Tech Support Forum
#1
Registered User
Join Date: Jul 2008
Posts: 5
OS: xp pro service pack 2
Virus keeps on coming back
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WinFast\W\WFTVFM\WFWIZ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {886EA47A-64DF-4912-909E-205C596F0531} - C:\WINDOWS\system32\tuvULedc.dll (file missing)
O2 - BHO: (no name) - {9C7AC5D2-169F-4A41-9365-597BC96C5BF4} - (no file)
O2 - BHO: (no name) - {D8D7A115-9A18-4574-B537-CF13AB6645DB} - (no file)
O2 - BHO: (no name) - {F6D848C2-1681-4BEB-AC57-879C263801D0} - (no file)
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\W\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\Load.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1212702233991
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...46/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COM+ System Service (COMSS) - Unknown owner - C:\WINDOWS\system32\SSMS.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I scanned a few times with different programs, including AVG, Ad-Aware, Spybot and HijackThis. They would remove the viruses and everything would seem to be normal, but then the next morning I would not be able to use the internet again and both my browsers would just keep on loading. I just tried VundoFix and it removed some viruses, but coming back later in the day I couldn't access the internet again, nor right-click on my MSN, as if I was denied access.
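The HijackThis log above is the kind of thing a responder reads by eye, looking for BHOs whose file is gone, Run entries with no drive letter, services with no vendor string, and file names that look like random letters. As an added example for this thread (not HijackThis's own code and not the poster's), the Python script below parses the O2, O4 (Run-key), O20 and O23 lines and lists the entries that deserve a second look. Its sample input is copied from the log above; the AppInit_DLLs allowlist and the 8-letter naming heuristic are assumptions of the example.

```python
"""Triage of HijackThis-style log lines: pull out the O2/O4/O20/O23 entries and
flag the ones that deserve a second look. Added example for this thread; not
HijackThis code and not the poster's. The allowlist and heuristics are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines in the layout HijackThis emits, copied from the log
# posted above (a few clean entries are kept so non-findings are visible too).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {886EA47A-64DF-4912-909E-205C596F0531} - C:\WINDOWS\system32\tuvULedc.dll (file missing)
O2 - BHO: (no name) - {9C7AC5D2-169F-4A41-9365-597BC96C5BF4} - (no file)
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: COM+ System Service (COMSS) - Unknown owner - C:\WINDOWS\system32\SSMS.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
"""

# One regex per section type; the section tag decides which one applies.
PATTERNS = {
    "O2":  re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"),
    "O4":  re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>.*?)\] (?P<path>.*)$"),  # Run-key entries only
    "O20": re.compile(r"^O20 - AppInit_DLLs: (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}
MISSING = re.compile(r"\((?:no file|file missing)\)", re.I)
WINDIR = re.compile(r"^[A-Z]:\\WINDOWS\\", re.I)
# A path is "rooted" if it starts with a drive, a UNC prefix, an env var, or a quote.
ROOTED = re.compile(r'^(?:[A-Z]:\\|\\\\|%[A-Za-z]+%|")', re.I)
# Assumed allowlist for AppInit_DLLs; build yours from a known-clean baseline.
KNOWN_APPINIT = {"avgrsstx.dll"}


@dataclass
class Finding:
    kind: str                  # HijackThis section tag, e.g. "O23"
    name: str
    path: str
    reasons: list = field(default_factory=list)


def random_looking(path: str) -> bool:
    """Heuristic for Vundo-style file names: an 8-letter, mixed-case stem living under
    the Windows directory. It is a prompt to verify the file, not proof of anything."""
    stem = re.sub(r"\s*\(.*\)$", "", path).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (len(stem) == 8 and stem.isalpha()
            and stem != stem.lower() and stem != stem.upper()
            and bool(WINDIR.match(path)))


def assess(kind: str, path: str, owner: str = None) -> list:
    """Return the reasons (possibly none) an entry should be reviewed."""
    reasons = []
    if MISSING.search(path):
        reasons.append("registered component's file is missing (orphaned registration)")
    elif kind != "O20" and not ROOTED.match(path):
        reasons.append("unrooted path: which binary runs depends on the search order")
    if owner == "Unknown owner" and WINDIR.match(path):
        reasons.append("service with no vendor string running from the Windows directory")
    if kind == "O20" and path.rsplit("\\", 1)[-1].lower() not in KNOWN_APPINIT:
        reasons.append("AppInit_DLLs loads into every process that uses user32; verify the DLL")
    if random_looking(path):
        reasons.append("random-looking 8-letter file name under the Windows directory")
    return reasons


def triage(log_text: str) -> list:
    """Parse the recognised sections of a HijackThis log and return the entries worth a look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line)
            if not m:
                continue
            g = m.groupdict()
            reasons = assess(kind, g["path"], g.get("owner"))
            if reasons:
                findings.append(Finding(kind, g.get("name", kind), g["path"], reasons))
            break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:>3}  {f.name}  ->  {f.path}")
        for reason in f.reasons:
            print(f"       - {reason}")
```

Findings are review items, not verdicts: the same "Unknown owner" rule fires on the ATI Smart service in the log above, and the 8-letter rule needs a known-good baseline before it can be trusted. What it does surface cleanly are the orphaned BHO registrations, the COMSS service running from system32 with no vendor string, and the iRiver Updater entry whose path carries no drive letter.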
#3
Registered User
Join Date: Jul 2008
Posts: 5
OS: xp pro service pack 2
Re: Virus keeps on coming back
I just scanned with SmitFraudFix and this is the log I received:

SmitFraudFix v2.332

Scan done at 12:27:35.50, 29/07/2008
Run from C:\Documents and Settings\wolf\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WinFast\W\WFTVFM\WFWIZ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\wolf

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\wolf\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\wolf\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

!!!Attention, following keys are not inevitably infected!!!

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\SYSTEM32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.100.1
Description: NVIDIA nForce Networking Controller #2 - Packet Scheduler Miniport
DNS Server Search Order: 64.71.255.198

HKLM\SYSTEM\CCS\Services\Tcpip\..\{044DDDC3-3F02-49FF-8390-573528F9E347}: DhcpNameServer=192.168.100.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C8FE4C14-77B2-47EB-9B69-ECE7B3165E1F}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS1\Services\Tcpip\..\{044DDDC3-3F02-49FF-8390-573528F9E347}: DhcpNameServer=192.168.100.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C8FE4C14-77B2-47EB-9B69-ECE7B3165E1F}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS2\Services\Tcpip\..\{044DDDC3-3F02-49FF-8390-573528F9E347}: DhcpNameServer=192.168.100.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C8FE4C14-77B2-47EB-9B69-ECE7B3165E1F}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS3\Services\Tcpip\..\{044DDDC3-3F02-49FF-8390-573528F9E347}: DhcpNameServer=192.168.100.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C8FE4C14-77B2-47EB-9B69-ECE7B3165E1F}: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
#4
Registered User
Join Date: Jul 2008
Posts: 5
OS: xp pro service pack 2
Re: Virus keeps on coming back
ComboFix 08-07-30.02 - wolf 2008-07-31 13:19:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.577 [GMT -4:00]
Running from: C:\Documents and Settings\wolf\Desktop\ComboFix.exe
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\wolf\Application Data\macromedia\Flash Player\#SharedObjects\B8L7L44M\interclick.com
C:\Documents and Settings\wolf\Application Data\macromedia\Flash Player\#SharedObjects\B8L7L44M\interclick.com\ud.sol
C:\Documents and Settings\wolf\Application Data\macromedia\Flash Player\#SharedObjects\B8L7L44M\www.broadcaster.com
C:\Documents and Settings\wolf\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\wolf\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\wolf\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\WINDOWS\BM4bc76ef8.txt
C:\WINDOWS\BM4bc76ef8.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bdJlnUtv.ini
C:\WINDOWS\system32\bdJlnUtv.ini2
C:\WINDOWS\system32\cdeLUvut.ini
C:\WINDOWS\system32\cdeLUvut.ini2
C:\WINDOWS\system32\cmnocfg.xml
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgwngnhc.ini
C:\WINDOWS\system32\ryfymukb.ini
C:\WINDOWS\system32\ssms.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_COMSS

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-30 14:32 . 2008-07-30 14:32 <DIR> d-------- C:\PSFONTS
2008-07-30 14:32 . 2008-07-30 14:32 <DIR> d-------- C:\Program Files\Finale Viewer 2008
2008-07-29 12:49 . 2008-07-29 12:49 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-26 12:33 . 2008-07-29 03:57 <DIR> d-------- C:\VundoFix Backups
2008-07-24 16:29 . 2008-07-24 16:29 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-07-22 16:10 . 2008-07-22 16:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-22 16:01 . 2008-07-22 16:01 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-07-22 12:16 . 2008-07-22 12:16 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-22 11:49 . 2008-07-22 16:04 43,693 ---hs---- C:\WINDOWS\system32\sskyfcsl.ini
2008-07-22 00:51 . 2008-07-31 13:27 17,719,328 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-22 00:51 . 2008-07-31 13:23 210,596 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-22 00:48 . 2008-07-22 00:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-21 12:56 . 2008-07-30 02:11 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-21 12:50 . 2008-07-21 12:50 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-21 12:49 . 2008-07-31 13:15 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-21 12:49 . 2008-07-21 12:49 <DIR> d-------- C:\Program Files\AVG
2008-07-21 12:49 . 2008-07-29 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-21 12:49 . 2008-07-29 12:49 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-20 19:40 . 2003-12-04 11:19 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-07-20 19:40 . 2003-12-04 11:19 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-07-17 09:50 . 2008-07-17 09:50 <DIR> d-------- C:\Documents and Settings\lisa\Contacts
2008-07-16 17:02 . 2008-07-29 12:57 2,702 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-16 15:59 . 2008-07-25 12:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-16 15:59 . 2008-07-25 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 14:55 . 2008-07-16 14:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-16 14:06 . 2008-07-16 14:06 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-16 13:20 . 2008-07-16 13:20 <DIR> d-------- C:\kav
2008-07-16 12:58 . 2008-07-16 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-16 12:57 . 2008-07-16 12:32 155,648 --a------ C:\WINDOWS\agpqlrfm.exe
2008-07-15 23:11 . 2008-07-15 23:11 <DIR> d-------- C:\Documents and Settings\wolf\Application Data\Uniblue
2008-07-14 12:53 . 2008-07-14 12:53 <DIR> d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-07-12 21:09 . 2002-07-02 07:59 34,688 --------- C:\WINDOWS\system32\drivers\samfilt.sys
2008-07-12 21:08 . 1998-09-25 00:00 929,844 --a------ C:\WINDOWS\system32\MFC42D.DLL
2008-07-12 21:08 . 1998-09-25 00:00 798,773 --a------ C:\WINDOWS\system32\MFCO42D.DLL
2008-07-12 21:08 . 1999-01-05 00:00 401,484 --a------ C:\WINDOWS\system32\MSVCRTD.DLL
2008-07-04 12:09 . 2008-07-15 23:38 <DIR> d-------- C:\Program Files\Unity
2008-06-25 23:26 . 2000-10-03 19:01 944,912 --a------ C:\WINDOWS\system32\msjava.dll
2008-06-06 13:26 . 2008-06-06 13:26 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-06-05 23:48 . 2008-06-05 23:48 <DIR> d-------- C:\Program Files\CDisplay
2008-06-05 17:48 . 2008-07-15 23:38 <DIR> d-------- C:\Program Files\Windows Live
2008-06-05 17:48 . 2008-06-05 17:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-05 17:48 . 2008-07-14 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-05 17:46 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-06-05 17:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-06-05 17:46 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-05 17:46 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-06-05 17:36 . 2008-06-05 17:36 2,400,784 --a------ C:\Program Files\WLinstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 17:23 1,441,280 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-07-31 17:23 1,170,432 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-07-31 17:11 2,864,128 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-07-31 17:11 1,445,888 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-07-31 17:11 --------- d-----w C:\Documents and Settings\wolf\Application Data\Azureus
2008-07-31 16:58 --------- d-----w C:\Program Files\Winamp
2008-07-26 17:05 2,810,880 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-07-26 17:05 1,399,808 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-07-26 16:09 3,014,144 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-07-23 17:54 2,064,384 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-07-23 16:25 2,720,256 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-07-21 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-20 23:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-20 23:40 --------- d-----w C:\Program Files\Macromedia
2008-07-20 23:40 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-07-17 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-16 21:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 18:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-16 17:36 7,219 ----a-w C:\WINDOWS\system32\drivers\services.xml
2008-07-14 16:53 --------- d-----w C:\Program Files\MSECache
2008-07-09 13:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-09 13:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-02-19 17:38 56 --sh--r C:\WINDOWS\system32\EB189723C7.sys
2006-03-12 07:19 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 212,992 2004-07-01 21:20:20 C:\bak\Updater.exe
----a-w 1,957,888 2005-06-02 21:03:08 C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe
----a-r 925,696 2005-05-20 01:11:06 C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe
----a-w 716,800 2005-07-26 14:54:28 C:\Program Files\Analog Devices\SoundMAX\bak\smax4.exe
----a-w 61,440 2005-08-06 06:07:30 C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe
----a-w 180,269 2006-07-11 04:16:12 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,896 2007-04-04 01:10:59 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
----a-w 49,263 2006-11-09 20:07:30 C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe
----a-w 155,648 2006-02-18 03:19:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-03-29 03:37:20 C:\Program Files\QuickTime\QTTask.exe
----a-w 35,328 2006-03-10 17:45:12 C:\Program Files\Winamp\bak\winampa.exe
----a-w 331,776 2005-12-21 20:05:24 C:\Program Files\WinFast\WFTVFM\bak\WFWIZ.exe
----a-w 2,109,440 2005-12-21 17:56:52 C:\Program Files\XemiComputers\Active Desktop Calendar\bak\ADC.exe
----a-w 2,109,440 2005-12-21 17:56:52 C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
----a-w 4,670,968 2007-01-19 17:49:28 C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w 208,952 2004-08-04 02:32:00 C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-04 02:32:00 C:\WINDOWS\ime\imjp8_1\imjpmig.exe
----a-w 44,032 2001-08-23 12:00:00 C:\WINDOWS\ime\imkr6_1\bak\IMEKRMIG.EXE
----a-w 44,032 2001-08-23 12:00:00 C:\WINDOWS\ime\imkr6_1\imekrmig.exe
----a-w 59,392 2004-08-04 02:31:50 C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
----a-w 59,392 2004-08-04 02:31:50 C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe
----a-w 455,168 2004-08-04 02:32:16 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-08-04 02:32:16 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe
----a-w 220,672 2001-09-13 18:53:16 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_AICN03.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2005-12-21 13:56 2109440]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
"PowerBar"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFast Schedule"="C:\Program Files\WinFast\W\WFTVFM\WFWIZ.exe" [2007-02-12 16:22 397312]
"iRiver Updater"="\Updater.exe" [N/A]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-29 12:48 1235736]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Load.exe [2005-08-06 02:07:30 36864]
Monitor.lnk - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [2006-12-18 20:32:22 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i263_32.drv
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Multimedia keyboard driver.lnk]
backup=C:\WINDOWS\pss\Multimedia keyboard driver.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysRestore
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\48f45d64]
C:\WINDOWS\system32\lrfvucgo.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4bc76ef8]
C:\WINDOWS\system32\eshgiklq.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 10:57 133016 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2001-08-23 08:00 44032 C:\WINDOWS\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 22:32 208952 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-03 22:31 59392 C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
--a------ 2004-07-29 05:41 1122304 C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-04-03 21:10 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-10-27 16:21 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-07-29 04:33]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-29 12:49]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 05:13]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-29 12:48]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-29 12:49]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-29 12:49]
S3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS []

.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{D8D7A115-9A18-4574-B537-CF13AB6645DB} - (no file)
ShellExecuteHooks-{59CF8D60-F8D7-42F5-9808-CD4594816FD0} - (no file)

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\wolf\Application Data\Mozilla\Firefox\Profiles\iqhe3zo2.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - acfmovies.com/board
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava11.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava12.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava13.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava14.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjava32.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0_03\bin\npoji610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npmusicn.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npvideoegg-loader.dll
FF -: plugin - C:\Program Files\VideoEgg\Loader\2663\npvideoegg-loader.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 13:26:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-31 13:32:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-31 17:32:48

Pre-Run: 46,329,085,952 bytes free
Post-Run: 46,445,871,104 bytes free

278
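In the Reg Loading Points section of the ComboFix log above, three values stand out for a responder: Security Center antivirus notifications are switched off (AntiVirusDisableNotify = 1), Security Center monitoring of the ZoneAlarm firewall is disabled, and EnableFirewall = 0 in the standard firewall profile. As an added example (not ComboFix's code and not the poster's), the Python script below parses that REGEDIT4-style dump and reports every value that departs from an assumed baseline in which those defences are on; the baseline table is the example's own assumption, and the sample input is copied from the log above.

```python
"""Check a ComboFix/REGEDIT4-style registry dump for values that switch the
machine's own defences off. Added example for this thread; not ComboFix's code
and not the poster's. The expected-value table is an assumption of the example."""
import re

# Constructed sample: the Security Center and firewall-policy lines copied from
# the ComboFix log above, plus an unrelated value to show it is left alone.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
"""

# (substring of the key path, value name) -> value the machine should carry.
# Assumed baseline for a stand-alone XP box; adjust for a managed environment.
EXPECTED = {
    ("security center", "antivirusdisablenotify"): 0,
    ("security center", "firewalldisablenotify"): 0,
    ("security center", "updatesdisablenotify"): 0,
    ("security center\\monitoring", "disablemonitoring"): 0,
    ("firewallpolicy\\standardprofile", "enablefirewall"): 1,
}

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')


def coerce(raw: str):
    """Turn the textual forms seen in these dumps into ints where they are numbers."""
    raw = raw.strip()
    m = re.fullmatch(r"dword:([0-9A-Fa-f]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9A-Fa-f]+\)", raw)   # ComboFix's "0 (0x0)" form
    if m:
        return int(m.group(1))
    return raw


def parse_dump(text: str) -> list:
    """Return (key, value name, value) triples from a REGEDIT4-style dump."""
    triples, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            triples.append((key, m.group("name"), coerce(m.group("raw"))))
    return triples


def defenses_disabled(text: str) -> list:
    """Return (key, name, actual, expected) for every baseline value set the wrong way."""
    hits = []
    for key, name, value in parse_dump(text):
        for (key_part, value_name), expected in EXPECTED.items():
            if name.lower() == value_name and key_part in key.lower() and value != expected:
                hits.append((key, name, value, expected))
    return hits


if __name__ == "__main__":
    for key, name, actual, expected in defenses_disabled(SAMPLE_DUMP):
        print(f"{key}\n    {name} = {actual} (expected {expected})")
```

A hit is a prompt to find out who set the value, not a verdict: a third-party firewall or antivirus product may legitimately register itself under Security Center\Monitoring with DisableMonitoring set, and a user may have turned the Windows Firewall off because another one is installed. The point of the check is that it asks the question for every value in the dump instead of relying on a reader to spot three lines in a log this long.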