Tweaks.com Forum / Windows & System Security / HiJack This Logs / Definately infectaed, but what ? / Latest Posts

RE: Definately infectaed, but what ?

RichieUK — Fri, 16 May 2008 06:54:50 GMT

[quote]I intend to delete the infected game emulators as well as the MAME frontends[/quote]
Delete those then do the following:
Run this online virus/spyware scan using [b]Internet Explorer[/b]:
[b][url=http://www.kaspersky.com/virusscanner][color="blue"]Kaspersky WebScanner[/color][/url][/b]
Next click [b]Kaspersky Online Scanner[/b]
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.It does not provide an option to clean/disinfect,[b]i need to see the scan results[/b].
• Now click on the Save as Text button.
• Save the file to your desktop.
• [b]Copy and paste the contents of that file into your next reply[/b].

If the above link doesn't work,try this:
[url]http://www.kaspersky.com/kos/english/kavwebscan.html[/url]

RE: Definately infectaed, but what ?

Err — Fri, 16 May 2008 05:15:14 GMT

Here are the results of the requested scans

//-----------------------------------------------------------------
//
//Product: BitDefender 8 Free Edition
//Version: 8.0
//
//Created on:16/05/200800:23:02
//
//-----------------------------------------------------------------

Statistics

Scan path: C:\
D:\
E:\
F:\
G:\
H:\
Folders: 4759
Files: 249586
Archives: 2083
Packed files: 7645
Identified viruses: 9
Infected files: 11
Warnings: 0
Suspect files: 0
Disinfected files: 0
Deleted files: 0
Copied files: 0
Moved files: 10
Renamed files: 0
I/O errors: 32
Scan time: 01:15:23
Scan speed (files/sec): 55

Virus definitions: 1094044
Scan plugins: 14
Archive plugins: 39
Unpack plugins: 7
Mail plugins: 6
System plugins: 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\QooBox\Quarantine\C\0xf9.exe.virInfected Generic.Malware.dld!!.90566892
C:\QooBox\Quarantine\C\0xf9.exe.virDisinfection failed
C:\QooBox\Quarantine\C\0xf9.exe.virMoved
C:\SDFix\backups\backups.zip=>backups/msdirect.sysInfected Backdoor.ForBot.M
C:\SDFix\backups\backups.zip=>backups/msdirect.sysDisinfection failed
C:\SDFix\backups\backups.zipMoved
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\cyber[1].wmfInfected Exploit.Win32.WMF-PFV
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\cyber[1].wmfDisinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\cyber[1].wmfMoved
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\dnlsvc[1].exeInfected Trojan.Hacktool.Rootkit.BR
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\dnlsvc[1].exeDisinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\dnlsvc[1].exeMoved
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\test[1].htmInfected Exploit.ADODB.Stream.BU
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\test[1].htmDisinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\test[1].htmMoved
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0Z5U5S82\loader[1].exeInfected Generic.Malware.dld!!.90566892
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0Z5U5S82\loader[1].exeDisinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0Z5U5S82\loader[1].exeMoved
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GL2F0D6B\2[1].aniInfected Exploit.Win32.MS05-002.Gen
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GL2F0D6B\2[1].aniDisinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GL2F0D6B\2[1].aniMoved
C:\z_Drivers\svchost.exeInfected Trojan.Generic.163127
C:\z_Drivers\svchost.exeDisinfection failed
C:\z_Drivers\svchost.exeMoved
F:\EMULS\MAME\FrontENDS\MALA\MaLaKeyHook.dllInfected Backdoor.Bancodor.I
F:\EMULS\MAME\FrontENDS\MALA\MaLaKeyHook.dllDisinfection failed
F:\EMULS\MAME\FrontENDS\MALA\MaLaKeyHook.dllMoved
F:\EMULS\MAME\FrontENDS\MaLa.7z=>MaLaKeyHook.dllInfected Backdoor.Bancodor.I
F:\EMULS\MAME\FrontENDS\MaLa.7z=>MaLaKeyHook.dllDisinfection failed
F:\EMULS\MAME\FrontENDS\MaLa.7z=>MaLaKeyHook.dllMove failed
F:\EMULS\N64\1964_099.exeInfected Trojan.Generic.79287
F:\EMULS\N64\1964_099.exeDisinfection failed
F:\EMULS\N64\1964_099.exeMoved

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/16/2008 at 02:27 AM

Application Version : 4.0.1154

Core Rules Database Version : 3462
Trace Rules Database Version: 1453

Scan type : Complete Scan
Total Scan Time : 00:25:28

Memory items scanned : 279
Memory threats detected : 0
Registry items scanned : 4166
Registry threats detected : 11
File items scanned : 15458
File threats detected : 7

Trojan.Unknown Origin
c:\z_Drivers
C:\WINDOWS\..\z_Drivers

Trojan.SystemDriver
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#DriverLoad
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#DriverCheck
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#SystemDriverLoad
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#Winhost
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#Winhost1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#Winhost2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#Winhost3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#Winhost4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#ADriver
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#FDriver
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#SystemDriver

Trojan.MSDirect
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C8E56DE-8F65-4744-A90C-6E3BE24FA74E}\RP69\A0040205.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C8E56DE-8F65-4744-A90C-6E3BE24FA74E}\RP69\A0040209.SYS

Trojan.Downloader-DnlSvc
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C8E56DE-8F65-4744-A90C-6E3BE24FA74E}\RP71\A0040319.EXE

Trojan.Downloader-Gen/Searcher
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C8E56DE-8F65-4744-A90C-6E3BE24FA74E}\RP71\A0040390.EXE

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.cadelasexy[2].txt

Logfile of HijackThis v1.99.1
Scan saved at 11:07:53, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\soffice.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Poi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://techwhims.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKCU\..\Run: [SODCPreLoad] C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\preload.exe C:\PROGRA~1\IBM\Lotus\Symphony\data\.sodc\
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe

----------------------------------------------------------------------

I have deleted all the detected spyware using SUPERAntiSpyware, I did a second scan and nothing was detected.
I intend to delete the infected game emulators as well as the MAME frontends, is this this a good method of getting rid of those viruses or is it better to look for dedicated tools for each virus ?

