08:51 . 2010-02-11 07:01 -------- d-----w- c:\documents and settings\David\Application Data\AccurateRip
    2010-02-27 08:33 . 2007-04-01 06:20 -------- d-----w- c:\program files\Flac
    2010-02-11 07:10 . 2010-02-11 07:10 -------- d-----w- c:\documents and settings\David\Application Data\Cool Burning Studio
    2010-02-11 07:01 . 2010-02-11 07:01 -------- d-----w- c:\program files\Exact Audio Copy
    2010-02-10 03:33 . 2009-01-18 08:14 -------- d-----w- c:\documents and settings\David\Application Data\dvdcss
    2010-01-25 08:52 . 2010-01-25 08:52 -------- d-----w- c:\documents and settings\David\Application Data\Office Genuine Advantage
    2010-01-21 05:01 . 2009-04-12 02:45 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-12-31 16:50 . 2001-08-23 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2004-01-08 23:23 916480 ------w- c:\windows\system32\wininet.dll
    2005-06-11 21:53 . 2005-06-11 21:53 364544 --sh--r- c:\windows\system32\svs\server.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-03-18_02.39.38 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-03-19 01:57 . 2010-03-19 01:57 16384 c:\windows\Temp\Perflib_Perfdata_670.dat
    + 2010-03-19 01:57 . 2010-03-19 01:57 16384 c:\windows\Temp\Perflib_Perfdata_5f0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
    "ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2006-11-01 57344]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
    "ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 94208]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
    "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
    "CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]
    "CTHelper"="CTHELPER.EXE" [2009-06-23 19456]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\documents and settings\David\Start Menu\Programs\Startup\
    DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Giganews Accelerator.lnk - c:\program files\Giganews Accelerator\GiganewsAccelerator.exe [2007-12-18 757760]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2009-4-16 869376]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\NewsBin\\nbpro.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=

    R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [3/27/2007 10:03 PM 58464]
    R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 2:34 PM 99352]
    R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 2:34 PM 555032]
    R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [6/23/2009 2:36 PM 18840]
    R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 2:34 PM 566296]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [6/23/2009 2:34 PM 99352]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [12/17/2009 2:02 AM 79360]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [6/23/2009 2:34 PM 555032]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 2:35 PM 100888]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [6/23/2009 2:35 PM 100888]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [6/23/2009 2:34 PM 566296]
    S3 USBAV191;Instant VideoXpress;c:\windows\system32\drivers\USBAV191.SYS [4/27/2005 11:24 PM 120128]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2009-04-13 22:08 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{41H38OH6-7B63-314K-GB57-RPD7623U012U}]
    2005-06-11 21:53 364544 --sh--r- c:\windows\system32\svs\server.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-18 20:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    c:\windows\explorer.exe [16224] 0x899B9020

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(664)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-03-18 20:03:18
    ComboFix-quarantined-files.txt 2010-03-19 03:03
    ComboFix2.txt 2010-03-18 02:41

    Pre-Run: 115,673,141,248 bytes free
    Post-Run: 115,625,406,464 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    - - End Of File - - 5170A749ED73457A71ACEA9DFBA241D5




    --------------------------------------------------------------
    I rebooted my computer after running the ComboFix above. Very different! As Windows started, I was not bombarded with the usual dozen or so "qGKMEe has encountered..." and other error messages. Progress! :-)

    Here is the result from uploading the services.exe file - nasty!:
    --------------------------------------------------------------



