Thread: Hope this will be an easy one
- 12-02-2008 11:15 PM #1Member
Hope this will be an easy one
Hello,
I have followed all the steps, and I get Avira warnings showing the following:
loaderadv563[1].exe
agent.anrk
410.exe
agent.anrk
newdon[1].exe
719.exe
dropper.gen
So please take a look at my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:12:04 AM, on 03/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\sysmgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS\system32\sysmgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-6800274978-2629857089-659897354-0944\service.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 4612 bytes
Thanks in advance!
- 12-02-2008 11:53 PM #2
Welcome to H2G.
Your computer is infected by at least one Backdoor Trojan. Please read all of this carefully.
Backdoor Trojans, IRCBots and rootkits are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use Backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.
Read this article: Danger: Remote Access Trojans.
If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums.
You should consider them to be compromised. Passwords should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.
It is dangerous and incorrect to assume that because the Backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS.
When should I re-format? How should I reinstall?
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Let me know what you have decided to do in your next post.

Our help here is always free but it does cost money to keep the site running. If you feel we've helped you, Please Donate to the Forum
- 12-03-2008 07:14 AM #3Member
Re-format
Hello,
I did re-format completely and it seems to have come back..
Any suggestions?
Devon
- 12-03-2008 03:00 PM #4
Download Malwarebytes' Anti-Malware (MBAM)
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
----------
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
For Windows XP Systems install the Recovery Console:
- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
- 12-03-2008 09:22 PM #5Member
Here they are in order:
(seems to have done a good job so far)
Malwarebytes' Anti-Malware 1.30
Database version: 1455
Windows 5.1.2600 Service Pack 3
03/12/2008 7:05:32 PM
mbam-log-2008-12-03 (19-05-32).txt
Scan type: Quick Scan
Objects scanned: 45388
Time elapsed: 2 minute(s), 29 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 7
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11
Memory Processes Infected:
C:\WINDOWS\system32\sysmgr.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dbaciliyo (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12zfg94-f641-2sf-k31p-5n1er6h6l2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft(R) System Manager (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\gs73gfidgf.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Noxious Rain\Local Settings\Temp\551.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Noxious Rain\Local Settings\Temp\627.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Noxious Rain\Local Settings\Temp\806.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Ulihetilar.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Noxious Rain\Local Settings\Temp\winlogin.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\S-1-5-21-6800274978-2629857089-659897354-0944\service.exe (Trojan.Agent) -> Delete on reboot.
C:\gguqrtmj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysmgr.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvcrt2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Noxious Rain\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Delete on reboot.
ComboFix 08-12-02.02 - Noxious Rain 2008-12-03 19:19:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.968 [GMT -5:00]
Running from: c:\documents and settings\Noxious Rain\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\Autorun.inf
e:\recycler\Desktop.ini
.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.
2008-12-03 19:04 . 2008-12-03 19:04 141,824 --a------ c:\windows\utimebopevube.dll
2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\Malwarebytes
2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 18:56 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 18:56 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 18:52 . 2008-12-03 18:52 40,448 --a------ C:\yjvmtaa.exe
2008-12-03 08:06 . 2008-12-03 08:08 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\SolidWorks
2008-12-03 00:01 . 2008-12-03 18:52 <DIR> d-------- c:\program files\SpywareGuard
2008-12-02 23:56 . 2008-12-02 23:56 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-02 23:56 . 2008-12-02 23:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 23:48 . 2008-12-02 23:48 <DIR> d-------- c:\program files\Java
2008-12-02 23:48 . 2008-12-02 23:48 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-02 23:48 . 2008-12-02 23:48 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-02 23:39 . 2008-12-02 23:39 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 19:21 . 2008-12-02 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-02 18:19 . 2008-12-02 18:19 <DIR> d-------- c:\program files\Bonjour
2008-12-02 18:10 . 2008-12-02 18:10 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-02 18:04 . 2008-12-02 18:19 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-02 00:08 . 2008-12-02 00:08 <DIR> d-------- c:\program files\CCleaner
2008-12-02 00:06 . 2008-12-02 00:06 <DIR> d-------- c:\program files\AC3Filter
2008-12-02 00:06 . 2007-08-18 02:54 380,928 --a------ c:\windows\system32\ac3filter.acm
2008-12-02 00:05 . 2008-12-02 00:05 <DIR> d-------- c:\program files\XviD
2008-12-02 00:03 . 2008-12-02 00:03 <DIR> d-------- c:\program files\Illustrate
2008-12-02 00:03 . 2008-12-02 00:03 167,936 --a------ c:\windows\system32\SpoonUninstall.exe
2008-12-02 00:03 . 2008-12-02 00:03 27,958 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2008-12-02 00:03 . 2008-12-02 00:03 17,871 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2008-12-02 00:02 . 2008-12-03 19:07 <DIR> d-------- c:\program files\DNA
2008-12-02 00:02 . 2008-12-02 00:02 <DIR> d-------- c:\program files\BitTorrent
2008-12-02 00:02 . 2008-12-03 19:17 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DNA
2008-12-01 23:43 . 2008-12-01 23:43 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DWGeditor
2008-12-01 23:42 . 2008-12-01 23:42 <DIR> d-------- c:\program files\SolidWorks Installation Manager
2008-12-01 23:42 . 2008-12-01 23:42 <DIR> d-------- c:\program files\DWGeditor
2008-12-01 23:42 . 2008-12-01 23:42 0 --a------ c:\windows\eDrawingOfficeAutomator.INI
2008-12-01 23:41 . 2004-11-05 11:08 670,208 --a------ c:\windows\system32\drivers\hardlock.sys
2008-12-01 23:41 . 2008-12-01 23:41 23 --ah----- c:\windows\yacht.xws
2008-12-01 23:40 . 2008-12-01 23:42 <DIR> d-------- c:\program files\Common Files\eDrawings2007
2008-12-01 23:38 . 2008-12-01 23:38 <DIR> d-------- c:\windows\system32\GroupPolicy
2008-12-01 23:37 . 2008-12-02 00:00 <DIR> d-------- c:\program files\SolidWorks
2008-12-01 23:37 . 2008-12-01 23:58 <DIR> d-------- c:\program files\Common Files\SolidWorks Shared
2008-12-01 23:37 . 2008-12-01 23:37 <DIR> d-------- c:\program files\Common Files\Solidworks Data
2008-12-01 23:36 . 2008-12-01 23:36 <DIR> d-------- c:\program files\Windows Desktop Search
2008-12-01 23:36 . 2005-12-05 07:38 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-12-01 23:35 . 2008-12-01 23:35 42 --a------ c:\windows\trailer.xws
2008-12-01 22:51 . 2008-12-01 22:52 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DivX
2008-12-01 22:45 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-12-01 22:30 . 2008-12-01 22:30 <DIR> d-------- c:\program files\DivX
2008-12-01 22:26 . 2008-12-01 22:26 <DIR> d-------- c:\program files\PowerISO
2008-12-01 22:21 . 2008-12-01 22:21 <DIR> d-------- c:\windows\nview
2008-12-01 22:21 . 2008-12-01 22:21 <DIR> d-------- C:\NVIDIA
2008-12-01 22:21 . 2008-12-03 08:18 3,162,278 --a------ c:\windows\{00000000-00000000-0000000B-00001102-00000004-00511102}.BAK
2008-12-01 22:21 . 2008-05-16 11:48 446,464 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-01 22:21 . 2008-05-16 14:01 446,464 --a------ c:\windows\system32\nvudisp.exe
2008-12-01 22:21 . 2008-12-03 19:07 186,097 --a------ c:\windows\system32\nvapps.xml
2008-12-01 22:21 . 2008-12-03 08:18 30,120 --a------ c:\windows\system32\BMXStateBkp-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-12-03 08:18 30,120 --a------ c:\windows\system32\BMXState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-12-03 08:18 27,408 --a------ c:\windows\system32\BMXCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-12-03 08:18 27,408 --a------ c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-05-16 14:01 18,070 --a------ c:\windows\system32\nvdisp.nvu
2008-12-01 22:21 . 2008-12-03 08:18 11,564 --a------ c:\windows\system32\DVCState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:19 . 2008-12-01 22:22 <DIR> d-------- c:\windows\system32\Defaults
2008-12-01 22:19 . 2008-12-01 22:19 <DIR> d-------- c:\program files\Creative
2008-12-01 22:19 . 2000-12-05 09:11 4,174,814 --------- c:\windows\system32\CT4MGM.SF2
2008-12-01 22:19 . 2008-12-03 08:18 3,162,278 --a------ c:\windows\{00000000-00000000-0000000B-00001102-00000004-00511102}.CDF
2008-12-01 22:19 . 2008-04-14 00:47 83,072 --a------ c:\windows\system32\drivers\wdmaud.sys
2008-12-01 22:19 . 2008-04-14 00:47 83,072 --a--c--- c:\windows\system32\dllcache\wdmaud.sys
2008-12-01 22:19 . 2008-04-14 00:15 52,864 --a------ c:\windows\system32\drivers\DMusic.sys
2008-12-01 22:19 . 2008-04-14 00:15 52,864 --a--c--- c:\windows\system32\dllcache\dmusic.sys
2008-12-01 22:19 . 2008-04-14 00:15 10,624 --a------ c:\windows\system32\drivers\gameenum.sys
2008-12-01 22:19 . 2008-04-14 00:15 10,624 --a--c--- c:\windows\system32\dllcache\gameenum.sys
2008-12-01 22:19 . 2008-04-14 00:15 6,272 --a------ c:\windows\system32\drivers\splitter.sys
2008-12-01 22:19 . 2008-04-14 00:15 6,272 --a--c--- c:\windows\system32\dllcache\splitter.sys
2008-12-01 22:18 . 2008-12-01 22:18 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\Creative
2008-12-01 22:17 . 2008-12-01 22:18 <DIR> d-------- c:\windows\system32\Data
2008-12-01 22:17 . 2008-12-01 22:19 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-12-01 22:17 . 2008-12-01 22:17 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-12-01 22:16 . 2008-12-01 22:16 <DIR> d-------- C:\ubuntu
2008-12-01 22:06 . 2008-12-01 22:06 <DIR> d-------- c:\program files\Avira
2008-12-01 22:06 . 2008-12-01 22:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-01 22:03 . 2008-12-01 22:03 0 --a------ c:\windows\nsreg.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 03:18 444,952 ----a-w c:\windows\system32\wrap_oal.dll
2008-12-02 03:18 109,080 ----a-w c:\windows\system32\OpenAL32.dll
2008-12-02 02:52 --------- d-----w c:\program files\microsoft frontpage
2008-11-02 08:44 56,572 ----a-w c:\windows\system32\drivers\scdemu.sys
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:57 129,784 ------w c:\windows\system32\pxafs.dll
2008-09-19 21:57 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-09-19 21:57 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-02 342336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
"Efahulo"="c:\windows\utimebopevube.dll" [2008-12-03 141824]
"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Noxious Rain\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM 360448]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [3/26/2006 10:44:08 PM 257752]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [6/27/2008 7:21:18 PM 99352]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [6/27/2008 7:21:18 PM 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [6/27/2008 7:21:26 PM 555032]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [6/27/2008 7:21:26 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [6/27/2008 7:21:44 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [6/27/2008 7:21:44 PM 100888]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [6/27/2008 7:21:38 PM 566296]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [6/27/2008 7:21:38 PM 566296]
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Noxious Rain\Application Data\Mozilla\Firefox\Profiles\hwxn8drc.default\
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 19:20:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-12-03 19:21:37
ComboFix-quarantined-files.txt 2008-12-04 00:21:21
Pre-Run: 89,170,980,864 bytes free
Post-Run: 89,464,123,392 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
197
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:57 PM, on 03/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\DNA\btdna.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Efahulo] rundll32.exe "C:\WINDOWS\utimebopevube.dll",e
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 4168 bytes
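As an added example (not the helper's instructions or code from HijackThis, MBAM or ComboFix), a Python triage script over the O4 Run-key lines from the two HijackThis logs in this thread. It applies the location and naming checks a reviewer applies by eye: executables under RECYCLER or Temp, loose files in the drive or WINDOWS root, rundll32 hosting a DLL outside system32, GUID-like value names, and vendor-branded names that only a signature check can clear. The sample lines are copied from the logs above; the heuristics, severities and function names are this example's own.

```python
"""Triage the O4 (Run-key) autostart lines of a HijackThis log.

Added example for this thread; the checks are heuristics, not a
replacement for signature-based scanning.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: O4 lines copied from the two HijackThis logs in the thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS\system32\sysmgr.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-6800274978-2629857089-659897354-0944\service.exe
O4 - HKLM\..\Run: [Efahulo] rundll32.exe "C:\WINDOWS\utimebopevube.dll",e
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"; Startup-folder O4 lines are ignored.
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 host: the DLL (quoted or not) is the real image, the export follows the comma.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*(?:,(?P<export>\S*))?$', re.IGNORECASE)
# Plain command: a drive-rooted path ending in an executable extension, optionally quoted.
PATH_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr|com))"?(?:\s|$)', re.IGNORECASE)
# Value names made of several hyphen-separated alphanumeric tokens (GUID-like junk names).
GUID_NAME_RE = re.compile(r"[0-9A-Za-z]{3,}(?:-[0-9A-Za-z]{2,}){3,}")
# Value names that claim a vendor identity the file may not actually carry.
BRAND_RE = re.compile(r"microsoft|windows|\(r\)", re.IGNORECASE)


class Finding(NamedTuple):
    name: str
    hive: str
    image: Optional[str]
    severity: str          # "suspicious" or "verify"
    reasons: Tuple[str, ...]


def parse_o4_run(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (hive, value name, command line) for a Run-key O4 line, else None."""
    m = O4_RUN_RE.match(line.strip())
    return (m.group("hive"), m.group("name"), m.group("cmd")) if m else None


def image_path(cmd: str) -> Tuple[Optional[str], bool]:
    """Return (path of the code that really runs, hosted-by-rundll32 flag)."""
    m = RUNDLL_RE.match(cmd.strip())
    if m:
        return m.group("dll"), True
    m = PATH_RE.match(cmd.strip())
    if m:
        return m.group("path"), False
    return None, False       # bare file name, resolved through the search path


def assess(name: str, image: Optional[str], via_rundll: bool) -> Tuple[Optional[str], Tuple[str, ...]]:
    """Apply the location and naming heuristics; severity None means nothing to report."""
    if image is None:
        return "verify", ("bare file name resolved via the search path; locate and verify the binary",)
    low = image.lower()
    parent = low.rsplit("\\", 1)[0]
    reasons = []
    if "\\recycler\\" in low or "\\temp\\" in low:
        reasons.append("image runs from a Recycle Bin or Temp directory")
    if re.fullmatch(r"[a-z]:", parent) or re.fullmatch(r"[a-z]:\\windows", parent):
        reasons.append("loose file in the drive root or WINDOWS root")
    if via_rundll and "\\system32\\" not in low:
        reasons.append("rundll32 hosts a DLL outside system32")
    if GUID_NAME_RE.fullmatch(name):
        reasons.append("value name is a random GUID-like token")
    if reasons:
        return "suspicious", tuple(reasons)
    if BRAND_RE.search(name):
        # Location checks pass; only an Authenticode check can confirm the vendor claim.
        return "verify", ("vendor-branded value name; confirm the file's signature before trusting it",)
    return None, ()


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per Run-key entry that needs attention."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o4_run(line)
        if parsed is None:
            continue
        hive, name, cmd = parsed
        image, via_rundll = image_path(cmd)
        severity, reasons = assess(name, image, via_rundll)
        if severity:
            findings.append(Finding(name, hive, image, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"[{f.severity}] {f.hive} [{f.name}] -> {f.image}")
        for r in f.reasons:
            print("    -", r)
```

Note that sysmgr.exe in system32 passes every path check and is surfaced only because of its vendor-branded value name; that is the limit of static log triage, and why the scanner verdicts above carry the real weight.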
- 12-03-2008 09:42 PM #6
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
3. Go to the Notepad window and click Edit > Paste
Code:
KillAll::
File::
c:\windows\utimebopevube.dll
C:\yjvmtaa.exe
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

Our help here is always free but it does cost money to keep the site running. If you feel we've helped you, Please Donate to the Forum
- 12-03-2008 10:12 PM #7Member
- Join Date
- Dec 2008
- Posts
- 5
- Points
- 0
Here it is:
ComboFix 08-12-02.02 - Noxious Rain 2008-12-03 23:05:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.940 [GMT -5:00]
Running from: c:\documents and settings\Noxious Rain\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Noxious Rain\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\utimebopevube.dll
C:\yjvmtaa.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\utimebopevube.dll
C:\yjvmtaa.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.
2008-12-03 23:04 . 2008-12-03 23:08 3,162,278 --a------ c:\windows\{00000000-00000000-0000000B-00001102-00000004-00511102}.BAK
2008-12-03 22:24 . 2008-12-03 23:08 <DIR> d-------- c:\program files\Steam
2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\Malwarebytes
2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 18:56 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 18:56 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 08:06 . 2008-12-03 08:08 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\SolidWorks
2008-12-03 00:01 . 2008-12-03 18:52 <DIR> d-------- c:\program files\SpywareGuard
2008-12-02 23:56 . 2008-12-02 23:56 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-02 23:56 . 2008-12-02 23:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 23:48 . 2008-12-02 23:48 <DIR> d-------- c:\program files\Java
2008-12-02 23:48 . 2008-12-02 23:48 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-02 23:48 . 2008-12-02 23:48 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-02 23:39 . 2008-12-02 23:39 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 19:21 . 2008-12-02 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-02 18:19 . 2008-12-02 18:19 <DIR> d-------- c:\program files\Bonjour
2008-12-02 18:10 . 2008-12-02 18:10 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-12-02 18:04 . 2008-12-02 18:19 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-02 00:08 . 2008-12-02 00:08 <DIR> d-------- c:\program files\CCleaner
2008-12-02 00:06 . 2008-12-02 00:06 <DIR> d-------- c:\program files\AC3Filter
2008-12-02 00:06 . 2007-08-18 02:54 380,928 --a------ c:\windows\system32\ac3filter.acm
2008-12-02 00:05 . 2008-12-02 00:05 <DIR> d-------- c:\program files\XviD
2008-12-02 00:03 . 2008-12-02 00:03 <DIR> d-------- c:\program files\Illustrate
2008-12-02 00:03 . 2008-12-02 00:03 167,936 --a------ c:\windows\system32\SpoonUninstall.exe
2008-12-02 00:03 . 2008-12-02 00:03 27,958 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2008-12-02 00:03 . 2008-12-02 00:03 17,871 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2008-12-02 00:02 . 2008-12-03 23:07 <DIR> d-------- c:\program files\DNA
2008-12-02 00:02 . 2008-12-02 00:02 <DIR> d-------- c:\program files\BitTorrent
2008-12-02 00:02 . 2008-12-03 23:07 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DNA
2008-12-01 23:43 . 2008-12-01 23:43 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DWGeditor
2008-12-01 23:42 . 2008-12-01 23:42 <DIR> d-------- c:\program files\SolidWorks Installation Manager
2008-12-01 23:42 . 2008-12-01 23:42 <DIR> d-------- c:\program files\DWGeditor
2008-12-01 23:42 . 2008-12-01 23:42 0 --a------ c:\windows\eDrawingOfficeAutomator.INI
2008-12-01 23:41 . 2004-11-05 11:08 670,208 --a------ c:\windows\system32\drivers\hardlock.sys
2008-12-01 23:41 . 2008-12-01 23:41 23 --ah----- c:\windows\yacht.xws
2008-12-01 23:40 . 2008-12-01 23:42 <DIR> d-------- c:\program files\Common Files\eDrawings2007
2008-12-01 23:38 . 2008-12-01 23:38 <DIR> d-------- c:\windows\system32\GroupPolicy
2008-12-01 23:37 . 2008-12-02 00:00 <DIR> d-------- c:\program files\SolidWorks
2008-12-01 23:37 . 2008-12-01 23:58 <DIR> d-------- c:\program files\Common Files\SolidWorks Shared
2008-12-01 23:37 . 2008-12-01 23:37 <DIR> d-------- c:\program files\Common Files\Solidworks Data
2008-12-01 23:36 . 2008-12-01 23:36 <DIR> d-------- c:\program files\Windows Desktop Search
2008-12-01 23:36 . 2005-12-05 07:38 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-12-01 23:35 . 2008-12-01 23:35 42 --a------ c:\windows\trailer.xws
2008-12-01 22:51 . 2008-12-01 22:52 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DivX
2008-12-01 22:45 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-12-01 22:30 . 2008-12-01 22:30 <DIR> d-------- c:\program files\DivX
2008-12-01 22:26 . 2008-12-01 22:26 <DIR> d-------- c:\program files\PowerISO
2008-12-01 22:21 . 2008-12-01 22:21 <DIR> d-------- c:\windows\nview
2008-12-01 22:21 . 2008-12-01 22:21 <DIR> d-------- C:\NVIDIA
2008-12-01 22:21 . 2008-05-16 11:48 446,464 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-01 22:21 . 2008-05-16 14:01 446,464 --a------ c:\windows\system32\nvudisp.exe
2008-12-01 22:21 . 2008-12-03 23:07 186,097 --a------ c:\windows\system32\nvapps.xml
2008-12-01 22:21 . 2008-12-03 23:06 30,120 --a------ c:\windows\system32\BMXStateBkp-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-12-03 23:06 30,120 --a------ c:\windows\system32\BMXState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-12-03 23:06 27,408 --a------ c:\windows\system32\BMXCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-12-03 23:06 27,408 --a------ c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:21 . 2008-05-16 14:01 18,070 --a------ c:\windows\system32\nvdisp.nvu
2008-12-01 22:21 . 2008-12-03 23:06 11,564 --a------ c:\windows\system32\DVCState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
2008-12-01 22:19 . 2008-12-01 22:22 <DIR> d-------- c:\windows\system32\Defaults
2008-12-01 22:19 . 2008-12-01 22:19 <DIR> d-------- c:\program files\Creative
2008-12-01 22:19 . 2000-12-05 09:11 4,174,814 --------- c:\windows\system32\CT4MGM.SF2
2008-12-01 22:19 . 2008-12-03 23:08 3,162,278 --a------ c:\windows\{00000000-00000000-0000000B-00001102-00000004-00511102}.CDF
2008-12-01 22:19 . 2008-04-14 00:47 83,072 --a------ c:\windows\system32\drivers\wdmaud.sys
2008-12-01 22:19 . 2008-04-14 00:47 83,072 --a--c--- c:\windows\system32\dllcache\wdmaud.sys
2008-12-01 22:19 . 2008-04-14 00:15 52,864 --a------ c:\windows\system32\drivers\DMusic.sys
2008-12-01 22:19 . 2008-04-14 00:15 52,864 --a--c--- c:\windows\system32\dllcache\dmusic.sys
2008-12-01 22:19 . 2008-04-14 00:15 10,624 --a------ c:\windows\system32\drivers\gameenum.sys
2008-12-01 22:19 . 2008-04-14 00:15 10,624 --a--c--- c:\windows\system32\dllcache\gameenum.sys
2008-12-01 22:19 . 2008-04-14 00:15 6,272 --a------ c:\windows\system32\drivers\splitter.sys
2008-12-01 22:19 . 2008-04-14 00:15 6,272 --a--c--- c:\windows\system32\dllcache\splitter.sys
2008-12-01 22:18 . 2008-12-01 22:18 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\Creative
2008-12-01 22:17 . 2008-12-01 22:18 <DIR> d-------- c:\windows\system32\Data
2008-12-01 22:17 . 2008-12-03 19:32 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-12-01 22:17 . 2008-12-01 22:17 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-12-01 22:16 . 2008-12-01 22:16 <DIR> d-------- C:\ubuntu
2008-12-01 22:06 . 2008-12-01 22:06 <DIR> d-------- c:\program files\Avira
2008-12-01 22:06 . 2008-12-01 22:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-01 22:03 . 2008-12-01 22:03 0 --a------ c:\windows\nsreg.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 03:18 444,952 ----a-w c:\windows\system32\wrap_oal.dll
2008-12-02 03:18 109,080 ----a-w c:\windows\system32\OpenAL32.dll
2008-12-02 02:52 --------- d-----w c:\program files\microsoft frontpage
2008-11-02 08:44 56,572 ----a-w c:\windows\system32\drivers\scdemu.sys
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:57 129,784 ------w c:\windows\system32\pxafs.dll
2008-09-19 21:57 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-09-19 21:57 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
.
((((((((((((((((((((((((((((( snapshot@2008-12-03_19.20.59.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-04 03:24:27 27,648 ----a-r c:\windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C91.exe
+ 2008-09-15 18:22:00 59,719 ----a-w c:\windows\LastGood.Tmp\system32\Macromed\Download\Install.exe
+ 2008-10-05 03:16:26 235,936 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10a.exe
+ 2008-12-04 03:29:43 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-02 342336]
"Steam"="c:\program files\Steam\Steam.exe" [2008-12-03 1410296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Noxious Rain\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM 360448]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [3/26/2006 10:44:08 PM 257752]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [6/27/2008 7:21:18 PM 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [6/27/2008 7:21:26 PM 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [6/27/2008 7:21:38 PM 566296]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [6/27/2008 7:21:18 PM 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [6/27/2008 7:21:26 PM 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [6/27/2008 7:21:44 PM 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [6/27/2008 7:21:44 PM 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [6/27/2008 7:21:38 PM 566296]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Efahulo - c:\windows\utimebopevube.dll
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 23:07:48
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-03 23:09:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-04 04:09:56
ComboFix2.txt 2008-12-04 00:21:38
Pre-Run: 84,745,641,984 bytes free
Post-Run: 84,838,404,096 bytes free
203
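The ComboFix log above lists every Run value it found under "Reg Loading Points" and, under "ORPHANS REMOVED", the `Efahulo` value that pointed at `c:\windows\utimebopevube.dll`. The script below is an added example for this thread, not code from ComboFix, HijackThis or the helper: it parses those two sections, resolves each value to the file it launches (ComboFix prints either the full path in the value or a bare file name with the resolved path after the date in brackets), and flags targets in locations that are rarely legitimate for an autostart, namely a drive root or the Windows directory itself rather than a subfolder. The sample excerpt is copied from the log above except for the `Updater` line, which is constructed to exercise the drive-root rule.

```python
"""Triage autostart entries in a ComboFix log.

Added example for this thread; not part of ComboFix, HijackThis or the
helper's instructions. Heuristics are deliberately narrow: they surface
entries worth a second look, they do not declare anything malicious.
"""
import re
from dataclasses import dataclass, field

# "Name"="command" [date size]   or   "Name"="file.exe" [date resolved\path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# Orphan lines name key, value and target:  HKLM-Run-Efahulo - c:\windows\x.dll
ORPHAN_RE = re.compile(r'^(?P<key>HK\w+-Run)-(?P<name>\S+) - (?P<target>.+)$')

DRIVE_ROOT_RE = re.compile(r'^[a-z]:\\[^\\]+$', re.I)
WINDOWS_ROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+$', re.I)
# Files that legitimately live directly in %windir% and start at logon.
WINDOWS_ROOT_ALLOW = {"explorer.exe"}


@dataclass
class AutostartEntry:
    key: str
    name: str
    target: str           # file the Run value launches
    orphan: bool = False  # listed under ORPHANS REMOVED (target was gone)
    flags: list = field(default_factory=list)


def resolve_target(cmd: str, meta: str) -> str:
    """Prefer the resolved path ComboFix puts after the date in brackets."""
    parts = meta.split(None, 1)
    if len(parts) == 2 and "\\" in parts[1]:
        return parts[1].strip()
    return cmd.strip().strip('"')


def flag_target(target: str) -> list:
    flags = []
    base = target.rsplit("\\", 1)[-1].lower()
    if DRIVE_ROOT_RE.match(target):
        flags.append("file in drive root")
    elif WINDOWS_ROOT_RE.match(target) and base not in WINDOWS_ROOT_ALLOW:
        flags.append("file directly in Windows directory")
    if base.endswith(".dll") and "\\system32\\" not in target.lower():
        flags.append("DLL outside system32 used as Run target")
    return flags


def parse_combofix_autostarts(log_text: str) -> list:
    """Collect Run values (any hive) and orphaned Run values from a log."""
    entries, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ORPHAN_RE.match(line)
        if m:
            entries.append(AutostartEntry(m.group("key"), m.group("name"),
                                          m.group("target").strip(), orphan=True))
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith("\\run"):
            target = resolve_target(m.group("cmd"), m.group("meta"))
            entries.append(AutostartEntry(key, m.group("name"), target))
    for e in entries:
        e.flags = flag_target(e.target)
    return entries


def suspicious(entries: list) -> list:
    return [e for e in entries if e.flags]


# Excerpt of the ComboFix log in this thread; the "Updater" line is constructed.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-02 342336]
"Steam"="c:\program files\Steam\Steam.exe" [2008-12-03 1410296]
"Updater"="C:\yjvmtaa.exe" [2008-12-01 51200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Efahulo - c:\windows\utimebopevube.dll
"""

if __name__ == "__main__":
    for e in suspicious(parse_combofix_autostarts(SAMPLE_LOG)):
        tag = "  (orphan)" if e.orphan else ""
        print(f"{e.key}\\{e.name} -> {e.target}  [{'; '.join(e.flags)}]{tag}")
```

Run against the excerpt it reports only the constructed `Updater` value (drive root) and the `Efahulo` orphan (a DLL sitting directly in the Windows directory); the Program Files and system32 entries pass. ComboFix had already removed the orphan in this case, so the value of such a script is in reading logs where nobody has yet pointed out which line matters.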
- 12-03-2008 11:27 PM #8
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
The above procedure will:
- Delete the following:
  - ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
----------
Download ATF Cleaner by Atribune to your Desktop.
Alternate download link
Note: Vista users must use Run As Administrator
- Under Main: Select Files to Delete choose: Select All.
- Click the Empty Selected button.
- If you use Firefox browser click Firefox at the top and choose: Select All
- Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
- If you use Opera browser click Opera at the top and choose: Select All
- Click the Empty Selected button.
  If you would like to keep your saved passwords click No at the prompt.
- Click Exit on the Main menu to close the program.
Note that your system will run slower for a reboot or two after having used this tool so don't panic.
Restart the computer before starting the Kaspersky scan.
----------
Run the Kaspersky Online Scanner
In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.
- Click on SCAN NOW
- Click Accept.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
- The scan will take a while, so be patient and let it finish.
When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
- Click on: Save Report As
- Next, in the Save as prompt, Save in area, select: Desktop.
- In the File name area use KScan, or something similar.
- In Save as type: click the drop arrow and select: Text file [*.txt]
- Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

- 12-04-2008 11:05 PM #9Member
- Join Date
- Dec 2008
- Posts
- 5
- Points
- 0
Lookin' mighty fine! Thanks a lot!
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 4, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 04, 2008 20:42:50
Records in database: 1436944
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Noxious Rain\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics:
Files scanned: 46188
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:46:46
No malware has been detected. The scan area is clean.
The selected area was scanned.
- 12-04-2008 11:17 PM #10
Looks good.
Use the Secunia Software Inspector to check for out of date software.
Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.
----------
Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)
----------
Learn more about how to protect yourself while on the Internet from the following link: So how did I get infected in the first place? by Tony Klein.
