Old 12-04-2008, 03:19 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 10
OS: XP


Downloader.Agent.APKO and Crypt.AXH

This virus keeps trying to install C:\WINDOWS\system32\x which AVG alerts me to and calls it Downloader.Agent.APKO.
Also there is a file here C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D72395MZ\syiqykou[1].jpg
which is also APKO. For some reason, however, I can only get into the "Local Settings" folder and can't find any "Temporary Internet Files". If I type in the direct address for the Content.IE5 folder it shows it as being empty. I do have "show hidden" checked in the settings. AVG keeps deleting these files it finds (or so it says) but they just keep coming.
I also keep getting a mysterious alert from AVG that I have Crypt.AXH.
This seems to be a relatively new trojan with no solution (at least not in English) on the net.
Update manager in AVG won't work and also I've been having connection problems. IE and Firefox suddenly won't be able to open any webpages even though I am connected and Messenger is working. To fix this I must disable and then re-enable the network connection.
I've never used Gmer before but it did allow me to get in and erase the temp files finally.
Here's the log.
I do use a vpn sometimes just so you know. I've found files associated with my vpn to be suspicious looking in the past before I found out what they were.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-04 02:14:28
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF776C0B0]
SSDT sptd.sys ZwEnumerateKey [0xF777184C]
SSDT sptd.sys ZwEnumerateValueKey [0xF7771BEC]
SSDT sptd.sys ZwOpenKey [0xF776C090]
SSDT sptd.sys ZwQueryKey [0xF7771CC4]
SSDT sptd.sys ZwQueryValueKey [0xF7771B44]
SSDT sptd.sys ZwSetValueKey [0xF7771D56]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F6CB062C 5 Bytes JMP 8664F1B8
? System32\Drivers\ax3xt5kw.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[3340] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A166F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15F0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A1634 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A157C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16AA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4068] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F31676 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F776CABA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F776CC00] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F776CB82] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F776D72E] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F776D604] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 867CE1D8

AttachedDevice \FileSystem\Ntfs \Ntfs avg7rsw.sys (AVG Resident Shield Unload Helper/GRISOFT, s.r.o.)

Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\usbohci \Device\USBPDO-0 866321D8
Device \Driver\usbehci \Device\USBPDO-1 86583980
Device \Driver\dmio \Device\DmControl\DmIoDaemon 867D01D8
Device \Driver\dmio \Device\DmControl\DmConfig 867D01D8
Device \Driver\dmio \Device\DmControl\DmPnP 867D01D8
Device \Driver\dmio \Device\DmControl\DmInfo 867D01D8
Device \Driver\00000099 \Device\00000054 sptd.sys
Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Ftdisk \Device\HarddiskVolume1 867631D8
Device \Driver\Cdrom \Device\CdRom0 865B8598
Device \Driver\Cdrom \Device\CdRom1 865B8598
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 867621D8
Device \Driver\atapi \Device\Ide\IdePort0 867621D8
Device \Driver\atapi \Device\Ide\IdePort1 867621D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{8F234930-B380-467D-A941-F9267056D4D1} 86355980
Device \Driver\nvata \Device\00000076 867CF1D8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86355980
Device \Driver\NetBT \Device\NetbiosSmb 86355980
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\usbohci \Device\USBFDO-0 866321D8
Device \Driver\nvata \Device\NvAta0 867CF1D8
Device \Driver\usbehci \Device\USBFDO-1 86583980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85E96378
Device \Driver\nvata \Device\NvAta1 867CF1D8
Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85E96378
Device \Driver\Ftdisk \Device\FtControl 867631D8
Device \Driver\ax3xt5kw \Device\Scsi\ax3xt5kw1Port4Path0Target0Lun0 864D71D8
Device \Driver\ax3xt5kw \Device\Scsi\ax3xt5kw1 864D71D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{92C427F4-39D4-4C70-8672-B2C40C2B3360} 86355980
Device \FileSystem\Cdfs \Cdfs 8630A980

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1284389899
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -2012823401
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x65 0x6A 0xA0 0x69 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x04 0x34 0xD2 0xB6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBF 0x4A 0x76 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x65 0x6A 0xA0 0x69 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x04 0x34 0xD2 0xB6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBF 0x4A 0x76 0xC9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0xA2 0xD4 0xEA 0xC7 ...

---- EOF - GMER 1.0.14 ----

----------------------------------------------------------------------
HERE IS MY HIJACKTHIS LOG

----------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:20 AM, on 04/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\sndvol32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\Program Files\Perfect Privacy SSH Client\ppssh.exe
C:\Program Files\Perfect Privacy SSH Client\plink.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\desk\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8020
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\jre1.5.0_10\bin\javaw.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1228357245453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FSEBCZDWAL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FSEBCZDWAL.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 9243 bytes

Last edited by tybomb; 12-04-2008 at 03:25 AM.
Old 12-08-2008, 09:10 AM   #2 (permalink)
Analyst, Security Team
Join Date: Jun 2006
Posts: 714


Re: Downloader.Agent.APKO and Crypt.AXH

Hi tybomb,

You appear to have run Combofix before. Please post the Combofix log which is located at C:\Combofix.txt

Please delete and download a new copy of Combofix from one of these links and run it again:

Link 1
Link 2
Link 3

After that, please post the resultant log.

In your next reply, please post:
  1. First Combofix log
  2. The latest Combofix log
Old 12-08-2008, 07:39 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 10
OS: XP


Re: Downloader.Agent.APKO and Crypt.AXH

OK. I haven't had any detections for a couple of days now. I managed to delete all my temporary internet files and I found that the jpg was in two different places in my Local Settings. AVG update manager was working but now it's not again, and also Ad-Aware won't update either. I guess that could be a separate issue though.
I also still can't get in to my temporary internet files from windows explorer.

Here are my two logs. The first one is the earliest, but they were both created after getting this virus.

----------------------------------------------------------------------

ComboFix 08-12-02.02 - Administrator 2008-12-03 19:14:19.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.773 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\virus\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mxp.dll
c:\windows\system32\Scrax.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-03 18:05 . 2008-12-03 18:21 <DIR> d-------- c:\windows\LastGood
2008-12-02 16:01 . 2007-10-27 20:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-27 17:56 . 2008-11-27 17:56 <DIR> d-------- c:\program files\uTorrent
2008-11-27 17:56 . 2008-12-03 02:27 <DIR> d-------- c:\documents and settings\Administrator\Application Data\uTorrent
2008-11-26 21:27 . 2008-11-26 21:27 <DIR> d-------- c:\program files\Goldeneye
2008-11-24 00:13 . 2008-11-24 00:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Move Networks
2008-11-22 00:58 . 2008-12-03 18:00 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-22 00:58 . 2008-11-22 00:58 1,409 --a------ c:\windows\QTFont.for
2008-11-21 01:03 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\MSBuild
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\Microsoft Works
2008-11-21 00:52 . 2008-11-21 00:52 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-21 00:51 . 2008-11-21 01:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-21 00:50 . 2008-11-21 00:50 <DIR> dr-h----- C:\MSOCache
2008-11-15 19:45 . 2008-11-15 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-12 18:23 . 2008-11-12 19:50 <DIR> d-------- C:\New Folder
2008-11-10 23:21 . 2008-11-12 09:45 45,016,576 --a------ C:\120.-.Oil.Painting.avi
2008-11-07 00:00 . 2008-11-07 00:00 <DIR> d-------- c:\program files\Perfect Privacy SSH Client


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 16:00 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-12-03 06:02 --------- d-----w c:\program files\MetFileRegenerator
2008-12-03 06:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 11:15 --------- d-----w c:\program files\DynDNS Updater
2008-11-22 23:56 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-11-21 02:12 --------- d-----w c:\program files\eMule
2008-11-07 00:08 --------- d-----w c:\program files\Eraser
2008-11-02 17:17 --------- d-----w c:\program files\DC++
2008-11-02 05:58 --------- d-----w c:\program files\OpenVPN
2008-10-30 20:50 --------- d-----w c:\documents and settings\Administrator\Application Data\QQ
2008-10-30 20:47 --------- d-----w c:\program files\Tencent
2008-10-30 08:37 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2007-11-27 02:54 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-04-29 08:20 92,064 ----a-w c:\documents and settings\Administrator\mqdmmdm.sys
2007-04-29 08:20 9,232 ----a-w c:\documents and settings\Administrator\mqdmmdfl.sys
2007-04-29 08:20 79,328 ----a-w c:\documents and settings\Administrator\mqdmserd.sys
2007-04-29 08:20 66,656 ----a-w c:\documents and settings\Administrator\mqdmbus.sys
2007-04-29 08:20 6,208 ----a-w c:\documents and settings\Administrator\mqdmcmnt.sys
2007-04-29 08:20 5,936 ----a-w c:\documents and settings\Administrator\mqdmwhnt.sys
2007-04-29 08:20 4,048 ----a-w c:\documents and settings\Administrator\mqdmcr.sys
2007-04-29 08:20 25,600 ----a-w c:\documents and settings\Administrator\usbsermptxp.sys
2007-04-29 08:20 22,768 ----a-w c:\documents and settings\Administrator\usbsermpt.sys
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-13 1397760]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-30 590848]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-18 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 307200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 219136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
PartMetBackup.lnk - c:\program files\Java\jre1.5.0_10\bin\javaw.exe [2006-12-18 53346]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-12-15 389120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\Program Files\\Edonkey Lite 1.4.3.2\\edonkey2000.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\dc\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\e-on software\\Vue 6 xStream\\Application\\Vue 6 xStream.eon"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Motorola\\UID Extraction Tool 2.2\\UIDExtraction.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\stuff\\Mirc\\mirc.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\stuff\\PI\\pi232.1146921652.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8681:TCP"= 8681:TCP:WWW

R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2007-06-09 33792]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S2 aqqamk;aqqamk;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
S2 hwdorvtqi;hwdorvtqi;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-04-30 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-04-30 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-04-30 40832]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 npkycryp;npkycryp;\??\c:\program files\Tencent\QQ\npkycryp.sys []
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 19584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hwdorvtqi
aqqamk

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1B6FBC9D-FB5F-6DC0-12D0-CD6F4752DEA5}]
c:\windows\system32:messagetec.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p5yuydfw.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - c:\program files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 19:15:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-03 19:16:56
ComboFix-quarantined-files.txt 2008-12-04 03:16:54

Pre-Run: 150,141,743,104 bytes free
Post-Run: 150,137,982,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (bootscreen)" /noexecute=optin /fastdetect /KERNEL=kernel1.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

212 --- E O F --- 2008-01-10 11:01:27


-------------------------------------------------------------------------
2nd LOG



ComboFix 08-12-07.04 - Administrator 2008-12-08 18:21:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.529 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-04 00:37 . 2008-12-08 18:03 250 --a------ c:\windows\gmer.ini
2008-12-03 19:33 . 2008-12-04 04:13 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-03 19:33 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-03 19:33 . 2008-06-13 05:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-03 18:05 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 16:01 . 2007-10-27 20:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-27 17:56 . 2008-11-27 17:56 <DIR> d-------- c:\program files\uTorrent
2008-11-27 17:56 . 2008-12-08 06:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\uTorrent
2008-11-26 21:27 . 2008-11-26 21:27 <DIR> d-------- c:\program files\Goldeneye
2008-11-24 00:13 . 2008-11-24 00:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Move Networks
2008-11-22 00:58 . 2008-12-08 03:15 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-22 00:58 . 2008-11-22 00:58 1,409 --a------ c:\windows\QTFont.for
2008-11-21 01:03 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\MSBuild
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\Microsoft Works
2008-11-21 00:52 . 2008-11-21 00:52 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-21 00:51 . 2008-11-21 01:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-21 00:50 . 2008-11-21 00:50 <DIR> dr-h----- C:\MSOCache
2008-11-15 19:45 . 2008-11-15 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-12 18:23 . 2008-11-12 19:50 <DIR> d-------- C:\New Folder
2008-11-10 23:21 . 2008-11-12 09:45 45,016,576 --a------ C:\120.-.Oil.Painting.avi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 02:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-09 02:02 --------- d-----w c:\program files\MetFileRegenerator
2008-12-09 01:31 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 19:21 --------- d-----w c:\program files\eMule
2008-12-08 16:00 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-11-23 11:15 --------- d-----w c:\program files\DynDNS Updater
2008-11-22 23:56 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-11-07 08:00 --------- d-----w c:\program files\Perfect Privacy SSH Client
2008-11-07 00:08 --------- d-----w c:\program files\Eraser
2008-11-02 17:17 --------- d-----w c:\program files\DC++
2008-11-02 05:58 --------- d-----w c:\program files\OpenVPN
2008-10-30 20:50 --------- d-----w c:\documents and settings\Administrator\Application Data\QQ
2008-10-30 20:47 --------- d-----w c:\program files\Tencent
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2007-11-27 02:54 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-04-29 08:20 92,064 ----a-w c:\documents and settings\Administrator\mqdmmdm.sys
2007-04-29 08:20 9,232 ----a-w c:\documents and settings\Administrator\mqdmmdfl.sys
2007-04-29 08:20 79,328 ----a-w c:\documents and settings\Administrator\mqdmserd.sys
2007-04-29 08:20 66,656 ----a-w c:\documents and settings\Administrator\mqdmbus.sys
2007-04-29 08:20 6,208 ----a-w c:\documents and settings\Administrator\mqdmcmnt.sys
2007-04-29 08:20 5,936 ----a-w c:\documents and settings\Administrator\mqdmwhnt.sys
2007-04-29 08:20 4,048 ----a-w c:\documents and settings\Administrator\mqdmcr.sys
2007-04-29 08:20 25,600 ----a-w c:\documents and settings\Administrator\usbsermptxp.sys
2007-04-29 08:20 22,768 ----a-w c:\documents and settings\Administrator\usbsermpt.sys
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-13 1397760]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-30 590848]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-18 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 307200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 219136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
PartMetBackup.lnk - c:\program files\Java\jre1.5.0_10\bin\javaw.exe [2006-12-18 53346]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-12-15 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\Program Files\\Edonkey Lite 1.4.3.2\\edonkey2000.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\dc\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\e-on software\\Vue 6 xStream\\Application\\Vue 6 xStream.eon"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Motorola\\UID Extraction Tool 2.2\\UIDExtraction.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\stuff\\Mirc\\mirc.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\stuff\\PI\\pi232.1146921652.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8681:TCP"= 8681:TCP:WWW

R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2007-06-09 33792]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S2 aqqamk;aqqamk;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
S2 hwdorvtqi;hwdorvtqi;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-04-30 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-04-30 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-04-30 40832]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 npkycryp;npkycryp;\??\c:\program files\Tencent\QQ\npkycryp.sys []
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 19584]
S3 VZUXJBFOZUVLW;VZUXJBFOZUVLW;c:\docume~1\ADMINI~1\LOCALS~1\Temp\VZUXJBFOZUVLW.exe []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hwdorvtqi
aqqamk

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1B6FBC9D-FB5F-6DC0-12D0-CD6F4752DEA5}]
c:\windows\system32:messagetec.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:8020
uInternet Settings,ProxyOverride = *.local
IE: Add to QQ Customized Panel - c:\program files\Tencent\QQ\AddPanel.htm
IE: Add to QQ Emotions - c:\program files\Tencent\QQ\AddEmotion.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send picture by MMS - c:\program files\Tencent\QQ\SendMMS.htm
IE: Upload to QQ Network Hard Disk - c:\program files\Tencent\QQ\AddToNetDisk.htm
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p5yuydfw.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - c:\program files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 18:24:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-08 18:25:35
ComboFix-quarantined-files.txt 2008-12-09 02:25:32
ComboFix2.txt 2008-12-09 02:12:03
ComboFix3.txt 2008-12-04 05:46:05
ComboFix4.txt 2008-12-04 03:16:58

Pre-Run: 137,658,707,968 bytes free
Post-Run: 137,645,658,112 bytes free

218 --- E O F --- 2008-12-09 01:34:17
Old 12-09-2008, 07:27 AM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: Downloader.Agent.APKO and Crypt.AXH

Hi tybomb,

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/320002-downloader-agent-apko-crypt-axh.html

Netsvc::
hwdorvtqi
aqqamk

Driver::
hwdorvtqi
aqqamk
VZUXJBFOZUVLW

Collect::
c:\windows\system32:messagetec.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1B6FBC9D-FB5F-6DC0-12D0-CD6F4752DEA5}]
Warning: The above script is just for tybomb. If you are not tybomb, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.



Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

In addition, it will prompt you to submit some files for analyzing.



Click OK.

Your web browser (by default it's Internet Explorer) will open.

Please refer to the image below to submit the file for analysis.

http://i35.photobucket.com/albums/d1.../submit_CF.gif

Do not mouse click on Combofix while it is running. That may cause it to stall.

About AVG Antivirus not being able to update, one thing to note - even after we fix your malware issues and AVG is able to update after that, your computer isn't protected.

AVG is no longer updating AVG Antivirus 7, and support for AVG 7.5 is ending this month. You will need to upgrade AVG to AVG 8 for it to continue to protect you.

Please let me know if you don't want to upgrade to AVG 8 so that I recommend alternatives.

Please post the Combofix log in your next reply.
__________________




Done your best? Really?
Old 12-09-2008, 09:08 AM   #5 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 10
OS: XP


Re: Downloader.Agent.APKO and Crypt.AXH

K I did that but I wasn't asked to submit anything. Here is the log.
As for AVG, the problem seems to be that when I update AVG it then shows as being in error until I restart the computer and let the updates take effect. Perhaps at some point I clicked to no longer prompt for a restart after updating. Adaware, however, still won't update. It says "error retrieving updates" but I guess that could be my ethernet switch configuration or Windows Firewall or anything really.
A good alternative to AVG would be great. Especially something that doesn't take over my whole computer.

ComboFix 08-12-07.04 - Administrator 2008-12-09 7:39:20.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.529 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\virus\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\virus\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-04 00:37 . 2008-12-08 18:03 250 --a------ c:\windows\gmer.ini
2008-12-03 19:33 . 2008-12-04 04:13 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-03 19:33 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-03 19:33 . 2008-06-13 05:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-03 18:05 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 16:01 . 2007-10-27 20:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-27 17:56 . 2008-11-27 17:56 <DIR> d-------- c:\program files\uTorrent
2008-11-27 17:56 . 2008-12-08 21:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\uTorrent
2008-11-24 00:13 . 2008-11-24 00:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Move Networks
2008-11-22 00:58 . 2008-12-08 03:15 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-22 00:58 . 2008-11-22 00:58 1,409 --a------ c:\windows\QTFont.for
2008-11-21 01:03 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\MSBuild
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\Microsoft Works
2008-11-21 00:52 . 2008-11-21 00:52 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-21 00:51 . 2008-11-21 01:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-21 00:50 . 2008-11-21 00:50 <DIR> dr-h----- C:\MSOCache
2008-11-15 19:45 . 2008-11-15 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-12 18:23 . 2008-11-12 19:50 <DIR> d-------- C:\New Folder
2008-11-10 23:21 . 2008-11-12 09:45 45,016,576 --a------ C:\120.-.Oil.Painting.avi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 15:29 --------- d-----w c:\program files\MetFileRegenerator
2008-12-09 13:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 02:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-08 19:21 --------- d-----w c:\program files\eMule
2008-12-08 16:00 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-11-23 11:15 --------- d-----w c:\program files\DynDNS Updater
2008-11-22 23:56 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-11-07 08:00 --------- d-----w c:\program files\Perfect Privacy SSH Client
2008-11-07 00:08 --------- d-----w c:\program files\Eraser
2008-11-02 17:17 --------- d-----w c:\program files\DC++
2008-11-02 05:58 --------- d-----w c:\program files\OpenVPN
2008-10-30 20:50 --------- d-----w c:\documents and settings\Administrator\Application Data\QQ
2008-10-30 20:47 --------- d-----w c:\program files\Tencent
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2007-11-27 02:54 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-04-29 08:20 92,064 ----a-w c:\documents and settings\Administrator\mqdmmdm.sys
2007-04-29 08:20 9,232 ----a-w c:\documents and settings\Administrator\mqdmmdfl.sys
2007-04-29 08:20 79,328 ----a-w c:\documents and settings\Administrator\mqdmserd.sys
2007-04-29 08:20 66,656 ----a-w c:\documents and settings\Administrator\mqdmbus.sys
2007-04-29 08:20 6,208 ----a-w c:\documents and settings\Administrator\mqdmcmnt.sys
2007-04-29 08:20 5,936 ----a-w c:\documents and settings\Administrator\mqdmwhnt.sys
2007-04-29 08:20 4,048 ----a-w c:\documents and settings\Administrator\mqdmcr.sys
2007-04-29 08:20 25,600 ----a-w c:\documents and settings\Administrator\usbsermptxp.sys
2007-04-29 08:20 22,768 ----a-w c:\documents and settings\Administrator\usbsermpt.sys
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot_2008-12-08_18.11.17.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-13 1397760]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-30 590848]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-18 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 307200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 219136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
PartMetBackup.lnk - c:\program files\Java\jre1.5.0_10\bin\javaw.exe [2006-12-18 53346]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-12-15 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\Program Files\\Edonkey Lite 1.4.3.2\\edonkey2000.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\dc\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\e-on software\\Vue 6 xStream\\Application\\Vue 6 xStream.eon"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Motorola\\UID Extraction Tool 2.2\\UIDExtraction.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\stuff\\Mirc\\mirc.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\stuff\\PI\\pi232.1146921652.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8681:TCP"= 8681:TCP:WWW

R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2007-06-09 33792]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-04-30 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-04-30 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-04-30 40832]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 npkycryp;npkycryp;\??\c:\program files\Tencent\QQ\npkycryp.sys []
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 19584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:8020
uInternet Settings,ProxyOverride = *.local
IE: Add to QQ Customized Panel - c:\program files\Tencent\QQ\AddPanel.htm
IE: Add to QQ Emotions - c:\program files\Tencent\QQ\AddEmotion.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send picture by MMS - c:\program files\Tencent\QQ\SendMMS.htm
IE: Upload to QQ Network Hard Disk - c:\program files\Tencent\QQ\AddToNetDisk.htm
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p5yuydfw.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - c:\program files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 07:41:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-09 7:42:33
ComboFix-quarantined-files.txt 2008-12-09 15:42:30
ComboFix2.txt 2008-12-09 15:35:44
ComboFix3.txt 2008-12-09 02:25:36
ComboFix4.txt 2008-12-09 02:12:03
ComboFix5.txt 2008-12-09 15:38:45

Pre-Run: 136,717,832,192 bytes free
Post-Run: 136,705,081,344 bytes free

209 --- E O F --- 2008-12-09 01:34:17
Old 12-09-2008, 09:16 AM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: Downloader.Agent.APKO and Crypt.AXH

Hi tybomb,

Please click on Start > Run and copy and paste the following into the Run box:

C:\Qoobox\CF-Submit-Previous.htm

Press Enter.

After that, follow the instructions in this image to submit the file.

http://i35.photobucket.com/albums/d1.../submit_CF.gif

As for your Internet connections issue, it could be because of your proxy settings.

Quote:
uInternet Settings,ProxyServer = localhost:8020
Did you set this yourself?
__________________




Done your best? Really?
Old 12-09-2008, 08:40 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 10
OS: XP


Re: Downloader.Agent.APKO and Crypt.AXH

Hi. When I type that into the Run box it says Windows cannot find the file.
I did set the proxy settings myself. I've never had any problems in the past, but I also haven't used Ad-Aware much.
I'm not sure why this file isn't here.
Old 12-10-2008, 05:46 AM   #8 (permalink)
Analyst, Security Team
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: Downloader.Agent.APKO and Crypt.AXH

Hi tybomb,

I would like to see this file - ComboFix-quarantined-files.txt

Please click on Start > Run and copy and paste in the following:

C:\QooBox\ComboFix-quarantined-files.txt

Press Enter.

A Notepad file will open. Please post the contents of this log in your next reply.
Old 12-10-2008, 04:27 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 10
OS: XP


Re: Downloader.Agent.APKO and Crypt.AXH

That one worked. A lot of this stuff may be related to QQ, which is a popular Chinese chat program I had to install. Unfortunately it comes bundled with tons of crap. I don't think this new trojan is related to QQ though.
I think scrax.dll is related to QQ but I have no clue about the rest.

2007-02-13 16:12:43 A------- 106,496 C:\Qoobox\Quarantine\C\WINDOWS\system32\scrax.dll.vir
2008-11-23 04:27:41 A------- 136 C:\Qoobox\Quarantine\C\WINDOWS\system32\mxp.dll.vir
2008-12-03 19:07:20 A------- 324 C:\Qoobox\Quarantine\catchme.log
2008-12-03 19:15:25 A------- 8,197 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-12-03 19:16:18 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-12-03 19:16:18 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-12-03 19:16:18 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-12-03 19:16:35 A------- 332 C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2008-12-09 07:21:34 A------- 220 C:\Qoobox\Quarantine\catchme.txt
2008-12-09 07:26:03 A------- 1,014 C:\Qoobox\Quarantine\Registry_backups\Legacy_AQQAMK.reg.dat
2008-12-09 07:26:03 A------- 1,050 C:\Qoobox\Quarantine\Registry_backups\Legacy_HWDORVTQI.reg.dat
2008-12-09 07:26:04 A------- 846 C:\Qoobox\Quarantine\Registry_backups\Legacy_VZUXJBFOZUVLW.reg.dat
2008-12-09 07:26:04 A------- 1,988 C:\Qoobox\Quarantine\Registry_backups\Service_aqqamk.reg.dat
2008-12-09 07:26:04 A------- 2,012 C:\Qoobox\Quarantine\Registry_backups\Service_hwdorvtqi.reg.dat
2008-12-09 07:26:04 A------- 2,814 C:\Qoobox\Quarantine\Registry_backups\Service_VZUXJBFOZUVLW.reg.dat
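The listing above is worth triaging rather than just reading: `.vir` entries are files ComboFix moved out of their original location, `Registry_backups` entries are keys it removed, and the matched `Service_`/`Legacy_` pairs with names like aqqamk and hwdorvtqi are the kind of generated service names a dropper uses for the drivers it installs. The Python below is an added example (not part of the thread or of ComboFix) that parses the listing exactly as posted, restores the original paths of the quarantined files, pairs each service with its Legacy_ backup, and applies a simple pronounceability heuristic to flag generated-looking names. The heuristic and its thresholds are assumptions meant as a triage aid, not a verdict.

```python
"""Triage a ComboFix quarantine listing (the ComboFix-quarantined-files.txt format)."""
import re

# Listing copied verbatim from the post above (the user's ComboFix quarantine log).
QUARANTINE_LISTING = r"""
2007-02-13 16:12:43 A------- 106,496 C:\Qoobox\Quarantine\C\WINDOWS\system32\scrax.dll.vir
2008-11-23 04:27:41 A------- 136 C:\Qoobox\Quarantine\C\WINDOWS\system32\mxp.dll.vir
2008-12-03 19:07:20 A------- 324 C:\Qoobox\Quarantine\catchme.log
2008-12-03 19:15:25 A------- 8,197 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-12-03 19:16:18 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-12-03 19:16:18 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-12-03 19:16:18 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-12-03 19:16:35 A------- 332 C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2008-12-09 07:21:34 A------- 220 C:\Qoobox\Quarantine\catchme.txt
2008-12-09 07:26:03 A------- 1,014 C:\Qoobox\Quarantine\Registry_backups\Legacy_AQQAMK.reg.dat
2008-12-09 07:26:03 A------- 1,050 C:\Qoobox\Quarantine\Registry_backups\Legacy_HWDORVTQI.reg.dat
2008-12-09 07:26:04 A------- 846 C:\Qoobox\Quarantine\Registry_backups\Legacy_VZUXJBFOZUVLW.reg.dat
2008-12-09 07:26:04 A------- 1,988 C:\Qoobox\Quarantine\Registry_backups\Service_aqqamk.reg.dat
2008-12-09 07:26:04 A------- 2,012 C:\Qoobox\Quarantine\Registry_backups\Service_hwdorvtqi.reg.dat
2008-12-09 07:26:04 A------- 2,814 C:\Qoobox\Quarantine\Registry_backups\Service_VZUXJBFOZUVLW.reg.dat
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<attr>\S+)\s+"
    r"(?P<size>[\d,]+)\s+(?P<path>C:\\Qoobox\\Quarantine\\.+)$")
PREFIX = "C:\\Qoobox\\Quarantine\\"
REG_DIR = "Registry_backups\\"


def parse_listing(text):
    """One dict per listing line: timestamp, size in bytes, path relative to the quarantine root."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"ts": m.group("ts"),
                            "size": int(m.group("size").replace(",", "")),
                            "rel": m.group("path")[len(PREFIX):]})
    return entries


def original_path(rel):
    """Map 'C\\WINDOWS\\system32\\x.dll.vir' back to 'C:\\WINDOWS\\system32\\x.dll'."""
    drive, _, rest = rel.partition("\\")
    return drive + ":\\" + rest[:-len(".vir")]


def looks_random(name):
    """Heuristic for generated service names (thresholds are assumptions, tune as needed):
    few vowels, a run of four or more consonants, or a 'q' not followed by 'u'."""
    name = name.lower()
    if not name:
        return False
    vowels = "aeiouy"
    if sum(c in vowels for c in name) / len(name) < 0.3:
        return True
    run = longest = 0
    for c in name:
        run = 0 if c in vowels else run + 1
        longest = max(longest, run)
    return longest >= 4 or ("q" in name and "qu" not in name)


def triage(text):
    """Group the listing into quarantined files, removed Run values, service/Legacy pairs and the rest."""
    report = {"files": [], "run_keys": [], "services": {}, "other": []}
    for e in parse_listing(text):
        rel = e["rel"]
        if rel.endswith(".vir"):
            report["files"].append(original_path(rel))
        elif rel.startswith(REG_DIR):
            name = rel[len(REG_DIR):]
            for suffix in (".reg.dat", ".reg"):
                if name.endswith(suffix):
                    name = name[:-len(suffix)]
                    break
            if name.startswith("HKLM-Run-"):
                # (value name, size in bytes of the backup ComboFix wrote for it)
                report["run_keys"].append((name[len("HKLM-Run-"):], e["size"]))
            elif name.startswith(("Service_", "Legacy_")):
                kind, _, svc = name.partition("_")
                report["services"].setdefault(svc.lower(), set()).add(kind)
            else:
                report["other"].append(name)
        else:
            report["other"].append(rel)
    return report


def suspicious_services(report):
    """Services that have both a Service_ and a Legacy_ backup and a generated-looking name."""
    return sorted(name for name, kinds in report["services"].items()
                  if {"Service", "Legacy"} <= kinds and looks_random(name))


if __name__ == "__main__":
    rep = triage(QUARANTINE_LISTING)
    print("quarantined files:", rep["files"])
    print("removed Run values:", rep["run_keys"])
    print("services with Legacy_ entries:", sorted(rep["services"]))
    print("generated-looking service names:", suspicious_services(rep))
```

Each `Service_X.reg.dat` here is the exported service key, so the backup itself tells you the driver's ImagePath; together with the `.vir` copies that is what you would submit for analysis or hash against a reputation service, and a name that trips the heuristic is a reason to look at the ImagePath, not proof of anything on its own.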
Old 12-11-2008, 08:06 AM   #10 (permalink)
Analyst, Security Team
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: Downloader.Agent.APKO and Crypt.AXH

Hmm... it looks like no file was collected for you to upload.

Please run ComboFix again by double-clicking on it and post back the log that it creates. You don't have to drag CFScript into ComboFix.
Old 12-15-2008, 07:31 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 10
OS: XP


Re: Downloader.Agent.APKO and Crypt.AXH

Sorry about the delay, I've been out of town. Here's the latest log.

ComboFix 08-12-07.04 - Administrator 2008-12-15 18:16:14.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.555 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\virus\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-15 01:45 . 2008-12-15 01:45 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-15 01:45 . 2008-12-15 01:45 1,409 --a------ c:\windows\QTFont.for
2008-12-11 20:22 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2008-12-11 20:22 . 2006-11-29 13:06 3,426,072 --a------ c:\windows\system32\d3dx9_32.dll
2008-12-11 20:22 . 2007-01-24 15:27 255,848 --a------ c:\windows\system32\xactengine2_6.dll
2008-12-11 20:22 . 2006-12-08 12:02 251,672 --a------ c:\windows\system32\xactengine2_5.dll
2008-12-11 20:22 . 2006-09-28 16:05 237,848 --a------ c:\windows\system32\xactengine2_4.dll
2008-12-11 20:22 . 2007-03-05 12:42 15,128 --a------ c:\windows\system32\x3daudio1_1.dll
2008-12-11 20:21 . 2008-12-11 20:21 <DIR> d-------- c:\windows\Logs
2008-12-11 20:09 . 2008-12-11 20:09 <DIR> d-------- c:\program files\Activision
2008-12-04 00:37 . 2008-12-09 07:45 250 --a------ c:\windows\gmer.ini
2008-12-03 19:33 . 2008-12-04 04:13 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-03 19:33 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-03 19:33 . 2008-06-13 05:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-03 18:05 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 16:01 . 2007-10-27 20:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-27 17:56 . 2008-11-27 17:56 <DIR> d-------- c:\program files\uTorrent
2008-11-27 17:56 . 2008-12-15 18:13 <DIR> d-------- c:\documents and settings\Administrator\Application Data\uTorrent
2008-11-24 00:13 . 2008-11-24 00:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Move Networks
2008-11-21 01:03 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\MSBuild
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\Microsoft Works
2008-11-21 00:52 . 2008-11-21 00:52 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-21 00:51 . 2008-11-21 01:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-21 00:50 . 2008-11-21 00:50 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 02:14 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-15 17:36 --------- d-----w c:\program files\eMule
2008-12-15 16:00 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-12-15 05:12 --------- d-----w c:\program files\MetFileRegenerator
2008-12-12 04:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-09 02:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-23 11:15 --------- d-----w c:\program files\DynDNS Updater
2008-11-22 23:56 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-11-16 03:45 --------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-07 08:00 --------- d-----w c:\program files\Perfect Privacy SSH Client
2008-11-02 17:17 --------- d-----w c:\program files\DC++
2008-11-02 05:58 --------- d-----w c:\program files\OpenVPN
2008-10-30 20:50 --------- d-----w c:\documents and settings\Administrator\Application Data\QQ
2008-10-30 20:47 --------- d-----w c:\program files\Tencent
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2007-11-27 02:54 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-04-29 08:20 92,064 ----a-w c:\documents and settings\Administrator\mqdmmdm.sys
2007-04-29 08:20 9,232 ----a-w c:\documents and settings\Administrator\mqdmmdfl.sys
2007-04-29 08:20 79,328 ----a-w c:\documents and settings\Administrator\mqdmserd.sys
2007-04-29 08:20 66,656 ----a-w c:\documents and settings\Administrator\mqdmbus.sys
2007-04-29 08:20 6,208 ----a-w c:\documents and settings\Administrator\mqdmcmnt.sys
2007-04-29 08:20 5,936 ----a-w c:\documents and settings\Administrator\mqdmwhnt.sys
2007-04-29 08:20 4,048 ----a-w c:\documents and settings\Administrator\mqdmcr.sys
2007-04-29 08:20 25,600 ----a-w c:\documents and settings\Administrator\usbsermptxp.sys
2007-04-29 08:20 22,768 ----a-w c:\documents and settings\Administrator\usbsermpt.sys
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot_2008-12-08_18.11.17.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-22 09:47:25 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP2QFE\tzchange.exe
+ 2008-10-23 1059 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3GDR\tzchange.exe
+ 2008-10-23 10:17:49 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB955839\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB955839\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB955839\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB955839\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB955839\update\updspapi.dll
+ 2008-10-23 12:51:04 284,160 ----a-w c:\windows\$hf_mig$\KB956802\SP2QFE\gdi32.dll
+ 2008-10-23 12:36:14 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3GDR\gdi32.dll
+ 2008-10-23 12:43:42 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll
+ 2008-07-08 13:02:01 17,272 ----a-w c:\windows\$hf_mig$\KB956802\spmsg.dll
+ 2008-07-08 13:02:02 231,288 ----a-w c:\windows\$hf_mig$\KB956802\spuninst.exe
+ 2008-07-08 13:02:01 26,488 ----a-w c:\windows\$hf_mig$\KB956802\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB956802\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB956802\update\updspapi.dll
- 2007-03-17 09:39:55 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-12-12 04:22:30 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2007-03-17 09:39:55 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-12-12 04:22:30 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2007-03-17 09:39:55 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-12-12 04:22:30 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2007-02-04 19:26:00 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-12-12 04:22:26 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-02-04 19:26:00 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-12-12 04:22:27 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-02-04 19:26:01 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-12-12 04:22:27 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-02-04 19:26:01 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-12-12 04:22:28 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-03-17 09:39:56 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-12-12 04:22:28 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-02-04 19:26:02 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-12-12 04:22:28 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-02-04 19:26:02 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-12-12 04:22:28 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-02-04 19:26:03 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-12-12 04:22:29 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-02-04 19:26:03 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-12-12 04:22:29 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-02-04 19:26:05 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-12-12 04:22:31 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-03-17 09:39:56 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-12-12 04:22:31 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2007-03-17 09:39:56 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-12-12 04:22:31 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2007-03-17 09:39:56 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-12-12 04:22:31 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2007-03-17 09:39:56 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-12-12 04:22:31 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2007-03-17 09:39:55 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-12-12 04:22:30 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-08-26 07:24:28 124,928 -c----w c:\windows\ie7updates\KB958215-IE7\advpack.dll
+ 2008-08-26 07:24:28 347,136 -c----w c:\windows\ie7updates\KB958215-IE7\dxtmsft.dll
+ 2008-08-26 07:24:28 214,528 -c----w c:\windows\ie7updates\KB958215-IE7\dxtrans.dll
+ 2008-08-26 07:24:28 133,120 -c----w c:\windows\ie7updates\KB958215-IE7\extmgr.dll
+ 2008-08-26 07:24:28 63,488 -c----w c:\windows\ie7updates\KB958215-IE7\icardie.dll
+ 2008-08-25 08:37:59 70,656 -c----w c:\windows\ie7updates\KB958215-IE7\ie4uinit.exe
+ 2008-08-26 07:24:28 153,088 -c----w c:\windows\ie7updates\KB958215-IE7\ieakeng.dll
+ 2008-08-26 07:24:28 230,400 -c----w c:\windows\ie7updates\KB958215-IE7\ieaksie.dll
+ 2008-08-23 05:54:51 161,792 -c----w c:\windows\ie7updates\KB958215-IE7\ieakui.dll
+ 2008-08-26 07:24:28 383,488 -c----w c:\windows\ie7updates\KB958215-IE7\ieapfltr.dll
+ 2008-08-26 07:24:29 384,512 -c----w c:\windows\ie7updates\KB958215-IE7\iedkcs32.dll
+ 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\ie7updates\KB958215-IE7\ieframe.dll
+ 2008-08-26 07:24:29 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\iernonce.dll
+ 2008-08-26 07:24:29 267,776 -c----w c:\windows\ie7updates\KB958215-IE7\iertutil.dll
+ 2008-08-25 08:38:00 13,824 -c----w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe
+ 2008-08-23 05:56:15 635,848 -c----w c:\windows\ie7updates\KB958215-IE7\iexplore.exe
+ 2008-08-26 07:24:30 27,648 -c----w c:\windows\ie7updates\KB958215-IE7\jsproxy.dll
+ 2008-08-26 07:24:30 459,264 -c----w c:\windows\ie7updates\KB958215-IE7\msfeeds.dll
+ 2008-08-26 07:24:30 52,224 -c----w c:\windows\ie7updates\KB958215-IE7\msfeedsbs.dll
+ 2008-08-27 08:24:32 3,593,216 -c----w c:\windows\ie7updates\KB958215-IE7\mshtml.dll
+ 2008-08-26 07:24:30 477,696 -c----w c:\windows\ie7updates\KB958215-IE7\mshtmled.dll
+ 2008-08-26 07:24:30 193,024 -c----w c:\windows\ie7updates\KB958215-IE7\msrating.dll
+ 2008-08-26 07:24:30 671,232 -c----w c:\windows\ie7updates\KB958215-IE7\mstime.dll
+ 2008-08-26 07:24:30 102,912 -c----w c:\windows\ie7updates\KB958215-IE7\occache.dll
+ 2008-08-26 07:24:30 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\pngfilt.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\updspapi.dll
+ 2008-08-26 07:24:30 105,984 -c----w c:\windows\ie7updates\KB958215-IE7\url.dll
+ 2008-08-26 07:24:31 1,159,680 -c----w c:\windows\ie7updates\KB958215-IE7\urlmon.dll
+ 2008-08-26 07:24:31 233,472 -c----w c:\windows\ie7updates\KB958215-IE7\webcheck.dll
+ 2008-08-26 07:24:31 826,368 -c----w c:\windows\ie7updates\KB958215-IE7\wininet.dll
+ 2008-12-12 04:21:27 11,502 ----a-r c:\windows\Installer\{D80A6A73-E58A-4673-AFF5-F12D7110661F}\ARPPRODUCTICON.exe
- 2008-08-26 07:24:28 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2007-03-13 00:42:30 1,123,696 ----a-w c:\windows\system32\D3DCompiler_33.dll
+ 2007-05-17 00:45:16 1,124,720 ----a-w c:\windows\system32\D3DCompiler_34.dll
+ 2007-07-20 02:14:42 1,358,192 ----a-w c:\windows\system32\D3DCompiler_35.dll
+ 2007-10-12 23:14:00 1,374,232 ----a-w c:\windows\system32\D3DCompiler_36.dll
+ 2008-03-05 23:56:58 1,420,824 ----a-w c:\windows\system32\D3DCompiler_37.dll
+ 2008-05-30 22:11:46 1,491,992 ----a-w c:\windows\system32\D3DCompiler_38.dll
+ 2007-03-16 00:57:58 443,752 ----a-w c:\windows\system32\d3dx10_33.dll
+ 2007-05-17 00:45:16 443,752 ----a-w c:\windows\system32\d3dx10_34.dll
+ 2007-07-20 02:14:42 444,776 ----a-w c:\windows\system32\d3dx10_35.dll
+ 2007-10-02 17:56:34 444,776 ----a-w c:\windows\system32\d3dx10_36.dll
+ 2008-02-06 07:07:36 462,864 ----a-w c:\windows\system32\d3dx10_37.dll
+ 2008-05-30 22:11:46 467,984 ----a-w c:\windows\system32\d3dx10_38.dll
+ 2007-05-17 00:45:16 3,497,832 ----a-w c:\windows\system32\d3dx9_34.dll
+ 2007-07-20 02:14:42 3,727,720 ----a-w c:\windows\system32\d3dx9_35.dll
+ 2007-10-12 23:14:00 3,734,536 ----a-w c:\windows\system32\d3dx9_36.dll
+ 2008-03-05 23:56:58 3,786,760 ----a-w c:\windows\system32\D3DX9_37.dll
+ 2008-05-30 22:11:46 3,850,760 ----a-w c:\windows\system32\D3DX9_38.dll
- 2008-08-26 07:24:28 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
+ 2008-10-16 20:38:34 124,928 -c--a-w c:\windows\system32\dllcache\advpack.dll
- 2008-08-26 07:24:28 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-26 07:24:28 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 20:38:35 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2007-06-19 13:31:19 282,112 -c--a-w c:\windows\system32\dllcache\gdi32.dll
+ 2008-10-23 13:01:36 283,648 -c--a-w c:\windows\system32\dllcache\gdi32.dll
- 2008-08-26 07:24:28 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2008-08-25 08:37:59 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-08-26 07:24:28 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
- 2008-08-26 07:24:28 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
- 2008-08-23 05:54:51 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2008-10-15 07:04:53 161,792 -c--a-w c:\windows\system32\dllcache\ieakui.dll
- 2008-08-26 07:24:28 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-08-26 07:24:29 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2008-08-26 07:24:29 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
+ 2008-10-16 20:38:37 44,544 -c--a-w c:\windows\system32\dllcache\iernonce.dll
- 2008-08-26 07:24:29 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
- 2008-08-25 08:38:00 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2008-08-23 05:56:15 635,848 -c--a-w c:\windows\system32\dllcache\iexplore.exe
+ 2008-10-15 0726 633,632 -c--a-w c:\windows\system32\dllcache\iexplore.exe
- 2008-08-26 07:24:30 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2006-10-19 03:03:58 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-18 09:09:22 100,864 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2008-08-26 07:24:30 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
- 2008-08-26 07:24:30 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-08-27 08:24:32 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-10-17 10:08:40 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-26 07:24:30 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2008-08-26 07:24:30 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 20:38:38 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-08-26 07:24:30 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 20:38:39 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-08-26 07:24:30 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
+ 2008-10-16 20:38:39 102,912 -c--a-w c:\windows\system32\dllcache\occache.dll
- 2008-08-26 07:24:30 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2006-08-21 17:52:08 246,814 -c--a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:15:47 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
- 2008-08-26 07:24:30 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
+ 2008-10-16 20:38:39 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
- 2008-08-26 07:24:31 1,159,680 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-26 07:24:31 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
+ 2008-10-16 20:38:39 233,472 -c--a-w c:\windows\system32\dllcache\webcheck.dll
- 2008-08-26 07:24:31 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 20:38:40 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 04:47:20 937,984 -c--a-w c:\windows\system32\dllcache\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-10-19 04:47:22 2,450,944 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-08-26 07:24:28 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-26 07:24:28 133,120 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll
- 2008-08-26 07:24:28 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-08-25 08:37:59 70,656 ----a-w c:\windows\system32\ie4uinit.exe
+ 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-08-26 07:24:28 153,088 ----a-w c:\windows\system32\ieakeng.dll
+ 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll
- 2008-08-26 07:24:28 230,400 ----a-w c:\windows\system32\ieaksie.dll
+ 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll
- 2008-08-23 05:54:51 161,792 ----a-w c:\windows\system32\ieakui.dll
+ 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll
- 2008-08-26 07:24:28 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-08-26 07:24:29 384,512 ----a-w c:\windows\system32\iedkcs32.dll
+ 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll
- 2008-10-03 17:41:15 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
- 2008-08-26 07:24:29 44,544 ----a-w c:\windows\system32\iernonce.dll
+ 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll
- 2008-08-26 07:24:29 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-08-25 08:38:00 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-08-26 07:24:30 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2006-10-19 03:03:58 100,864 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-18 09:09:22 100,864 ----a-w c:\windows\system32\logagent.exe
- 2008-10-31 00:56:16 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-12-11 20:41:49 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-08-26 07:24:30 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-08-26 07:24:30 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-08-27 08:24:32 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-10-17 10:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-26 07:24:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-08-26 07:24:30 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll
- 2008-08-26 07:24:30 671,232 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll
- 2008-08-26 07:24:30 102,912 ----a-w c:\windows\system32\occache.dll
+ 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll
- 2008-08-26 07:24:30 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-07-27 17:41:40 16,760 ------w c:\windows\system32\spmsg.dll
- 2008-07-14 11:09:18 62,976 ------w c:\windows\system32\tzchange.exe
+ 2008-10-22 09:47:07 62,976 ------w c:\windows\system32\tzchange.exe
- 2008-08-26 07:24:30 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-08-26 07:24:31 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-26 07:24:31 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2006-10-19 04:47:20 937,984 ----a-w c:\windows\system32\WMNetMgr.dll
+ 2008-06-18 13:03:08 938,496 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-10-19 04:47:22 2,450,944 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-18 13:03:14 2,458,112 ----a-w c:\windows\system32\WMVCore.dll
+ 2007-10-22 11:37:16 17,928 ----a-w c:\windows\system32\X3DAudio1_2.dll
+ 2008-03-06 00:00:06 25,608 ----a-w c:\windows\system32\X3DAudio1_3.dll
+ 2008-05-30 22:17:00 25,608 ----a-w c:\windows\system32\X3DAudio1_4.dll
+ 2007-10-22 11:39:54 267,272 ----a-w c:\windows\system32\xactengine2_10.dll
+ 2007-04-05 02:55:00 261,480 ----a-w c:\windows\system32\xactengine2_7.dll
+ 2007-06-21 04:46:04 266,088 ----a-w c:\windows\system32\xactengine2_8.dll
+ 2007-07-20 08:57:12 267,112 ----a-w c:\windows\system32\xactengine2_9.dll
+ 2008-03-06 00:03:20 238,088 ----a-w c:\windows\system32\xactengine3_0.dll
+ 2008-05-30 22:18:52 238,088 ----a-w c:\windows\system32\xactengine3_1.dll
+ 2008-05-30 22:17:30 65,032 ----a-w c:\windows\system32\XAPOFX1_0.dll
+ 2008-03-06 00:03:54 479,752 ----a-w c:\windows\system32\XAudio2_0.dll
+ 2008-05-30 22:19:18 507,400 ----a-w c:\windows\system32\XAudio2_1.dll
- 2006-09-29 00:04:02 68,888 ----a-w c:\windows\system32\xinput1_3.dll
+ 2007-04-05 02:53:42 81,768 ----a-w c:\windows\system32\xinput1_3.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-13 1397760]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-30 590848]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-18 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 307200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 219136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
PartMetBackup.lnk - c:\program files\Java\jre1.5.0_10\bin\javaw.exe [2006-12-18 53346]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-12-15 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\Program Files\\Edonkey Lite 1.4.3.2\\edonkey2000.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\dc\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\e-on software\\Vue 6 xStream\\Application\\Vue 6 xStream.eon"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Motorola\\UID Extraction Tool 2.2\\UIDExtraction.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\stuff\\Mirc\\mirc.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\stuff\\PI\\pi232.1146921652.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8681:TCP"= 8681:TCP:WWW

R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2007-06-09 33792]
R3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 56576]
R3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 19584]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-04-30 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-04-30 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-04-30 40832]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 npkycryp;npkycryp;\??\c:\program files\Tencent\QQ\npkycryp.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - f:\setup\rsrc\Autorun.exe
\Shell\dinstall\command - f:\directx\dxsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:8020
uInternet Settings,ProxyOverride = *.local
IE: Add to QQ Customized Panel - c:\program files\Tencent\QQ\AddPanel.htm
IE: Add to QQ Emotions - c:\program files\Tencent\QQ\AddEmotion.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send picture by MMS - c:\program files\Tencent\QQ\SendMMS.htm
IE: Upload to QQ Network Hard Disk - c:\program files\Tencent\QQ\AddToNetDisk.htm
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p5yuydfw.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - c:\program files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations -------
.
chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 18:22:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-15 18:23:38
ComboFix-quarantined-files.txt 2008-12-16 02:23:35
ComboFix2.txt 2008-12-09 15:42:34
ComboFix3.txt 2008-12-09 15:35:44
ComboFix4.txt 2008-12-09 02:25:36
ComboFix5.txt 2008-12-16 02:15:49

Pre-Run: 91,947,798,528 bytes free
Post-Run: 91,935,625,216 bytes free

474 --- E O F --- 2008-12-10 11:01:46
tybomb is offline  
Old 12-16-2008, 08:00 AM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2006
Posts: 714
OS: immune system, circulatory system, central nervous system, muscular system, skeletal system, digesti


Re: Downloader.Agent.APKO and Crypt.AXH

Hi tybomb,

The log looks good. Are you still experiencing problems with updating both AVG and Ad-Aware?

Please go to the Eset website to perform an online scan. Please use Internet Explorer, as it uses ActiveX.
  1. Check (tick) this box: YES, I accept the Terms of Use.
  2. Click on the Start button next to it.
  3. When prompted to run ActiveX, click Yes.
  4. You will be asked to install an ActiveX. Click Install.
  5. Once installed, the scanner will be initialized.
  6. After the scanner is initialized, click Start.
  7. Uncheck (untick) Remove found threats box.
  8. Check (tick) Scan unwanted applications.
  9. Click on Scan.
  10. It will start scanning. Please be patient.
  11. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.
__________________




Done your best? Really?
ndmmxiaomayi is offline  
Copyright 2001 - 2009, Tech Support Forum