RE: Definately infectaed, but what ?

RichieUK — Thu, 15 May 2008 18:18:45 GMT

You can re-enable BitDefender,forget Avira and carry on with the remaining instructions then if you will.

RE: Definately infectaed, but what ?

Err — Thu, 15 May 2008 18:15:14 GMT

I have BitDefender 8 Free Edition, build 8.0.202
I disabled it because I did not want to disrupt the use of the anti malware programs.
I've used BitDefender for a few months and have not experienced any problems with it.

RE: Definately infectaed, but what ?

RichieUK — Thu, 15 May 2008 18:01:41 GMT

[quote]I'm reluctant to switch from BitDefender, would a scan result from BitDefender be as reliable as
Avira AntiVir ?[/quote]
The reason i asked you to install and scan with Avira is because i cannot see any signs of virus protection installed in the latest Hijackthis log you posted,have you disabled BitDefender or is there a problem with it.

RE: Definately infectaed, but what ?

Err — Thu, 15 May 2008 17:49:07 GMT

I'm reluctant to switch from BitDefender, would a scan result from BitDefender be as reliable as
Avira AntiVir ?

RE: Definately infectaed, but what ?

RichieUK — Thu, 15 May 2008 17:39:56 GMT

Please download/install [b]Avira AntiVir Personal - FREE Antivirus[/b]:
[url]http://www.free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html[/url]
Perform a full scan with Avira and allow it to delete everything it detects.
[b]Restart your pc when you've done.[/b]
After restart,open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button,then [b]copy and paste the report into your next reply[/b].

Download [b]ATF Cleaner[/b] by [b]Atribune[/b]:
[url]http://www.atribune.org/ccount/click.php?id=1[/url]
[b]Do not run it just yet.[/b]

Download\install [b]'SuperAntiSpyware Free Version Home Users'[/b] from here:
[URL]http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE[/URL]

Launch SuperAntiSpyware and click on 'Check for updates'.
If you encounter any error messages while downloading the updates,manually download them from [B][URL=http://www.superantispyware.com/definitions.html][COLOR="BLUE"]Here[/COLOR][/URL][/B].
Once the updates have been installed,[b]exit[/b] SuperAntiSpyware.
[b]Do not run it just yet.[/b]

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
[b]O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)[/b]
Exit Hijackthis.

[b]Now double-click ATF-Cleaner.exe to run the program.[/b]
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.
If you use [b]Firefox[/b] browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
[b][color="blue"]NOTE:[/color][/b]
[color="blue"]If you would like to keep your saved passwords,please click [b]'No'[/b] at the prompt.[/color]
If you use [b]Opera[/b] browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
[b][color="blue"]NOTE:[/color][/b]
[color="blue"]If you would like to keep your saved passwords,please click [b]'No'[/b] at the prompt.[/color]
Click 'Exit' on the Main menu to close the program.

[b]Now Start SuperAntiSpyware.[/b]
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
[b]Copy and paste the contents of that report into your next reply.[/b]

Your version of [b]Sun Java[/b] is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of [b][url=http://java.sun.com/javase/downloads/index.jsp][color="blue"]Java Runtime Environment (JRE)[/color][/url][/b]
2. Scroll down to where it says '[b]Java Runtime Environment (JRE) 6u6[/b]'.
3. Click the "Download" button to the right.
4. Select the Platform and Language for your download,then check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download [b]'Windows Offline Installation, Multi-language - jre-6u6-windows-i586-p.exe'[/b] [15.21 MB] and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on [b]jre-6u6-windows-i586-p.exe[/b] to install the newest version.

[b]Also post a new Hijackthis log,let me know how your pc is running now please.[/b]

RE: Definately infectaed, but what ?

Err — Thu, 15 May 2008 17:33:30 GMT

I had my headphones on because previous to this spyware problem, I was listening to a netcast.
Ran ComboFix and HijackThis without any noticeable problems.
The CPU Usage is back to normal, FireFox is responding well, no longer hanging and only one startup item enabled, ctfmon.exe

Problems are fixed, your help is much appreciated, thank you.

