Old 12-06-2008, 08:02 PM   #1 (permalink)
Registered User
 
thecracker25's Avatar
 
Join Date: Nov 2008
Posts: 18
OS: Vista


Virtumonde infection, need help please.

A friend of mine was watching movies on a website and he got a lot of AV alerts. I scanned with Spybot Search & Destroy and there are 3 Virtumonde infections that keep coming back after deletion. Help me please.


DDS (Version 1.0) - NTFSx86
Run by Andrew at 18:47:55.18 on Sat 12/06/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2431 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Andrew\Desktop\remover\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\mlJCSLee.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Steam] c:\program files\valve\steam\\Steam.exe -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe" -H
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Notify: mlJCSLee - mlJCSLee.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\mlJCSLee.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-3-13 33800]
R2 ekrn;Eset Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" [2008-3-13 472320]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\NSDriver.sys []

=============== Created Last 30 ================

2008-12-06 15:40 198,710 a------- c:\windows\system32\wpv521228549885.cpx
2008-12-06 15:39 34,816 a------- c:\windows\system32\mlJCSLee.dll
2008-12-06 07:32 31,680 a------- c:\windows\system32\~.exe
2008-12-04 18:04 <DIR> --d----- c:\docume~1\andrew\applic~1\uTorrent
2008-11-25 17:17 <DIR> --d----- C:\wu-yi tea_files
2008-11-25 17:17 48,955 a------- C:\wu-yi tea.htm
2008-11-22 19:53 <DIR> --d----- C:\ComboFix
2008-11-22 17:41 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-22 17:41 73,728 a------- c:\windows\system32\javacpl.cpl
2008-11-22 15:21 <DIR> a-dshr-- C:\cmdcons
2008-11-21 20:54 250 a------- c:\windows\gmer.ini
2008-11-21 15:38 91 a------- c:\windows\wininit.ini
2008-11-21 15:23 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-21 15:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-20 20:07 805,400 a----r-- c:\windows\system32\tmpC923.tmp
2008-11-20 19:31 <DIR> --d----- C:\Temp
2008-11-20 19:16 115,016 a------- c:\windows\system32\MSINET.OCX
2008-11-20 19:16 2,407 a------- c:\windows\system32\MSINET.DEP
2008-11-15 17:57 <DIR> --d----- c:\windows\system32\AGEIA
2008-11-15 17:57 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-12 15:13 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 15:12 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-09 17:04 507,400 a------- c:\windows\system32\XAudio2_1.dll
2008-11-09 17:04 238,088 a------- c:\windows\system32\xactengine3_1.dll
2008-11-09 17:04 65,032 a------- c:\windows\system32\XAPOFX1_0.dll
2008-11-09 17:04 25,608 a------- c:\windows\system32\X3DAudio1_4.dll
2008-11-09 17:04 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2008-11-09 17:04 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2008-11-09 17:04 467,984 a------- c:\windows\system32\d3dx10_38.dll
2008-11-09 17:04 <DIR> --d----- c:\windows\Logs
2008-11-09 17:03 <DIR> --d----- c:\windows\system32\xlive
2008-11-09 17:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2008-11-09 17:00 <DIR> --d----- c:\program files\DAEMON Tools Pro

==================== Find3M ====================

2008-10-29 17:24 42,320 a------- c:\windows\system32\xfcodec.dll
2008-10-24 03:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-02 10:07 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-24 20:38 159,868 a------- c:\windows\Marsu-Fix Uninstaller.exe
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 17:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-05-30 16:12 22,328 a------- c:\docume~1\andrew\applic~1\PnkBstrK.sys
2008-05-02 16:54 47,360 a------- c:\docume~1\andrew\applic~1\pcouffin.sys
2008-05-02 16:52 87,608 a------- c:\docume~1\andrew\applic~1\ezpinst.exe
2008-04-26 15:24 94 a------- c:\docume~1\andrew\applic~1\22.cmd
2008-05-16 15:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051620080517\index.dat

============= FINISH: 18:48:01.56 ===============
Attached Files
File Type: zip Attach.zip (2.5 KB, 0 views)
File Type: zip gmer.zip (1.8 KB, 1 views)

Last edited by thecracker25; 12-06-2008 at 08:06 PM.

Old 12-06-2008, 08:48 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,473
OS: N/A


Re: Virtumonde infection, need help please.

Delete your existing copy of ComboFix.exe. Then visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Download & save ComboFix to your Desktop, but don't run it yet.
Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
File::
C:\windows\system32\wpv521228549885.cpx
C:\windows\system32\mlJCSLee.dll
C:\windows\system32\~.exe
C:\windows\system32\tmpC923.tmp
C:\docume~1\andrew\applic~1\22.cmd
Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt.
Old 12-06-2008, 09:42 PM   #3 (permalink)
Registered User
 
thecracker25's Avatar
 
Join Date: Nov 2008
Posts: 18
OS: Vista


Re: Virtumonde infection, need help please.

Here's my ComboFix log.


ComboFix 08-12-06.04 - Andrew 2008-12-06 20:37:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2531 [GMT -8:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mom\Application Data\GetModule
c:\documents and settings\Mom\Application Data\GetModule\dicik.gz
c:\documents and settings\Mom\Application Data\GetModule\kwdik.gz
c:\documents and settings\Mom\Application Data\GetModule\ofadik.gz
c:\windows\system32\~.exe
c:\windows\system32\CMDLineExt.dll
c:\windows\system32\wpv521228549885.cpx
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 15:39 . 2008-12-06 15:39 34,816 --a------ c:\windows\system32\mlJCSLee.dll
2008-12-04 18:04 . 2008-12-06 17:24 <DIR> d-------- c:\documents and settings\Andrew\Application Data\uTorrent
2008-11-25 17:17 . 2008-11-25 17:17 <DIR> d-------- C:\wu-yi tea_files
2008-11-25 17:17 . 2008-11-25 17:17 48,955 --a------ C:\wu-yi tea.htm
2008-11-22 17:41 . 2008-11-22 17:40 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-22 17:41 . 2008-11-22 17:40 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-22 17:40 . 2008-11-22 17:40 <DIR> d-------- c:\program files\Java
2008-11-21 20:54 . 2008-12-06 18:37 250 --a------ c:\windows\gmer.ini
2008-11-21 16:19 . 2008-11-21 16:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-21 15:38 . 2008-11-21 15:38 91 --a------ c:\windows\wininit.ini
2008-11-21 15:23 . 2008-11-21 18:27 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-21 15:23 . 2008-11-21 18:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 20:07 . 2008-04-28 14:53 805,400 -ra------ c:\windows\system32\tmpC923.tmp
2008-11-20 19:31 . 2008-11-20 19:31 <DIR> d-------- C:\Temp
2008-11-20 19:16 . 2008-11-20 19:31 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-20 19:16 . 2008-11-20 19:31 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-15 17:57 . 2008-11-15 17:57 <DIR> d-------- c:\windows\system32\AGEIA
2008-11-15 17:57 . 2008-12-06 18:44 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-15 17:57 . 2008-11-15 17:57 <DIR> d-------- c:\program files\AGEIA Technologies
2008-11-12 15:13 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 15:12 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-09 17:04 . 2008-11-09 17:04 <DIR> d-------- c:\windows\Logs
2008-11-09 17:04 . 2008-11-09 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fallout3
2008-11-09 17:04 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-09 17:04 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-09 17:04 . 2008-05-30 14:19 507,400 --a------ c:\windows\system32\XAudio2_1.dll
2008-11-09 17:04 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-09 17:04 . 2008-05-30 14:18 238,088 --a------ c:\windows\system32\xactengine3_1.dll
2008-11-09 17:04 . 2008-05-30 14:17 65,032 --a------ c:\windows\system32\XAPOFX1_0.dll
2008-11-09 17:04 . 2008-05-30 14:17 25,608 --a------ c:\windows\system32\X3DAudio1_4.dll
2008-11-09 17:03 . 2008-11-09 17:03 <DIR> d-------- c:\windows\system32\xlive
2008-11-09 17:01 . 2008-11-09 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2008-11-09 17:00 . 2008-11-11 17:24 <DIR> d-------- c:\program files\DAEMON Tools Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 02:36 --------- d-----w c:\program files\PeerGuardian2
2008-12-07 01:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 01:28 --------- d-----w c:\program files\NCSoft
2008-12-07 01:26 --------- d-----w c:\program files\Silkroad
2008-12-01 00:27 --------- d-----w c:\program files\Warcraft III
2008-11-22 22:15 --------- d-----w c:\program files\FrostWire
2008-11-12 23:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 01:04 --------- d-----w c:\program files\Bethesda Softworks
2008-11-09 13:09 --------- d-----w c:\program files\Xfire
2008-11-09 01:37 --------- d-----w c:\program files\DVDFab 5
2008-11-09 01:15 --------- d-----w c:\documents and settings\Andrew\Application Data\Xfire
2008-11-02 17:58 --------- d-----w c:\documents and settings\LocalService\Application Data\Xfire
2008-10-30 01:24 42,320 ----a-w c:\windows\system32\xfcodec.dll
2008-10-28 23:04 --------- d-----w c:\program files\AIM6
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:14 --------- d-----w c:\program files\Unlocker
2008-10-18 23:54 --------- d-----w c:\program files\xTyFileCrypter
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-08 00:21 --------- d-----w c:\documents and settings\Andrew\Application Data\Vso
2008-10-02 18:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 04:38 159,868 ----a-w c:\windows\Marsu-Fix Uninstaller.exe
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-05-31 00:12 22,328 ----a-w c:\documents and settings\Andrew\Application Data\PnkBstrK.sys
2008-05-03 00:54 47,360 ----a-w c:\documents and settings\Andrew\Application Data\pcouffin.sys
2008-05-03 00:52 87,608 ----a-w c:\documents and settings\Andrew\Application Data\ezpinst.exe
2008-04-26 23:24 94 ----a-w c:\documents and settings\Andrew\Application Data\22.cmd
2008-05-16 23:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-06 15:39 34816 --a------ c:\windows\system32\mlJCSLee.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Valve\Steam\\Steam.exe" [2008-10-07 1410296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 c:\windows\RTHDCPL.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\mlJCSLee.dll" [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCSLee]
2008-12-06 15:39 34816 c:\windows\system32\mlJCSLee.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DualCoreCenter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DualCoreCenter.lnk
backup=c:\windows\pss\DualCoreCenter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-ra------ 2007-11-19 10:01 1970176 c:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 09:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-06-22 04:45 133576 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2007-03-20 13:36 36864 c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-22 17:40 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 18:14 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:*:Disabled:warcraft III
"6112:UDP"= 6112:UDP:*:Disabled:warcraft UDP
"6881:TCP"= 6881:TCP:*:Disabled:utorrent
"6881:UDP"= 6881:UDP:*:Disabled:utorrrent udp

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03777a16-47eb-11dd-b01d-001d92346ae8}]
\Shell\AutoRun\command - F:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6200862b-4c64-11dd-b02a-001d92346ae8}]
\Shell\AutoRun\command - E:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{667797f0-47ca-11dd-b01b-001d92346ae8}]
\Shell\AutoRun\command - F:\autoplay.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
.
- - - - ORPHANS REMOVED - - - -

BHO-{1a000b78-4ccb-43f9-90d9-ce7e0a3056dc} - (no file)
BHO-{5BEA5865-3E09-47A5-9E9E-FFB4F94CDA52} - (no file)
BHO-{6D6989F9-38CB-424A-97A6-1F13D28A7B6E} - (no file)
BHO-{7C0A898C-08BA-4522-995C-6BEA6D509481} - (no file)
BHO-{b7e8e46c-2cf1-4cd1-a17b-2ac77082faff} - (no file)
Notify-cbXNHXRj - (no file)
MSConfigStartUp-PlayNC Launcher - c:\program files\NCSoft\Launcher\NCLauncher.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FireFox -: Profile - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\k3enytmo.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 20:38:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\mlJCSLee.dll

- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2008-12-06 20:38:54
ComboFix-quarantined-files.txt 2008-12-07 04:38:34
ComboFix2.txt 2008-11-22 23:27:57

Pre-Run: 157,212,188,672 bytes free
Post-Run: 157,217,136,640 bytes free

221 --- E O F --- 2008-11-12 23:20:05
Old 12-06-2008, 09:45 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,473
OS: N/A


Re: Virtumonde infection, need help please.

Appears that you ran the previous fix incorrectly. Mind repeating it?
Old 12-06-2008, 09:55 PM   #5 (permalink)
Registered User
 
thecracker25's Avatar
 
Join Date: Nov 2008
Posts: 18
OS: Vista


Re: Virtumonde infection, need help please.

Thanks for the quick reply. I got this after repeating the fix.

ComboFix 08-12-06.04 - Andrew 2008-12-06 20:51:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2470 [GMT -8:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 15:39 . 2008-12-06 15:39 34,816 --a------ c:\windows\system32\mlJCSLee.dll
2008-12-04 18:04 . 2008-12-06 17:24 <DIR> d-------- c:\documents and settings\Andrew\Application Data\uTorrent
2008-11-25 17:17 . 2008-11-25 17:17 <DIR> d-------- C:\wu-yi tea_files
2008-11-25 17:17 . 2008-11-25 17:17 48,955 --a------ C:\wu-yi tea.htm
2008-11-22 17:41 . 2008-11-22 17:40 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-22 17:41 . 2008-11-22 17:40 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-22 17:40 . 2008-11-22 17:40 <DIR> d-------- c:\program files\Java
2008-11-21 20:54 . 2008-12-06 18:37 250 --a------ c:\windows\gmer.ini
2008-11-21 16:19 . 2008-11-21 16:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-21 15:38 . 2008-11-21 15:38 91 --a------ c:\windows\wininit.ini
2008-11-21 15:23 . 2008-11-21 18:27 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-21 15:23 . 2008-11-21 18:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 20:07 . 2008-04-28 14:53 805,400 -ra------ c:\windows\system32\tmpC923.tmp
2008-11-20 19:31 . 2008-11-20 19:31 <DIR> d-------- C:\Temp
2008-11-20 19:16 . 2008-11-20 19:31 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-20 19:16 . 2008-11-20 19:31 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-15 17:57 . 2008-11-15 17:57 <DIR> d-------- c:\windows\system32\AGEIA
2008-11-15 17:57 . 2008-12-06 18:44 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-15 17:57 . 2008-11-15 17:57 <DIR> d-------- c:\program files\AGEIA Technologies
2008-11-12 15:13 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 15:12 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-09 17:04 . 2008-11-09 17:04 <DIR> d-------- c:\windows\Logs
2008-11-09 17:04 . 2008-11-09 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fallout3
2008-11-09 17:04 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-09 17:04 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-09 17:04 . 2008-05-30 14:19 507,400 --a------ c:\windows\system32\XAudio2_1.dll
2008-11-09 17:04 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-09 17:04 . 2008-05-30 14:18 238,088 --a------ c:\windows\system32\xactengine3_1.dll
2008-11-09 17:04 . 2008-05-30 14:17 65,032 --a------ c:\windows\system32\XAPOFX1_0.dll
2008-11-09 17:04 . 2008-05-30 14:17 25,608 --a------ c:\windows\system32\X3DAudio1_4.dll
2008-11-09 17:03 . 2008-11-09 17:03 <DIR> d-------- c:\windows\system32\xlive
2008-11-09 17:01 . 2008-11-09 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2008-11-09 17:00 . 2008-11-11 17:24 <DIR> d-------- c:\program files\DAEMON Tools Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 02:36 --------- d-----w c:\program files\PeerGuardian2
2008-12-07 01:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 01:28 --------- d-----w c:\program files\NCSoft
2008-12-07 01:26 --------- d-----w c:\program files\Silkroad
2008-12-01 00:27 --------- d-----w c:\program files\Warcraft III
2008-11-22 22:15 --------- d-----w c:\program files\FrostWire
2008-11-12 23:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 01:04 --------- d-----w c:\program files\Bethesda Softworks
2008-11-09 13:09 --------- d-----w c:\program files\Xfire
2008-11-09 01:37 --------- d-----w c:\program files\DVDFab 5
2008-11-09 01:15 --------- d-----w c:\documents and settings\Andrew\Application Data\Xfire
2008-11-02 17:58 --------- d-----w c:\documents and settings\LocalService\Application Data\Xfire
2008-10-30 01:24 42,320 ----a-w c:\windows\system32\xfcodec.dll
2008-10-28 23:04 --------- d-----w c:\program files\AIM6
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:14 --------- d-----w c:\program files\Unlocker
2008-10-18 23:54 --------- d-----w c:\program files\xTyFileCrypter
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-08 00:21 --------- d-----w c:\documents and settings\Andrew\Application Data\Vso
2008-10-02 18:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 04:38 159,868 ----a-w c:\windows\Marsu-Fix Uninstaller.exe
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-05-31 00:12 22,328 ----a-w c:\documents and settings\Andrew\Application Data\PnkBstrK.sys
2008-05-03 00:54 47,360 ----a-w c:\documents and settings\Andrew\Application Data\pcouffin.sys
2008-05-03 00:52 87,608 ----a-w c:\documents and settings\Andrew\Application Data\ezpinst.exe
2008-04-26 23:24 94 ----a-w c:\documents and settings\Andrew\Application Data\22.cmd
2008-05-16 23:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-06 15:39 34816 --a------ c:\windows\system32\mlJCSLee.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Valve\Steam\\Steam.exe" [2008-10-07 1410296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 c:\windows\RTHDCPL.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\mlJCSLee.dll" [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXNHXRj]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJCSLee]
2008-12-06 15:39 34816 c:\windows\system32\mlJCSLee.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DualCoreCenter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DualCoreCenter.lnk
backup=c:\windows\pss\DualCoreCenter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-ra------ 2007-11-19 10:01 1970176 c:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 09:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-06-22 04:45 133576 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2007-03-20 13:36 36864 c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-22 17:40 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 18:14 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:*:Disabled:warcraft III
"6112:UDP"= 6112:UDP:*:Disabled:warcraft UDP
"6881:TCP"= 6881:TCP:*:Disabled:utorrent
"6881:UDP"= 6881:UDP:*:Disabled:utorrrent udp

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03777a16-47eb-11dd-b01d-001d92346ae8}]
\Shell\AutoRun\command - F:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6200862b-4c64-11dd-b02a-001d92346ae8}]
\Shell\AutoRun\command - E:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{667797f0-47ca-11dd-b01b-001d92346ae8}]
\Shell\AutoRun\command - F:\autoplay.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
.
- - - - ORPHANS REMOVED - - - -

BHO-{1a000b78-4ccb-43f9-90d9-ce7e0a3056dc} - (no file)
BHO-{5BEA5865-3E09-47A5-9E9E-FFB4F94CDA52} - (no file)
BHO-{6D6989F9-38CB-424A-97A6-1F13D28A7B6E} - (no file)
BHO-{7C0A898C-08BA-4522-995C-6BEA6D509481} - (no file)
BHO-{b7e8e46c-2cf1-4cd1-a17b-2ac77082faff} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FireFox -: Profile - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\k3enytmo.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 20:51:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\mlJCSLee.dll

- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2008-12-06 20:52:37
ComboFix-quarantined-files.txt 2008-12-07 04:52:18
ComboFix2.txt 2008-11-22 23:27:57

Pre-Run: 157,200,109,568 bytes free
Post-Run: 157,186,867,200 bytes free

211 --- E O F --- 2008-11-12 23:20:05
Old 12-06-2008, 10:02 PM   #6
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,473
OS: N/A

Re: Virtumonde infection, need help please.

That's a bit odd. I'm going to try a different approach. Please use this new CFScript:

Code:
COLLECT::
c:\windows\system32\mlJCSLee.dll
c:\windows\system32\tmpC923.tmp
c:\documents and settings\Andrew\Application Data\22.cmd
Old 12-06-2008, 10:25 PM   #7
thecracker25 (Registered User)
Join Date: Nov 2008
Posts: 18
OS: Vista

Re: Virtumonde infection, need help please.

Here's my new log. Also, I got a pop-up saying "windows cannot find '32788R22FWJFW\nircmd.com'" right before the warranty disclaimer for ComboFix, and ComboFix made the computer reboot.

ComboFix 08-12-06.06 - Andrew 2008-12-06 21:16:31.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2480 [GMT -8:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Andrew\Application Data\22.cmd
c:\windows\system32\mlJCSLee.dll
c:\windows\system32\tmpC923.tmp

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-04 18:04 . 2008-12-06 17:24 <DIR> d-------- c:\documents and settings\Andrew\Application Data\uTorrent
2008-11-25 17:17 . 2008-11-25 17:17 <DIR> d-------- C:\wu-yi tea_files
2008-11-25 17:17 . 2008-11-25 17:17 48,955 --a------ C:\wu-yi tea.htm
2008-11-22 17:41 . 2008-11-22 17:40 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-22 17:41 . 2008-11-22 17:40 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-22 17:40 . 2008-11-22 17:40 <DIR> d-------- c:\program files\Java
2008-11-21 20:54 . 2008-12-06 18:37 250 --a------ c:\windows\gmer.ini
2008-11-21 16:19 . 2008-11-21 16:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-21 15:38 . 2008-11-21 15:38 91 --a------ c:\windows\wininit.ini
2008-11-21 15:23 . 2008-12-06 21:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-21 15:23 . 2008-12-06 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 19:31 . 2008-11-20 19:31 <DIR> d-------- C:\Temp
2008-11-20 19:16 . 2008-11-20 19:31 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-20 19:16 . 2008-11-20 19:31 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-15 17:57 . 2008-11-15 17:57 <DIR> d-------- c:\windows\system32\AGEIA
2008-11-15 17:57 . 2008-12-06 18:44 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-15 17:57 . 2008-11-15 17:57 <DIR> d-------- c:\program files\AGEIA Technologies
2008-11-12 15:13 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 15:12 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-09 17:04 . 2008-11-09 17:04 <DIR> d-------- c:\windows\Logs
2008-11-09 17:04 . 2008-11-09 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fallout3
2008-11-09 17:04 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-09 17:04 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-09 17:04 . 2008-05-30 14:19 507,400 --a------ c:\windows\system32\XAudio2_1.dll
2008-11-09 17:04 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-09 17:04 . 2008-05-30 14:18 238,088 --a------ c:\windows\system32\xactengine3_1.dll
2008-11-09 17:04 . 2008-05-30 14:17 65,032 --a------ c:\windows\system32\XAPOFX1_0.dll
2008-11-09 17:04 . 2008-05-30 14:17 25,608 --a------ c:\windows\system32\X3DAudio1_4.dll
2008-11-09 17:03 . 2008-11-09 17:03 <DIR> d-------- c:\windows\system32\xlive
2008-11-09 17:01 . 2008-11-09 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2008-11-09 17:00 . 2008-11-11 17:24 <DIR> d-------- c:\program files\DAEMON Tools Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 02:36 --------- d-----w c:\program files\PeerGuardian2
2008-12-07 01:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 01:28 --------- d-----w c:\program files\NCSoft
2008-12-07 01:26 --------- d-----w c:\program files\Silkroad
2008-12-01 00:27 --------- d-----w c:\program files\Warcraft III
2008-11-22 22:15 --------- d-----w c:\program files\FrostWire
2008-11-12 23:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 01:04 --------- d-----w c:\program files\Bethesda Softworks
2008-11-09 13:09 --------- d-----w c:\program files\Xfire
2008-11-09 01:37 --------- d-----w c:\program files\DVDFab 5
2008-11-09 01:15 --------- d-----w c:\documents and settings\Andrew\Application Data\Xfire
2008-11-02 17:58 --------- d-----w c:\documents and settings\LocalService\Application Data\Xfire
2008-10-28 23:04 --------- d-----w c:\program files\AIM6
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:14 --------- d-----w c:\program files\Unlocker
2008-10-18 23:54 --------- d-----w c:\program files\xTyFileCrypter
2008-10-08 00:21 --------- d-----w c:\documents and settings\Andrew\Application Data\Vso
2008-10-07 21:33 6,133,856 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-09-25 04:38 159,868 ----a-w c:\windows\Marsu-Fix Uninstaller.exe
2008-05-31 00:12 22,328 ----a-w c:\documents and settings\Andrew\Application Data\PnkBstrK.sys
2008-05-03 00:54 47,360 ----a-w c:\documents and settings\Andrew\Application Data\pcouffin.sys
2008-05-03 00:52 87,608 ----a-w c:\documents and settings\Andrew\Application Data\ezpinst.exe
2008-05-16 23:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_20.38.22.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-07 05:18:19 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Valve\Steam\\Steam.exe" [2008-10-07 1410296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXNHXRj]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DualCoreCenter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DualCoreCenter.lnk
backup=c:\windows\pss\DualCoreCenter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-ra------ 2007-11-19 10:01 1970176 c:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 09:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-06-22 04:45 133576 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2007-03-20 13:36 36864 c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-22 17:40 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 18:14 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:*:Disabled:warcraft III
"6112:UDP"= 6112:UDP:*:Disabled:warcraft UDP
"6881:TCP"= 6881:TCP:*:Disabled:utorrent
"6881:UDP"= 6881:UDP:*:Disabled:utorrrent udp

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03777a16-47eb-11dd-b01d-001d92346ae8}]
\Shell\AutoRun\command - F:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6200862b-4c64-11dd-b02a-001d92346ae8}]
\Shell\AutoRun\command - E:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{667797f0-47ca-11dd-b01b-001d92346ae8}]
\Shell\AutoRun\command - F:\autoplay.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{1a000b78-4ccb-43f9-90d9-ce7e0a3056dc} - (no file)
BHO-{5BEA5865-3E09-47A5-9E9E-FFB4F94CDA52} - (no file)
BHO-{6D6989F9-38CB-424A-97A6-1F13D28A7B6E} - (no file)
BHO-{7C0A898C-08BA-4522-995C-6BEA6D509481} - (no file)
BHO-{b7e8e46c-2cf1-4cd1-a17b-2ac77082faff} - (no file)
Notify-mlJCSLee - mlJCSLee.dll
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FireFox -: Profile - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\k3enytmo.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 21:18:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-06 21:22:48 - machine was rebooted [Andrew]
ComboFix-quarantined-files.txt 2008-12-07 05:22:46
ComboFix2.txt 2008-12-07 04:52:37
ComboFix3.txt 2008-11-22 23:27:57

Pre-Run: 157,171,507,200 bytes free
Post-Run: 157,157,982,208 bytes free

206 --- E O F --- 2008-11-12 23:20:05
Old 12-06-2008, 10:39 PM   #8
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,473
OS: N/A

Re: Virtumonde infection, need help please.

This is a good run. Must have been NOD32 attacking CF's files that caused the earlier issues.


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Old 12-07-2008, 12:26 AM   #9
thecracker25 (Registered User)
Join Date: Nov 2008
Posts: 18
OS: Vista

Re: Virtumonde infection, need help please.

Here's my Kaspersky report.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 6, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 07, 2008 03:56:00
Records in database: 1441542
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 95788
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:13:52


File name / Threat name / Threats count
C:\Qoobox\Quarantine\[4]-Submit_2008-12-06@21.16.zip Infected: Trojan-Downloader.Win32.Agent.atga 1

The selected area was scanned.
Old 12-07-2008, 03:03 AM   #10
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,473
OS: N/A

Re: Virtumonde infection, need help please.

C:\QooBox\ is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
Old 12-07-2008, 01:22 PM   #11
thecracker25 (Registered User)
Join Date: Nov 2008
Posts: 18
OS: Vista

Re: Virtumonde infection, need help please.

I have a new problem: my Windows auto-update is off, and I can't turn it back on for some reason. My mom apparently went to the same site that originally infected my computer...

Last edited by thecracker25; 12-07-2008 at 01:29 PM.
Old 12-07-2008, 03:10 PM   #12
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy)
Join Date: May 2005
Posts: 24,473
OS: N/A

Re: Virtumonde infection, need help please.

Which site is this?

Please post a fresh ComboFix log.
Old 12-07-2008, 06:31 PM   #13
thecracker25 (Registered User)
Join Date: Nov 2008
Posts: 18
OS: Vista

Re: Virtumonde infection, need help please.

Here's my fresh ComboFix log. My auto-update is working again, but I got a fake Antivirus 2009 popup. The infection happened at hxxp://www.phimaz.com; it's a site to watch movies in Vietnamese.

ComboFix 08-12-06.06 - Andrew 2008-12-07 17:19:58.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2621 [GMT -8:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mom\Application Data\GetModule
c:\documents and settings\Mom\Application Data\GetModule\dicik.gz
c:\program files\GetModule
c:\program files\GetModule\GetModule31.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\system32\~.exe
c:\windows\system32\bbumbcpp.dll
c:\windows\system32\bcrnfneq.dll
c:\windows\system32\iophir.dll
c:\windows\system32\ppcbmubb.ini
c:\windows\system32\uutvwyay.ini
c:\windows\system32\uutvwyay.ini2
c:\windows\system32\wpv931228550018.cpx
c:\windows\system32\yaywvtuu.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 06:26 . 2008-12-07 06:26 34,816 --a------ c:\windows\system32\geBTNeDU.dll
2008-12-04 18:04 . 2008-12-06 17:24 <DIR> d-------- c:\documents and settings\Andrew\Application Data\uTorrent
2008-11-25 17:17 . 2008-11-25 17:17 <DIR> d-------- C:\wu-yi tea_files
2008-11-25 17:17 . 2008-11-25 17:17 48,955 --a------ C:\wu-yi tea.htm
2008-11-22 17:41 . 2008-11-22 17:40 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-22 17:41 . 2008-11-22 17:40 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-22 17:40 . 2008-11-22 17:40 <DIR> d-------- c:\program files\Java
2008-11-21 20:54 . 2008-12-06 18:37 250 --a------ c:\windows\gmer.ini
2008-11-21 16:19 . 2008-11-21 16:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-21 15:38 . 2008-11-21 15:38 91 --a------ c:\windows\wininit.ini
2008-11-21 15:23 . 2008-12-06 21:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-21 15:23 . 2008-12-06 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 19:31 . 2008-11-20 19:31 <DIR> d-------- C:\Temp
2008-11-20 19:16 . 2008-11-20 19:31 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-20 19:16 . 2008-11-20 19:31 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-15 17:57 . 2008-11-15 17:57 <DIR> d-------- c:\windows\system32\AGEIA
2008-11-15 17:57 . 2008-12-06 18:44 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-15 17:57 . 2008-11-15 17:57 <DIR> d-------- c:\program files\AGEIA Technologies
2008-11-12 15:13 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 15:12 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-09 17:04 . 2008-11-09 17:04 <DIR> d-------- c:\windows\Logs
2008-11-09 17:04 . 2008-11-09 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fallout3
2008-11-09 17:04 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-09 17:04 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-09 17:04 . 2008-05-30 14:19 507,400 --a------ c:\windows\system32\XAudio2_1.dll
2008-11-09 17:04 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-09 17:04 . 2008-05-30 14:18 238,088 --a------ c:\windows\system32\xactengine3_1.dll
2008-11-09 17:04 . 2008-05-30 14:17 65,032 --a------ c:\windows\system32\XAPOFX1_0.dll
2008-11-09 17:04 . 2008-05-30 14:17 25,608 --a------ c:\windows\system32\X3DAudio1_4.dll
2008-11-09 17:03 . 2008-11-09 17:03 <DIR> d-------- c:\windows\system32\xlive
2008-11-09 17:01 . 2008-11-09 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2008-11-09 17:00 . 2008-11-11 17:24 <DIR> d-------- c:\program files\DAEMON Tools Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 02:36 --------- d-----w c:\program files\PeerGuardian2
2008-12-07 01:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 01:28 --------- d-----w c:\program files\NCSoft
2008-12-07 01:26 --------- d-----w c:\program files\Silkroad
2008-12-01 00:27 --------- d-----w c:\program files\Warcraft III
2008-11-22 22:15 --------- d-----w c:\program files\FrostWire
2008-11-12 23:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 01:04 --------- d-----w c:\program files\Bethesda Softworks
2008-11-09 13:09 --------- d-----w c:\program files\Xfire
2008-11-09 01:37 --------- d-----w c:\program files\DVDFab 5
2008-11-09 01:15 --------- d-----w c:\documents and settings\Andrew\Application Data\Xfire
2008-11-02 17:58 --------- d-----w c:\documents and settings\LocalService\Application Data\Xfire
2008-10-28 23:04 --------- d-----w c:\program files\AIM6
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:14 --------- d-----w c:\program files\Unlocker
2008-10-18 23:54 --------- d-----w c:\program files\xTyFileCrypter
2008-10-08 00:21 --------- d-----w c:\documents and settings\Andrew\Application Data\Vso
2008-09-25 04:38 159,868 ----a-w c:\windows\Marsu-Fix Uninstaller.exe
2008-05-31 00:12 22,328 ----a-w c:\documents and settings\Andrew\Application Data\PnkBstrK.sys
2008-05-03 00:54 47,360 ----a-w c:\documents and settings\Andrew\Application Data\pcouffin.sys
2008-05-03 00:52 87,608 ----a-w c:\documents and settings\Andrew\Application Data\ezpinst.exe
2008-05-16 23:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34AF788F-11D9-4D5E-82C8-A4B8AE372D6D}]
2008-12-07 17:27 302592 --a------ c:\windows\system32\vtUopOed.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-07 06:26 34816 --a------ c:\windows\system32\geBTNeDU.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Valve\Steam\\Steam.exe" [2008-10-07 1410296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"943af4dc"="c:\windows\system32\akygsvsy.dll" [2008-12-07 72704]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-07 c:\windows\RTHDCPL.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\geBTNeDU.dll" [2008-12-07 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBTNeDU]
2008-12-07 06:26 34816 c:\windows\system32\geBTNeDU.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=iophir.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\vtUopOed

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DualCoreCenter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DualCoreCenter.lnk
backup=c:\windows\pss\DualCoreCenter.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-ra------ 2007-11-19 10:01 1970176 c:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 09:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-06-22 04:45 133576 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2007-03-20 13:36 36864 c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-22 17:40 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 18:14 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:*:Disabled:warcraft III
"6112:UDP"= 6112:UDP:*:Disabled:warcraft UDP
"6881:TCP"= 6881:TCP:*:Disabled:utorrent
"6881:UDP"= 6881:UDP:*:Disabled:utorrrent udp

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03777a16-47eb-11dd-b01d-001d92346ae8}]
\Shell\AutoRun\command - F:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6200862b-4c64-11dd-b02a-001d92346ae8}]
\Shell\AutoRun\command - E:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{667797f0-47ca-11dd-b01b-001d92346ae8}]
\Shell\AutoRun\command - F:\autoplay.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{52FBCB8A-2333-4A30-817A-D7B7E3570411} - c:\windows\system32\yaywvtuu.dll
BHO-{f07c7ea4-c734-483d-8225-7e82626847a6} - c:\windows\system32\iophir.dll
Notify-cbXNHXRj - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FireFox -: Profile - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\k3enytmo.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 17:26:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\vtUopOed.dll 302592 bytes executable
c:\windows\system32\deOpoUtv.ini 368 bytes
c:\windows\system32\deOpoUtv.ini2 368 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\geBTNeDU.dll

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-07 17:29:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 01:29:40
ComboFix2.txt 2008-12-07 05:22:49

Pre-Run: 158,025,424,896 bytes free
Post-Run: 158,045,134,848 bytes free

226 --- E O F --- 2008-11-12 23:20:05

Last edited by thecracker25; 12-07-2008 at 06:45 PM.
Old 12-07-2008, 07:23 PM   #14 (permalink)
Registered User
Join Date: Nov 2008
Posts: 18
OS: Vista


Re: Virtumonde infection, need help please.

I'm getting a lot of pop-ups now. :[
Old 12-07-2008, 08:59 PM   #15 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,473
OS: N/A


Re: Virtumonde infection, need help please.

Quote:
the infection happened at hxxp://www.phimaz.com, it's a site to watch movies in Vietnamese
Well, you know what they say about no free lunches. Such sites only appear free, but they get their revenue from loading malicious software on you. You should consider a change of browsing habits. We can't clean you all the time.


Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
Collect::
c:\windows\system32\geBTNeDU.dll
c:\windows\system32\vtUopOed.dll
c:\windows\system32\akygsvsy.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34AF788F-11D9-4D5E-82C8-A4B8AE372D6D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"943af4dc"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Save this as "CFScript"

[image of the drag-and-drop step not included in this copy]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


---------------


In your next post, please include fresh logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps, and update us on how the computer behaves now.
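Both ComboFix logs in this thread list the autostart locations Virtumonde hooked (two BHO CLSID keys, a hex-named HKLM Run value, a ShellExecuteHooks entry, a Winlogon Notify package, AppInit_DLLs, and an extra LSA authentication package), and the CFScript in the post above removes them by hand. The Python script below is an added example, not part of the thread and not ComboFix's own tooling: it triages the "Reg Loading Points" section of a ComboFix log and drafts the Collect:: and Registry:: sections of a CFScript from what it finds, using only the directive forms the thread shows. The allowlist, the "6 to 8 bare letters in system32" heuristic, and the assumption that a bare AppInit_DLLs name resolves to system32 are all mine; the sample excerpt is copied from the log posted earlier in this thread. For a single Run value it emits `[key]` followed by `"value"=-`, because `[-key]` removes the entire key, which is right for a BHO's own CLSID key but would take the legitimate Run entries with it. Winlogon Notify, ShellExecuteHooks and the LSA package are reported for review only, since the thread does not show a scripted removal for them.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log and draft a CFScript.

Added example for this thread; not ComboFix code and not the helper's script.
Assumptions (mine): ALLOWLIST, the random-name heuristic, SYSTEM32 for bare names.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name path reason")

SYSTEM32 = "c:\\windows\\system32\\"
# Assumption: OS/vendor modules whose short names would otherwise trip the heuristic.
ALLOWLIST = {"nvcpl", "nvmctray", "ctfmon", "rthdcpl", "msv1_0"}
RANDOM_NAME = re.compile(r"^[a-z]{6,8}$")            # e.g. vtuopoed, gebtnedu
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")              # e.g. 943af4dc
DLL_PATH = re.compile(r'[A-Za-z]:\\[^"\[\]]+?\.(?:dll|exe)\b', re.IGNORECASE)

# Constructed excerpt, copied from the first ComboFix log posted in this thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34AF788F-11D9-4D5E-82C8-A4B8AE372D6D}]
2008-12-07 17:27 302592 --a------ c:\windows\system32\vtUopOed.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-07 06:26 34816 --a------ c:\windows\system32\geBTNeDU.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"943af4dc"="c:\windows\system32\akygsvsy.dll" [2008-12-07 72704]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\geBTNeDU.dll" [2008-12-07 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBTNeDU]
2008-12-07 06:26 34816 c:\windows\system32\geBTNeDU.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=iophir.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\vtUopOed
"""


def parse_loading_points(text):
    """Yield (key, line) for every non-blank line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            yield key, line


def suspicious_dll(path):
    """Heuristic (assumption): a DLL in system32 named with 6-8 bare letters
    that is not a known module; Vundo's droppers name files this way."""
    p = path.lower()
    if not (p.endswith(".dll") and "\\system32\\" in p):
        return False
    stem = p.rsplit("\\", 1)[-1][:-4]
    return bool(RANDOM_NAME.match(stem)) and stem not in ALLOWLIST


def triage(text):
    """Return the autostart entries a human should look at, in log order."""
    findings = []
    for key, line in parse_loading_points(text):
        name = line.split("=", 1)[0].strip().strip('"') if "=" in line else ""
        m = DLL_PATH.search(line)
        path = m.group(0) if m else ""
        if name.lower() == "appinit_dlls":
            val = line.split("=", 1)[1].strip().strip('"')
            if val:
                if "\\" not in val:            # assumption: bare names load from system32
                    val = SYSTEM32 + val
                findings.append(Finding(key, "AppInit_DLLs", val, "AppInit_DLLs set; normally empty"))
        elif line.lower().startswith("authentication packages"):
            for pkg in line.split()[3:]:       # tokens after REG_MULTI_SZ
                if pkg.lower() != "msv1_0":
                    findings.append(Finding(key, "Authentication Packages", pkg, "LSA package other than msv1_0"))
        elif HEX_NAME.match(name) and key.lower().endswith("\\run"):
            findings.append(Finding(key, name, path, "Run value with a random hex name"))
        elif suspicious_dll(path):
            findings.append(Finding(key, name, path, "random-looking DLL in system32"))
    return findings


def build_cfscript(findings):
    """Draft Collect:: and Registry:: sections using only forms seen in the thread."""
    collect, delete_keys, delete_values = [], [], {}
    for f in findings:
        if f.path.lower().endswith(".dll"):
            collect.append(f.path)
        k = f.key.lower()
        if "browser helper objects" in k:
            if f.key not in delete_keys:
                delete_keys.append(f.key)          # [-key]: the CLSID key is the BHO's own
        elif f.name == "AppInit_DLLs" or k.endswith("\\run"):
            delete_values.setdefault(f.key, []).append(f.name)   # "value"=- keeps the key
    lines = ["Collect::", *dict.fromkeys(collect), "Registry::"]
    lines += ["[-%s]" % key for key in delete_keys]
    for key, names in delete_values.items():
        lines.append("[%s]" % key)
        lines += ['"%s"=-' % n for n in names]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE)
    for f in found:
        print(f"{f.reason:36} {f.name or '-':40} {f.path}")
    print()
    print(build_cfscript(found))
```

Run it against a saved log to get a review list and a draft script; every flagged item still needs a human decision before it goes into CFScript, and the random-name heuristic will both miss a DLL with a plausible name and flag an obscure vendor module, which is why the allowlist exists.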
Old 12-07-2008, 10:50 PM   #16 (permalink)
Registered User
Join Date: Nov 2008
Posts: 18
OS: Vista


Re: Virtumonde infection, need help please.

I have locked my mom out of the computer to prevent further infections. Here's my ComboFix log and Kaspersky report, what's next? :]
Also, something is odd about my Windows Security Center: it says my AV program was off after ComboFix did a reboot and I manually had to turn it on. I turned it on, but my Windows Security Center still says it's not on even though it is.

ComboFix 08-12-06.06 - Andrew 2008-12-07 20:08:34.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2560 [GMT -8:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andrew\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\akygsvsy.dll
c:\windows\system32\cmiljifx.dll
c:\windows\system32\deOpoUtv.ini
c:\windows\system32\deOpoUtv.ini2
c:\windows\system32\geBTNeDU.dll
c:\windows\system32\nloxua.dll
c:\windows\system32\vtUopOed.dll
c:\windows\system32\ysvsgyka.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-04 18:04 . 2008-12-06 17:24 <DIR> d-------- c:\documents and settings\Andrew\Application Data\uTorrent
2008-11-25 17:17 . 2008-11-25 17:17 <DIR> d-------- C:\wu-yi tea_files
2008-11-25 17:17 . 2008-11-25 17:17 48,955 --a------ C:\wu-yi tea.htm
2008-11-22 17:41 . 2008-11-22 17:40 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-22 17:41 . 2008-11-22 17:40 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-22 17:40 . 2008-11-22 17:40 <DIR> d-------- c:\program files\Java
2008-11-21 20:54 . 2008-12-06 18:37 250 --a------ c:\windows\gmer.ini
2008-11-21 16:19 . 2008-11-21 16:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-21 15:38 . 2008-11-21 15:38 91 --a------ c:\windows\wininit.ini
2008-11-21 15:23 . 2008-12-06 21:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-21 15:23 . 2008-12-06 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 19:31 . 2008-11-20 19:31 <DIR> d-------- C:\Temp
2008-11-20 19:16 . 2008-11-20 19:31 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-20 19:16 . 2008-11-20 19:31 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-15 17:57 . 2008-11-15 17:57 <DIR> d-------- c:\windows\system32\AGEIA
2008-11-15 17:57 . 2008-12-06 18:44 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-15 17:57 . 2008-11-15 17:57 <DIR> d-------- c:\program files\AGEIA Technologies
2008-11-12 15:13 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 15:12 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-09 17:04 . 2008-11-09 17:04 <DIR> d-------- c:\windows\Logs
2008-11-09 17:04 . 2008-11-09 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fallout3
2008-11-09 17:04 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-11-09 17:04 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-11-09 17:04 . 2008-05-30 14:19 507,400 --a------ c:\windows\system32\XAudio2_1.dll
2008-11-09 17:04 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-11-09 17:04 . 2008-05-30 14:18 238,088 --a------ c:\windows\system32\xactengine3_1.dll
2008-11-09 17:04 . 2008-05-30 14:17 65,032 --a------ c:\windows\system32\XAPOFX1_0.dll
2008-11-09 17:04 . 2008-05-30 14:17 25,608 --a------ c:\windows\system32\X3DAudio1_4.dll
2008-11-09 17:03 . 2008-11-09 17:03 <DIR> d-------- c:\windows\system32\xlive
2008-11-09 17:01 . 2008-11-09 17:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2008-11-09 17:00 . 2008-11-11 17:24 <DIR> d-------- c:\program files\DAEMON Tools Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 02:36 --------- d-----w c:\program files\PeerGuardian2
2008-12-07 01:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 01:28 --------- d-----w c:\program files\NCSoft
2008-12-07 01:26 --------- d-----w c:\program files\Silkroad
2008-12-01 00:27 --------- d-----w c:\program files\Warcraft III
2008-11-22 22:15 --------- d-----w c:\program files\FrostWire
2008-11-12 23:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 01:04 --------- d-----w c:\program files\Bethesda Softworks
2008-11-09 13:09 --------- d-----w c:\program files\Xfire
2008-11-09 01:37 --------- d-----w c:\program files\DVDFab 5
2008-11-09 01:15 --------- d-----w c:\documents and settings\Andrew\Application Data\Xfire
2008-11-02 17:58 --------- d-----w c:\documents and settings\LocalService\Application Data\Xfire
2008-10-28 23:04 --------- d-----w c:\program files\AIM6
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 00:14 --------- d-----w c:\program files\Unlocker
2008-10-18 23:54 --------- d-----w c:\program files\xTyFileCrypter
2008-10-08 00:21 --------- d-----w c:\documents and settings\Andrew\Application Data\Vso
2008-09-25 04:38 159,868 ----a-w c:\windows\Marsu-Fix Uninstaller.exe
2008-05-31 00:12 22,328 ----a-w c:\documents and settings\Andrew\Application Data\PnkBstrK.sys
2008-05-03 00:54 47,360 ----a-w c:\documents and settings\Andrew\Application Data\pcouffin.sys
2008-05-03 00:52 87,608 ----a-w c:\documents and settings\Andrew\Application Data\ezpinst.exe
2008-05-16 23:17 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_17.29.24.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-08 04:10:53 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Valve\Steam\\Steam.exe" [2008-10-07 1410296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DualCoreCenter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DualCoreCenter.lnk
backup=c:\windows\pss\DualCoreCenter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-ra------ 2007-11-19 10:01 1970176 c:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-21 09:09 50472 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-06-22 04:45 133576 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2007-03-20 13:36 36864 c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-22 17:40 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 18:14 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\NCsoft\\Exteel\\System\\Exteel.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\boostboi\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:*:Disabled:warcraft III
"6112:UDP"= 6112:UDP:*:Disabled:warcraft UDP
"6881:TCP"= 6881:TCP:*:Disabled:utorrent
"6881:UDP"= 6881:UDP:*:Disabled:utorrrent udp

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-03-13 472320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03777a16-47eb-11dd-b01d-001d92346ae8}]
\Shell\AutoRun\command - F:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6200862b-4c64-11dd-b02a-001d92346ae8}]
\Shell\AutoRun\command - E:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{667797f0-47ca-11dd-b01b-001d92346ae8}]
\Shell\AutoRun\command - F:\autoplay.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{3dd86e09-be69-4a7a-b724-e8263b169bb5} - c:\windows\system32\nloxua.dll
Notify-geBTNeDU - geBTNeDU.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FireFox -: Profile - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\k3enytmo.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 20:11:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-07 20:14:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 04:14:05
ComboFix2.txt 2008-12-08 01:29:43
ComboFix3.txt 2008-12-07 05:22:49

Pre-Run: 158,010,028,032 bytes free
Post-Run: 157,994,708,992 bytes free

194 --- E O F --- 2008-11-12 23:20:05


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 01:30:05
Records in database: 1443164
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 95738
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:12:28


File name / Threat name / Threats count
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@20.08.zip Infected: Trojan-Downloader.Win32.Agent.atga 1

The selected area was scanned.

Last edited by thecracker25; 12-07-2008 at 10:52 PM.
Old 12-07-2008, 10:58 PM   #17 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,473
OS: N/A


Re: Virtumonde infection, need help please.

Have you submitted the files to Bleepings?

Quote:
I have locked my mom out of the computer to prevent further infections.
LOL ... don't do that. Educate her instead. Prevention is better than cure.

Quote:
something is odd about my windows security center, it says my AV program was off after combofix did a reboot and I manually had to turn it on. I turned it on but my windows security center still says its not on even though it is.
Check if AMON is on. AMON is the real-time scanner.

Your machine is clean now. Remember to uninstall ComboFix
Surf safe
Old 12-07-2008, 11:17 PM   #18 (permalink)
Registered User
Join Date: Nov 2008
Posts: 18
OS: Vista


Re: Virtumonde infection, need help please.

AMON is already on... NOD32 itself would be alerting me that AMON was off as well if it really was. Thanks for cleaning my system! But the Windows Security Center still says it's off.

Last edited by thecracker25; 12-07-2008 at 11:19 PM.
Old 12-08-2008, 03:43 AM   #19 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,473
OS: N/A


Re: Virtumonde infection, need help please.

Best email ESET. They should know better about their product
Old 12-08-2008, 08:25 AM   #20 (permalink)
Registered User
Join Date: Nov 2008
Posts: 18
OS: Vista


Re: Virtumonde infection, need help please.

It's working normally now; the Windows Security Center is not alerting me anymore, but I have to turn on NOD32 manually now for some reason. You can set this thread resolved. Thanks!!!!!
Copyright 2001 - 2009, Tech Support Forum