Win32.TDSS.rtk

[Shaba]

That appears to be legit.

Delete these:

C:\Ignore Me\WINDOWS\cdocmf.bak1
C:\Ignore Me\WINDOWS\cdocmf.bak2
C:\Ignore Me\WINDOWS\cdocmf.ini
C:\Ignore Me\WINDOWS\system32\cfhkj.tmp
D:\WINDOWS\system32\doayssmn.tmp
D:\WINDOWS\system32\ysuxtgeh.tmp

Empty this folder:

D:\Qoobox\Quarantine\

Empty Recycle Bin.

Still problems?

 

[RiOmega]

i emptied the folder, and emptied my recycling bin, however, i am not able to find any of these

C:\Ignore Me\WINDOWS\cdocmf.bak1
C:\Ignore Me\WINDOWS\cdocmf.bak2
C:\Ignore Me\WINDOWS\cdocmf.ini
C:\Ignore Me\WINDOWS\system32\cfhkj.tmp
D:\WINDOWS\system32\doayssmn.tmp
D:\WINDOWS\system32\ysuxtgeh.tmp

i cannot seem to find the folder system32 in the Ignore me folder. same thing happened when i was trying to scan them, i couldn't find them, however, when i put in the name of the file, i was able to submit it to the online scanner. is there any other way to get rid of these files without going through the folders (there aren't search results either, but i'm sure the files are there, because i was able to send them and scan them)

 

[Shaba]

So we do this:

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  File::
  C:\Ignore Me\WINDOWS\cdocmf.bak1
  C:\Ignore Me\WINDOWS\cdocmf.bak2
  C:\Ignore Me\WINDOWS\cdocmf.ini
  C:\Ignore Me\WINDOWS\system32\cfhkj.tmp
  D:\WINDOWS\system32\doayssmn.tmp
  D:\WINDOWS\system32\ysuxtgeh.tmp

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

[RiOmega]

here it is

ComboFix 09-08-10.06 - Administrator 12/08/2009 13:45.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3070.2235 [GMT -4:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\ignore me\WINDOWS\cdocmf.bak1"
"c:\ignore me\WINDOWS\cdocmf.bak2"
"c:\ignore me\WINDOWS\cdocmf.ini"
"c:\ignore me\WINDOWS\system32\cfhkj.tmp"
"d:\windows\system32\doayssmn.tmp"
"d:\windows\system32\ysuxtgeh.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\ignore me\WINDOWS\cdocmf.bak1
c:\ignore me\WINDOWS\cdocmf.bak2
c:\ignore me\WINDOWS\cdocmf.ini
c:\ignore me\WINDOWS\system32\cfhkj.tmp
d:\windows\system32\doayssmn.tmp
d:\windows\system32\ysuxtgeh.tmp