Here are the results

ComboFix 08-05-12.1 - Poi 2008-05-15 23:05:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.198 [GMT 1:00]
Running from: C:\Documents and Settings\Poi\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Poi\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\[u]0[/u]xf9.exe
C:\z_Drivers
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\[u]0[/u]xf9.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-15 21:49 . 2008-05-15 21:49d--------C:\WINDOWS\ERUNT
2008-05-15 21:44 . 2008-05-15 22:05d--------C:\SDFix
2008-05-15 11:38 . 2008-05-15 11:38d--------C:\z_Drivers
2008-05-09 08:05 . 2008-05-09 08:05d--------C:\Documents and Settings\Poi\Application Data\Talkback
2008-05-02 18:25 . 2008-05-02 18:25d--------C:\Program Files\Rockstar Games
2008-04-28 22:23 . 2008-04-28 22:23d--------C:\Program Files\Hotspot Shield
2008-04-26 22:02 . 2008-04-26 22:04d--------C:\Documents and Settings\Poi\Application Data\Dimdim
2008-04-26 22:02 . 2005-11-27 19:2531,896--a------C:\WINDOWS\system32\drivers\dfmirage.sys
2008-04-26 22:02 . 2005-11-27 19:2530,360--a------C:\WINDOWS\system32\dfmirage.dll
2008-04-25 14:12 . 2004-08-30 14:25438,272--a------C:\WINDOWS\system32\vp6vfw.dll
2008-04-25 14:12 . 2004-12-10 10:06327,680--a------C:\WINDOWS\system32\vp6dec.ax
2008-04-25 14:12 . 2007-04-12 15:01118,832--a------C:\WINDOWS\system32\SHW32.DLL
2008-04-23 12:17 . 2008-04-23 13:06d--------C:\Program Files\PeerGuardian2
2008-04-22 10:31 . 2008-04-22 10:31dr-h-----C:\Documents and Settings\Poi\Application Data\SecuROM
2008-04-22 06:17 . 2008-04-22 08:42d--------C:\Program Files\Desktop Activity Recorder
2008-04-20 12:51 . 2008-04-20 12:51d--------C:\Program Files\OpenAL
2008-04-20 12:51 . 2008-04-20 12:51409,600--a------C:\WINDOWS\system32\wrap_oal.dll
2008-04-20 12:51 . 2008-04-20 12:51114,688--a------C:\WINDOWS\system32\OpenAL32.dll
2008-04-20 12:47 . 2008-04-20 12:47d--------C:\Program Files\Paradox Interactive
2008-04-19 00:30 . 2008-04-19 00:30d--------C:\Program Files\Network Stumbler
2008-04-18 20:04 . 2008-04-18 20:03737,280--a------C:\WINDOWS\iun6002.exe
2008-04-18 13:21 . 2008-04-18 13:21d--------C:\Documents and Settings\All Users\Application Data\Default
2008-04-17 16:43 . 2008-04-17 16:43107,888--a------C:\WINDOWS\system32\CmdLineExt.dll
2008-04-17 08:42 . 2008-04-17 08:42d--------C:\Program Files\BIGSPEED Peer-to-Peer SDK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 22:04---------d-----wC:\Documents and Settings\Poi\Application Data\OpenOffice.org2
2008-05-15 20:2014----a-wC:\Documents and Settings\Poi\getfile.dat
2008-05-15 17:08---------d-----wC:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 16:28---------d-----wC:\Program Files\BOINC
2008-05-14 10:54---------d-----wC:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-08 14:33---------d--h--wC:\Program Files\InstallShield Installation Information
2008-04-25 13:06---------d-----wC:\Program Files\EA Sports
2008-04-25 12:56---------d-----wC:\Program Files\Common Files\LogiShrd
2008-04-25 12:38---------d-----wC:\Documents and Settings\All Users\Application Data\Logishrd
2008-04-18 19:16---------d-----wC:\Program Files\Atheros
2008-04-18 19:1443,520----a-wC:\WINDOWS\system32\CmdLineExt03.dll
2008-04-17 13:40---------d-----wC:\Documents and Settings\Poi\Application Data\Hamachi
2008-04-13 18:51---------d-----wC:\Program Files\New Star Soccer 3
2008-04-11 00:44---------d-----wC:\Program Files\Project64 1.6
2008-04-10 13:19---------d-----wC:\Program Files\1964
2008-04-10 12:18---------d-----wC:\Program Files\mupen64 0.5
2008-04-09 20:07---------d-----wC:\Program Files\mupen64 0.4
2008-04-05 14:35---------d-----wC:\Program Files\Microsoft Silverlight
2008-03-28 12:13---------d-----wC:\Program Files\Safari
2008-03-28 12:13---------d-----wC:\Documents and Settings\Poi\Application Data\Apple Computer
2008-03-28 12:12---------d-----wC:\Program Files\Apple Software Update
2008-03-28 12:12---------d-----wC:\Documents and Settings\All Users\Application Data\Apple
2008-03-24 23:03---------d-----wC:\Documents and Settings\Poi\Application Data\Vso
2008-03-22 22:27---------d-----wC:\Program Files\VSO
2008-03-19 15:37---------d-----wC:\Documents and Settings\All Users\Application Data\Logitech
2008-03-19 15:07---------d-----wC:\Program Files\SiSoftware
2008-03-19 15:00---------d-----wC:\Program Files\Belarc
2008-03-18 17:32---------d--h--wC:\Documents and Settings\All Users\Application Data\{3DABBC31-9BB8-45D8-BE78-353E801E5DBA}
2008-03-18 17:32---------d-----wC:\Program Files\GGPO Client
2008-03-17 18:11---------d-----wC:\Program Files\mosaic
2008-03-16 21:05---------d-----wC:\Program Files\Windows Media Connect 2
2008-03-16 20:54---------d-----wC:\Program Files\Kontiki
2008-03-16 20:54---------d-----wC:\Program Files\Channel4
2008-03-16 20:54---------d-----wC:\Documents and Settings\All Users\Application Data\Channel4
2008-03-14 14:23415,096----a-wC:\WINDOWS\system32\pr2aqvlb.exe
2008-03-07 11:56920,088----a-wC:\WINDOWS\system32\igxpun.exe
2008-03-06 18:20691,545----a-wC:\WINDOWS\unins000.exe
2008-03-04 13:00811,776----a-wC:\WINDOWS\boinc.scr
2008-02-15 12:21147,456----a-wC:\WINDOWS\system32\igfxCoIn_v4926.dll
2008-02-15 12:1257,344----a-wC:\WINDOWS\system32\igxprd32.dll
2008-02-15 12:122,643,968----a-wC:\WINDOWS\system32\igxpdx32.dll
2008-02-15 12:12151,040----a-wC:\WINDOWS\system32\igxpgd32.dll
2008-02-15 12:121,670,144----a-wC:\WINDOWS\system32\igxpdv32.dll
2008-02-15 12:01294,912----a-wC:\WINDOWS\system32\igldev32.dll
2008-02-15 12:002,334,720----a-wC:\WINDOWS\system32\iglicd32.dll
2008-02-15 11:48524,288----a-wC:\WINDOWS\system32\igfxcfg.exe
2008-02-15 11:4648,128----a-wC:\WINDOWS\system32\igfxsrvc.dll
2008-02-15 11:46249,856----a-wC:\WINDOWS\system32\igfxsrvc.exe
2008-02-15 11:4624,576----a-wC:\WINDOWS\system32\igfxexps.dll
2008-02-15 11:46204,800----a-wC:\WINDOWS\system32\igfxpph.dll
2008-02-15 11:46163,840----a-wC:\WINDOWS\system32\igfxext.exe
2008-02-15 11:46159,744----a-wC:\WINDOWS\system32\hkcmd.exe
2008-02-15 11:46135,168----a-wC:\WINDOWS\system32\igfxtray.exe
2008-02-15 11:46135,168----a-wC:\WINDOWS\system32\igfxdo.dll
2008-02-15 11:46131,072----a-wC:\WINDOWS\system32\igfxpers.exe
2008-02-15 11:453,293,184----a-wC:\WINDOWS\system32\igfxress.dll
2008-02-15 11:45208,896----a-wC:\WINDOWS\system32\igfxdev.dll
2008-02-15 11:45172,032----a-wC:\WINDOWS\system32\igfxres.dll
2008-02-15 11:45163,840----a-wC:\WINDOWS\system32\igfxzoom.exe
2008-02-15 11:45102,400----a-wC:\WINDOWS\system32\hccutils.dll
.

