Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 03-27-2009, 07:00 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp


Ntoskrnl hook

Hi

I have this horrible Trojan "NTOSKRNL HOOK". I have tried using normal spyware to get rid of it but so far to no avail. The problem started with my Internet Explorer freezing, which then requires a reboot as the whole machine freezes; however, Mozilla is working OK.

Please see reports below and attached.

Your help would be much appreciated.


Thanks


Paul



DDS (Ver_09-03-16.01) - NTFSx86
Run by Paul Beales at 1152.39 on 27/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1433 [GMT 0:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul Beales\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ASUS SmartDoctor] c:\program files\asus\smartdoctor\SmartDoctor.exe /start
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\paulbe~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paulbe~1\applic~1\mozilla\firefox\profiles\zflbr7s7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-1-10 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2009-1-11 38656]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-1-10 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-1-10 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-1-10 168776]
S3 mfefeatk01;McAfee Inc.;\Device\mfefeatk01.sys --> \Device\mfefeatk01.sys [?]
S3 mfefeatk02;McAfee Inc.;\Device\mfefeatk02.sys --> \Device\mfefeatk02.sys [?]
S3 mfefeatk03;McAfee Inc.;\Device\mfefeatk03.sys --> \Device\mfefeatk03.sys [?]
S3 mfefeatk04;McAfee Inc.;\Device\mfefeatk04.sys --> \Device\mfefeatk04.sys [?]
S3 mfefeatk05;McAfee Inc.;\Device\mfefeatk05.sys --> \Device\mfefeatk05.sys [?]
S3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\video3d32.sys --> c:\windows\system32\drivers\Video3D32.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-11 369688]

=============== Created Last 30 ================

2009-03-27 10:52 <DIR> a-dshr-- C:\cmdcons
2009-03-27 10:51 161,792 a------- c:\windows\SWREG.exe
2009-03-27 10:51 98,816 a------- c:\windows\sed.exe
2009-03-27 10:51 <DIR> --d----- C:\ComboFix
2009-03-27 10:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-26 21:51 <DIR> --d----- c:\program files\XoftSpySE
2009-03-26 18:08 <DIR> --d----- c:\windows\system32\LogFiles
2009-03-26 16:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sports Interactive
2009-03-26 16:49 <DIR> --d----- c:\windows\Logs
2009-03-26 16:47 <DIR> --d-h--- c:\program files\Zero G Registry
2009-03-26 16:47 <DIR> --d----- c:\program files\Sports Interactive
2009-03-26 16:46 <DIR> --d-h--- c:\documents and settings\paul beales\InstallAnywhere
2009-03-26 16:46 <DIR> --d----- c:\docume~1\paulbe~1\applic~1\Sports Interactive
2009-03-26 16:39 <DIR> --d----- c:\program files\PowerISO
2009-03-26 08:44 1,905 a------- c:\windows\diagwrn.xml
2009-03-26 08:44 1,905 a------- c:\windows\diagerr.xml
2009-03-24 10:28 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-19 16:39 <DIR> --d----- C:\QUARANTINE
2009-03-19 13:07 11 a------- c:\windows\nextsteps.ini
2009-03-19 13:06 348,160 a----r-- c:\windows\system32\msvcr71.dll
2009-03-19 13:04 101,136 a------- c:\windows\hpdj6800.hi1
2009-03-19 13:04 13,667 a------- c:\windows\hpdj6800.bu1
2009-03-19 13:04 23,005 a------- c:\windows\hpf6800m.hi1
2009-03-19 13:04 5,354 a------- c:\windows\hpf6800m.bu1
2009-03-17 17:36 815,104 a------- c:\windows\system32\xvidcore.dll
2009-03-17 17:36 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-03-17 17:36 77,824 a------- c:\windows\system32\xvid.ax
2009-03-17 17:36 <DIR> --d----- c:\program files\Xvid
2009-03-17 17:05 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-03-17 17:05 <DIR> --d----- c:\program files\ATI Technologies
2009-03-17 16:53 10 a------- c:\windows\WININIT.INI
2009-03-17 16:49 27,136 a------- c:\windows\system32\PCWizard.cpl
2009-03-17 16:49 <DIR> --d----- c:\program files\PC Wizard 2008
2009-03-17 11:07 <DIR> --d----- c:\program files\DVD Decrypter
2009-03-15 10:25 56,268 a------- c:\windows\system32\drivers\scdemu.sys
2009-03-09 18:33 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-03-24 10:28 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-12 20:09 737,280 a------- c:\windows\iun6002.exe
2009-02-09 11:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-04 07:27 3,488,768 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-02-04 05:57 11,702,272 a------- c:\windows\system32\atioglxx.dll
2009-02-04 05:03 290,816 a------- c:\windows\system32\atiok3x2.dll
2009-02-04 04:56 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-02-04 04:55 324,096 a------- c:\windows\system32\ati2dvag.dll
2009-02-04 04:44 196,608 a------- c:\windows\system32\atipdlxx.dll
2009-02-04 04:44 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-02-04 04:43 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-02-04 04:43 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-02-04 04:43 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-02-04 04:41 602,112 a------- c:\windows\system32\ati2evxx.exe
2009-02-04 04:40 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-02-04 04:30 3,884,768 a------- c:\windows\system32\ati3duag.dll
2009-02-04 04:14 2,645,504 a------- c:\windows\system32\ativvaxx.dll
2009-02-04 04:13 3,107,788 a------- c:\windows\system32\ativva5x.dat
2009-02-04 04:13 887,724 a------- c:\windows\system32\ativva6x.dat
2009-02-04 03:58 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-02-04 03:54 471,040 a------- c:\windows\system32\atikvmag.dll
2009-02-04 03:53 122,880 a------- c:\windows\system32\atiadlxx.dll
2009-02-04 03:52 17,408 a------- c:\windows\system32\atitvo32.dll
2009-02-04 03:52 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-02-04 03:46 626,688 a------- c:\windows\system32\ati2cqag.dll
2009-02-04 03:44 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-02-04 02:43 45,056 a------- c:\windows\system32\aticalrt.dll
2009-02-04 02:42 45,056 a------- c:\windows\system32\aticalcl.dll
2009-02-04 02:40 3,244,032 a------- c:\windows\system32\aticaldd.dll
2009-01-12 10:17 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-11 00:44 315,392 a------- c:\windows\HideWin.exe
2009-01-11 00:27 21,640 a------- c:\windows\system32\emptyregdb.dat
2006-06-23 14:48 32,768 a------- c:\windows\inf\UpdateUSB.exe

============= FINISH: 1157.21 ===============
Attached Files
File Type: zip Attach.zip (5.1 KB, 3 views)

Old 03-28-2009, 05:57 AM   #2 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp


Re: Ntoskrnl hook

Help Please!
Old 03-28-2009, 07:36 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,080
OS: WinXP and Vista


Re: Ntoskrnl hook

Hello bealzy. You really should have heeded the Disclaimer and waited for guidance before running ComboFix. Also as noted in our sticky topic:

Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
Were you able to deploy the tool?

If so, post the C:\ComboFix.txt

If not, please tell me what happened when you tried.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-30-2009, 02:38 PM   #4 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp


Re: Ntoskrnl hook

Hi

Thank you for your response. Yes, sorry, I panicked and deployed it before reading through the other bits and pieces.

It seems to have worked; the Ntoskrnl-Hook isn't coming up when I scan for viruses anymore. I have posted the txt from the ComboFix below.


ComboFix

ComboFix 09-03-26.03 - Paul Beales 2009-03-27 10:52:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1444 [GMT 0:00]
Running from: c:\documents and settings\Paul Beales\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-0-57-100005015-100010281-100018616-3611.com
c:\windows\system32\drivers\gaopdxgiddipdwtymnmbasrappyreqcfakjexe.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxwkcjttjdyjdlesbitbdukyrvoyrdlvdp.dll
e:\recycler\S-1-0-57-100005015-100010281-100018616-3611.com
E:\resycled
e:\resycled\boot.com
f:\recycler\S-1-0-57-100005015-100010281-100018616-3611.com
F:\resycled
f:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-27 10:07 . 2009-03-27 10:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 08:33 . 2009-03-27 08:33 <DIR> d-------- c:\program files\NVT Malware Remover Tool
2009-03-26 21:51 . 2009-03-26 22:50 <DIR> d-------- c:\program files\XoftSpySE
2009-03-26 18:08 . 2009-03-26 18:08 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-26 16:54 . 2009-03-26 16:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-03-26 16:49 . 2009-03-26 16:49 <DIR> d-------- c:\windows\Logs
2009-03-26 16:47 . 2009-03-26 16:49 <DIR> d--h----- c:\program files\Zero G Registry
2009-03-26 16:47 . 2009-03-26 16:47 <DIR> d-------- c:\program files\Sports Interactive
2009-03-26 16:46 . 2009-03-26 16:46 <DIR> d--h----- c:\documents and settings\Paul Beales\InstallAnywhere
2009-03-26 16:46 . 2009-03-26 16:54 <DIR> d-------- c:\documents and settings\Paul Beales\Application Data\Sports Interactive
2009-03-26 16:39 . 2009-03-26 17:52 <DIR> d-------- c:\program files\PowerISO
2009-03-26 08:44 . 2009-03-26 08:46 1,905 --a------ c:\windows\diagwrn.xml
2009-03-26 08:44 . 2009-03-26 08:46 1,905 --a------ c:\windows\diagerr.xml
2009-03-24 10:28 . 2009-03-24 10:28 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-19 16:39 . 2009-03-26 22:50 <DIR> d-------- C:\QUARANTINE
2009-03-19 13:07 . 2009-03-19 13:07 11 --a------ c:\windows\nextsteps.ini
2009-03-19 13:06 . 2004-05-10 15:54 348,160 -ra------ c:\windows\system32\msvcr71.dll
2009-03-19 13:04 . 2009-01-10 17:34 101,136 --a------ c:\windows\hpdj6800.hi1
2009-03-19 13:04 . 2009-01-10 17:36 23,005 --a------ c:\windows\hpf6800m.hi1
2009-03-19 13:04 . 2009-01-10 17:34 13,667 --a------ c:\windows\hpdj6800.bu1
2009-03-19 13:04 . 2009-01-10 17:36 5,354 --a------ c:\windows\hpf6800m.bu1
2009-03-17 17:36 . 2009-03-17 17:36 <DIR> d-------- c:\program files\Xvid
2009-03-17 17:36 . 2008-12-04 21:42 815,104 --a------ c:\windows\system32\xvidcore.dll
2009-03-17 17:36 . 2008-12-04 21:46 180,224 --a------ c:\windows\system32\xvidvfw.dll
2009-03-17 17:36 . 2008-12-13 20:01 77,824 --a------ c:\windows\system32\xvid.ax
2009-03-17 17:09 . 2009-03-17 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-03-17 17:05 . 2009-03-17 17:06 <DIR> d-------- c:\program files\ATI Technologies
2009-03-17 17:05 . 2009-02-03 21:05 593,920 --------- c:\windows\system32\ati2sgag.exe
2009-03-17 16:53 . 2009-03-17 16:53 10 --a------ c:\windows\WININIT.INI
2009-03-17 16:49 . 2009-03-17 16:49 <DIR> d-------- c:\program files\PC Wizard 2008
2009-03-17 16:49 . 2007-09-15 15:11 27,136 --a------ c:\windows\system32\PCWizard.cpl
2009-03-17 11:07 . 2009-03-17 11:07 <DIR> d-------- c:\program files\DVD Decrypter
2009-03-16 17:14 . 2009-03-16 17:14 <DIR> d-------- c:\program files\BitTorrent
2009-03-16 17:14 . 2009-03-26 22:55 <DIR> d-------- c:\documents and settings\Paul Beales\Application Data\BitTorrent
2009-03-15 10:25 . 2009-03-15 10:25 56,268 --a------ c:\windows\system32\drivers\scdemu.sys
2009-03-09 18:33 . 2009-01-09 19:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-26 14:13 --------- d-----w c:\program files\DYMO Label
2009-03-24 10:28 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-17 16:59 --------- d-----w c:\program files\ASUS
2009-03-17 16:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-17 16:55 --------- d-----w c:\program files\GameFace Messenger
2009-03-10 08:13 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-12 20:09 737,280 ----a-w c:\windows\iun6002.exe
2009-02-12 18:10 --------- d-----w c:\program files\EA SPORTS
2009-02-12 11:20 --------- d-----w c:\documents and settings\Paul Beales\Application Data\VTExtra
2009-02-10 12:31 --------- d-----w c:\documents and settings\Paul Beales\Application Data\Ahead
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-04 22:20 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-04 22:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-04 07:27 3,488,768 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-02-04 05:57 11,702,272 ----a-w c:\windows\system32\atioglxx.dll
2009-02-04 05:03 290,816 ----a-w c:\windows\system32\atiok3x2.dll
2009-02-04 04:56 442,368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-02-04 04:55 324,096 ----a-w c:\windows\system32\ati2dvag.dll
2009-02-04 04:44 196,608 ----a-w c:\windows\system32\atipdlxx.dll
2009-02-04 04:44 155,648 ----a-w c:\windows\system32\Oemdspif.dll
2009-02-04 04:43 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2009-02-04 04:43 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-02-04 04:43 155,648 ----a-w c:\windows\system32\ati2evxx.dll
2009-02-04 04:41 602,112 ----a-w c:\windows\system32\ati2evxx.exe
2009-02-04 04:40 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-02-04 04:30 3,884,768 ----a-w c:\windows\system32\ati3duag.dll
2009-02-04 04:14 2,645,504 ----a-w c:\windows\system32\ativvaxx.dll
2009-02-04 03:58 49,664 ----a-w c:\windows\system32\amdpcom32.dll
2009-02-04 03:54 471,040 ----a-w c:\windows\system32\atikvmag.dll
2009-02-04 03:53 122,880 ----a-w c:\windows\system32\atiadlxx.dll
2009-02-04 03:52 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-02-04 03:52 17,408 ----a-w c:\windows\system32\atitvo32.dll
2009-02-04 03:46 626,688 ----a-w c:\windows\system32\ati2cqag.dll
2009-02-04 03:44 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2009-02-04 02:43 45,056 ----a-w c:\windows\system32\aticalrt.dll
2009-02-04 02:42 45,056 ----a-w c:\windows\system32\aticalcl.dll
2009-02-04 02:40 3,244,032 ----a-w c:\windows\system32\aticaldd.dll
2009-01-31 20:33 --------- d-----w c:\program files\Microsoft
2009-01-31 20:32 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-31 20:32 --------- d-----w c:\program files\Windows Live
2009-01-31 20:30 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-31 19:44 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2009-01-29 15:39 --------- d-----w c:\program files\Mozilla Sunbird
2009-01-28 10:07 --------- d-----w c:\program files\RileysGAMES
2009-01-11 00:44 315,392 ----a-w c:\windows\HideWin.exe
2006-06-23 14:48 32,768 ----a-w c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-07-18 1114112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-06-26 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Paul Beales\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2009-01-11 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Paul Beales\\Desktop\\FileZilla.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2009-01-11 38656]
S3 mfefeatk01;McAfee Inc.;\Device\mfefeatk01.sys --> \Device\mfefeatk01.sys [?]
S3 mfefeatk02;McAfee Inc.;\Device\mfefeatk02.sys --> \Device\mfefeatk02.sys [?]
S3 mfefeatk03;McAfee Inc.;\Device\mfefeatk03.sys --> \Device\mfefeatk03.sys [?]
S3 mfefeatk04;McAfee Inc.;\Device\mfefeatk04.sys --> \Device\mfefeatk04.sys [?]
S3 mfefeatk05;McAfee Inc.;\Device\mfefeatk05.sys --> \Device\mfefeatk05.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 08:43]

2009-03-26 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 08:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Paul Beales\Application Data\Mozilla\Firefox\Profiles\zflbr7s7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 10:54:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxgiddipdwtymnmbasrappyreqcfakjexe.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-03-27 10:55:01
ComboFix-quarantined-files.txt 2009-03-27 10:54:59

Pre-Run: 434,026,192,896 bytes free
Post-Run: 434,522,787,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

224 --- E O F --- 2009-03-19 08:41:25
bealzy is offline  
Old 03-30-2009, 02:49 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,080
OS: WinXP and Vista


Re: Ntoskrnl hook

Hi bealzy,

We still have more to do. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

You must disable McAfee and ensure it is not set to re-start itself upon reboot. It is interfering with what ComboFix needs to do to properly remove the rootkit.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\spoolsv.exe"=-

Driver::
gaopdxserv.sys

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 03-31-2009, 03:18 AM   #6 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp


Re: Ntoskrnl hook

Hi

I have run the combo fix again and posted the log below. I tried my best to turn off the virus scanner, I think I was successful?

I had a problem with the Kaspersky... as it was trying to update the database it came up with the following message and stopped.

Quote:
Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.

You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Invalid file signature]
Please advise what to do next, I have posted the combofix log below.

ComboFix 09-03-30.02 - Paul Beales 2009-03-31 9:32:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1534 [GMT 1:00]
Running from: c:\documents and settings\Paul Beales\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul Beales\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-27 14:17 . 2009-03-27 14:17 <DIR> d-------- c:\documents and settings\Paul Beales\Application Data\Uniblue
2009-03-27 14:02 . 2009-03-27 14:02 <DIR> d-------- c:\program files\PCPitstop
2009-03-27 14:02 . 2009-03-27 14:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCPitstop
2009-03-27 11:07 . 2009-03-28 12:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-26 22:51 . 2009-03-27 12:06 <DIR> d-------- c:\program files\XoftSpySE
2009-03-26 19:08 . 2009-03-26 19:08 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-26 17:54 . 2009-03-26 17:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-03-26 17:49 . 2009-03-26 17:49 <DIR> d-------- c:\windows\Logs
2009-03-26 17:47 . 2009-03-26 17:49 <DIR> d--h----- c:\program files\Zero G Registry
2009-03-26 17:47 . 2009-03-26 17:47 <DIR> d-------- c:\program files\Sports Interactive
2009-03-26 17:46 . 2009-03-26 17:46 <DIR> d--h----- c:\documents and settings\Paul Beales\InstallAnywhere
2009-03-26 17:46 . 2009-03-26 17:54 <DIR> d-------- c:\documents and settings\Paul Beales\Application Data\Sports Interactive
2009-03-26 17:39 . 2009-03-26 18:52 <DIR> d-------- c:\program files\PowerISO
2009-03-26 09:44 . 2009-03-26 09:46 1,905 --a------ c:\windows\diagwrn.xml
2009-03-26 09:44 . 2009-03-26 09:46 1,905 --a------ c:\windows\diagerr.xml
2009-03-24 11:28 . 2009-03-24 11:28 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-19 17:39 . 2009-03-26 23:50 <DIR> d-------- C:\QUARANTINE
2009-03-19 14:07 . 2009-03-19 14:07 11 --a------ c:\windows\nextsteps.ini
2009-03-19 14:06 . 2004-05-10 16:54 348,160 -ra------ c:\windows\system32\msvcr71.dll
2009-03-19 14:04 . 2009-01-10 18:34 101,136 --a------ c:\windows\hpdj6800.hi1
2009-03-19 14:04 . 2009-01-10 18:36 23,005 --a------ c:\windows\hpf6800m.hi1
2009-03-19 14:04 . 2009-01-10 18:34 13,667 --a------ c:\windows\hpdj6800.bu1
2009-03-19 14:04 . 2009-01-10 18:36 5,354 --a------ c:\windows\hpf6800m.bu1
2009-03-17 18:36 . 2009-03-17 18:36 <DIR> d-------- c:\program files\Xvid
2009-03-17 18:36 . 2008-12-04 22:42 815,104 --a------ c:\windows\system32\xvidcore.dll
2009-03-17 18:36 . 2008-12-04 22:46 180,224 --a------ c:\windows\system32\xvidvfw.dll
2009-03-17 18:36 . 2008-12-13 21:01 77,824 --a------ c:\windows\system32\xvid.ax
2009-03-17 18:09 . 2009-03-17 18:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-03-17 18:05 . 2009-03-17 18:06 <DIR> d-------- c:\program files\ATI Technologies
2009-03-17 18:05 . 2009-02-03 22:05 593,920 --------- c:\windows\system32\ati2sgag.exe
2009-03-17 17:53 . 2009-03-17 17:53 10 --a------ c:\windows\WININIT.INI
2009-03-17 17:49 . 2009-03-17 17:49 <DIR> d-------- c:\program files\PC Wizard 2008
2009-03-17 17:49 . 2007-09-15 16:11 27,136 --a------ c:\windows\system32\PCWizard.cpl
2009-03-17 12:07 . 2009-03-17 12:07 <DIR> d-------- c:\program files\DVD Decrypter
2009-03-15 11:25 . 2009-03-15 11:25 56,268 --a------ c:\windows\system32\drivers\scdemu.sys
2009-03-09 19:33 . 2009-01-09 20:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-12 21:09 . 2009-03-17 17:55 <DIR> d-------- c:\program files\GameFace Messenger
2009-02-12 21:09 . 2009-02-12 21:09 737,280 --a------ c:\windows\iun6002.exe
2009-02-12 19:11 . 2009-02-12 19:11 486 --a------ c:\windows\eReg.dat
2009-02-12 19:10 . 2009-02-12 19:10 <DIR> d-------- c:\program files\EA SPORTS
2009-02-12 12:18 . 2009-02-12 12:20 <DIR> d-------- c:\documents and settings\Paul Beales\Application Data\VTExtra
2009-02-11 15:10 . 2009-02-11 15:10 0 --a------ c:\windows\ativpsrm.bin
2009-02-11 14:54 . 2009-03-17 18:04 <DIR> d-------- C:\ATI
2009-02-04 23:20 . 2009-02-04 23:20 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-04 06:57 . 2009-02-04 06:57 11,702,272 --a------ c:\windows\system32\atioglxx.dll
2009-02-04 06:03 . 2009-02-04 06:03 290,816 --a------ c:\windows\system32\atiok3x2.dll
2009-02-04 05:56 . 2009-02-04 05:56 442,368 --a------ c:\windows\system32\ATIDEMGX.dll
2009-02-04 05:44 . 2009-02-04 05:44 196,608 --a------ c:\windows\system32\atipdlxx.dll
2009-02-04 05:44 . 2009-02-04 05:44 155,648 --a------ c:\windows\system32\Oemdspif.dll
2009-02-04 05:43 . 2009-02-04 05:43 155,648 --a------ c:\windows\system32\ati2evxx.dll
2009-02-04 05:43 . 2009-02-04 05:43 43,520 --a------ c:\windows\system32\ati2edxx.dll
2009-02-04 05:43 . 2009-02-04 05:43 26,112 --a------ c:\windows\system32\Ati2mdxx.exe
2009-02-04 05:41 . 2009-02-04 05:41 602,112 --a------ c:\windows\system32\ati2evxx.exe
2009-02-04 05:40 . 2009-02-04 05:40 53,248 --a------ c:\windows\system32\ATIDDC.DLL
2009-02-04 05:13 . 2009-02-04 05:13 3,107,788 --a------ c:\windows\system32\ativva5x.dat
2009-02-04 05:13 . 2009-02-04 05:13 887,724 --a------ c:\windows\system32\ativva6x.dat
2009-02-04 05:13 . 2009-02-04 05:13 121,808 --a------ c:\windows\system32\ativvaxx.cap
2009-02-04 04:58 . 2009-02-04 04:58 49,664 --a------ c:\windows\system32\amdpcom32.dll
2009-02-04 04:54 . 2009-02-04 04:54 471,040 --a------ c:\windows\system32\atikvmag.dll
2009-02-04 04:53 . 2009-02-04 04:53 122,880 --a------ c:\windows\system32\atiadlxx.dll
2009-02-04 04:52 . 2009-02-04 04:52 53,248 --a------ c:\windows\system32\drivers\ati2erec.dll
2009-02-04 04:52 . 2009-02-04 04:52 17,408 --a------ c:\windows\system32\atitvo32.dll
2009-02-04 04:44 . 2009-02-04 04:44 307,200 --a------ c:\windows\system32\atiiiexx.dll
2009-02-04 03:43 . 2009-02-04 03:43 45,056 --a------ c:\windows\system32\aticalrt.dll
2009-02-04 03:42 . 2009-02-04 03:42 45,056 --a------ c:\windows\system32\aticalcl.dll
2009-02-04 03:40 . 2009-02-04 03:40 3,244,032 --a------ c:\windows\system32\aticaldd.dll
2009-02-01 13:16 . 2008-10-16 15:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-01 13:16 . 2008-10-16 15:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-01 13:16 . 2008-10-16 15:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 08:10 --------- d-----w c:\program files\DYMO Label
2009-03-17 16:59 --------- d-----w c:\program files\ASUS
2009-03-17 16:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-10 08:13 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-10 12:31 --------- d-----w c:\documents and settings\Paul Beales\Application Data\Ahead
2009-02-04 22:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-04 07:27 3,488,768 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-01-31 20:33 --------- d-----w c:\program files\Microsoft
2009-01-31 20:32 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-31 20:32 --------- d-----w c:\program files\Windows Live
2009-01-31 20:30 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-31 19:44 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2009-01-29 15:39 --------- d-----w c:\program files\Mozilla Sunbird
2009-01-28 10:07 --------- d-----w c:\program files\RileysGAMES
2009-01-11 00:44 315,392 ----a-w c:\windows\HideWin.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-27_10.54.26.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 13:02:42 276,720 ----a-w c:\windows\Downloaded Program Files\pcpitstopAntiVirus.dll
- 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2000-08-31 08:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 07:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 08:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 07:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2009-02-08 18:10:15 92,694 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-30 20:22:33 93,014 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-08 18:10:15 500,708 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-30 20:22:33 501,346 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-31 08:36:38 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-07-18 1114112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-06-26 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Paul Beales\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2009-01-11 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Paul Beales\\Desktop\\FileZilla.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2009-01-11 38656]
S3 mfefeatk01;McAfee Inc.;\Device\mfefeatk01.sys --> \Device\mfefeatk01.sys [?]
S3 mfefeatk02;McAfee Inc.;\Device\mfefeatk02.sys --> \Device\mfefeatk02.sys [?]
S3 mfefeatk03;McAfee Inc.;\Device\mfefeatk03.sys --> \Device\mfefeatk03.sys [?]
S3 mfefeatk04;McAfee Inc.;\Device\mfefeatk04.sys --> \Device\mfefeatk04.sys [?]
S3 mfefeatk05;McAfee Inc.;\Device\mfefeatk05.sys --> \Device\mfefeatk05.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
FF - ProfilePath - c:\documents and settings\Paul Beales\Application Data\Mozilla\Firefox\Profiles\zflbr7s7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 09:39:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-31 9:41:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 08:41:25
ComboFix2.txt 2009-03-27 10:55:02

Pre-Run: 434,209,828,864 bytes free
Post-Run: 434,158,620,672 bytes free

246 --- E O F --- 2009-03-19 08:41:25
bealzy is offline  
Old 03-31-2009, 07:15 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,080
OS: WinXP and Vista


Re: Ntoskrnl hook

Hi bealzy,

Let's try this scanner and see if it will run for you. Perform an online scan with Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.
Ried is offline  
Old 04-01-2009, 02:27 AM   #8 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp


Re: Ntoskrnl hook

Hi Ried

I managed to get the scanner to work late yesterday. I have attached the results from the Kaspersky scanner. The ComboFix results are included below in this post. There are obviously still things wrong, but the PC has been running much better since ComboFix and I can now use Internet Explorer, whereas before it would crash the whole system once I opened IE. It is behaving a little strangely though, a bit slow, and the little logo you get in IE when you open a new tab in eBay, for example, displays the wrong picture for the wrong webpage. Just little things like that. Thank you for all your help so far!

ComboFix 09-03-30.02 - Paul Beales 2009-03-31 9:32:25.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1534 [GMT 1:00]
Running from: c:\documents and settings\Paul Beales\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul Beales\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-27 14:17 . 2009-03-27 14:17 <DIR> d-------- c:\documents and settings\Paul Beales\Application Data\Uniblue
2009-03-27 14:02 . 2009-03-27 14:02 <DIR> d-------- c:\program files\PCPitstop
2009-03-27 14:02 . 2009-03-27 14:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCPitstop
2009-03-27 11:07 . 2009-03-28 12:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-26 22:51 . 2009-03-27 12:06 <DIR> d-------- c:\program files\XoftSpySE
2009-03-26 19:08 . 2009-03-26 19:08 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-26 17:54 . 2009-03-26 17:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-03-26 17:49 . 2009-03-26 17:49 <DIR> d-------- c:\windows\Logs
2009-03-26 17:47 . 2009-03-26 17:49 <DIR> d--h----- c:\program files\Zero G Registry
2009-03-26 17:47 . 2009-03-26 17:47 <DIR> d-------- c:\program files\Sports Interactive
2009-03-26 17:46 . 2009-03-26 17:46 <DIR> d--h----- c:\documents and settings\Paul Beales\InstallAnywhere
2009-03-26 17:46 . 2009-03-26 17:54 <DIR> d-------- c:\documents and settings\Paul Beales\Application Data\Sports Interactive
2009-03-26 17:39 . 2009-03-26 18:52 <DIR> d-------- c:\program files\PowerISO
2009-03-26 09:44 . 2009-03-26 09:46 1,905 --a------ c:\windows\diagwrn.xml
2009-03-26 09:44 . 2009-03-26 09:46 1,905 --a------ c:\windows\diagerr.xml
2009-03-24 11:28 . 2009-03-24 11:28 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-19 17:39 . 2009-03-26 23:50 <DIR> d-------- C:\QUARANTINE
2009-03-19 14:07 . 2009-03-19 14:07 11 --a------ c:\windows\nextsteps.ini
2009-03-19 14:06 . 2004-05-10 16:54 348,160 -ra------ c:\windows\system32\msvcr71.dll
2009-03-19 14:04 . 2009-01-10 18:34 101,136 --a------ c:\windows\hpdj6800.hi1
2009-03-19 14:04 . 2009-01-10 18:36 23,005 --a------ c:\windows\hpf6800m.hi1
2009-03-19 14:04 . 2009-01-10 18:34 13,667 --a------ c:\windows\hpdj6800.bu1
2009-03-19 14:04 . 2009-01-10 18:36 5,354 --a------ c:\windows\hpf6800m.bu1
2009-03-17 18:36 . 2009-03-17 18:36 <DIR> d-------- c:\program files\Xvid
2009-03-17 18:36 . 2008-12-04 22:42 815,104 --a------ c:\windows\system32\xvidcore.dll
2009-03-17 18:36 . 2008-12-04 22:46 180,224 --a------ c:\windows\system32\xvidvfw.dll
2009-03-17 18:36 . 2008-12-13 21:01 77,824 --a------ c:\windows\system32\xvid.ax
2009-03-17 18:09 . 2009-03-17 18:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-03-17 18:05 . 2009-03-17 18:06 <DIR> d-------- c:\program files\ATI Technologies
2009-03-17 18:05 . 2009-02-03 22:05 593,920 --------- c:\windows\system32\ati2sgag.exe
2009-03-17 17:53 . 2009-03-17 17:53 10 --a------ c:\windows\WININIT.INI
2009-03-17 17:49 . 2009-03-17 17:49 <DIR> d-------- c:\program files\PC Wizard 2008
2009-03-17 17:49 . 2007-09-15 16:11 27,136 --a------ c:\windows\system32\PCWizard.cpl
2009-03-17 12:07 . 2009-03-17 12:07 <DIR> d-------- c:\program files\DVD Decrypter
2009-03-15 11:25 . 2009-03-15 11:25 56,268 --a------ c:\windows\system32\drivers\scdemu.sys
2009-03-09 19:33 . 2009-01-09 20:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-02-12 21:09 . 2009-03-17 17:55 <DIR> d-------- c:\program files\GameFace Messenger
2009-02-12 21:09 . 2009-02-12 21:09 737,280 --a------ c:\windows\iun6002.exe
2009-02-12 19:11 . 2009-02-12 19:11 486 --a------ c:\windows\eReg.dat
2009-02-12 19:10 . 2009-02-12 19:10 <DIR> d-------- c:\program files\EA SPORTS
2009-02-12 12:18 . 2009-02-12 12:20 <DIR> d-------- c:\documents and settings\Paul Beales\Application Data\VTExtra
2009-02-11 15:10 . 2009-02-11 15:10 0 --a------ c:\windows\ativpsrm.bin
2009-02-11 14:54 . 2009-03-17 18:04 <DIR> d-------- C:\ATI
2009-02-04 23:20 . 2009-02-04 23:20 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-04 06:57 . 2009-02-04 06:57 11,702,272 --a------ c:\windows\system32\atioglxx.dll
2009-02-04 06:03 . 2009-02-04 06:03 290,816 --a------ c:\windows\system32\atiok3x2.dll
2009-02-04 05:56 . 2009-02-04 05:56 442,368 --a------ c:\windows\system32\ATIDEMGX.dll
2009-02-04 05:44 . 2009-02-04 05:44 196,608 --a------ c:\windows\system32\atipdlxx.dll
2009-02-04 05:44 . 2009-02-04 05:44 155,648 --a------ c:\windows\system32\Oemdspif.dll
2009-02-04 05:43 . 2009-02-04 05:43 155,648 --a------ c:\windows\system32\ati2evxx.dll
2009-02-04 05:43 . 2009-02-04 05:43 43,520 --a------ c:\windows\system32\ati2edxx.dll
2009-02-04 05:43 . 2009-02-04 05:43 26,112 --a------ c:\windows\system32\Ati2mdxx.exe
2009-02-04 05:41 . 2009-02-04 05:41 602,112 --a------ c:\windows\system32\ati2evxx.exe
2009-02-04 05:40 . 2009-02-04 05:40 53,248 --a------ c:\windows\system32\ATIDDC.DLL
2009-02-04 05:13 . 2009-02-04 05:13 3,107,788 --a------ c:\windows\system32\ativva5x.dat
2009-02-04 05:13 . 2009-02-04 05:13 887,724 --a------ c:\windows\system32\ativva6x.dat
2009-02-04 05:13 . 2009-02-04 05:13 121,808 --a------ c:\windows\system32\ativvaxx.cap
2009-02-04 04:58 . 2009-02-04 04:58 49,664 --a------ c:\windows\system32\amdpcom32.dll
2009-02-04 04:54 . 2009-02-04 04:54 471,040 --a------ c:\windows\system32\atikvmag.dll
2009-02-04 04:53 . 2009-02-04 04:53 122,880 --a------ c:\windows\system32\atiadlxx.dll
2009-02-04 04:52 . 2009-02-04 04:52 53,248 --a------ c:\windows\system32\drivers\ati2erec.dll
2009-02-04 04:52 . 2009-02-04 04:52 17,408 --a------ c:\windows\system32\atitvo32.dll
2009-02-04 04:44 . 2009-02-04 04:44 307,200 --a------ c:\windows\system32\atiiiexx.dll
2009-02-04 03:43 . 2009-02-04 03:43 45,056 --a------ c:\windows\system32\aticalrt.dll
2009-02-04 03:42 . 2009-02-04 03:42 45,056 --a------ c:\windows\system32\aticalcl.dll
2009-02-04 03:40 . 2009-02-04 03:40 3,244,032 --a------ c:\windows\system32\aticaldd.dll
2009-02-01 13:16 . 2008-10-16 15:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-01 13:16 . 2008-10-16 15:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-01 13:16 . 2008-10-16 15:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 08:10 --------- d-----w c:\program files\DYMO Label
2009-03-17 16:59 --------- d-----w c:\program files\ASUS
2009-03-17 16:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-10 08:13 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-10 12:31 --------- d-----w c:\documents and settings\Paul Beales\Application Data\Ahead
2009-02-04 22:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-04 07:27 3,488,768 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-01-31 20:33 --------- d-----w c:\program files\Microsoft
2009-01-31 20:32 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-31 20:32 --------- d-----w c:\program files\Windows Live
2009-01-31 20:30 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-31 19:44 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
2009-01-29 15:39 --------- d-----w c:\program files\Mozilla Sunbird
2009-01-28 10:07 --------- d-----w c:\program files\RileysGAMES
2009-01-11 00:44 315,392 ----a-w c:\windows\HideWin.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-27_10.54.26.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 13:02:42 276,720 ----a-w c:\windows\Downloaded Program Files\pcpitstopAntiVirus.dll
- 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2000-08-31 08:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 07:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 08:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 07:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2009-02-08 18:10:15 92,694 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-30 20:22:33 93,014 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-08 18:10:15 500,708 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-30 20:22:33 501,346 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-31 08:36:38 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-07-18 1114112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-06-26 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Paul Beales\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2009-01-11 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Paul Beales\\Desktop\\FileZilla.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2009-01-11 38656]
S3 mfefeatk01;McAfee Inc.;\Device\mfefeatk01.sys --> \Device\mfefeatk01.sys [?]
S3 mfefeatk02;McAfee Inc.;\Device\mfefeatk02.sys --> \Device\mfefeatk02.sys [?]
S3 mfefeatk03;McAfee Inc.;\Device\mfefeatk03.sys --> \Device\mfefeatk03.sys [?]
S3 mfefeatk04;McAfee Inc.;\Device\mfefeatk04.sys --> \Device\mfefeatk04.sys [?]
S3 mfefeatk05;McAfee Inc.;\Device\mfefeatk05.sys --> \Device\mfefeatk05.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
FF - ProfilePath - c:\documents and settings\Paul Beales\Application Data\Mozilla\Firefox\Profiles\zflbr7s7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 09:39:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-31 9:41:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 08:41:25
ComboFix2.txt 2009-03-27 10:55:02

Pre-Run: 434,209,828,864 bytes free
Post-Run: 434,158,620,672 bytes free

246 --- E O F --- 2009-03-19 08:41:25


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, April 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, March 31, 2009 16:22:41
Records in database: 1989750
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 289894
Threat name: 9
Infected objects: 17
Suspicious objects: 51
Duration of the scan: 02:32:30


File name / Threat name / Threats count
C:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{0D982CF6-AB40-49DF-9C10-785DFCF2DEEE}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{5C8700C3-DE46-48E9-A7D3-BA3A3CE6BED9}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 11
C:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{5C8700C3-DE46-48E9-A7D3-BA3A3CE6BED9}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan.Win32.Buzus.abqk 1
C:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{5C8700C3-DE46-48E9-A7D3-BA3A3CE6BED9}\Microsoft\Outlook Express OM\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 14
C:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{5C8700C3-DE46-48E9-A7D3-BA3A3CE6BED9}\Microsoft\Outlook Express OM\Deleted Items.dbx Infected: Trojan.Win32.Buzus.abqk 1
C:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{5C8700C3-DE46-48E9-A7D3-BA3A3CE6BED9}\Microsoft\Outlook Express OM\Deleted Items.dbx Infected: Trojan-Spy.Win32.Zbot.qfw 1
C:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{5C8700C3-DE46-48E9-A7D3-BA3A3CE6BED9}\Microsoft\Outlook Express OM\Deleted Items.dbx Infected: Trojan.Win32.Buzus.arqx 1
C:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{5C8700C3-DE46-48E9-A7D3-BA3A3CE6BED9}\Microsoft\Outlook Express OM\Deleted Items.dbx Infected: Trojan.Win32.Agent.bxge 1
C:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{5C8700C3-DE46-48E9-A7D3-BA3A3CE6BED9}\Microsoft\Outlook Express OM\Deleted Items.dbx Infected: Trojan.Win32.Agent.byfy 1
C:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{5C8700C3-DE46-48E9-A7D3-BA3A3CE6BED9}\Microsoft\Outlook Express PB\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Paul Beales\My Documents\Downloads\Prisonbreak\Prison.Break.S04E06.HDTV.XviD-LOL.avi Infected: Trojan-Downloader.WMA.GetCodec.m 1
C:\Qoobox\Quarantine\E\resycled\boot.com.vir Infected: Packed.Win32.Tdss.c 1
C:\Qoobox\Quarantine\F\resycled\boot.com.vir Infected: Packed.Win32.Tdss.c 1
E:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{66FBCD19-F668-47F8-87C7-D666EA36D8A4}\Microsoft\Outlook Express OM\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 11
E:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{66FBCD19-F668-47F8-87C7-D666EA36D8A4}\Microsoft\Outlook Express OM\Deleted Items.dbx Infected: Trojan.Win32.Buzus.abqk 1
E:\Documents and Settings\Paul Beales\Local Settings\Application Data\Identities\{A33B21C8-23BC-4654-88F1-31DFE0DE8F6F}\Microsoft\Outlook Express New\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
E:\Documents and Settings\Paul Beales\Local Settings\Temporary Internet Files\Content.IE5\SFJ111K9\XviD.Codec.Update.v2_3181[1].exe Infected: Rootkit.Win32.TDSS.ngg 1
E:\Documents and Settings\Paul Beales\Local Settings\Temporary Internet Files\Content.IE5\SFJ111K9\XviD.Codec.Update.v2_3181[1].exe Infected: Packed.Win32.Tdss.c 1
E:\RECYCLER\S-1-5-21-1645522239-436374069-725345543-1003\Dc12.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 11
E:\RECYCLER\S-1-5-21-1645522239-436374069-725345543-1003\Dc12.bak Infected: Trojan.Win32.Buzus.abqk 1
E:\RECYCLER\S-1-5-21-1645522239-436374069-725345543-1003\Dc81.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
F:\My Documents\Downloads\Prison.Break.S04E06.HDTV.XviD-LOL.avi Infected: Trojan-Downloader.WMA.GetCodec.m 1
F:\Program Files\Mozilla Firefox\components\iamfamous.dll Infected: Packed.Win32.Tdss.c 1
F:\WINDOWS\Temp\tmp3.tmp Infected: Packed.Win32.Tdss.c 1
F:\WINDOWS\Temp\tmp5A.tmp Infected: Packed.Win32.Tdss.c 1

The selected area was scanned.
Attached Files
File Type: zip kasp.zip (1.2 KB, 2 views)

Last edited by Ried; 04-01-2009 at 05:24 PM.
Old 04-01-2009, 05:30 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,080
OS: WinXP and Vista


Re: Ntoskrnl hook

Hi bealzy,

Empty your Outlook Express Deleted Items folder. To do so:
  • Open Outlook Express
  • Right click on Deleted Items
  • Select 'Empty Deleted Items folder'.
  • Click 'Yes' at the next popup box to successfully empty the Deleted Items folder.

You may want to consider using these settings for your Outlook Express, which will automatically empty the deleted items folder upon exit:

Go to Tools > Options
Under the Maintenance Tab, checkmark the following boxes:

* Empty messages from 'Deleted item' folder on exit
* Purge deleted messages when leaving IMAP folders

============================

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:


http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/360515-ntoskrnl-hook.html#post2055689

Collect::
F:\Program Files\Mozilla Firefox\components\iamfamous.dll

File::
C:\Documents and Settings\Paul Beales\My Documents\Downloads\Prisonbreak\Prison.Break.S04E06.HDTV.XviD-LOL.avi
E:\Documents and Settings\Paul Beales\Local Settings\Temporary Internet Files\Content.IE5\SFJ111K9\XviD.Codec.Update.v2_3181[1].exe
F:\My Documents\Downloads\Prison.Break.S04E06.HDTV.XviD-LOL.avi
F:\WINDOWS\Temp\tmp3.tmp
F:\WINDOWS\Temp\tmp5A.tmp
E:\RECYCLER\S-1-5-21-1645522239-436374069-725345543-1003\Dc12.bak
E:\RECYCLER\S-1-5-21-1645522239-436374069-725345543-1003\Dc81.bak

Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
Please return with the C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-02-2009, 04:51 AM   #10 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 7
OS: windows xp


Re: Ntoskrnl hook

Hi Ried

Have completed this as asked.

ComboFix 09-04-01.01 - Paul Beales 2009-04-02 11:52:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1336 [GMT 1:00]
Running from: c:\documents and settings\Paul Beales\Desktop\Virus\ComboFix.exe
Command switches used :: c:\documents and settings\Paul Beales\Desktop\Virus\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Paul Beales\My Documents\Downloads\Prisonbreak\Prison.Break.S04E06.HDTV.XviD-LOL.avi
e:\documents and settings\Paul Beales\Local Settings\Temporary Internet Files\Content.IE5\SFJ111K9\XviD.Codec.Update.v2_3181[1].exe
e:\recycler\S-1-5-21-1645522239-436374069-725345543-1003\Dc12.bak
e:\recycler\S-1-5-21-1645522239-436374069-725345543-1003\Dc81.bak
f:\my documents\Downloads\Prison.Break.S04E06.HDTV.XviD-LOL.avi
f:\windows\Temp\tmp3.tmp
f:\windows\Temp\tmp5A.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Paul Beales\My Documents\Downloads\Prisonbreak\Prison.Break.S04E06.HDTV.XviD-LOL.avi
e:\documents and settings\Paul Beales\Local Settings\Temporary Internet Files\Content.IE5\SFJ111K9\XviD.Codec.Update.v2_3181[1].exe
e:\recycler\S-1-5-21-1645522239-436374069-725345543-1003\Dc12.bak
e:\recycler\S-1-5-21-1645522239-436374069-725345543-1003\Dc81.bak
f:\my documents\Downloads\Prison.Break.S04E06.HDTV.XviD-LOL.avi
f:\program files\Mozilla Firefox\components\iamfamous.dll
f:\windows\Temp\tmp3.tmp
f:\windows\Temp\tmp5A.tmp

.
((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-04-01 11:54 . 2009-04-01 11:54 <DIR> d-------- c:\program files\MSECache
2009-03-27 14:17 . 2009-03-27 14:17 <DIR> d-------- c:\documents and settings\Paul Beales\Application Data\Uniblue
2009-03-27 14:02 . 2009-03-27 14:02 <DIR> d-------- c:\program files\PCPitstop
2009-03-27 14:02 . 2009-04-01 21:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCPitstop
2009-03-27 11:07 . 2009-03-28 12:50 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-26 22:51 . 2009-03-27 12:06 <DIR> d-------- c:\program files\XoftSpySE
2009-03-26 19:08 . 2009-03-26 19:08 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-26 17:54 . 2009-03-26 17:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sports Interactive
2009-03-26 17:49 . 2009-03-26 17:49 <DIR> d-------- c:\windows\Logs
2009-03-26 17:47 . 2009-03-26 17:49 <DIR> d--h----- c:\program files\Zero G Registry
2009-03-26 17:47 . 2009-03-26 17:47 <DIR> d-------- c:\program files\Sports Interactive
2009-03-26 17:46 . 2009-03-26 17:46 <DIR> d--h----- c:\documents and settings\Paul Beales\InstallAnywhere
2009-03-26 17:46 . 2009-03-26 17:54 <DIR> d-------- c:\documents and settings\Paul Beales\Application Data\Sports Interactive
2009-03-26 17:39 . 2009-03-26 18:52 <DIR> d-------- c:\program files\PowerISO
2009-03-26 09:44 . 2009-03-26 09:46 1,905 --a------ c:\windows\diagwrn.xml
2009-03-26 09:44 . 2009-03-26 09:46 1,905 --a------ c:\windows\diagerr.xml
2009-03-24 11:28 . 2009-03-24 11:28 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-19 17:39 . 2009-03-26 23:50 <DIR> d-------- C:\QUARANTINE
2009-03-19 14:07 . 2009-03-19 14:07 11 --a------ c:\windows\nextsteps.ini
2009-03-19 14:06 . 2004-05-10 16:54 348,160 -ra------ c:\windows\system32\msvcr71.dll
2009-03-19 14:04 . 2009-01-10 18:34 101,136 --a------ c:\windows\hpdj6800.hi1
2009-03-19 14:04 . 2009-01-10 18:36 23,005 --a------ c:\windows\hpf6800m.hi1
2009-03-19 14:04 . 2009-01-10 18:34 13,667 --a------ c:\windows\hpdj6800.bu1
2009-03-19 14:04 . 2009-01-10 18:36 5,354 --a------ c:\windows\hpf6800m.bu1
2009-03-17 18:36 . 2009-03-17 18:36 <DIR> d-------- c:\program files\Xvid
2009-03-17 18:36 . 2008-12-04 22:42 815,104 --a------ c:\windows\system32\xvidcore.dll
2009-03-17 18:36 . 2008-12-04 22:46 180,224 --a------ c:\windows\system32\xvidvfw.dll
2009-03-17 18:36 . 2008-12-13 21:01 77,824 --a------ c:\windows\system32\xvid.ax
2009-03-17 18:09 . 2009-03-17 18:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2009-03-17 18:05 . 2009-03-17 18:06 <DIR> d-------- c:\program files\ATI Technologies
2009-03-17 18:05 . 2009-02-03 22:05 593,920 --------- c:\windows\system32\ati2sgag.exe
2009-03-17 17:53 . 2009-03-17 17:53 10 --a------ c:\windows\WININIT.INI
2009-03-17 17:49 . 2009-03-17 17:49 <DIR> d-------- c:\program files\PC Wizard 2008
2009-03-17 17:49 . 2007-09-15 16:11 27,136 --a------ c:\windows\system32\PCWizard.cpl
2009-03-17 12:07 . 2009-03-17 12:07 <DIR> d-------- c:\program files\DVD Decrypter
2009-03-15 11:25 . 2009-03-15 11:25 56,268 --a------ c:\windows\system32\drivers\scdemu.sys
2009-03-09 19:33 . 2009-01-09 20:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 08:10 --------- d-----w c:\program files\DYMO Label
2009-03-24 10:28 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-17 16:59 --------- d-----w c:\program files\ASUS
2009-03-17 16:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-17 16:55 --------- d-----w c:\program files\GameFace Messenger
2009-03-10 08:13 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-12 20:09 737,280 ----a-w c:\windows\iun6002.exe
2009-02-12 18:10 --------- d-----w c:\program files\EA SPORTS
2009-02-12 11:20 --------- d-----w c:\documents and settings\Paul Beales\Application Data\VTExtra
2009-02-10 12:31 --------- d-----w c:\documents and settings\Paul Beales\Application Data\Ahead
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-04 22:20 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-02-04 22:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-04 07:27 3,488,768 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-02-04 05:57 11,702,272 ----a-w c:\windows\system32\atioglxx.dll
2009-02-04 05:03 290,816 ----a-w c:\windows\system32\atiok3x2.dll
2009-02-04 04:56 442,368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-02-04 04:55 324,096 ----a-w c:\windows\system32\ati2dvag.dll
2009-02-04 04:44 196,608 ----a-w c:\windows\system32\atipdlxx.dll
2009-02-04 04:44 155,648 ----a-w c:\windows\system32\Oemdspif.dll
2009-02-04 04:43 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2009-02-04 04:43 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-02-04 04:43 155,648 ----a-w c:\windows\system32\ati2evxx.dll
2009-02-04 04:41 602,112 ----a-w c:\windows\system32\ati2evxx.exe
2009-02-04 04:40 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-02-04 04:30 3,884,768 ----a-w c:\windows\system32\ati3duag.dll
2009-02-04 04:14 2,645,504 ----a-w c:\windows\system32\ativvaxx.dll
2009-02-04 03:58 49,664 ----a-w c:\windows\system32\amdpcom32.dll
2009-02-04 03:54 471,040 ----a-w c:\windows\system32\atikvmag.dll
2009-02-04 03:53 122,880 ----a-w c:\windows\system32\atiadlxx.dll
2009-02-04 03:52 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-02-04 03:52 17,408 ----a-w c:\windows\system32\atitvo32.dll
2009-02-04 03:46 626,688 ----a-w c:\windows\system32\ati2cqag.dll
2009-02-04 03:44 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2009-02-04 02:43 45,056 ----a-w c:\windows\system32\aticalrt.dll
2009-02-04 02:42 45,056 ----a-w c:\windows\system32\aticalcl.dll
2009-02-04 02:40 3,244,032 ----a-w c:\windows\system32\aticaldd.dll
2009-01-11 00:44 315,392 ----a-w c:\windows\HideWin.exe
2006-06-23 14:48 32,768 ----a-w c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-27_10.54.26.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-27 13:02:42 276,720 ----a-w c:\windows\Downloaded Program Files\pcpitstopAntiVirus.dll
- 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2006-10-26 19:12:56 396,592 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\MOC.EXE
+ 2007-05-08 10:10:18 16,874,376 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\MSO.DLL
+ 2007-03-21 17:56:50 8,425,856 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OARTCONV.DLL
+ 2006-10-27 14:18:34 1,658,152 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OGL.DLL
+ 2007-05-10 08:04:28 846,248 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OICE.EXE
+ 2007-05-10 09:11:42 1,767,256 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PPCNV.DLL
+ 2007-03-21 18:00:06 72,096 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PXBCOM.EXE
+ 2007-03-21 17:58:40 4,145,520 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12CNV.DLL
+ 2007-03-21 17:58:46 24,416 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12EXE.EXE
+ 2007-05-10 09:25:40 14,677,368 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNV.EXE
+ 2007-08-24 04:00:34 1,767,768 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\PPCNV.DLL
+ 2007-08-24 04:00:48 72,096 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\PXBCOM.EXE
+ 2007-10-02 19:00:06 14,708,760 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\XL12CNV.EXE
+ 2009-04-01 21:48:00 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-04-01 20:15:35 36,864 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\orangemonkey\394b61cc\3ef2fb7\App_Web_cn.master.38f61541.c592idl_.dll
- 2000-08-31 08:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 07:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 08:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 07:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2009-03-19 09:14:31 250,288 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-04-02 09:34:16 269,392 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-02-03 02:15:28 3,771,296 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-02-03 02:15:30 240,544 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-04-01 08:50:15 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2009-02-08 18:10:15 92,694 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-30 20:22:33 93,014 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-08 18:10:15 500,708 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-30 20:22:33 501,346 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-02 09:34:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7dc.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-07-18 1114112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-06-26 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Paul Beales\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2009-01-11 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Paul Beales\\Desktop\\FileZilla.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2009-01-11 38656]
S3 mfefeatk01;McAfee Inc.;\Device\mfefeatk01.sys --> \Device\mfefeatk01.sys [?]
S3 mfefeatk02;McAfee Inc.;\Device\mfefeatk02.sys --> \Device\mfefeatk02.sys [?]
S3 mfefeatk03;McAfee Inc.;\Device\mfefeatk03.sys --> \Device\mfefeatk03.sys [?]
S3 mfefeatk04;McAfee Inc.;\Device\mfefeatk04.sys --> \Device\mfefeatk04.sys [?]
S3 mfefeatk05;McAfee Inc.;\Device\mfefeatk05.sys --> \Device\mfefeatk05.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
FF - ProfilePath - c:\documents and settings\Paul Beales\Application Data\Mozilla\Firefox\Profiles\zflbr7s7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 11:54:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-02 11:55:40
ComboFix-quarantined-files.txt 2009-04-02 10:55:38
ComboFix2.txt 2009-03-31 08:41:28
ComboFix3.txt 2009-03-27 10:55:02

Pre-Run: 435,738,017,792 bytes free
Post-Run: 435,427,303,424 bytes free

248 --- E O F --- 2009-04-01 21:48:00
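The log above is read by hand in this thread, but the items an analyst checks first are mechanical enough to script. The following is an added example, not code from the thread or from ComboFix: a small Python triage pass over the security-relevant sections of a ComboFix log, fed with lines copied from the log posted above (the sample input is constructed from those lines, not a full log). It flags Security Center notification keys set to 1, firewall exceptions for executables in user-writable paths, service/driver entries whose file ComboFix could not find (`[?]`), and DPF (ActiveX download) entries from hosts other than the short trusted list, which is an assumption of this example. Flags mean "look at this", not "infected": managed McAfee installs can legitimately set the DisableNotify keys, and the `mfefeatk` entries are labelled McAfee Inc. in the log itself.

```python
"""Triage the security-relevant sections of a ComboFix log (added example)."""
import re
from urllib.parse import urlparse

# Assumption for this example: DPF downloads from these hosts are not flagged.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Path fragments that mark user-writable locations on Windows XP.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

SECTION_RE = re.compile(r"^\[(.+)\]$")                     # [HKLM\...] registry section header
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')                 # "name"=value inside a section
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")  # R3 name;description;path
DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(\S+)")  # DPF: {CLSID} - url

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Documents and Settings\\Paul Beales\\Desktop\\FileZilla.exe"=

R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2009-01-11 38656]
S3 mfefeatk01;McAfee Inc.;\Device\mfefeatk01.sys --> \Device\mfefeatk01.sys [?]

DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
"""


def triage(log_text):
    """Return a list of {'kind', 'detail'} findings for an analyst to review."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if (section.endswith("security center")
                    and name.lower().endswith("disablenotify")
                    and value.lower() == "dword:00000001"):
                # Security Center will not warn about this component's state.
                findings.append({"kind": "securitycenter_notify_off", "detail": name})
            elif "authorizedapplications" in section:
                # ComboFix doubles backslashes in this section; undo that before matching.
                path = name.replace("\\\\", "\\").lower()
                if any(marker in path for marker in USER_WRITABLE_MARKERS):
                    findings.append({"kind": "firewall_exception_user_path", "detail": path})
            continue
        m = SERVICE_RE.match(line)
        if m:
            if line.endswith("[?]"):  # ComboFix could not locate the service's file
                findings.append({"kind": "service_file_missing", "detail": m.group(2)})
            continue
        m = DPF_RE.match(line)
        if m:
            url = m.group(2).replace("hxxp", "http", 1)  # undo the log's URL defanging
            host = (urlparse(url).hostname or "").lower()
            if not any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES):
                findings.append({"kind": "dpf_third_party", "detail": f"{m.group(1)} {host}"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['kind']:32} {finding['detail']}")
```

On the sample above this yields five review items: both DisableNotify keys, the FileZilla firewall exception on the Desktop, the `mfefeatk01` entry with no file on disk, and the pcpitstop ActiveX download. Each is then judged in context, which is exactly what the analyst did here before calling the logs clean.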
04-02-2009, 05:37 PM   #11
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,080
OS: WinXP and Vista


Re: Ntoskrnl hook

Hi bealzy,

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


Update and scan with your on-board anti-malware and antivirus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Copyright 2001 - 2009, Tech Support Forum