.
((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2009-08-12 03:01 . 2009-08-12 03:01 -------- d-----w- d:\windows\LastGood
2009-08-12 01:26 . 2009-08-12 01:26 -------- d-----w- d:\program files\ESET
2009-08-09 17:10 . 2009-08-09 17:10 -------- d-----w- d:\program files\Trend Micro
2009-08-08 18:23 . 2009-08-08 18:23 -------- d-sh--w- d:\windows\system32\config\systemprofile\IETldCache
2009-07-28 18:43 . 2009-07-28 18:43 -------- d-sh--w- d:\documents and settings\Administrator\IECompatCache
2009-07-18 21:21 . 2008-09-04 18:17 447752 ----a-r- d:\windows\system32\vp6vfw.dll
2009-07-18 21:21 . 2009-07-18 21:21 10134 ----a-r- d:\documents and settings\Administrator\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-07-18 21:21 . 2009-07-18 21:21 -------- d-----w- d:\program files\Microsoft WSE
2009-07-16 23:02 . 2009-07-16 23:13 -------- d-----w- d:\program files\Common Files\DivX Shared
2009-07-16 21:14 . 2009-07-16 21:23 -------- d-----w- d:\windows\SxsCaPendDel
2009-07-16 18:39 . 2009-07-16 18:39 -------- d-sh--w- d:\documents and settings\NetworkService\IETldCache
2009-07-16 11:46 . 2009-07-16 11:46 -------- d-----w- d:\documents and settings\Administrator\Application Data\Red Kawa
2009-07-15 10:12 . 2009-07-15 10:12 -------- d-----w- d:\program files\Regensoft
2009-07-15 10:05 . 2009-07-15 10:12 -------- d-----w- d:\program files\Common Files\Common Share
2009-07-15 10:05 . 2008-12-18 17:38 1700352 ----a-w- d:\windows\system32\gdiplus.dll
2009-07-14 04:06 . 2009-07-14 04:06 1914000 ----a-w- d:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-07-14 04:05 . 2009-07-15 03:46 -------- d-----w- d:\documents and settings\All Users\Application Data\NOS
2009-07-14 04:05 . 2009-07-15 03:46 -------- d-----w- d:\program files\NOS
2009-07-13 22:45 . 2009-07-13 22:45 -------- d-sh--w- d:\documents and settings\Administrator\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 02:28 . 2007-03-08 16:32 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2009-08-08 21:46 . 2007-01-31 02:14 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-08 21:36 . 2007-01-31 02:14 -------- d-----w- d:\program files\Spybot - Search & Destroy
2009-08-08 18:22 . 2009-08-08 18:22 1234810 ----a-w- d:\windows\system32\xa.tmp
2009-08-03 23:04 . 2007-10-30 03:16 -------- d-----w- d:\documents and settings\Administrator\Application Data\mIRC
2009-08-03 23:04 . 2007-10-30 03:16 -------- d-----w- d:\program files\mIRC
2009-07-30 15:39 . 2009-01-18 03:39 335752 ----a-w- d:\windows\system32\drivers\avgldx86.sys
2009-07-18 21:17 . 2007-02-05 01:06 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-07-16 23:03 . 2007-03-07 00:57 -------- d-----w- d:\program files\DivX
2009-07-16 21:24 . 2007-01-31 04:28 50864 ----a-w- d:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 20:11 . 2007-02-14 23:35 -------- d-----w- d:\program files\PeerGuardian2
2009-07-03 17:09 . 2004-01-08 20:23 915456 ----a-w- d:\windows\system32\wininet.dll
2009-07-01 17:40 . 2009-07-01 17:40 -------- d-----w- d:\documents and settings\Administrator\Application Data\SPORE
2009-06-28 00:40 . 2009-06-28 00:38 -------- d-----w- d:\documents and settings\Administrator\Application Data\Bioshock
2009-06-28 00:38 . 2009-06-28 00:38 -------- d--h--r- d:\documents and settings\Administrator\Application Data\SecuROM
2009-06-27 04:56 . 2008-12-30 21:53 -------- d-----w- d:\program files\EVGA Precision
2009-06-26 15:25 . 2009-01-31 06:17 11952 ----a-w- d:\windows\system32\avgrsstx.dll
2009-06-26 15:25 . 2009-01-18 03:39 27784 ----a-w- d:\windows\system32\drivers\avgmfx86.sys
2009-06-18 01:59 . 2007-04-14 14:23 -------- d-----w- d:\documents and settings\Administrator\Application Data\Xfire
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- d:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- d:\windows\system32\t2embed.dll
2009-06-16 00:08 . 2007-06-19 02:41 -------- d-----w- d:\program files\Windows Live
2009-06-16 00:08 . 2008-03-03 12:13 -------- d-----w- d:\documents and settings\All Users\Application Data\WLInstaller
2009-06-15 23:55 . 2008-03-03 12:13 -------- dcsh--w- d:\program files\Common Files\WindowsLiveInstaller
2009-06-15 23:30 . 2009-06-15 23:30 3584 ----a-r- d:\documents and settings\Administrator\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-15 23:30 . 2009-06-15 23:30 -------- d-----w- d:\program files\Windows Installer Clean Up
2009-06-15 23:30 . 2009-06-15 23:30 -------- d-----w- d:\program files\MSECACHE
2009-06-15 22:36 . 2009-06-15 22:36 -------- d-----w- d:\program files\Common Files\Windows Live
2009-06-03 19:09 . 2009-06-03 19:09 1291264 ----a-w- d:\windows\system32\quartz.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- d:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- d:\program files\mozilla firefox\plugins\ssldivx.dll
2008-03-27 10:50 . 2008-03-27 10:48 24 --sh--w- d:\windows\S2241CE70.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-08-11_18.15.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-11 18:56 . 2009-08-11 18:56 16384 d:\windows\Temp\Perflib_Perfdata_9a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-01 68856]
"Rainlendar2"="d:\program files\Rainlendar2\Rainlendar2.exe" [2007-04-15 1291264]
"RocketDock"="d:\program files\RocketDock\RocketDock.exe" [2007-03-19 630784]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="d:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-03-01 90112]
"AlcoholAutomount"="d:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
"NVIDIA nTune"="d:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-09-29 106496]
"MsnMsgr"="d:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DWQueuedReporting"="d:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"Lexmark X74-X75"="d:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"IMJPMIG8.1"="d:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="d:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="d:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="d:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"NeroFilterCheck"="d:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SoundMAXPnP"="d:\program files\Analog Devices\Core\smax4pnp.exe" [2007-10-08 1036288]
"Ai Nap"="d:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2008-04-11 1421824]
"CPU Power Monitor"="d:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2008-01-09 627200]
"ASUS Energy Saving"="d:\program files\ASUS\Ai Suite\EnergySaving\PwSave.exe" [2008-01-28 1352704]
"Cpu Level Up help"="d:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-12-01 881152]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"AlcxMonitor"="ALCXMNTR.EXE" - d:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"LTMSG"="LTMSG.exe" - d:\windows\ltmsg.exe [2003-07-14 40960]
"nwiz"="nwiz.exe" - d:\windows\system32\nwiz.exe [2009-02-09 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]

d:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Rainmeter.lnk - d:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-29 692224]
Microsoft Office.lnk - d:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WinZip Quick Pick.lnk - d:\program files\WinZip\WZQKPICK.EXE [2008-2-12 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-12-30 03:40 184320 ----a-w- d:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 15:25 11952 ----a-w- d:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\D:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Alliance background mode.lnk]
path=d:\documents and settings\Administrator\Start Menu\Programs\Startup\Alliance background mode.lnk
backup=d:\windows\pss\Alliance background mode.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\MSN Messenger\\msrr.exe"=
"d:\\Program Files\\Xfire\\xfire.exe"=
"d:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"d:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\WINDOWS\\system32\\javaw.exe"=
"d:\\Program Files\\mIRC\\mirc.exe"=
"d:\\Program Files\\UT2004\\System\\UT2004.exe"=
"d:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"d:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"d:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"d:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"f:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"f:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=
"f:\\Program Files\\Activision\\Spider-Man - Web of Shadows\\image\\pc\\Spider-Man Web of Shadows.exe"=
"f:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"f:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"f:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"f:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"f:\\Program Files\\Activision\\Prototype\\prototypef.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\StubInstaller.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:*isabledCOM

R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [17/01/2009 11:39 PM 335752]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [31/01/2009 2:17 AM 298776]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 paldrv;paldrv;d:\windows\system32\pal_drv.sys [01/03/2007 7:16 PM 10951]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;d:\windows\system32\drivers\libusb0.sys [22/06/2009 1:09 PM 33792]
S2 dualshock3;DUALSHOCK3 Controller HID Minidriver (USB) Beta;d:\windows\system32\drivers\dualshock3.sys [22/06/2009 1:14 PM 11392]
S3 cpuz132;cpuz132;d:\windows\system32\drivers\cpuz132_x32.sys [27/06/2009 8:57 PM 12672]
S3 npggsvc;nProtect GameGuard Service;d:\windows\system32\GameMon.des -service --> d:\windows\system32\GameMon.des -service [?]
S3 XDva009;XDva009;\??\d:\windows\system32\XDva009.sys --> d:\windows\system32\XDva009.sys [?]
S3 XDva269;XDva269;\??\d:\windows\system32\XDva269.sys --> d:\windows\system32\XDva269.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"d:\windows\system32\rundll32.exe" "d:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-30 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 17:15]

2009-08-12 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-08 02:41]

2009-08-11 d:\windows\Tasks\WGASetup.job
- d:\windows\system32\KB905474\wgasetup.exe [2009-04-12 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sympatico.msn.ca/
IE: &Winamp Search - d:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fl08il4n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fl08il4n.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampPlayer.dll
FF - component: d:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: d:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: d:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: f:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: f:\program files\DivX\DivX Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 13:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="d:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1993962763-1275210071-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,83,fb,43,c7,bd,aa,08,40,bc,1d,91,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,83,fb,43,c7,bd,aa,08,40,bc,1d,91,\

[HKEY_USERS\S-1-5-21-1993962763-1275210071-725345543-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:06,09,fa,c6,10,bc,64,42,b9,fd,7f,89,6d,2b,e5,4f,99,b3,75,d8,41,e0,98,
e4,37,32,16,c3,57,b6,41,89,a2,79,08,c9,51,c7,53,08,b2,fe,4c,20,8f,d5,1c,27,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
d:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
d:\windows\system32\igfxsrvc.dll
d:\windows\system32\hccutils.DLL

- - - - - - - > 'lsass.exe'(732)
d:\windows\system32\nvappfilter.dll
.
Completion time: 2009-08-12 13:54
ComboFix-quarantined-files.txt 2009-08-12 17:53
ComboFix2.txt 2009-08-11 19:04
ComboFix3.txt 2009-08-11 18:19

Pre-Run: 5,470,994,432 bytes free
Post-Run: 6,983,446,528 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
261 --- E O F --- 2009-08-09 11:06

hmm, i don't appear to be having any more problems. is there anything else i should be worried about?

and thanks a lot shaba

 

[Shaba]

Great

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor
3) PC Tools
4) Sunbelt/Kerio
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now lets uninstall ComboFix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.

• Double-click OTC.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

• Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  
  You can find instructions on how to enable and re-enable system restore here:
  
  Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

• Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
  You can use one of these sites to check if any updates are needed for your pc.
  Secunia Software Inspector
  F-secure Health Check
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
• Install Malwarebytes' Anti-Malware - Malwarebytes''Anti-Malware is a new and powerful anti-malware tool. It is
  totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
  
  Malwarebytes' Anti-Malware Setup Guide
  
  Malwarebytes' Anti-Malware Scanning Guide
  
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :bigthumb:

 

[RiOmega]

Thanks a lot Shaba. i am now taking more precautions with the utilities you've shown me above. i am greatly grateful to you. once again, thanks a lot.

i will make sure to try and stay clean!

 

[Shaba]

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.