------- Sigcheck -------

2007-12-21 00:32 359040 a14fafd66adbd55a86f17a37e5ec4263C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-05-15_22.20.07.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-15 21:10:0360,934----a-wC:\WINDOWS\system32\perfc009.dat
+ 2008-05-15 21:25:5760,934----a-wC:\WINDOWS\system32\perfc009.dat
- 2008-05-15 21:10:03396,608----a-wC:\WINDOWS\system32\perfh009.dat
+ 2008-05-15 21:25:57396,608----a-wC:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODCPreLoad"="C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\preload.exe" [2008-02-26 10:13 40960]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-12-07 03:21 124928 C:\WINDOWS\system32\advpack.dll]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launchy.lnk
backup=C:\WINDOWS\pss\Launchy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=C:\WINDOWS\pss\Ralink Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Poi^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Poi\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^DOCUME~1^Poi^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\DOCUME~1\Poi\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADriver]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-12-13 22:50 88204 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2006-07-19 10:41 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2006-07-19 10:41 53248 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
--a------ 2005-06-20 13:10 421888 c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]
--a------ 2005-05-09 13:19 8192 c:\progra~1\softwin\bitdef~1\bdnagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-14 00:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-15 12:46 159744 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2008-02-15 12:46 159744 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2008-02-15 12:46 131072 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2008-02-15 12:46 135168 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-02-15 12:46 131072 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-07-19 10:42 16248320 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-07-19 10:42 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
--a------ 2004-10-15 20:40 2577632 C:\PROGRA~1\Sygate\SPF\smc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
--a------ 2007-10-08 10:21 55856 C:\Program Files\VMware\VMware Player\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"uvnc_service"=2 (0x2)
"LexBceS"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-p2v"=2 (0x2)
"ThreadMaster"=2 (0x2)
"rpcapd"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"LVCOMSer"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"pr2aqvlb"=2 (0x2)
"HotspotShieldService"=2 (0x2)
"dnlsvc"=2 (0x2)
"KService"=2 (0x2)
"XCOMM"=2 (0x2)
"SmcService"=2 (0x2)
"bdss"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SODCPreLoad"=C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\preload.exe C:\PROGRA~1\IBM\Lotus\Symphony\data\.sodc\

