  #1 - Member (joined Dec 2008; 5 posts)

    Hope this will be an easy one

    Hello,

    I have followed all the steps, and I get Avira warnings showing the following:

    loaderadv563[1].exe
    agent.anrk

    410.exe
    agent.anrk

    newdon[1].exe
    719.exe
    dropper.gen

    So please take a look at my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:12:04 AM, on 03/12/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\sysmgr.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS\system32\sysmgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-6800274978-2629857089-659897354-0944\service.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

    --
    End of file - 4612 bytes

    Thanks in advance!
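The O4 (Run key) lines in a HijackThis log are where the persistence in this thread shows up: a binary under a SID-named folder in C:\RECYCLER, a Run value named like a Microsoft component, and later a DLL in the Windows root loaded through rundll32. As an added example, not part of the original post and not HijackThis's own logic, the script below applies the path and naming checks a responder would otherwise do by eye. The sample input is copied from the two HijackThis logs in this thread; the heuristics and their thresholds are this example's own assumptions, and a hit is a prompt to verify the file, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: O4 (Run key) lines copied from the two HijackThis
# logs posted in this thread.  Raw string so the backslashes stay literal.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS\system32\sysmgr.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-6800274978-2629857089-659897354-0944\service.exe
O4 - HKLM\..\Run: [Efahulo] rundll32.exe "C:\WINDOWS\utimebopevube.dll",e
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_LINE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$")            # c:\foo.exe
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$")  # c:\windows\foo.dll, not system32
GUID_LOOKALIKE = re.compile(r"^[A-Z0-9]{4,}(-[A-Z0-9]{2,}){3,}$")  # assumed heuristic


def _first_token(cmd: str) -> Tuple[str, str]:
    """Split a command line into (first program/file, remaining arguments),
    honouring a double-quoted first argument."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def target_of(cmd: str) -> str:
    """The file that actually carries the code: for rundll32 that is the DLL
    it loads (the part before the ',export' suffix), otherwise the program."""
    prog, rest = _first_token(cmd)
    if prog.lower().endswith("rundll32.exe") and rest:
        module, _ = _first_token(rest)
        return module.split(",", 1)[0]
    return prog


def reasons_for(name: str, cmd: str) -> List[str]:
    """Heuristic checks on one Run entry; each hit is a reason to verify the
    file, not a verdict.  The checks are this example's assumptions."""
    target = target_of(cmd)
    low = target.lower()
    why: List[str] = []
    if "\\recycler\\" in low:
        why.append("runs from the Recycle Bin tree (RECYCLER)")
    if "\\temp\\" in low:
        why.append("runs from a Temp directory")
    if DRIVE_ROOT.match(low):
        why.append("runs from the drive root")
    if WINDIR_ROOT.match(low):
        why.append("file sits directly under the Windows directory, not system32")
    if "\\" not in low:
        why.append("bare filename resolved via the search path; confirm which file runs")
    if GUID_LOOKALIKE.match(name):
        why.append("value name is a GUID look-alike")
    if re.search(r"microsoft\s*\(r\)", name, re.I):
        why.append("display name imitates a vendor brand; check the binary's origin")
    return why


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged Run value name to the reasons it was flagged.
    Startup-folder O4 lines use a different format and are skipped here."""
    flagged: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            why = reasons_for(m.group("name"), m.group("cmd"))
            if why:
                flagged[m.group("name")] = why
    return flagged


if __name__ == "__main__":
    for name, why in triage(SAMPLE_O4).items():
        print(f"[{name}] {'; '.join(why)}")
```

Run against the sample, the script flags the RECYCLER service.exe entry, the "Microsoft(R) System Manager" value (the MBAM log later in the thread classifies that sysmgr.exe as Backdoor.Bot) and the rundll32-loaded DLL in the Windows root, while leaving the Avira, NVIDIA and BitTorrent entries alone. The bare-filename check deliberately also hits CTHelper, which is legitimate here: with no path in the Run value, the only way to know which CTHELPER.EXE runs is to look.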

  #2 - evilfantasy, Forum Moderator (Tulsa, OK; joined Jan 2008; 4,478 posts)


    Welcome to H2G.

    Your computer is infected by at least one Backdoor Trojan. Please read all of this carefully.

    Backdoor Trojans, IRCBots and rootkits are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms, and they steal sensitive information like passwords and personal and financial data, which they send back to the hacker. Remote attackers use Backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

    Read this article: Danger: Remote Access Trojans.

    If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums.

    You should consider them to be compromised. Passwords should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

    It is dangerous and incorrect to assume that because the Backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS.

    When should I re-format? How should I reinstall?.
    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

    Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it will be 100% secure afterwards.

    Should you have any questions, please feel free to ask.

    Let me know what you have decided to do in your next post.


    Our help here is always free but it does cost money to keep the site running. If you feel we've helped you, Please Donate to the Forum

  #3 - Member (joined Dec 2008; 5 posts)

    Re-format

    Hello,

    I did re-format completely and it seems to have come back..

    Any suggestions?


    Devon

  #4 - evilfantasy, Forum Moderator (Tulsa, OK; joined Jan 2008; 4,478 posts)


    Download Malwarebytes' Anti-Malware (MBAM)

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply.


    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    ----------

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note: It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click combofix.exe & follow the prompts.

    For Windows XP Systems install the Recovery Console:

    - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
    - If for some reason your Internet is not working click No.
    - If you are not using Windows XP, you will not be prompted.
    - When prompted to accept the EULA click OK.
    - Accept Microsoft's EULA (Click Yes).
    - When you are told that the RC is installed correctly click YES to continue scanning for malware.

    When finished ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

  #5 - Member (joined Dec 2008; 5 posts)


    Here they are in order:
    (seems to have done a good job so far)

    Malwarebytes' Anti-Malware 1.30
    Database version: 1455
    Windows 5.1.2600 Service Pack 3

    03/12/2008 7:05:32 PM
    mbam-log-2008-12-03 (19-05-32).txt

    Scan type: Quick Scan
    Objects scanned: 45388
    Time elapsed: 2 minute(s), 29 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 7
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 11

    Memory Processes Infected:
    C:\WINDOWS\system32\sysmgr.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dbaciliyo (Trojan.Agent) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsjfn83jkemfofght (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12zfg94-f641-2sf-k31p-5n1er6h6l2 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft(R) System Manager (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\gs73gfidgf.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Noxious Rain\Local Settings\Temp\551.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Noxious Rain\Local Settings\Temp\627.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Noxious Rain\Local Settings\Temp\806.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\Ulihetilar.dll (Trojan.Agent) -> Delete on reboot.
    C:\Documents and Settings\Noxious Rain\Local Settings\Temp\winlogin.exe (Trojan.Agent) -> Delete on reboot.
    C:\RECYCLER\S-1-5-21-6800274978-2629857089-659897354-0944\service.exe (Trojan.Agent) -> Delete on reboot.
    C:\gguqrtmj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sysmgr.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\msvcrt2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Noxious Rain\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Delete on reboot.



    ComboFix 08-12-02.02 - Noxious Rain 2008-12-03 19:19:50.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.968 [GMT -5:00]
    Running from: c:\documents and settings\Noxious Rain\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    E:\Autorun.inf
    e:\recycler\Desktop.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
    .

    2008-12-03 19:04 . 2008-12-03 19:04 141,824 --a------ c:\windows\utimebopevube.dll
    2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\Malwarebytes
    2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-03 18:56 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-03 18:56 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-03 18:52 . 2008-12-03 18:52 40,448 --a------ C:\yjvmtaa.exe
    2008-12-03 08:06 . 2008-12-03 08:08 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\SolidWorks
    2008-12-03 00:01 . 2008-12-03 18:52 <DIR> d-------- c:\program files\SpywareGuard
    2008-12-02 23:56 . 2008-12-02 23:56 <DIR> d-------- c:\program files\SpywareBlaster
    2008-12-02 23:56 . 2008-12-02 23:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
    2008-12-02 23:48 . 2008-12-02 23:48 <DIR> d-------- c:\program files\Java
    2008-12-02 23:48 . 2008-12-02 23:48 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-02 23:48 . 2008-12-02 23:48 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-12-02 23:39 . 2008-12-02 23:39 <DIR> d-------- c:\program files\Trend Micro
    2008-12-02 19:21 . 2008-12-02 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
    2008-12-02 18:19 . 2008-12-02 18:19 <DIR> d-------- c:\program files\Bonjour
    2008-12-02 18:10 . 2008-12-02 18:10 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
    2008-12-02 18:04 . 2008-12-02 18:19 <DIR> d-------- c:\program files\Common Files\Adobe
    2008-12-02 00:08 . 2008-12-02 00:08 <DIR> d-------- c:\program files\CCleaner
    2008-12-02 00:06 . 2008-12-02 00:06 <DIR> d-------- c:\program files\AC3Filter
    2008-12-02 00:06 . 2007-08-18 02:54 380,928 --a------ c:\windows\system32\ac3filter.acm
    2008-12-02 00:05 . 2008-12-02 00:05 <DIR> d-------- c:\program files\XviD
    2008-12-02 00:03 . 2008-12-02 00:03 <DIR> d-------- c:\program files\Illustrate
    2008-12-02 00:03 . 2008-12-02 00:03 167,936 --a------ c:\windows\system32\SpoonUninstall.exe
    2008-12-02 00:03 . 2008-12-02 00:03 27,958 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
    2008-12-02 00:03 . 2008-12-02 00:03 17,871 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
    2008-12-02 00:02 . 2008-12-03 19:07 <DIR> d-------- c:\program files\DNA
    2008-12-02 00:02 . 2008-12-02 00:02 <DIR> d-------- c:\program files\BitTorrent
    2008-12-02 00:02 . 2008-12-03 19:17 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DNA
    2008-12-01 23:43 . 2008-12-01 23:43 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DWGeditor
    2008-12-01 23:42 . 2008-12-01 23:42 <DIR> d-------- c:\program files\SolidWorks Installation Manager
    2008-12-01 23:42 . 2008-12-01 23:42 <DIR> d-------- c:\program files\DWGeditor
    2008-12-01 23:42 . 2008-12-01 23:42 0 --a------ c:\windows\eDrawingOfficeAutomator.INI
    2008-12-01 23:41 . 2004-11-05 11:08 670,208 --a------ c:\windows\system32\drivers\hardlock.sys
    2008-12-01 23:41 . 2008-12-01 23:41 23 --ah----- c:\windows\yacht.xws
    2008-12-01 23:40 . 2008-12-01 23:42 <DIR> d-------- c:\program files\Common Files\eDrawings2007
    2008-12-01 23:38 . 2008-12-01 23:38 <DIR> d-------- c:\windows\system32\GroupPolicy
    2008-12-01 23:37 . 2008-12-02 00:00 <DIR> d-------- c:\program files\SolidWorks
    2008-12-01 23:37 . 2008-12-01 23:58 <DIR> d-------- c:\program files\Common Files\SolidWorks Shared
    2008-12-01 23:37 . 2008-12-01 23:37 <DIR> d-------- c:\program files\Common Files\Solidworks Data
    2008-12-01 23:36 . 2008-12-01 23:36 <DIR> d-------- c:\program files\Windows Desktop Search
    2008-12-01 23:36 . 2005-12-05 07:38 22,752 --a------ c:\windows\system32\spupdsvc.exe
    2008-12-01 23:35 . 2008-12-01 23:35 42 --a------ c:\windows\trailer.xws
    2008-12-01 22:51 . 2008-12-01 22:52 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DivX
    2008-12-01 22:45 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
    2008-12-01 22:30 . 2008-12-01 22:30 <DIR> d-------- c:\program files\DivX
    2008-12-01 22:26 . 2008-12-01 22:26 <DIR> d-------- c:\program files\PowerISO
    2008-12-01 22:21 . 2008-12-01 22:21 <DIR> d-------- c:\windows\nview
    2008-12-01 22:21 . 2008-12-01 22:21 <DIR> d-------- C:\NVIDIA
    2008-12-01 22:21 . 2008-12-03 08:18 3,162,278 --a------ c:\windows\{00000000-00000000-0000000B-00001102-00000004-00511102}.BAK
    2008-12-01 22:21 . 2008-05-16 11:48 446,464 --a------ c:\windows\system32\NVUNINST.EXE
    2008-12-01 22:21 . 2008-05-16 14:01 446,464 --a------ c:\windows\system32\nvudisp.exe
    2008-12-01 22:21 . 2008-12-03 19:07 186,097 --a------ c:\windows\system32\nvapps.xml
    2008-12-01 22:21 . 2008-12-03 08:18 30,120 --a------ c:\windows\system32\BMXStateBkp-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
    2008-12-01 22:21 . 2008-12-03 08:18 30,120 --a------ c:\windows\system32\BMXState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
    2008-12-01 22:21 . 2008-12-03 08:18 27,408 --a------ c:\windows\system32\BMXCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
    2008-12-01 22:21 . 2008-12-03 08:18 27,408 --a------ c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
    2008-12-01 22:21 . 2008-05-16 14:01 18,070 --a------ c:\windows\system32\nvdisp.nvu
    2008-12-01 22:21 . 2008-12-03 08:18 11,564 --a------ c:\windows\system32\DVCState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
    2008-12-01 22:19 . 2008-12-01 22:22 <DIR> d-------- c:\windows\system32\Defaults
    2008-12-01 22:19 . 2008-12-01 22:19 <DIR> d-------- c:\program files\Creative
    2008-12-01 22:19 . 2000-12-05 09:11 4,174,814 --------- c:\windows\system32\CT4MGM.SF2
    2008-12-01 22:19 . 2008-12-03 08:18 3,162,278 --a------ c:\windows\{00000000-00000000-0000000B-00001102-00000004-00511102}.CDF
    2008-12-01 22:19 . 2008-04-14 00:47 83,072 --a------ c:\windows\system32\drivers\wdmaud.sys
    2008-12-01 22:19 . 2008-04-14 00:47 83,072 --a--c--- c:\windows\system32\dllcache\wdmaud.sys
    2008-12-01 22:19 . 2008-04-14 00:15 52,864 --a------ c:\windows\system32\drivers\DMusic.sys
    2008-12-01 22:19 . 2008-04-14 00:15 52,864 --a--c--- c:\windows\system32\dllcache\dmusic.sys
    2008-12-01 22:19 . 2008-04-14 00:15 10,624 --a------ c:\windows\system32\drivers\gameenum.sys
    2008-12-01 22:19 . 2008-04-14 00:15 10,624 --a--c--- c:\windows\system32\dllcache\gameenum.sys
    2008-12-01 22:19 . 2008-04-14 00:15 6,272 --a------ c:\windows\system32\drivers\splitter.sys
    2008-12-01 22:19 . 2008-04-14 00:15 6,272 --a--c--- c:\windows\system32\dllcache\splitter.sys
    2008-12-01 22:18 . 2008-12-01 22:18 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\Creative
    2008-12-01 22:17 . 2008-12-01 22:18 <DIR> d-------- c:\windows\system32\Data
    2008-12-01 22:17 . 2008-12-01 22:19 <DIR> d--h----- c:\program files\InstallShield Installation Information
    2008-12-01 22:17 . 2008-12-01 22:17 <DIR> d-------- c:\program files\Common Files\InstallShield
    2008-12-01 22:16 . 2008-12-01 22:16 <DIR> d-------- C:\ubuntu
    2008-12-01 22:06 . 2008-12-01 22:06 <DIR> d-------- c:\program files\Avira
    2008-12-01 22:06 . 2008-12-01 22:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
    2008-12-01 22:03 . 2008-12-01 22:03 0 --a------ c:\windows\nsreg.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-02 03:18 444,952 ----a-w c:\windows\system32\wrap_oal.dll
    2008-12-02 03:18 109,080 ----a-w c:\windows\system32\OpenAL32.dll
    2008-12-02 02:52 --------- d-----w c:\program files\microsoft frontpage
    2008-11-02 08:44 56,572 ----a-w c:\windows\system32\drivers\scdemu.sys
    2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
    2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
    2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
    2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
    2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
    2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
    2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
    2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
    2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
    2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
    2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
    2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
    2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
    2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
    2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
    2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
    2008-09-19 21:57 129,784 ------w c:\windows\system32\pxafs.dll
    2008-09-19 21:57 120,056 ------w c:\windows\system32\pxcpyi64.exe
    2008-09-19 21:57 118,520 ------w c:\windows\system32\pxinsi64.exe
    2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
    2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
    2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-02 342336]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-02 136600]
    "Efahulo"="c:\windows\utimebopevube.dll" [2008-12-03 141824]
    "CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]
    "nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Noxious Rain\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM 360448]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [3/26/2006 10:44:08 PM 257752]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.xvid"= xvid.dll
    "msacm.ac3filter"= ac3filter.acm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [6/27/2008 7:21:18 PM 99352]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [6/27/2008 7:21:18 PM 99352]
    S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [6/27/2008 7:21:26 PM 555032]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [6/27/2008 7:21:26 PM 555032]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [6/27/2008 7:21:44 PM 100888]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [6/27/2008 7:21:44 PM 100888]
    S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [6/27/2008 7:21:38 PM 566296]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [6/27/2008 7:21:38 PM 566296]

    *Newly Created Service* - PROCEXP90
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Noxious Rain\Application Data\Mozilla\Firefox\Profiles\hwxn8drc.default\
    FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
    FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
    FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-03 19:20:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    CTHelper = CTHELPER.EXE?

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-12-03 19:21:37
    ComboFix-quarantined-files.txt 2008-12-04 00:21:21

    Pre-Run: 89,170,980,864 bytes free
    Post-Run: 89,464,123,392 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    197



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:18:57 PM, on 03/12/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Efahulo] rundll32.exe "C:\WINDOWS\utimebopevube.dll",e
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

    --
    End of file - 4168 bytes

  6. #6
    Forum Moderator evilfantasy

    Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    File::
    c:\windows\utimebopevube.dll
    C:\yjvmtaa.exe
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.


    Our help here is always free but it does cost money to keep the site running. If you feel we've helped you, Please Donate to the Forum
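A triage helper, added here as an illustration (not code from HijackThis, ComboFix, or anyone in this thread): it parses the O4 Run lines from the log posted above, flags rundll32 entries that load a DLL straight from C:\WINDOWS (a heuristic assumed for this example, not a rule either tool applies), and emits the KillAll:: / File:: script format used in this reply.

```python
"""Triage helper for HijackThis O4 (Run) lines and ComboFix CFScript output.
Added illustration; not part of HijackThis, ComboFix, or this thread."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the O4 lines from the HijackThis log posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Efahulo] rundll32.exe "C:\WINDOWS\utimebopevube.dll",e
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# "O4 - <hive>\..\Run: [<name>] <command>"; Startup/.lnk lines do not match and are skipped.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# rundll32[.exe] "<dll>",<entry>  or  rundll32[.exe] <dll>,<entry>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,', re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    dll: Optional[str]  # DLL path when the command is a rundll32 invocation, else None


def rundll32_target(command: str) -> Optional[str]:
    """Return the DLL path a rundll32 command loads, or None for other commands."""
    m = RUNDLL_RE.match(command.strip())
    return m.group("dll") if m else None


def parse_o4(text: str) -> List[RunEntry]:
    """Parse the O4 ...\\Run: lines of a HijackThis log into RunEntry records."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            cmd = m.group("cmd")
            entries.append(RunEntry(m.group("hive"), m.group("name"), cmd, rundll32_target(cmd)))
    return entries


def loads_from_windows_root(dll: str, windir: str = r"C:\WINDOWS") -> bool:
    """True when the DLL sits directly in the Windows directory, not a subfolder.
    Heuristic assumed for this example: vendor Run entries in the log above load
    from system32 or Program Files, never from the Windows root itself."""
    return ntpath.normcase(ntpath.dirname(dll)) == ntpath.normcase(windir)


def flag_suspicious(entries: List[RunEntry]) -> List[RunEntry]:
    """Flag Run entries where rundll32 loads a DLL straight from the Windows directory."""
    return [e for e in entries if e.dll and loads_from_windows_root(e.dll)]


def build_cfscript(files: List[str]) -> str:
    """Emit a CFScript in the form posted in this reply: KillAll:: then a File:: section."""
    lines = ["KillAll::", ""]
    if files:
        lines.append("File::")
        lines.extend(files)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = flag_suspicious(parse_o4(HJT_SAMPLE))
    for e in flagged:
        print(f"suspicious {e.hive} Run entry [{e.name}]: {e.command}")
    print(build_cfscript([e.dll for e in flagged]))
```

The second file in the moderator's script, C:\yjvmtaa.exe, does not appear in any O4 line, so a log-only triage like this one would not produce it.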

  7. #7
    Member (original poster)

    Here it is:

    ComboFix 08-12-02.02 - Noxious Rain 2008-12-03 23:05:18.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.940 [GMT -5:00]
    Running from: c:\documents and settings\Noxious Rain\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Noxious Rain\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\utimebopevube.dll
    C:\yjvmtaa.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\utimebopevube.dll
    C:\yjvmtaa.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
    .

    2008-12-03 23:04 . 2008-12-03 23:08 3,162,278 --a------ c:\windows\{00000000-00000000-0000000B-00001102-00000004-00511102}.BAK
    2008-12-03 22:24 . 2008-12-03 23:08 <DIR> d-------- c:\program files\Steam
    2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\Malwarebytes
    2008-12-03 18:56 . 2008-12-03 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-03 18:56 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-03 18:56 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-12-03 08:06 . 2008-12-03 08:08 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\SolidWorks
    2008-12-03 00:01 . 2008-12-03 18:52 <DIR> d-------- c:\program files\SpywareGuard
    2008-12-02 23:56 . 2008-12-02 23:56 <DIR> d-------- c:\program files\SpywareBlaster
    2008-12-02 23:56 . 2008-12-02 23:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
    2008-12-02 23:48 . 2008-12-02 23:48 <DIR> d-------- c:\program files\Java
    2008-12-02 23:48 . 2008-12-02 23:48 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-02 23:48 . 2008-12-02 23:48 73,728 --a------ c:\windows\system32\javacpl.cpl
    2008-12-02 23:39 . 2008-12-02 23:39 <DIR> d-------- c:\program files\Trend Micro
    2008-12-02 19:21 . 2008-12-02 19:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
    2008-12-02 18:19 . 2008-12-02 18:19 <DIR> d-------- c:\program files\Bonjour
    2008-12-02 18:10 . 2008-12-02 18:10 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
    2008-12-02 18:04 . 2008-12-02 18:19 <DIR> d-------- c:\program files\Common Files\Adobe
    2008-12-02 00:08 . 2008-12-02 00:08 <DIR> d-------- c:\program files\CCleaner
    2008-12-02 00:06 . 2008-12-02 00:06 <DIR> d-------- c:\program files\AC3Filter
    2008-12-02 00:06 . 2007-08-18 02:54 380,928 --a------ c:\windows\system32\ac3filter.acm
    2008-12-02 00:05 . 2008-12-02 00:05 <DIR> d-------- c:\program files\XviD
    2008-12-02 00:03 . 2008-12-02 00:03 <DIR> d-------- c:\program files\Illustrate
    2008-12-02 00:03 . 2008-12-02 00:03 167,936 --a------ c:\windows\system32\SpoonUninstall.exe
    2008-12-02 00:03 . 2008-12-02 00:03 27,958 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
    2008-12-02 00:03 . 2008-12-02 00:03 17,871 --a------ c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
    2008-12-02 00:02 . 2008-12-03 23:07 <DIR> d-------- c:\program files\DNA
    2008-12-02 00:02 . 2008-12-02 00:02 <DIR> d-------- c:\program files\BitTorrent
    2008-12-02 00:02 . 2008-12-03 23:07 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DNA
    2008-12-01 23:43 . 2008-12-01 23:43 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DWGeditor
    2008-12-01 23:42 . 2008-12-01 23:42 <DIR> d-------- c:\program files\SolidWorks Installation Manager
    2008-12-01 23:42 . 2008-12-01 23:42 <DIR> d-------- c:\program files\DWGeditor
    2008-12-01 23:42 . 2008-12-01 23:42 0 --a------ c:\windows\eDrawingOfficeAutomator.INI
    2008-12-01 23:41 . 2004-11-05 11:08 670,208 --a------ c:\windows\system32\drivers\hardlock.sys
    2008-12-01 23:41 . 2008-12-01 23:41 23 --ah----- c:\windows\yacht.xws
    2008-12-01 23:40 . 2008-12-01 23:42 <DIR> d-------- c:\program files\Common Files\eDrawings2007
    2008-12-01 23:38 . 2008-12-01 23:38 <DIR> d-------- c:\windows\system32\GroupPolicy
    2008-12-01 23:37 . 2008-12-02 00:00 <DIR> d-------- c:\program files\SolidWorks
    2008-12-01 23:37 . 2008-12-01 23:58 <DIR> d-------- c:\program files\Common Files\SolidWorks Shared
    2008-12-01 23:37 . 2008-12-01 23:37 <DIR> d-------- c:\program files\Common Files\Solidworks Data
    2008-12-01 23:36 . 2008-12-01 23:36 <DIR> d-------- c:\program files\Windows Desktop Search
    2008-12-01 23:36 . 2005-12-05 07:38 22,752 --a------ c:\windows\system32\spupdsvc.exe
    2008-12-01 23:35 . 2008-12-01 23:35 42 --a------ c:\windows\trailer.xws
    2008-12-01 22:51 . 2008-12-01 22:52 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\DivX
    2008-12-01 22:45 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
    2008-12-01 22:30 . 2008-12-01 22:30 <DIR> d-------- c:\program files\DivX
    2008-12-01 22:26 . 2008-12-01 22:26 <DIR> d-------- c:\program files\PowerISO
    2008-12-01 22:21 . 2008-12-01 22:21 <DIR> d-------- c:\windows\nview
    2008-12-01 22:21 . 2008-12-01 22:21 <DIR> d-------- C:\NVIDIA
    2008-12-01 22:21 . 2008-05-16 11:48 446,464 --a------ c:\windows\system32\NVUNINST.EXE
    2008-12-01 22:21 . 2008-05-16 14:01 446,464 --a------ c:\windows\system32\nvudisp.exe
    2008-12-01 22:21 . 2008-12-03 23:07 186,097 --a------ c:\windows\system32\nvapps.xml
    2008-12-01 22:21 . 2008-12-03 23:06 30,120 --a------ c:\windows\system32\BMXStateBkp-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
    2008-12-01 22:21 . 2008-12-03 23:06 30,120 --a------ c:\windows\system32\BMXState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
    2008-12-01 22:21 . 2008-12-03 23:06 27,408 --a------ c:\windows\system32\BMXCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
    2008-12-01 22:21 . 2008-12-03 23:06 27,408 --a------ c:\windows\system32\BMXBkpCtrlState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
    2008-12-01 22:21 . 2008-05-16 14:01 18,070 --a------ c:\windows\system32\nvdisp.nvu
    2008-12-01 22:21 . 2008-12-03 23:06 11,564 --a------ c:\windows\system32\DVCState-{00000000-00000000-0000000B-00001102-00000004-00511102}.rfx
    2008-12-01 22:19 . 2008-12-01 22:22 <DIR> d-------- c:\windows\system32\Defaults
    2008-12-01 22:19 . 2008-12-01 22:19 <DIR> d-------- c:\program files\Creative
    2008-12-01 22:19 . 2000-12-05 09:11 4,174,814 --------- c:\windows\system32\CT4MGM.SF2
    2008-12-01 22:19 . 2008-12-03 23:08 3,162,278 --a------ c:\windows\{00000000-00000000-0000000B-00001102-00000004-00511102}.CDF
    2008-12-01 22:19 . 2008-04-14 00:47 83,072 --a------ c:\windows\system32\drivers\wdmaud.sys
    2008-12-01 22:19 . 2008-04-14 00:47 83,072 --a--c--- c:\windows\system32\dllcache\wdmaud.sys
    2008-12-01 22:19 . 2008-04-14 00:15 52,864 --a------ c:\windows\system32\drivers\DMusic.sys
    2008-12-01 22:19 . 2008-04-14 00:15 52,864 --a--c--- c:\windows\system32\dllcache\dmusic.sys
    2008-12-01 22:19 . 2008-04-14 00:15 10,624 --a------ c:\windows\system32\drivers\gameenum.sys
    2008-12-01 22:19 . 2008-04-14 00:15 10,624 --a--c--- c:\windows\system32\dllcache\gameenum.sys
    2008-12-01 22:19 . 2008-04-14 00:15 6,272 --a------ c:\windows\system32\drivers\splitter.sys
    2008-12-01 22:19 . 2008-04-14 00:15 6,272 --a--c--- c:\windows\system32\dllcache\splitter.sys
    2008-12-01 22:18 . 2008-12-01 22:18 <DIR> d-------- c:\documents and settings\Noxious Rain\Application Data\Creative
    2008-12-01 22:17 . 2008-12-01 22:18 <DIR> d-------- c:\windows\system32\Data
    2008-12-01 22:17 . 2008-12-03 19:32 <DIR> d--h----- c:\program files\InstallShield Installation Information
    2008-12-01 22:17 . 2008-12-01 22:17 <DIR> d-------- c:\program files\Common Files\InstallShield
    2008-12-01 22:16 . 2008-12-01 22:16 <DIR> d-------- C:\ubuntu
    2008-12-01 22:06 . 2008-12-01 22:06 <DIR> d-------- c:\program files\Avira
    2008-12-01 22:06 . 2008-12-01 22:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
    2008-12-01 22:03 . 2008-12-01 22:03 0 --a------ c:\windows\nsreg.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-02 03:18 444,952 ----a-w c:\windows\system32\wrap_oal.dll
    2008-12-02 03:18 109,080 ----a-w c:\windows\system32\OpenAL32.dll
    2008-12-02 02:52 --------- d-----w c:\program files\microsoft frontpage
    2008-11-02 08:44 56,572 ----a-w c:\windows\system32\drivers\scdemu.sys
    2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
    2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
    2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
    2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
    2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
    2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
    2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
    2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
    2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
    2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
    2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
    2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
    2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
    2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
    2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
    2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
    2008-09-19 21:57 129,784 ------w c:\windows\system32\pxafs.dll
    2008-09-19 21:57 120,056 ------w c:\windows\system32\pxcpyi64.exe
    2008-09-19 21:57 118,520 ------w c:\windows\system32\pxinsi64.exe
    2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
    2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
    2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-03_19.20.59.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-12-04 03:24:27 27,648 ----a-r c:\windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C91.exe
    + 2008-09-15 18:22:00 59,719 ----a-w c:\windows\LastGood.Tmp\system32\Macromed\Download\Install.exe
    + 2008-10-05 03:16:26 235,936 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10a.exe
    + 2008-12-04 03:29:43 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-02 342336]
    "Steam"="c:\program files\Steam\Steam.exe" [2008-12-03 1410296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
    "CTHelper"="CTHELPER.EXE" [2008-06-27 c:\windows\system32\CtHelper.exe]
    "nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Noxious Rain\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM 360448]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [3/26/2006 10:44:08 PM 257752]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.xvid"= xvid.dll
    "msacm.ac3filter"= ac3filter.acm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS [6/27/2008 7:21:18 PM 99352]
    R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS [6/27/2008 7:21:26 PM 555032]
    R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS [6/27/2008 7:21:38 PM 566296]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [6/27/2008 7:21:18 PM 99352]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [6/27/2008 7:21:26 PM 555032]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS [6/27/2008 7:21:44 PM 100888]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [6/27/2008 7:21:44 PM 100888]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [6/27/2008 7:21:38 PM 566296]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Efahulo - c:\windows\utimebopevube.dll



    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-03 23:07:48
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    CTHelper = CTHELPER.EXE?

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
    c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\SpywareGuard\sgbhp.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-03 23:09:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-04 04:09:56
    ComboFix2.txt 2008-12-04 00:21:38

    Pre-Run: 84,745,641,984 bytes free
    Post-Run: 84,838,404,096 bytes free

    203

  8. #8
    Forum Moderator evilfantasy

    • Click START then RUN
    • Now type Combofix /u in the runbox
    • Make sure there's a space between Combofix and /u
    • Then hit Enter.


    The above procedure will:
    • Delete the following: ComboFix and its associated files and folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Set a new, clean Restore Point.


    ----------

    Download ATF Cleaner by Atribune to your Desktop.

    Alternate download link

    Note: Vista users must use Run As Administrator
    • Under Main: Select Files to Delete choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords click No at the prompt.
    • Click Exit on the Main menu to close the program.


    Note that your system will run slower for a reboot or two after having used this tool so don't panic.

    Restart the computer before starting the Kaspersky scan.

    ----------

    Run the Kaspersky Online Scanner

    In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

    • Click on SCAN NOW
    • Click Accept.
    • The program will then begin downloading the latest definition files.
    • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
    • The scan will take a while, so be patient and let it finish.


    When the scan is done, in the Scan is complete window, any infection is displayed.
    There is no option to clean/disinfect, however, we need to analyze the information on the report.

    To obtain the report:
    • Click on: Save Report As
    • Next, in the Save as prompt, Save in area, select: Desktop.
    • In the File name area use KScan, or something similar.
    • In Save as type: click the drop arrow and select: Text file [*.txt]
    • Then, click: Save


    Copy and paste the Kaspersky Online Scanner Report in your next reply.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

  9. #9
    Member (original poster)

    Lookin' mighty fine! Thanks a lot!



    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, December 4, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, December 04, 2008 20:42:50
    Records in database: 1436944
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - Critical Areas:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\Documents and Settings\Noxious Rain\Start Menu\Programs\Startup
    C:\Program Files
    C:\WINDOWS

    Scan statistics:
    Files scanned: 46188
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 00:46:46

    No malware has been detected. The scan area is clean.

    The selected area was scanned.

  10. #10
    Forum Moderator evilfantasy

    Looks good.

    Use the Secunia Software Inspector to check for out of date software.
    Click Start Now
    Check the box next to Enable thorough system inspection.
    Click Start
    Allow the scan to finish and scroll down to see if any updates are needed.
    Update anything listed.

    ----------

    Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)

    ----------

    Learn more about how to protect yourself while on the Internet from the following link: So how did I get infected in the first place? by Tony Klein.