    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.03.19 Backdoor.Win32.Poison!IK
    AhnLab-V3 5.0.0.2 2010.03.19 -
    AntiVir 8.2.1.194 2010.03.18 TR/Dropper.Gen
    Antiy-AVL 2.0.3.7 2010.03.19 -
    Authentium 5.2.0.5 2010.03.19 -
    Avast 4.8.1351.0 2010.03.18 Win32:Trojan-gen
    Avast5 5.0.332.0 2010.03.18 Win32:Trojan-gen
    AVG 9.0.0.787 2010.03.18 Dropper.Generic.BXEC
    BitDefender 7.2 2010.03.19 -
    CAT-QuickHeal 10.00 2010.03.19 (Suspicious) - DNAScan
    ClamAV 0.96.0.0-git 2010.03.19 -
    Comodo 4314 2010.03.19 -
    DrWeb 5.0.1.12222 2010.03.19 -
    eSafe 7.0.17.0 2010.03.18 -
    eTrust-Vet 35.2.7374 2010.03.19 -
    F-Prot 4.5.1.85 2010.03.18 -
    F-Secure 9.0.15370.0 2010.03.19 -
    Fortinet 4.0.14.0 2010.03.18 -
    GData 19 2010.03.19 Win32:Trojan-gen
    Ikarus T3.1.1.80.0 2010.03.19 Backdoor.Win32.Poison
    Jiangmin 13.0.900 2010.03.19 -
    K7AntiVirus 7.10.1001 2010.03.18 -
    McAfee 5924 2010.03.18 -
    McAfee+Artemis 5924 2010.03.18 -
    McAfee-GW-Edition 6.8.5 2010.03.18 Trojan.Dropper.Gen
    Microsoft 1.5605 2010.03.19 -
    NOD32 4956 2010.03.18 probably a variant of Win32/Injector.BAD
    Norman 6.04.09 2010.03.18 -
    nProtect 2009.1.8.0 2010.03.19 -
    Panda 10.0.2.2 2010.03.18 -
    PCTools 7.0.3.5 2010.03.19 -
    Rising 22.39.04.04 2010.03.19 -
    Sophos 4.51.0 2010.03.19 Sus/VB-BR
    Sunbelt 5965 2010.03.19 -
    Symantec 20091.2.0.41 2010.03.19 Suspicious.Insight
    TheHacker 6.5.2.0.238 2010.03.19 -
    TrendMicro 9.120.0.1004 2010.03.19 -
    VBA32 3.12.12.2 2010.03.17 -
    ViRobot 2010.3.19.2235 2010.03.19 -
    VirusBuster 5.0.27.0 2010.03.18 -
    Additional information
    File size: 364544 bytes
    MD5...: 19e1b6877ad55ba8ca794bb91edf3a4b
    SHA1..: f29d37285fa9df53d2eaf0a9d130e9e6038c2f6f
    SHA256: d4b81c2922bd5d4a84be018449f37d07a17dcf8279378c09de78d8a0a3a265e1
    ssdeep: 6144:O/MzS8ZpWnnVI8Y6e7pjHjXoVXykVrhbjd9iX0z2b5h9mS7EVg1KtlhbtXSbLa:TZYnnbVC0lDLGAS7EO1KZJXS

    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1180
    timedatestamp.....: 0x4b8d6b76 (Tue Mar 02 19:48:06 2010)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x1169c 0x12000 5.38 5a297aab6ce1b83ec2553b148fdc71fd
    .data 0x13000 0x888 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    .rsrc 0x14000 0x9d4 0x1000 2.21 c79d56c0c850a9d6935b49e5fab13a66
    .vbc 0x15000 0x45000 0x45000 7.98 39f1a627395e036a8186999a2bf3e8de

    ( 2 imports )
    > kernel32.dll: GetProcAddress
    > MSVBVM60.DLL: MethCallEngine, -, -, -, -, -, -, -, -, -, -, EVENT_SINK_AddRef, -, -, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, -, -, -, -, ProcCallEngine, -, -, -, -, -, -, -, -, -, -, -, -

    ( 0 exports )

    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Win32 Executable Generic (68.0%)
    Generic Win/DOS Executable (15.9%)
    DOS Executable Generic (15.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: lVDFaC
    copyright....: KLJOzsze
    product......: OnfbnD
    description..: qGKMEe
    original name: JSrmOQxRQfUAJJI.exe
    internal name: JSrmOQxRQfUAJJI
    file version.: 3.07.0094
    comments.....: VgANBnOlk
    signers......: -
    signing date.: -
    verified.....: Unsigned

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Glad to hear we're making progress

    Please have your internet connection open during the following operation.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    http://forums.spybot.info/showthread.php?p=364290#post364290
    Suspect::[76]
    c:\windows\system32\svs\server.exe
    DirLook::
    c:\windows\system32\svs

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