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\UltraVNC\\vncviewer.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe"=
"C:\\Program Files\\BIGSPEED Peer-to-Peer SDK\\bsP2pHubDemo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pe3aqvlb;XIII Century Environment Driver (pe3aqvlb);C:\WINDOWS\system32\drivers\pe3aqvlb.sys [2008-03-14 15:22]
R0 ps7aqvlb;XIII Century Synchronization Driver (ps7aqvlb);C:\WINDOWS\system32\drivers\ps7aqvlb.sys [2008-03-14 15:21]
R2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;C:\Program Files\VMware\VMware Converter\vstor2-p2v30.sys [2007-01-30 20:41]
R3 dfmirage;dfmirage;C:\WINDOWS\system32\DRIVERS\dfmirage.sys [2005-11-27 19:25]
R3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-23 22:25]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 03:12]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S4 pr2aqvlb;XIII Century Drivers Auto Removal (pr2aqvlb);C:\WINDOWS\system32\pr2aqvlb.exe svc []
S4 ThreadMaster;Thread Master;C:\WINDOWS\system32\ThreadMaster\ThreadMast.exe [2003-03-18 00:27]
S4 ufad-p2v;VMware Converter Service;"C:\Program Files\VMware\VMware Converter\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Converter\\" -s ufad-p2v.xml []
S4 uvnc_service;uvnc_service;"C:\Program Files\UltraVNC\WinVNC.exe" -service []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 23:07:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-05-15 23:08:10
ComboFix-quarantined-files.txt 2008-05-15 22:08:06
ComboFix2.txt 2008-05-15 21:20:27

Pre-Run: 7,603,470,336 bytes free
Post-Run: 7,817,502,720 bytes free

263

-----------------------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:13:26, on 15/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\soffice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Poi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://techwhims.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKCU\..\Run: [SODCPreLoad] C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\preload.exe C:\PROGRA~1\IBM\Lotus\Symphony\data\.sodc\
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

RE: Definately infectaed, but what ?

RichieUK — Thu, 15 May 2008 16:54:25 GMT

Remove your headphones although i cannot understand why you had them on while running Combofix!!

Copy and paste ALL the following text in the code box below into [b]Notepad[/b].
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: [b]CFScript[/b] to your desktop.
[quote]File::
C:\z_Drivers
C:\0xf9.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DriverLoad"=-
"DriverCheck"=-
"SystemDriverLoad"=-
"alpha"=-
"beta"=-
"gamma"=-
"SystemDriver"=-
"FDriver"=-
"ADriver"=-
"CDriver"=-
"DDriver"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"CDriver"=-
"DDriver"=-
"alpha"=-
"beta"=-
"gamma"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alpha]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\beta]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CDriver]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDriver]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverLoad]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FDriver]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gamma]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDriver]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDriverLoad]
[/quote]
Now drag then drop the [b]CFScript[/b] file onto [b]ComboFix.exe[/b] as seen in the image below.

[img]http://img.photobucket.com/albums/v624/29wood/CFScript.gif[/img]

This will start ComboFix again.
After reboot, (in case it asks to reboot), [b]post the contents of Combofix.txt in your next reply along with a new HijackThis log.[/b]

RE: Definately infectaed, but what ?

Err — Thu, 15 May 2008 16:37:37 GMT

Followed the instructions, I disabled all startup items before using SDFix however svchost.exe is still enabled, all 5 entries plus the 6 blank entries.

I ran both applications without any noticeable problems.

Here are the results

[b]SDFix: Version 1.182 [/b]
Run by Poi on 15/05/2008 at 21:54

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

[b]Name [/b]:
dnlsvc
msdirect

[b]Path [/b]:
"C:\DOCUME~1\Poi\LOCALS~1\Temp\dnlsvc.exe"
\??\C:\WINDOWS\system32\msdirect.sys

dnlsvc - Deleted
msdirect - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

[b]Checking Files [/b]:

Trojan Files Found:

C:\WINDOWS\system32\msdirect.sys - Deleted

Removing Temp Files

[b]ADS Check [/b]:

[b]Final Check [/b]:

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 22:00:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:73,77,9d,44,52,04,3a,96,64,2c,89,59,f4,05,3c,2c,b1,76,a7,38,16,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,25,5d,36,3f,12,c8,45,c9,6d,c9,2b,96,e3,42,a1,87,db,..
"khjeh"=hex:91,6e,b0,e0,15,28,5d,87,f6,0a,45,2e,2f,5f,db,77,e8,a0,53,1a,89,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:71,4f,4c,8a,c1,fc,63,1e,3d,c3,12,7f,71,99,fc,44,96,b4,cc,df,e3,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:73,77,9d,44,52,04,3a,96,64,2c,89,59,f4,05,3c,2c,b1,76,a7,38,16,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,25,5d,36,3f,12,c8,45,c9,6d,c9,2b,96,e3,42,a1,87,db,..
"khjeh"=hex:91,6e,b0,e0,15,28,5d,87,f6,0a,45,2e,2f,5f,db,77,e8,a0,53,1a,89,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:71,4f,4c,8a,c1,fc,63,1e,3d,c3,12,7f,71,99,fc,44,96,b4,cc,df,e3,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

[b]Remaining Services [/b]:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\UltraVNC\\vncviewer.exe"="C:\\Program Files\\UltraVNC\\vncviewer.exe:*:Enabled:vncviewer.exe"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\\Program Files\\BIGSPEED Peer-to-Peer SDK\\bsP2pHubDemo.exe"="C:\\Program Files\\BIGSPEED Peer-to-Peer SDK\\bsP2pHubDemo.exe:*:Enabled:bsP2pHubDemo"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:

File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 16 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 16 Mar 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 12 Mar 2008 165,232 A..H. --- "C:\Documents and Settings\Poi\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll"

[b]Finished![/b]

--------------------------------------------------------------------------

ComboFix 08-05-12.1 - Poi 2008-05-15 22:13:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.233 [GMT 1:00]
Running from: C:\Documents and Settings\Poi\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Desktop_.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSDIRECT
-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2008-04-15 to 2008-05-15 )))))))))))))))))))))))))))))))
.

