Old 07-19-2008, 10:21 AM   #1 (permalink)
Newb Techie
 
Join Date: Jun 2008
Posts: 18
HJT log

Hi,

I think I caught something today, since Avast picked up something called "Win32:Trojan-gen {Other}" multiple times. I tried to remove it with Avast, but every time it came back with a different file name. MBAM didn't pick up anything. I uploaded the file to VirusTotal (Free Online Virus and Malware Scan); I attach the result and the HJT log below.


Thanks
Kilicatlet

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:41 AM, on 20/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\Program Files\Xi\NetXfer\NetTransport.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &U妏蚚馨譙儂狟婥甜彶紲 - C:\Program Files\NamiRobot\Data\du.html
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\QQ2005En\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\QQ2005En\AddEmotion.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\QQ2005En\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\QQ2005En\AddToNetDisk.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\QQ2005Beta2\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\QQ2005Beta2\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\QQ2005Beta2\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\QQ2005Beta2\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\QQ2005Beta2\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\QQ2005Beta2\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6416 bytes



Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.ULPM.Gen
Authentium - - W32/Trojan2.ATAM
Avast - - Win32:Trojan-gen {Other}
AVG - - Generic10.BBXO
BitDefender - - GenPack:Trojan.Agent.AJEQ
CAT-QuickHeal - - TrojanDownloader.Agent.vyy
ClamAV - - -
DrWeb - - Trojan.Click.19619
eSafe - - Win32.Agent.vyy
eTrust-Vet - - Win32/AdClicker.HF
Ewido - - -
F-Prot - - W32/Trojan2.ATAM
F-Secure - - Trojan-Downloader.Win32.Agent.vyy
Fortinet - - W32/Agent.VYY!tr.dldr
GData - - Trojan-Downloader.Win32.Agent.vyy
Ikarus - - Trojan.Crypt.ULPM
Kaspersky - - Trojan-Downloader.Win32.Agent.vyy
McAfee - - Downloader.gen.a
Microsoft - - Trojan:Win32/Adclicker.KU
NOD32v2 - - probably unknown NewHeur_PE virus
Norman - - W32/Smalltroj.FJKA
Panda - - Generic Malware
Prevx1 - - Malicious Software
Rising - - -
Sophos - - Mal/HckPk-A
Sunbelt - - Trojan.Crypt.ULPM.Gen
Symantec - - -
TheHacker - - -
TrendMicro - - TROJ_AGENT.AKGN
VBA32 - - Trojan-Downloader.Win32.Agent.vyy
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.ULPM.Gen

Last edited by Osiris; 07-31-2008 at 08:57 AM.
Old 07-19-2008, 02:14 PM   #2 (permalink)
Commander Super Mod Joker
 
 
Join Date: Sep 2004
Location: In Trotter's crawl space
Posts: 14,398
Re: HJT log

Hello,

Step 1 | HiJack This

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O8 - Extra context menu item: &U妏蚚馨譙儂狟婥甜彶紲 - C:\Program Files\NamiRobot\Data\du.html
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\QQ2005En\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\QQ2005En\AddEmotion.htm
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\QQ2005En\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\QQ2005En\AddToNetDisk.htm


Now close all windows other than HiJackThis, then click Fix Checked.

Those entries spark a lot of interest over the net. If you know of them, leave them. If not, do that to remove them. Then do as follows:

Step 2 | ComboFix

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer

Logs needed in next post:

ComboFix

Cheers,
Mak
__________________


Old 07-20-2008, 12:10 AM   #3 (permalink)
Newb Techie
 
Join Date: Jun 2008
Posts: 18
Re: HJT log

Hi Mak,

Logs attached =D

Cheers
Kilicatlet

ComboFix 08-07-19.1 - Candy 2008-07-20 15:04:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.696 [GMT 10:00]
Running from: C:\Documents and Settings\Candy\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM335e9ca1.txt

.
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.

2008-07-20 01:08 . 2008-07-20 14:58 <DIR> d-------- C:\Program Files\HJT
2008-07-20 00:53 . 2008-07-20 00:53 1,336 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-19 22:35 . 2008-07-19 22:35 <DIR> d-------- C:\VundoFix Backups
2008-07-19 20:15 . 2008-07-19 20:15 <DIR> d-------- C:\Suspect
2008-07-19 17:52 . 2008-07-19 17:52 29,760 --a------ C:\WINDOWS\system32\B5MDrMM7.exe
2008-07-19 17:52 . 2008-07-19 17:52 0 --a------ C:\WINDOWS\system32\B5MDrMM7.exe.a_a
2008-07-02 22:37 . 2008-07-02 22:37 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\NCH Swift Sound
2008-06-27 23:34 . 2008-07-08 21:15 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 17:49 --------- d-----w C:\Documents and Settings\Candy\Application Data\U3
2008-07-19 10:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-19 10:06 --------- d-----w C:\Program Files\Trojan Remover
2008-07-19 06:20 --------- d-----w C:\Program Files\eMule
2008-07-17 10:06 --------- d-----w C:\Program Files\FlashGet
2008-07-11 12:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 07:12 24,576 ----a-w C:\WINDOWS\system32\rqRJYpqN.dll.vir
2008-06-16 01:28 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 01:28 --------- d-----w C:\Documents and Settings\Candy\Application Data\Malwarebytes
2008-06-16 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 03:39 --------- d-----w C:\Documents and Settings\Candy\Application Data\AdobeUM
2008-06-13 16:05 --------- d-----w C:\Documents and Settings\Candy\Application Data\Simply Super Software
2008-06-13 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-13 14:48 --------- d-----w C:\Program Files\CleanUp!
2008-06-13 14:48 --------- d-----w C:\Program Files\CCleaner
2008-06-13 14:47 --------- d-----w C:\Program Files\MSConfig CleanUp
2008-06-13 13:00 --------- d-----w C:\Program Files\Real Alternative
2008-06-13 13:00 --------- d-----w C:\Program Files\Photoshop CS2
2008-06-13 13:00 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-06-13 13:00 --------- d-----w C:\Program Files\DivX
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\Candy\Application Data\Azureus
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\Candy\Application Data\Ahead
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-13 12:41 --------- d-----w C:\Documents and Settings\Candy\Application Data\GlarySoft
2008-06-13 12:33 --------- d-----w C:\Program Files\Glary Utilities
2008-06-13 08:24 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-12 05:00 --------- d-----w C:\Program Files\Lavasoft
2008-06-12 04:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 09:02 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-10 09:02 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-07 12:04 --------- d-----w C:\Program Files\NextLink
2008-05-22 22:07 --------- d-----w C:\Program Files\NamiRobot
2008-05-16 01:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-31 12:39 69,568 -c--a-w C:\Documents and Settings\Candy\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-06-03 20:33 878672]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 09:19 79224]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15789:TCP"= 15789:TCP:BitComet 15789 TCP
"15789:UDP"= 15789:UDP:BitComet 15789 UDP
"23829:TCP"= 23829:TCP:BitComet 23829 TCP
"23829:UDP"= 23829:UDP:BitComet 23829 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6881:TCP"= 6881:TCP:Azureus
"22288:TCP"= 22288:TCP:Azureus

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 09:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 09:16]
S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 15:07]
S3 NOWMEMDF;NOWMEMDF;C:\WINDOWS\system32\NOWMEMDF.sys [2005-11-02 12:23]
S3 pacdcacm;pacdcacm;C:\WINDOWS\system32\DRIVERS\pacdcacm.sys [2005-06-15 12:28]
S3 PciCon;PciCon;E:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2ce9ea-f5a6-11da-ac33-00138f60d5f8}]
\Shell\Auto\command - Windir.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Windir.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-19 14:39:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-20 05:00:01 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 08:00:01 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 15:00:02 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 09:00:01 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 10:00:02 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 11:01:10 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 12:00:01 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 13:00:01 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 16:00:02 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 17:00:01 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-20 04:54:48 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\Program Files\Glary Utilities\initialize.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 15:06:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-20 15:07:43
ComboFix-quarantined-files.txt 2008-07-20 05:07:25
ComboFix2.txt 2008-06-16 01:26:54

Pre-Run: 1,988,665,344 bytes free
Post-Run: 1,975,824,384 bytes free

194


----------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:31 PM, on 20/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\QQ2005Beta2\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\QQ2005Beta2\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\QQ2005Beta2\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\QQ2005Beta2\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\QQ2005Beta2\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\QQ2005Beta2\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5726 bytes
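A small triage script, added here as an illustration and not something posted in this thread, that parses text in the shape of the ComboFix log above (the registry loading points and the 'Scheduled Tasks' listing) and reports the two patterns a helper looks at first: many At*.job tasks all launching one binary, and Security Center / firewall values that silence protection. The sample input is a constructed excerpt in the same layout, and the "random-looking file name" check is an assumption of this example, not a rule from the thread.

```python
"""Triage helper for ComboFix-style log text (added illustration, not a tool from this thread)."""
import re
from collections import defaultdict

# Constructed excerpt in the layout of the ComboFix log above: registry loading
# points followed by the 'Scheduled Tasks' listing (job line, then "- target").
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

Contents of the 'Scheduled Tasks' folder
"2008-07-19 14:39:02 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 07:52:40 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-19 15:00:02 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\B5MDrMM7.exe
"2008-07-20 04:54:48 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\Program Files\Glary Utilities\initialize.exe
"""

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
TASK_RE = re.compile(r'^"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.+\.job)"$')
TARGET_RE = re.compile(r"^- (.+)$")
AT_JOB_RE = re.compile(r"^at\d+\.job$", re.IGNORECASE)
# Heuristic (an assumption of this example): an alphanumeric stem mixing upper
# case, lower case and digits, e.g. B5MDrMM7, deserves a second look in system32.
RANDOM_STEM_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{6,10}$")
NOTIFY_FLAGS = {"AntiVirusDisableNotify", "UpdatesDisableNotify", "FirewallOverride"}


def _reg_int(raw):
    # 'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else -> None
    m = re.match(r"dword:([0-9a-fA-F]{1,8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def parse_reg_values(text):
    """Map (key, value-name) -> int for every registry value line in the log.
    Spaces are dropped from key paths because forum pasting often inserts them."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1).replace(" ", "").lower()
            continue
        vm = REG_VAL_RE.match(line)
        if vm and key:
            values[(key, vm.group(1))] = _reg_int(vm.group(2))
    return values


def parse_tasks(text):
    """Map job file name -> launched target from the 'Scheduled Tasks' listing."""
    tasks, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        tm = TASK_RE.match(line)
        if tm:
            pending = tm.group(1).rsplit("\\", 1)[-1]
            continue
        gm = TARGET_RE.match(line)
        if gm and pending:
            tasks[pending] = gm.group(1)
            pending = None
    return tasks


def triage(text, min_jobs=3):
    """Return (category, detail) findings for the patterns seen in this thread."""
    findings = []
    tasks = parse_tasks(text)
    by_target = defaultdict(list)
    for job, target in tasks.items():
        if AT_JOB_RE.match(job):
            by_target[target].append(job)
    for target, jobs in sorted(by_target.items()):
        if len(jobs) >= min_jobs:  # one binary re-launched by many at.exe jobs
            findings.append(("at-job-cluster", f"{len(jobs)} At*.job tasks run {target}"))
    for target in sorted(set(tasks.values())):
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\" in target.lower() and RANDOM_STEM_RE.match(stem):
            findings.append(("random-name-in-system32", target))
    for (key, name), value in parse_reg_values(text).items():
        if key.endswith("\\securitycenter") and name in NOTIFY_FLAGS and value == 1:
            findings.append(("security-center-notify-off", name))
        if key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value == 0:
            findings.append(("firewall-disabled", key))
    return findings
```

Running `triage(SAMPLE_LOG)` on the excerpt yields one at-job cluster, one random-name hit, three notify-off values and one firewall-disabled finding; a legitimate job such as GlaryInitialize.job is not reported.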
Old 07-22-2008, 05:56 PM   #4 (permalink)
Newb Techie
 
Join Date: Jun 2008
Posts: 18
Re: HJT log

Hi,

That Trojan keeps coming back; it caused Windows to crash and restart last night.
So I uninstalled Avast and installed Kaspersky.
I did a scan, it removed something, then I scanned with HJT again.
Could someone help me to see if it's clean?

Thanks
kilicatlet

------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:14 AM, on 23/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\QQ2005Beta2\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\QQ2005Beta2\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\QQ2005Beta2\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\QQ2005Beta2\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\QQ2005Beta2\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\QQ2005Beta2\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5768 bytes

07-22-2008, 09:33 PM   #5
Mak213 (Commander Super Mod Joker)
Join Date: Sep 2004
Location: In Trotter's crawl space
Posts: 14,398
Re: HJT log[ P]

Hello,

Download ComboFix from Here or Here to your Desktop.

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\B5MDrMM7.exe
C:\WINDOWS\system32\B5MDrMM7.exe.a_a
C:\WINDOWS\system32\rqRJYpqN.dll.vir
Folder::
C:\Suspect
3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/m...s/CFScript.gif

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply

Logs needed in next post:

ComboFix

Cheers,
Mak

07-23-2008, 05:34 AM   #6
KiLiCatLet (Newb Techie)
Re: HJT log[ P]

Hi Mak,

Log attached.

Cheers
kilicatlet

ComboFix 08-07-19.1 - Candy 2008-07-23 20:16:16.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.682 [GMT 10:00]
Running from: C:\Documents and Settings\Candy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Candy\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\B5MDrMM7.exe
C:\WINDOWS\system32\B5MDrMM7.exe.a_a
C:\WINDOWS\system32\rqRJYpqN.dll.vir
C:\WINDOWS\system32\tmp.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\B5MDrMM7.exe.a_a
C:\WINDOWS\system32\rqRJYpqN.dll.vir
C:\WINDOWS\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-22 23:37 . 2008-07-22 23:37 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-22 23:37 . 2008-07-23 20:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-22 23:37 . 2008-07-23 20:18 2,766,880 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-22 23:37 . 2008-07-23 20:21 237,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-22 23:37 . 2008-07-22 23:47 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-22 23:37 . 2008-07-22 23:47 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-22 23:37 . 2008-07-23 20:18 23,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-22 23:37 . 2008-07-23 20:20 1,892 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-22 23:31 . 2008-07-22 23:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-20 01:08 . 2008-07-23 08:53 <DIR> d-------- C:\Program Files\HJT
2008-07-02 22:37 . 2008-07-02 22:37 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\NCH Swift Sound
2008-06-27 23:34 . 2008-07-08 21:15 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 10:15 --------- d-----w C:\Documents and Settings\Candy\Application Data\U3
2008-07-21 14:05 --------- d-----w C:\Program Files\FlashGet
2008-07-21 11:09 --------- d-----w C:\Program Files\eMule
2008-07-20 08:06 72,648 -c--a-w C:\Documents and Settings\Candy\Application Data\GDIPFONTCACHEV1.DAT
2008-07-19 10:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-19 10:06 --------- d-----w C:\Program Files\Trojan Remover
2008-07-11 12:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-16 01:28 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 01:28 --------- d-----w C:\Documents and Settings\Candy\Application Data\Malwarebytes
2008-06-16 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 03:39 --------- d-----w C:\Documents and Settings\Candy\Application Data\AdobeUM
2008-06-13 16:05 --------- d-----w C:\Documents and Settings\Candy\Application Data\Simply Super Software
2008-06-13 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-13 14:48 --------- d-----w C:\Program Files\CleanUp!
2008-06-13 14:48 --------- d-----w C:\Program Files\CCleaner
2008-06-13 14:47 --------- d-----w C:\Program Files\MSConfig CleanUp
2008-06-13 13:00 --------- d-----w C:\Program Files\Real Alternative
2008-06-13 13:00 --------- d-----w C:\Program Files\Photoshop CS2
2008-06-13 13:00 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-06-13 13:00 --------- d-----w C:\Program Files\DivX
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\Candy\Application Data\Azureus
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\Candy\Application Data\Ahead
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-13 12:41 --------- d-----w C:\Documents and Settings\Candy\Application Data\GlarySoft
2008-06-13 12:33 --------- d-----w C:\Program Files\Glary Utilities
2008-06-13 08:24 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-12 05:00 --------- d-----w C:\Program Files\Lavasoft
2008-06-12 04:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 09:02 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-10 09:02 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-07 12:04 --------- d-----w C:\Program Files\NextLink
2008-05-16 01:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-04-25 08:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.

------- Sigcheck -------

2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-20_15.07.14.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 10:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2006-05-18 17:02:52 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-22 22:13:46 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2006-05-18 17:02:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-22 22:13:46 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-18 17:02:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-22 22:13:46 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-16 04:23:44 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2008-01-29 08:29:38 32,784 ----a-w C:\WINDOWS\system32\drivers\klbg.sys
+ 2008-07-22 13:47:27 187,920 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2008-03-25 10:07:10 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2008-04-25 08:21:06 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-06-03 20:33 878672]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15789:TCP"= 15789:TCP:BitComet 15789 TCP
"15789:UDP"= 15789:UDP:BitComet 15789 UDP
"23829:TCP"= 23829:TCP:BitComet 23829 TCP
"23829:UDP"= 23829:UDP:BitComet 23829 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6881:TCP"= 6881:TCP:Azureus
"22288:TCP"= 22288:TCP:Azureus

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 15:07]
S3 NOWMEMDF;NOWMEMDF;C:\WINDOWS\system32\NOWMEMDF.sys [2005-11-02 12:23]
S3 pacdcacm;pacdcacm;C:\WINDOWS\system32\DRIVERS\pacdcacm.sys [2005-06-15 12:28]
S3 PciCon;PciCon;E:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2ce9ea-f5a6-11da-ac33-00138f60d5f8}]
\Shell\Auto\command - Windir.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Windir.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-22 14:41:09 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 15:03:39 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 23:03:24 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-23 10:06:29 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-23 10:20:23 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\Program Files\Glary Utilities\initialize.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 20:20:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\conime.exe
.
**************************************************************************
.
Completion time: 2008-07-23 20:27:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-23 10:27:47
ComboFix2.txt 2008-07-20 05:07:44
ComboFix3.txt 2008-06-16 01:26:54

Pre-Run: 2,579,193,856 bytes free
Post-Run: 2,826,784,768 bytes free

07-23-2008, 12:43 PM   #7
Mak213 (Commander Super Mod Joker)
Re: HJT log[ P]

Hello,

Just one last CF Script to run, to remove the last bit of junk on your PC.

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
C:\Documents and Settings\Candy\Application Data\GDIPFONTCACHEV1.DAT
3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/m...s/CFScript.gif

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply

Logs needed in next post:

combofix

Cheers,
Mak

07-23-2008, 05:29 PM   #8
KiLiCatLet (Newb Techie)
Re: HJT log[ P]

Hi Mak,

Logs attached =D

Cheers
Kilicatlet

ComboFix 08-07-19.1 - Candy 2008-07-24 8:16:17.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.702 [GMT 10:00]
Running from: C:\Documents and Settings\Candy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Candy\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Candy\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Candy\Application Data\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.

2008-07-22 23:37 . 2008-07-22 23:37 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-22 23:37 . 2008-07-24 08:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-22 23:37 . 2008-07-24 01:39 2,766,880 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-22 23:37 . 2008-07-24 01:39 262,176 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-22 23:37 . 2008-07-24 08:12 96,559 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-22 23:37 . 2008-07-24 08:12 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-22 23:37 . 2008-07-24 01:39 23,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-22 23:37 . 2008-07-24 01:39 1,976 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-22 23:31 . 2008-07-22 23:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-20 01:08 . 2008-07-23 08:53 <DIR> d-------- C:\Program Files\HJT
2008-07-02 22:37 . 2008-07-02 22:37 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\NCH Swift Sound
2008-06-27 23:34 . 2008-07-08 21:15 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 10:15 --------- d-----w C:\Documents and Settings\Candy\Application Data\U3
2008-07-21 14:05 --------- d-----w C:\Program Files\FlashGet
2008-07-21 11:09 --------- d-----w C:\Program Files\eMule
2008-07-19 10:06 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-19 10:06 --------- d-----w C:\Program Files\Trojan Remover
2008-07-11 12:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-16 01:28 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 01:28 --------- d-----w C:\Documents and Settings\Candy\Application Data\Malwarebytes
2008-06-16 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 03:39 --------- d-----w C:\Documents and Settings\Candy\Application Data\AdobeUM
2008-06-13 16:05 --------- d-----w C:\Documents and Settings\Candy\Application Data\Simply Super Software
2008-06-13 16:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-13 14:48 --------- d-----w C:\Program Files\CleanUp!
2008-06-13 14:48 --------- d-----w C:\Program Files\CCleaner
2008-06-13 14:47 --------- d-----w C:\Program Files\MSConfig CleanUp
2008-06-13 13:00 --------- d-----w C:\Program Files\Real Alternative
2008-06-13 13:00 --------- d-----w C:\Program Files\Photoshop CS2
2008-06-13 13:00 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-06-13 13:00 --------- d-----w C:\Program Files\DivX
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\Candy\Application Data\Azureus
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\Candy\Application Data\Ahead
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-13 12:41 --------- d-----w C:\Documents and Settings\Candy\Application Data\GlarySoft
2008-06-13 12:33 --------- d-----w C:\Program Files\Glary Utilities
2008-06-13 08:24 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-12 05:00 --------- d-----w C:\Program Files\Lavasoft
2008-06-12 04:50 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 09:02 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-10 09:02 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-07 12:04 --------- d-----w C:\Program Files\NextLink
2008-05-16 01:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-04-25 08:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.

------- Sigcheck -------

2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-20_15.07.14.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 10:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2006-05-18 17:02:52 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-22 22:13:46 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2006-05-18 17:02:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-22 22:13:46 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-18 17:02:52 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-22 22:13:46 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-16 04:23:44 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
+ 2008-01-29 08:29:38 32,784 ----a-w C:\WINDOWS\system32\drivers\klbg.sys
+ 2008-07-22 13:47:27 187,920 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2008-03-25 10:07:10 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
+ 2008-04-25 08:21:06 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-06-03 20:33 878672]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15789:TCP"= 15789:TCP:BitComet 15789 TCP
"15789:UDP"= 15789:UDP:BitComet 15789 UDP
"23829:TCP"= 23829:TCP:BitComet 23829 TCP
"23829:UDP"= 23829:UDP:BitComet 23829 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6881:TCP"= 6881:TCP:Azureus
"22288:TCP"= 22288:TCP:Azureus

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 15:07]
S3 NOWMEMDF;NOWMEMDF;C:\WINDOWS\system32\NOWMEMDF.sys [2005-11-02 12:23]
S3 pacdcacm;pacdcacm;C:\WINDOWS\system32\DRIVERS\pacdcacm.sys [2005-06-15 12:28]
S3 PciCon;PciCon;E:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2ce9ea-f5a6-11da-ac33-00138f60d5f8}]
\Shell\Auto\command - Windir.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Windir.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-23 14:37:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-23 15:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 23:03:24 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-22 13:11:27 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-23 10:06:29 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-23 11:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-23 12:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-23 13:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-23 22:10:29 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\Program Files\Glary Utilities\initialize.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 08:18:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-24 8:20:46
ComboFix-quarantined-files.txt 2008-07-23 22:19:44
ComboFix2.txt 2008-07-23 10:27:55
ComboFix3.txt 2008-07-20 05:07:44
ComboFix4.txt 2008-06-16 01:26:54

Pre-Run: 2,580,086,784 bytes free
Post-Run: 2,657,251,328 bytes free

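An added example, not part of this thread and not ComboFix's own code: a small Python triage helper that reads the two ComboFix sections reviewers lean on most, the 'Scheduled Tasks' folder listing and the REGEDIT4-style 'Reg Loading Points' dump, and flags the patterns worth a second look when reading logs like the ones posted above. The sample input is a constructed excerpt, abridged from the log above; the heuristics (a group of at.exe-created `At*.job` tasks sharing one target, a random-looking binary name in system32, Security Center notifications switched off, the firewall disabled in the standard profile, a sensitive port opened globally) and the names `looks_random`, `SENSITIVE_PORTS` and `triage` are this example's assumptions, not anything the forum or ComboFix defines.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from collections import defaultdict

# Constructed excerpt in ComboFix's layout, abridged from the log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6881:TCP"= 6881:TCP:Azureus
.
Contents of the 'Scheduled Tasks' folder
"2008-07-23 14:37:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-23 15:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\t1Tu7vuV.exe
"2008-07-23 22:10:29 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\Program Files\Glary Utilities\initialize.exe
.
"""

TASK_HEADER = re.compile(r'^"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<job>.+\.job)"$')
REG_KEY = re.compile(r'^\[(?P<key>[^\]]+)\]$')
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
RANDOM_NAME = re.compile(r'^[A-Za-z0-9]{6,10}$')
# Assumed list of ports a reviewer would not expect to see opened to the world.
SENSITIVE_PORTS = {"3389": "RDP", "445": "SMB", "135": "RPC", "139": "NetBIOS"}


def parse_scheduled_tasks(log):
    """Return [(job_file, target)] from the 'Scheduled Tasks' section."""
    tasks, in_section, job = [], False, None
    for line in log.splitlines():
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == ".":  # ComboFix closes a section with a lone dot
            break
        m = TASK_HEADER.match(line)
        if m:
            job = m.group("job")
        elif line.startswith("- ") and job:
            tasks.append((job, line[2:].strip()))
            job = None
    return tasks


def parse_registry_values(log):
    """Return {(lower-cased key, value name): raw value} for every REGEDIT4-style line."""
    values, key = {}, None
    for line in log.splitlines():
        m = REG_KEY.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = REG_VALUE.match(line)
        if m and key:
            values[(key, m.group("name"))] = m.group("value").strip()
    return values


def dword_is_one(raw):
    """True for 'dword:00000001' and for the '1 (0x1)' rendering ComboFix also uses."""
    return bool(re.match(r'^(dword:0*1|1\b)', raw))


def looks_random(path):
    """Heuristic: file stem of 6-10 alphanumerics mixing digits, upper and lower case."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (bool(RANDOM_NAME.match(stem))
            and any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def triage(log):
    """Return the list of findings a reviewer would want to revisit, in log order."""
    findings = []
    by_target = defaultdict(list)
    for job, target in parse_scheduled_tasks(log):
        by_target[target].append(job)
    for target, jobs in by_target.items():
        at_jobs = [j for j in jobs if re.search(r'\\At\d+\.job$', j)]
        if len(at_jobs) >= 2:  # several at.exe jobs driving one binary
            findings.append(f"{len(at_jobs)} At*.job tasks launch {target}")
        if looks_random(target) and "\\system32\\" in target.lower():
            findings.append(f"random-looking binary in system32: {target}")
    for (key, name), raw in parse_registry_values(log).items():
        if key.endswith("security center") and name.endswith("DisableNotify") and dword_is_one(raw):
            findings.append(f"Security Center notification suppressed: {name}")
        if key.endswith("security center") and name == "FirewallOverride" and dword_is_one(raw):
            findings.append("Security Center FirewallOverride set")
        if key.endswith("\\standardprofile") and name == "EnableFirewall" and raw.startswith("0"):
            findings.append("Windows Firewall disabled (standard profile)")
        if key.endswith("globallyopenports\\list") and name.split(":")[0] in SENSITIVE_PORTS:
            findings.append(f"port {name} open in firewall ({SENSITIVE_PORTS[name.split(':')[0]]})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a whole ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`. The value is in the aggregation: one `At*.job` entry or one open port can be legitimate, but two dozen at.exe jobs pointing at the same oddly named file in system32, next to Security Center notifications turned off and the firewall disabled, is the combination that deserves a closer look before a log is called clean.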
07-23-2008, 08:23 PM   #9
Mak213 (Commander Super Mod Joker)
Re: HJT log[ P]

Hello,

How is the machine running now? Any problems with it? I do not see anything else in these logs. Everything looks good.

Cheers,
Mak

07-24-2008, 06:44 AM   #10
KiLiCatLet (Newb Techie)
Re: HJT log[ P]

Hi Mak,

It seems fine. Thank you very much. But I will keep an eye on it for a couple of days in case anything goes strange again. =D

Cheers
Kilicatlet