2008-05-15 21:49 . 2008-05-15 21:49d--------C:\WINDOWS\ERUNT
2008-05-15 21:44 . 2008-05-15 22:05d--------C:\SDFix
2008-05-15 11:38 . 2008-05-15 11:38d--------C:\z_Drivers
2008-05-15 11:38 . 2008-05-15 14:43980--a------C:\[u]0[/u]xf9.exe
2008-05-09 08:05 . 2008-05-09 08:05d--------C:\Documents and Settings\Poi\Application Data\Talkback
2008-05-02 18:25 . 2008-05-02 18:25d--------C:\Program Files\Rockstar Games
2008-04-28 22:23 . 2008-04-28 22:23d--------C:\Program Files\Hotspot Shield
2008-04-26 22:02 . 2008-04-26 22:04d--------C:\Documents and Settings\Poi\Application Data\Dimdim
2008-04-26 22:02 . 2005-11-27 19:2531,896--a------C:\WINDOWS\system32\drivers\dfmirage.sys
2008-04-26 22:02 . 2005-11-27 19:2530,360--a------C:\WINDOWS\system32\dfmirage.dll
2008-04-25 14:12 . 2004-08-30 14:25438,272--a------C:\WINDOWS\system32\vp6vfw.dll
2008-04-25 14:12 . 2004-12-10 10:06327,680--a------C:\WINDOWS\system32\vp6dec.ax
2008-04-25 14:12 . 2007-04-12 15:01118,832--a------C:\WINDOWS\system32\SHW32.DLL
2008-04-23 12:17 . 2008-04-23 13:06d--------C:\Program Files\PeerGuardian2
2008-04-22 10:31 . 2008-04-22 10:31dr-h-----C:\Documents and Settings\Poi\Application Data\SecuROM
2008-04-22 06:17 . 2008-04-22 08:42d--------C:\Program Files\Desktop Activity Recorder
2008-04-20 12:51 . 2008-04-20 12:51d--------C:\Program Files\OpenAL
2008-04-20 12:51 . 2008-04-20 12:51409,600--a------C:\WINDOWS\system32\wrap_oal.dll
2008-04-20 12:51 . 2008-04-20 12:51114,688--a------C:\WINDOWS\system32\OpenAL32.dll
2008-04-20 12:47 . 2008-04-20 12:47d--------C:\Program Files\Paradox Interactive
2008-04-19 00:30 . 2008-04-19 00:30d--------C:\Program Files\Network Stumbler
2008-04-18 20:04 . 2008-04-18 20:03737,280--a------C:\WINDOWS\iun6002.exe
2008-04-18 13:21 . 2008-04-18 13:21d--------C:\Documents and Settings\All Users\Application Data\Default
2008-04-17 16:43 . 2008-04-17 16:43107,888--a------C:\WINDOWS\system32\CmdLineExt.dll
2008-04-17 08:42 . 2008-04-17 08:42d--------C:\Program Files\BIGSPEED Peer-to-Peer SDK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 20:2014----a-wC:\Documents and Settings\Poi\getfile.dat
2008-05-15 18:47---------d-----wC:\Documents and Settings\Poi\Application Data\OpenOffice.org2
2008-05-15 17:08---------d-----wC:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-15 16:28---------d-----wC:\Program Files\BOINC
2008-05-14 10:54---------d-----wC:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-08 14:33---------d--h--wC:\Program Files\InstallShield Installation Information
2008-04-25 13:06---------d-----wC:\Program Files\EA Sports
2008-04-25 12:56---------d-----wC:\Program Files\Common Files\LogiShrd
2008-04-25 12:38---------d-----wC:\Documents and Settings\All Users\Application Data\Logishrd
2008-04-18 19:16---------d-----wC:\Program Files\Atheros
2008-04-17 13:40---------d-----wC:\Documents and Settings\Poi\Application Data\Hamachi
2008-04-13 18:51---------d-----wC:\Program Files\New Star Soccer 3
2008-04-11 00:44---------d-----wC:\Program Files\Project64 1.6
2008-04-10 13:19---------d-----wC:\Program Files\1964
2008-04-10 12:18---------d-----wC:\Program Files\mupen64 0.5
2008-04-09 20:07---------d-----wC:\Program Files\mupen64 0.4
2008-04-05 14:35---------d-----wC:\Program Files\Microsoft Silverlight
2008-03-28 12:13---------d-----wC:\Program Files\Safari
2008-03-28 12:13---------d-----wC:\Documents and Settings\Poi\Application Data\Apple Computer
2008-03-28 12:12---------d-----wC:\Program Files\Apple Software Update
2008-03-28 12:12---------d-----wC:\Documents and Settings\All Users\Application Data\Apple
2008-03-24 23:03---------d-----wC:\Documents and Settings\Poi\Application Data\Vso
2008-03-22 22:27---------d-----wC:\Program Files\VSO
2008-03-19 15:37---------d-----wC:\Documents and Settings\All Users\Application Data\Logitech
2008-03-19 15:07---------d-----wC:\Program Files\SiSoftware
2008-03-19 15:00---------d-----wC:\Program Files\Belarc
2008-03-18 17:32---------d--h--wC:\Documents and Settings\All Users\Application Data\{3DABBC31-9BB8-45D8-BE78-353E801E5DBA}
2008-03-18 17:32---------d-----wC:\Program Files\GGPO Client
2008-03-17 18:11---------d-----wC:\Program Files\mosaic
2008-03-16 21:05---------d-----wC:\Program Files\Windows Media Connect 2
2008-03-16 20:54---------d-----wC:\Program Files\Kontiki
2008-03-16 20:54---------d-----wC:\Program Files\Channel4
2008-03-16 20:54---------d-----wC:\Documents and Settings\All Users\Application Data\Channel4
2008-03-06 18:20691,545----a-wC:\WINDOWS\unins000.exe
2008-03-04 13:00811,776----a-wC:\WINDOWS\boinc.scr
.

------- Sigcheck -------

2007-12-21 00:32 359040 a14fafd66adbd55a86f17a37e5ec4263C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SODCPreLoad"="C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\preload.exe" [2008-02-26 10:13 40960]
"DriverLoad"="" []
"DriverCheck"="" []
"SystemDriverLoad"="" []
"alpha"="c:\z_Drivers\svchost.exe" [2008-05-15 11:38 198144]
"beta"="c:\z_Drivers\svchost.exe" [2008-05-15 11:38 198144]
"gamma"="c:\z_Drivers\svchost.exe" [2008-05-15 11:38 198144]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SystemDriver"="" []
"FDriver"="" []
"ADriver"="" []
"CDriver"="c:\z_Drivers\svchost.exe" [2008-05-15 11:38 198144]
"DDriver"="c:\z_Drivers\svchost.exe" [2008-05-15 11:38 198144]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-12-07 03:21 124928 C:\WINDOWS\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"CDriver"= c:\z_Drivers\svchost.exe
"DDriver"= c:\z_Drivers\svchost.exe
"alpha"= c:\z_Drivers\svchost.exe
"beta"= c:\z_Drivers\svchost.exe
"gamma"= c:\z_Drivers\svchost.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launchy.lnk
backup=C:\WINDOWS\pss\Launchy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=C:\WINDOWS\pss\Ralink Wireless Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Poi^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
path=C:\Documents and Settings\Poi\Start Menu\Programs\Startup\GameSpot Download Manager.lnk
backup=C:\WINDOWS\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^DOCUME~1^Poi^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\DOCUME~1\Poi\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADriver]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-12-13 22:50 88204 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2006-07-19 10:41 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alpha]
--a------ 2008-05-15 11:38 198144 c:\z_Drivers\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2006-07-19 10:41 53248 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDMCon]
--a------ 2005-06-20 13:10 421888 c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDNewsAgent]
--a------ 2005-05-09 13:19 8192 c:\progra~1\softwin\bitdef~1\bdnagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\beta]
--a------ 2008-05-15 11:38 198144 c:\z_Drivers\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CDriver]
--a------ 2008-05-15 11:38 198144 c:\z_Drivers\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-14 00:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDriver]
--a------ 2008-05-15 11:38 198144 c:\z_Drivers\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverLoad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FDriver]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gamma]
--a------ 2008-05-15 11:38 198144 c:\z_Drivers\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-15 12:46 159744 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2008-02-15 12:46 159744 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2008-02-15 12:46 131072 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2008-02-15 12:46 135168 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-04-23 12:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
C:\Program Files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-02-15 12:46 131072 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-07-19 10:42 16248320 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-07-19 10:42 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
--a------ 2004-10-15 20:40 2577632 C:\PROGRA~1\Sygate\SPF\smc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 12:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDriver]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDriverLoad]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMware hqtray]
--a------ 2007-10-08 10:21 55856 C:\Program Files\VMware\VMware Player\hqtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"uvnc_service"=2 (0x2)
"LexBceS"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-p2v"=2 (0x2)
"ThreadMaster"=2 (0x2)
"rpcapd"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"LVCOMSer"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"pr2aqvlb"=2 (0x2)
"HotspotShieldService"=2 (0x2)
"dnlsvc"=2 (0x2)
"KService"=2 (0x2)
"XCOMM"=2 (0x2)
"SmcService"=2 (0x2)
"bdss"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SODCPreLoad"=C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\preload.exe C:\PROGRA~1\IBM\Lotus\Symphony\data\.sodc\

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\UltraVNC\\vncviewer.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP1\\RpcSandraSrv.exe"=
"C:\\Program Files\\BIGSPEED Peer-to-Peer SDK\\bsP2pHubDemo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pe3aqvlb;XIII Century Environment Driver (pe3aqvlb);C:\WINDOWS\system32\drivers\pe3aqvlb.sys [2008-03-14 15:22]
R0 ps7aqvlb;XIII Century Synchronization Driver (ps7aqvlb);C:\WINDOWS\system32\drivers\ps7aqvlb.sys [2008-03-14 15:21]
R2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;C:\Program Files\VMware\VMware Converter\vstor2-p2v30.sys [2007-01-30 20:41]
R3 dfmirage;dfmirage;C:\WINDOWS\system32\DRIVERS\dfmirage.sys [2005-11-27 19:25]
R3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-23 22:25]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 03:12]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S4 pr2aqvlb;XIII Century Drivers Auto Removal (pr2aqvlb);C:\WINDOWS\system32\pr2aqvlb.exe svc []
S4 ThreadMaster;Thread Master;C:\WINDOWS\system32\ThreadMaster\ThreadMast.exe [2003-03-18 00:27]
S4 ufad-p2v;VMware Converter Service;"C:\Program Files\VMware\VMware Converter\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Converter\\" -s ufad-p2v.xml []
S4 uvnc_service;uvnc_service;"C:\Program Files\UltraVNC\WinVNC.exe" -service []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 22:17:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMSCAN]
"ImagePath"="\Sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\soffice.exe
.
**************************************************************************
.
Completion time: 2008-05-15 22:20:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 21:20:21

Pre-Run: 7,616,372,736 bytes free
Post-Run: 7,835,357,184 bytes free

277
-----------------------------------------------------------------------------------

In future please warn people to remove any headphones when using ComboFix, the two high pitch beeps at the start; are very unpleasant.

RE: Definately infectaed, but what ?

RichieUK — Thu, 15 May 2008 15:24:40 GMT

Welcome:)

[b]Please disable Spybot S&D’s protection,or it will interfere.
You can enable it after you're clean.[/b]
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
[b]Restart the computer.[/b]
If you find you're experiencing problems disabling Spybot's Tea-Timer,follow the info in the link below:
[url]http://www.russelltexas.com/malware/teatimer.htm[/url]

Download [b]SDFix.exe[/b] and save it to your desktop:
[url]http://downloads.andymanchesta.com/RemovalTools/SDFix.exe[/url]

* Double click on SDFix on your desktop,and install the fix to [b]C:\[/b]

* [COLOR="blue"][i]You might want to print/copy the following as you need to be in Safe Mode from here on.[/i][/color]

* Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode,go to and open the C:\[b]SDFix[/b] folder,then double click on [b]RunThis.bat[/b] to start the script.
* Type [b]Y[/b] to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
[b]* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.[/b]

Download [b][url=http://download.bleepingcomputer.com/sUBs/ComboFix.exe][color="blue"]Combofix[/color][/url][/b] by [b]sUBs[/b] and save to your desktop.
Alternative Combofix download link [b][url=http://subs.geekstogo.com/ComboFix.exe][color="blue"]HERE[/color][/url][/b].
[color="red"][b][u]Note[/u][/b]
It is important that it is saved directly to your desktop[/color]

Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
[b]Post the entire contents of C:\ComboFix.txt into your next reply[/b].
[color="red"][b][u]Note[/u][/b]
Do not mouseclick combofix's window or do anything else on your pc while it's running.
That may cause the program/system to freeze/hang. [/color]
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
[b][color="RED"][U]Note[/U][/color][/b]
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

[b]Also post a new Hijackthis log please.[/b]

Definately infectaed, but what ?

Err — Thu, 15 May 2008 15:13:22 GMT

XP PRO SP2

I am using Sygate Personal Firewall 5.6 build 2808
I have Spybot - Search & Destroy version 1.5.2.0

Sygate Personal Firewall reports; Application Hijacking, Severity=Critical, Remote Host=77.232.91.127, The full path of
Spybot is listed.
Sygate displays Spybot as Application Hijacking for several minutes anywhere from 5 to 20 minutes, so far.
Sygate eventually list the Security Type for each previous Spybot entry as "Port Scan" and changes the Severity to Minor
and changes the Remote Host to 194.168.8.100

In the past 60 minutes (while connected to the internet) Windows Media Player 11 has automatically launched 4 times.
The first time WMP launched; I did not see the video, the second time; it played a pornographic video, the third time;
a blank 3 second video, the fourth time; a pornographic video. I disabled my network adapter and Windows media player
has not launched since.

I have done a scan using Spybot Search and Destroy; it found nothing.
Task Manager, CPU Usage is fluctuating between 5% to 100%, the graph displays drastic peaks and troughs, at present I have
Firefox, Bitdefender, Spybot Search and Destroy and Sygate Personal Firewall running. These applications when running
at the same time; usually do not consume more than 15% usage.

Checked MSCONFIG - there are 5 entries for svchost, all enabled.
there are 6 entries enabled but Startup item column is blank, the "location" for the blank items is
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I am able to use all my usually applications with only one noticeable interruptions except whatever application I am
using; within a few seconds - the title bar will go grey and the application becomes inactive however no other
application launches. Since I have disabled my network adapter; this has not happened.

Another peculiarity - a dialogue bx appeared while I was connected to the net, it had not reference to any application
or website but it was clearly spyware because it display some text claiming that my computer is infected, which is true
because it's no doubt that vendor of that alert - has infected my PC. I did not click on, I used Alt+Tab but it was not
listed, it disappeared without any action from me.

About 45 minutes previous to all these things; my computer would play an alert similar to when you when you instruct a
computer to perform an action but it returns a message saying that action is not possible. No dialogue box appear on
screen to accompany this alert.

I have not recently installed any new software apart from a FireFox addon "BlockSite 0.7" however this was 2 days ago.
I have not installed any other browser plugins.

I just enabled my network adapter and the CPU usage is even more sporadic and Firefox is hanging but not severely.

I've used the ADS Spy tool in HijackThis but it found nothing.
Here is the result of HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 21:00:58, on 15/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\z_Drivers\svchost.exe
F:\SFW\SECURE\HijackThis.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\z_Drivers\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe
C:\z_Drivers\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://techwhims.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKCU\..\Run: [SODCPreLoad] C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\preload.exe C:\PROGRA~1\IBM\Lotus\Symphony\data\.sodc\
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CDriver] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [DDriver] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [alpha] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [beta] c:\z_Drivers\svchost.exe
O4 - HKCU\..\Run: [gamma] c:\z_Drivers\svchost.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)