Malwarebytes

Please Help! MWB, Hijack This and ComboFix won't run..

29 replies to this topic

#1
SIR CHEECH

Hi,

I really appreciate any help or guidance you might be able to give me in regards to my infected computer. I cannot get MWB to run or update, nor will Hijack This or ComboFix run.

The initial clue that my computer was infected was that Google links were not opening properly in new windows, in addition to strange music playing in the background. I did find a process running called a.exe; when I stopped that process the music stopped. I then did a Windows search for a.exe and found nothing, so I tried a search with hidden files and found it in the system folder somewhere. I trashed a.exe, so the music has stopped, but the Google linking problem persists. Upon reflection this may not have been the best course of action (I'll let you be the judge), but it seemed like a good idea at the time since the anti-virus and spyware programs I had at the time weren't doing the trick. I was using AVG Free and Spybot. Both have been removed to the best of my ability (uninstalled); I don't see their processes anymore in the task manager.

I have installed Avira AntiVir Personal and was able to update that and do a scan. Several rootkits were found; however, the Google linking problem persists and I am still unable to run MWB, Hijack This or ComboFix. Windows Defender also won't update and crashes on launch. So from what I have read in other people's posts, it seems like I am still infected, and I could really use some expert advice!

I have run DDS and Gmer and have logs from both of those which I will paste and/or attach below. I have also run RootRepeal to see if there were any CLB Rootkits (which there weren't). Many thanks in advance!!


-Matt

DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86
Run by Matt at 8:48:26.50 on Tue 08/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1367 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TiVo\Desktop\TranscodingService.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TranscodingService] "c:\program files\tivo\desktop\TranscodingService.exe" /auto
uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [WD_SRT] "c:\program files\western digital technologies\wd win98 se usb disk driver, v1.00.09\WD_SRT.EXE"
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\perstray.lnk - c:\program files\persono\perstray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: {54817278-1DFB-452A-A80D-FFC599070349} = 192.168.0.1,192.168.0.2
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\1vyq02on.default\
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2005-2-10 72192]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-10 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-10 55656]
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;c:\windows\system32\drivers\uacflt.sys [2008-8-10 21276]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2003-10-22 344800]
S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326);c:\program files\google\update\GoogleUpdate.exe [2008-12-18 133104]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]

=============== Created Last 30 ================

2009-08-11 08:46 <DIR> --d----- c:\program files\Trend Micro
2009-08-11 08:41 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-11 08:41 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-11 08:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 10:43 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-10 10:43 <DIR> --d----- c:\program files\Avira
2009-08-10 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-08-10 10:15 <DIR> --d----- c:\docume~1\matt\applic~1\Malwarebytes
2009-08-10 10:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-10 10:06 <DIR> --d----- c:\docume~1\matt\applic~1\Search Settings
2009-08-10 09:58 <DIR> --d----- c:\program files\Search Settings
2009-08-10 09:58 <DIR> --d----- c:\program files\Free Audio Pack
2009-08-09 12:35 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-07 10:39 <DIR> --d----- c:\documents and settings\matt\PrivacIE
2009-08-04 13:00 599,552 -c------ c:\windows\system32\dllcache\crypt32.dll
2009-08-04 13:00 177,664 -c------ c:\windows\system32\dllcache\wintrust.dll
2009-08-04 12:53 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-04 12:52 14,048 -------- c:\windows\system32\spmsg2.dll
2009-08-02 20:44 <DIR> --d----- c:\windows\system32\AGEIA
2009-08-02 20:44 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-02 20:30 <DIR> --d----- c:\program files\Codemasters
2009-08-02 18:40 <DIR> --d----- c:\docume~1\matt\applic~1\ArtificialStudios
2009-08-01 10:21 <DIR> --d----- c:\program files\iPod
2009-08-01 10:21 <DIR> --d----- c:\program files\iTunes
2009-08-01 10:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-23 19:57 41,872 a------- c:\windows\system32\xfcodec.dll
2009-07-12 20:13 <DIR> --d----- c:\program files\VideoLAN
2009-07-12 18:04 <DIR> --d----- c:\program files\VideoReDoTVSuite
2009-07-12 18:04 <DIR> --d----- c:\docume~1\matt\applic~1\VideoReDo-TVSuite
2009-07-12 16:11 <DIR> --d----- c:\program files\common files\TivoDecode

==================== Find3M ====================

2009-07-03 11:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 08:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 08:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 13:09 1,291,264 a------- c:\windows\system32\quartz.dll
2008-08-29 15:01 422,344 a------- c:\program files\setuplog.txt

============= FINISH: 8:48:48.59 ===============

#2
SIR CHEECH

I have waited more than 48 hrs without a reply to my issue. It seems like the helpers here are very busy; I would still very much appreciate any help you can give.

many thanks!!

#3
SpySentinel

Hi SIR CHEECH,

Sorry for the delay, we have been very busy this last month in the Malware Forum.



You have a new variant of a nasty infection. This new variant blocks security programs from running.


Please download ComboFix from
Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
Matt Russo
Social Media Specialist

#4
SIR CHEECH

SpySentinel, Hello!

Thanks so much for the reply, it is much appreciated. I followed your instructions to the letter. Unfortunately, ComboFix doesn't seem to be running. The green progress bar shows, completes and then the program seems to shut down; no windows appear of any kind.

Are there any alternative measures we could take? I'd rather not reinstall if at all possible.

Thanks again for your assistance!

#5
SpySentinel

@SIR CHEECH

No worries, we will try to fix the issue without a reformat :(

Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:


@everyone else

Everyone else, please do not post to someone's HJT thread. Please read Groups authorized to help with HJT logs.

#6
SIR CHEECH

Thanks for the continued support SpySentinel, please see the Win32kDiag.exe log below.
Hope this helps!



Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 18:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\scecli.dll

[1] 2004-08-04 06:00:00 180224 C:\WINDOWS\$NtServicePackUninstall$\scecli.dll (Microsoft Corporation)
[1] 2008-04-13 18:12:05 181248 C:\WINDOWS\ServicePackFiles\i386\scecli.dll (Microsoft Corporation)
[1] 2008-04-13 18:12:05 60928 C:\WINDOWS\system32\scecli.dll ()
[2] 2008-04-13 18:12:05 181248 C:\WINDOWS\system32\sceclt.dll (Microsoft Corporation)

Finished!

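One way to automate the read-through a helper does on a Win32kDiag report like the one above. This is an added example, not code from the thread or from the Win32kDiag tool: the log text is copied from the post above, while the heuristics and function names are my own. It groups every listed copy of a file by name, treats the ServicePackFiles, $NtServicePackUninstall$ and dllcache copies as the known-good baseline, and flags a live system32 file whose size or version information no longer matches them, that is locked to the Windows API, or that has a near-identical twin in the same directory carrying the baseline's size.

```python
"""Heuristic review of a Win32kDiag report (added example, not the tool's code)."""
import re
from collections import defaultdict

# Excerpt of the Win32kDiag output posted above in this thread.
WIN32KDIAG_LOG = r"""
Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 18:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\scecli.dll

[1] 2004-08-04 06:00:00 180224 C:\WINDOWS\$NtServicePackUninstall$\scecli.dll (Microsoft Corporation)
[1] 2008-04-13 18:12:05 181248 C:\WINDOWS\ServicePackFiles\i386\scecli.dll (Microsoft Corporation)
[1] 2008-04-13 18:12:05 60928 C:\WINDOWS\system32\scecli.dll ()
[2] 2008-04-13 18:12:05 181248 C:\WINDOWS\system32\sceclt.dll (Microsoft Corporation)

Finished!
"""

# "[n] date time size path (company)" -- the company field is empty when the
# file carries no version information.
ENTRY_RE = re.compile(
    r"^\[(?P<group>\d+)\] (?P<date>\S+) (?P<time>\S+) (?P<size>\d+) "
    r"(?P<path>.+?) \((?P<company>.*)\)$"
)
LOCKED_RE = re.compile(r"^Cannot access: (?P<path>.+)$")

# Directories where Windows keeps pristine copies of system files.
BACKUP_DIRS = ("servicepackfiles", "$ntservicepackuninstall$", "dllcache")


def parse_report(text):
    """Return (locked_paths, entries); each entry is a dict with path parts split out."""
    locked, entries = set(), []
    for line in text.splitlines():
        line = line.strip()
        m = LOCKED_RE.match(line)
        if m:
            locked.add(m.group("path").lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["dir"], _, e["name"] = e["path"].rpartition("\\")
            entries.append(e)
    return locked, entries


def is_backup(entry):
    return any(b in entry["dir"].lower() for b in BACKUP_DIRS)


def one_char_diff(a, b):
    """True when two equal-length names differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def find_findings(text):
    """Return a list of (file name, reason) pairs worth a second look."""
    locked, entries = parse_report(text)
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"].lower()].append(e)

    findings = []
    for name, copies in by_name.items():
        live = [e for e in copies if not is_backup(e)]
        backups = [e for e in copies if is_backup(e)]
        for e in live:
            if e["path"].lower() in locked:
                findings.append((e["name"], "locked to the Windows API"))
            if not backups:
                continue  # nothing to compare against
            backup_sizes = {b["size"] for b in backups}
            if e["size"] not in backup_sizes:
                findings.append((e["name"], f"size {e['size']} differs from backup copies {sorted(backup_sizes)}"))
            if not e["company"] and any(b["company"] for b in backups):
                findings.append((e["name"], "version info stripped (backup copies name a company)"))
            # A same-directory file whose name differs by one character and whose
            # size equals a backup copy looks like the original put aside under a new name.
            for other in entries:
                if (other["dir"].lower() == e["dir"].lower()
                        and one_char_diff(other["name"].lower(), name)
                        and other["size"] in backup_sizes):
                    findings.append((e["name"], f"near-identical name {other['name']} in the same directory has a backup copy's size"))
    return findings


if __name__ == "__main__":
    for fname, why in find_findings(WIN32KDIAG_LOG):
        print(f"{fname}: {why}")
```

On the log above this reports MRT.exe only as locked, and scecli.dll on all four counts, with sceclt.dll named as the suspicious twin.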

#7
SpySentinel

You're welcome.



We need to remove rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#8
SIR CHEECH

Awesome, ran the scan and the report is pasted below ,')





ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/18 21:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xF746B000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0x9F976000 Size: 16384 File Visible: No Signed: -
Status: -

Name: dump_viaraid.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_viaraid.sys
Address: 0x9E276000 Size: 73728 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9B883000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0x9E569000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xAC8D1000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\recycler\s-1-5-21-1606980848-1965331169-682003330-1004\info2
Status: Size mismatch (API: 2420, Raw: 1620)

Path: C:\RECYCLER\S-1-5-21-1606980848-1965331169-682003330-1004\Dc3.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\scecli.dll
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "a347bus.sys" at address 0xf75bcaf8

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa5d84466

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "a347bus.sys" at address 0xf75b0b00

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xa5d8445c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xa5d8446b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xa5d84475

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "a347bus.sys" at address 0xf75b1388

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "a347bus.sys" at address 0xf75bcbf0

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xa5d8447a

#: 119 Function Name: NtOpenKey
Status: Hooked by "a347bus.sys" at address 0xf75bca74

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa5d84448

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xa5d8444d

#: 160 Function Name: NtQueryKey
Status: Hooked by "a347bus.sys" at address 0xf75b13a8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "a347bus.sys" at address 0xf75bcb46

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xa5d84484

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xa5d8447f

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "a347bus.sys" at address 0xf75bc390

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xa5d84470

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xa5d84457

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a8219f0 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8a3edbd0 Size: 11

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLOSE]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_READ]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_WRITE]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_EA]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLEANUP]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_POWER]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_PNP]
Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CREATE]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CLOSE]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_READ]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_WRITE]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_EA]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_POWER]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Imagedrv, IRP_MJ_PNP]
Process: System Address: 0x8a0df7c8 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8a26d3b8 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x8a1f4cd0 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a284e18 Size: 11

Object: Hidden Code [Driver: NpfsЅఆ䵃Ψ泰䓰䓰, IRP_MJ_READ]
Process: System Address: 0x8a25d150 Size: 11

Object: Hidden Code [Driver: Msfsȅఈ灐畳ꀈ, IRP_MJ_READ]
Process: System Address: 0x8a26fea8 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x8a270c18 Size: 11

Object: Hidden Code [Driver: Cdfsȅᰅ㍨訧佘佘〈託, IRP_MJ_READ]
Process: System Address: 0x8a4ac5e8 Size: 11

==EOF==
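The striking thing in the GMER output above is not any single line but the pattern: for atapi and Imagedrv, every one of the 28 IRP_MJ dispatch entries is reported as hidden code at one and the same address (0x8a4b5398 and 0x8a0df7c8), while the file-system drivers only show an 11-byte hook on IRP_MJ_READ. The following script is an added example, not part of the original post and not GMER's own code; it parses GMER's two-line "Hidden Code" records and summarises them per driver so that a whole dispatch table redirected to a single address stands out. The function names are mine, and SAMPLE_GMER_LOG is a constructed excerpt in the same format as the posted log (the driver names and addresses mirror it).

```python
"""Triage helper for the 'Hidden Code' records GMER prints (added example)."""
import re
from collections import defaultdict

OBJECT_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_[A-Z_]+)\]"
)
PROCESS_RE = re.compile(
    r"Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)"
)
# GMER sometimes prints stray non-ASCII characters after a driver name (see the
# Npfs/Msfs/Cdfs lines in the log above); keep only the leading ASCII identifier.
NAME_RE = re.compile(r"[A-Za-z0-9_.\-]+")

# Constructed excerpt in GMER's format; not the full log from the thread.
SAMPLE_GMER_LOG = """\
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x8a4b5398 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8a26d3b8 Size: 11

Object: Hidden Code [Driver: Cdfs\u0205\u1c05\u3368, IRP_MJ_READ]
Process: System Address: 0x8a4ac5e8 Size: 11
"""


def clean_driver_name(name):
    m = NAME_RE.match(name)
    return m.group(0) if m else name


def parse_gmer_hidden_code(text):
    """Return one dict per complete 'Object:' / 'Process:' record pair."""
    records = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.search(line)
        if m:
            pending = {"driver": clean_driver_name(m.group("driver")),
                       "irp": m.group("irp")}
            continue
        m = PROCESS_RE.search(line)
        if m and pending is not None:
            pending.update(process=m.group("process"),
                           addr=int(m.group("addr"), 16),
                           size=int(m.group("size")))
            records.append(pending)
            pending = None
    return records


def summarize_by_driver(records):
    """Per driver: which IRP majors are hooked, at which addresses, with which sizes."""
    summary = defaultdict(lambda: {"irps": set(), "addrs": set(), "sizes": set()})
    for r in records:
        s = summary[r["driver"]]
        s["irps"].add(r["irp"])
        s["addrs"].add(r["addr"])
        s["sizes"].add(r["size"])
    return dict(summary)


def flag_single_address_tables(summary, min_irps=2):
    """Drivers whose hooked IRP_MJ entries (at least min_irps of them) all resolve
    to one address: the dispatch table as a whole points at one hidden stub."""
    return sorted(name for name, s in summary.items()
                  if len(s["addrs"]) == 1 and len(s["irps"]) >= min_irps)


def report(text, min_irps=2):
    """Human-readable per-driver summary, last line naming flagged drivers."""
    summary = summarize_by_driver(parse_gmer_hidden_code(text))
    lines = []
    for name in sorted(summary):
        s = summary[name]
        addrs = ", ".join(f"0x{a:08x}" for a in sorted(s["addrs"]))
        lines.append(f"{name}: {len(s['irps'])} IRP_MJ entries at {addrs}, "
                     f"size(s) {sorted(s['sizes'])}")
    flagged = flag_single_address_tables(summary, min_irps)
    lines.append("Whole-table redirection: " + (", ".join(flagged) if flagged else "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GMER_LOG)))
```

Run against the complete log pasted above, the summary collapses the 28-line blocks for atapi and Imagedrv into one line each and lists them as whole-table redirections, while Rdbss, Srv, MRxSmb and the other file-system drivers appear with a single IRP_MJ_READ entry of size 11; that is the view a helper wants before deciding which driver's on-disk file to check.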


#9
SpySentinel

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 1,848 posts
  • Gender:Male
  • Location:The United States
  • Interests:Fighting/Analyzing Malware & Social Media
Step #1

1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

Quote

@echo off
copy C:\WINDOWS\system32\dllcache\scecli.dll c:\scecli.dll
Exit

3. Save the file as "fixes.bat". Make sure to save it with the quotation marks.

4. Double click fixes.bat.




Step #2

We need to execute an Avenger2 script
Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Please download The Avenger2 by SwanDog46.
  • Unzip avenger.exe to your desktop.
  • Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    c:\scecli.dll | C:\WINDOWS\system32\scecli.dll
  • Now start The Avenger2 by double clicking avenger.exe on your desktop.
  • Read the prompt that appears, and press OK.
  • Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  • Press the "Execute" button.
  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.



Step #3

Now try running ComboFix and Malwarebytes, then post the logs here.
Matt Russo
Social Media Specialist

Posted Image

Follow us: Twitter, Become a fan: Facebook
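Steps #1 and #2 replace the scecli.dll in system32 with a backup copy (first from the dllcache folder, later in this thread from ServicePackFiles\i386), on the assumption that the live copy has been patched. The check behind that replacement is a hash comparison of the live file against its backup copies. The script below is an added example for this thread; it is not part of the original post and not what Avenger or ComboFix do internally. To run anywhere, it builds a constructed directory layout in a temporary folder rather than touching a real Windows installation; the folder names, the file contents and the function names are all mine.

```python
"""Compare live system DLLs against their backup copies by hash (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_system_files(system32, backups, names):
    """Hash the live copy of each name and every backup copy that exists.

    backups maps a label ("dllcache", "ServicePackFiles") to a directory.
    Status per file:
      ok            live hash equals the single hash shared by the backups
      patched       backups agree with each other but the live copy differs
      inconclusive  no backup present, or the backups disagree (for example
                    after a hotfix updated system32 and dllcache but not
                    ServicePackFiles)
      missing       no live copy in system32
    """
    results = {}
    for name in names:
        live = Path(system32) / name
        backup_hashes = {
            label: sha256_of(Path(folder) / name)
            for label, folder in backups.items()
            if (Path(folder) / name).is_file()
        }
        if not live.is_file():
            status, live_hash = "missing", None
        else:
            live_hash = sha256_of(live)
            distinct = set(backup_hashes.values())
            if len(distinct) != 1:
                status = "inconclusive"
            elif live_hash in distinct:
                status = "ok"
            else:
                status = "patched"
        results[name] = {"status": status, "live": live_hash, "backups": backup_hashes}
    return results


def build_demo_layout(root):
    """Constructed layout (arbitrary bytes, not real DLLs):
    - scecli.dll: clean in both backups, a modified copy in system32 (this thread's case)
    - kernel32.dll: identical everywhere
    - newdriver.dll: present only in system32, so there is nothing to compare against
    """
    root = Path(root)
    sys32 = root / "system32"
    cache = sys32 / "dllcache"
    spf = root / "ServicePackFiles" / "i386"
    for d in (sys32, cache, spf):
        d.mkdir(parents=True, exist_ok=True)
    clean = b"MZ" + b"\x00" * 62 + b"clean scecli export table"
    (cache / "scecli.dll").write_bytes(clean)
    (spf / "scecli.dll").write_bytes(clean)
    (sys32 / "scecli.dll").write_bytes(clean + b"\x90\x90 modified tail")
    k32 = b"MZ" + b"\x00" * 62 + b"kernel32"
    for d in (sys32, cache, spf):
        (d / "kernel32.dll").write_bytes(k32)
    (sys32 / "newdriver.dll").write_bytes(b"MZ no backup copy")
    return sys32, {"dllcache": cache, "ServicePackFiles": spf}


def demo():
    """Run the check over the constructed layout; returns {name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32, backups = build_demo_layout(tmp)
        names = ["scecli.dll", "kernel32.dll", "newdriver.dll", "absent.dll"]
        results = check_system_files(sys32, backups, names)
        return {name: r["status"] for name, r in results.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

On a real XP machine the same function would be pointed at C:\WINDOWS\system32 with C:\WINDOWS\system32\dllcache and C:\WINDOWS\ServicePackFiles\i386 as the two backups, which are exactly the two source locations used in this thread; a "patched" result is the condition the Avenger file move repairs. Both backups are consulted and required to agree because on a compromised host neither is guaranteed clean, and a disagreement between them is reported as inconclusive rather than patched so that a legitimate hotfix is not mistaken for tampering.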

#10
SIR CHEECH

    New Member

  • Members
  • Pip
  • 15 posts
OK, I followed your instructions; step 1 and step 2 seemed to work fine. I then tried to run ComboFix per your previous instructions in this post; the green progress bar finished and then there was no further activity. I also re-installed Malwarebytes and updated it; unfortunately, it wouldn't run its scan for more than a couple of seconds before closing.

Posted below is the Avenger log; I hope it helps.
I appreciate your assistance :(



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\scecli.dll" not found!
File move operation "c:\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


#11
SpySentinel

Step #1

We need to execute an Avenger2 script
Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Please download The Avenger2 by SwanDog46.
  • Unzip avenger.exe to your desktop.
  • Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\ServicePackFiles\i386\scecli.dll | C:\WINDOWS\system32\scecli.dll
  • Now start The Avenger2 by double clicking avenger.exe on your desktop.
  • Read the prompt that appears, and press OK.
  • Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  • Press the "Execute" button.
  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.



Step #2

Now try running ComboFix and Malwarebytes, then post the logs here.

#12
SIR CHEECH

Great work SpySentinel! The Avenger script ran and rebooted the machine twice, after which I got a log (see below).

I attempted to run ComboFix per your previous instructions in this thread. This time the green progress bar ran and I got a message window that stated "You cannot rename ComboFix as Combo-Fix Please use another name, preferbaly made up of alphanumeric characters". It had an OK box, and that's as far as I could get with ComboFix.

I reinstalled Malwarebytes and updated it. IT RAN!!! I did a Quick Scan; results posted below. I still have the dialog window open just in case, so let me know if it's OK to remove the threats :(

btw YOU ARE AWESOME!!


AVENGER LOG


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\scecli.dll|C:\WINDOWS\system32\scecli.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Error: Script file not found!
Could not open script file! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Abort!







MBAM LOG

Malwarebytes' Anti-Malware 1.40
Database version: 2657
Windows 5.1.2600 Service Pack 3

8/19/2009 10:51:32 AM
mbam-log.txt

Scan type: Quick Scan
Objects scanned: 99939
Time elapsed: 9 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.



#13
SpySentinel

Thanks SIR CHEECH, glad to hear it worked. This is a new nasty infection.


Please run Malwarebytes again; this time, when it shows the items it found, please choose to remove them.

Then run ComboFix again and post both logs.

#14
SIR CHEECH

I ran MBAM again and removed the threats (log posted below).

ComboFix is still giving me the same error: "You cannot rename ComboFix as Combo-Fix Please use another name, preferbaly made up of alphanumeric characters"



MBAM Log

Malwarebytes' Anti-Malware 1.40
Database version: 2657
Windows 5.1.2600 Service Pack 3

8/19/2009 11:10:43 AM
mbam-log-2009-08-19 (11-10-43).txt

Scan type: Quick Scan
Objects scanned: 99939
Time elapsed: 9 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


#15
SpySentinel

Go ahead and rename ComboFix to 101969MB and then try running it again.

#16
SIR CHEECH

101969MB got the same results, even though I downloaded the file and saved it with that name. On a lark, I deleted that and tried running the program with its standard name ComboFix.exe, and for some reason it worked. Log posted below.




ComboFix Log

ComboFix 09-08-18.04 - Matt 08/19/2009 12:01.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1524 [GMT -6:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Settings
c:\program files\Search Settings\kb128\SearchSettings.dll
c:\program files\Search Settings\kb128\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\Installer\180c480.msi
c:\windows\system32\skinboxer43.dll
H:\Autorun.inf

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_uacFlt
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_uacFlt


((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 16:41 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 16:41 . 2009-08-19 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 16:41 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-19 16:36 . 2009-08-19 16:36 -------- d-s---w- C:\Combo-Fix
2009-08-17 23:03 . 2009-08-17 23:06 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-12 19:33 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 14:46 . 2009-08-11 14:46 -------- d-----w- c:\program files\Trend Micro
2009-08-10 16:43 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-10 16:43 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-10 16:43 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-10 16:43 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\program files\Avira
2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes
2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:06 . 2009-08-10 16:06 -------- d-----w- c:\documents and settings\Matt\Application Data\Search Settings
2009-08-07 18:17 . 2009-08-07 18:17 -------- d-----w- c:\program files\Windows Defender
2009-08-07 16:39 . 2009-08-07 16:39 -------- d-sh--w- c:\documents and settings\Matt\PrivacIE
2009-08-07 16:02 . 2009-08-07 16:02 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\WMTools Downloaded Files
2009-08-04 19:00 . 2008-11-13 14:18 599552 -c----w- c:\windows\system32\dllcache\crypt32.dll
2009-08-04 19:00 . 2008-11-13 14:18 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2009-08-04 18:57 . 2009-08-04 18:57 -------- d-----w- c:\program files\MSBuild
2009-08-04 18:53 . 2009-08-08 21:44 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-04 18:52 . 2009-08-04 18:52 -------- d-----w- c:\program files\Reference Assemblies
2009-08-04 18:52 . 2006-06-29 19:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\windows\system32\AGEIA
2009-08-03 02:44 . 2009-08-03 02:45 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\program files\Codemasters
2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\My Games
2009-08-03 00:40 . 2009-08-03 00:40 -------- d-----w- c:\documents and settings\Matt\Application Data\ArtificialStudios
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iPod
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iTunes
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-01 16:16 . 2009-08-01 16:16 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-01 15:59 . 2009-08-01 15:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-24 01:57 . 2009-07-24 01:57 41872 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 17:44 . 2007-08-02 01:21 -------- d-----w- c:\documents and settings\Matt\Application Data\U3
2009-08-19 05:10 . 2008-08-29 02:37 -------- d-----w- c:\program files\Steam
2009-08-16 16:41 . 2009-07-13 00:04 -------- d-----w- c:\documents and settings\Matt\Application Data\VideoReDo-TVSuite
2009-08-16 16:38 . 2009-07-13 00:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-11 06:12 . 2008-08-11 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-10 16:01 . 2007-08-02 01:22 30944 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 15:58 . 2009-08-10 15:58 -------- d-----w- c:\program files\Free Audio Pack
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:42 . 2008-08-11 15:59 -------- d-----w- c:\documents and settings\Matt\Application Data\Xfire
2009-08-01 17:52 . 2008-08-11 04:00 -------- d-----w- c:\documents and settings\Matt\Application Data\Apple Computer
2009-08-01 16:20 . 2008-08-11 03:59 -------- d-----w- c:\program files\Bonjour
2009-07-30 17:31 . 2008-08-11 15:59 -------- d-----w- c:\program files\Xfire
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 05:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 04:44 . 2008-08-11 03:59 -------- d-----w- c:\program files\QuickTime
2009-07-13 04:43 . 2009-07-13 04:43 -------- d-----w- c:\program files\Apple Software Update
2009-07-13 02:13 . 2009-07-13 02:13 -------- d-----w- c:\program files\VideoLAN
2009-07-13 00:04 . 2009-07-13 00:04 -------- d-----w- c:\program files\VideoReDoTVSuite
2009-07-12 22:11 . 2009-07-12 22:11 -------- d-----w- c:\program files\Common Files\TivoDecode
2009-07-12 04:36 . 2009-07-12 04:36 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\TiVo
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\Common Files\TiVo Shared
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo
2009-06-26 21:09 . 2009-06-11 21:57 -------- d-----w- c:\program files\Common Files\BioWare
2009-06-22 16:34 . 2009-06-22 16:22 -------- d-----w- c:\documents and settings\Matt\Application Data\Winamp
2009-06-22 16:24 . 2009-06-22 16:22 -------- d-----w- c:\program files\Winamp
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 15:19 . 2008-08-11 02:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-08-29 21:01 . 2008-08-29 21:01 422344 ----a-w- c:\program files\setuplog.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD_SRT"="c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-02-20 364544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Perstray.lnk - c:\program files\PerSono\perstray.exe [2008-8-10 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fear2\\FEAR2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Codemasters\\Turning Point - Fall of Liberty\\Binaries\\LTCG-TPGame.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25708:TCP"= 25708:TCP:bitlord
"6112:TCP"= 6112:TCP:Wc3 1
"25777:UDP"= 25777:UDP:xfire 2

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2/10/2005 5:10 AM 72192]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/10/2009 10:43 AM 108289]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [10/22/2003 3:27 PM 344800]
S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2008 9:16 PM 133104]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: {54817278-1DFB-452A-A80D-FFC599070349} = 192.168.0.1,192.168.0.2
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\1vyq02on.default\
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 12:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C398E5-2FDF-0CE0-24E6-811B0B5EAD93}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaflkafljneokgehao"=hex:6a,61,70,67,67,62,6b,69,70,6e,63,68,6c,61,6c,68,68,6a,
67,66,00,00
"hallaokbaoiaomcl"=hex:69,61,70,67,67,62,61,6b,61,65,62,6a,6d,62,66,67,62,68,
00,92
"hajmkmcadhglonnd"=hex:6b,61,6f,6c,69,64,67,70,6a,66,67,62,6f,6c,70,67,61,6d,
6a,64,6f,6e,00,00
"hajmkmcaigjmpfpd"=hex:6e,62,6f,69,6c,6f,65,6a,6c,6a,6a,6d,70,62,70,6a,6d,6e,
63,6d,70,62,61,70,62,62,67,70,65,6f,61,67,68,65,6b,6d,6b,6f,69,65,68,6b,6a,\

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e5,55,b0,4c,76,26,db,e6,b6,eb,69,4a,cf,1a,8d,f2,a2,14,1d,b1,79,f6,4b,
e6,4f,8c,38,4e,76,83,f4,72,58,3e,e6,7f,57,1f,09,47,9b,65,f7,ca,5d,4b,7c,79,\
"??"=hex:b5,51,b7,44,0f,48,fc,32,4e,b4,82,86,df,98,4b,0d

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:af,87,86,9f,fc,64,8e,49,79,eb,b9,af,e9,33,d1,8c,76,47,d7,3f,a9,
61,a6,ab,9c,58,96,37,f4,3e,84,9a,66,2d,b4,8e,01,2e,f5,d8,e1,c9,ae,e0,24,c8,\
"rkeysecu"=hex:a6,36,bf,64,e9,71,41,85,d1,17,78,a9,4e,26,fa,5c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2628)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-19 12:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 18:10

Pre-Run: 31,765,762,048 bytes free
Post-Run: 33,552,453,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

306 --- E O F --- 2009-08-19 16:20





#17
SpySentinel

    Forum Deity

  • Experts
  • 1,848 posts
  • Gender:Male
  • Location:The United States
  • Interests:Fighting/Analyzing Malware & Social Media
Glad to see it worked.



1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

RegNull:
[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C398E5-2FDF-0CE0-24E6-811B0B5EAD93}*]

Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Matt Russo
Social Media Specialist


#18
SIR CHEECH

    New Member

  • Members
  • 15 posts
This really is a nasty bugger, thanks for sticking with me. Log posted below.



ComboFix 09-08-18.04 - Matt 08/19/2009 14:56.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1606 [GMT -6:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 16:41 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 16:41 . 2009-08-19 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 16:41 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-19 16:36 . 2009-08-19 16:36 -------- d-s---w- C:\Combo-Fix
2009-08-17 23:03 . 2009-08-17 23:06 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-12 19:33 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 14:46 . 2009-08-11 14:46 -------- d-----w- c:\program files\Trend Micro
2009-08-10 16:43 . 2009-07-28 22:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-10 16:43 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-10 16:43 . 2009-02-13 18:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-10 16:43 . 2009-02-13 18:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\program files\Avira
2009-08-10 16:43 . 2009-08-10 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\Matt\Application Data\Malwarebytes
2009-08-10 16:15 . 2009-08-10 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:06 . 2009-08-10 16:06 -------- d-----w- c:\documents and settings\Matt\Application Data\Search Settings
2009-08-07 18:17 . 2009-08-07 18:17 -------- d-----w- c:\program files\Windows Defender
2009-08-07 16:39 . 2009-08-07 16:39 -------- d-sh--w- c:\documents and settings\Matt\PrivacIE
2009-08-07 16:02 . 2009-08-07 16:02 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\WMTools Downloaded Files
2009-08-04 19:00 . 2008-11-13 14:18 599552 -c----w- c:\windows\system32\dllcache\crypt32.dll
2009-08-04 19:00 . 2008-11-13 14:18 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2009-08-04 18:57 . 2009-08-04 18:57 -------- d-----w- c:\program files\MSBuild
2009-08-04 18:53 . 2009-08-08 21:44 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-04 18:52 . 2009-08-04 18:52 -------- d-----w- c:\program files\Reference Assemblies
2009-08-04 18:52 . 2006-06-29 19:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\windows\system32\AGEIA
2009-08-03 02:44 . 2009-08-03 02:45 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-03 02:44 . 2009-08-03 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\program files\Codemasters
2009-08-03 02:30 . 2009-08-03 02:30 -------- d-----w- c:\documents and settings\Matt\Local Settings\Application Data\My Games
2009-08-03 00:40 . 2009-08-03 00:40 -------- d-----w- c:\documents and settings\Matt\Application Data\ArtificialStudios
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iPod
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\program files\iTunes
2009-08-01 16:21 . 2009-08-01 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-01 16:16 . 2009-08-01 16:16 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-01 15:59 . 2009-08-01 15:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-24 01:57 . 2009-07-24 01:57 41872 ----a-w- c:\windows\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 20:34 . 2008-08-29 02:37 -------- d-----w- c:\program files\Steam
2009-08-19 17:44 . 2007-08-02 01:21 -------- d-----w- c:\documents and settings\Matt\Application Data\U3
2009-08-16 16:41 . 2009-07-13 00:04 -------- d-----w- c:\documents and settings\Matt\Application Data\VideoReDo-TVSuite
2009-08-16 16:38 . 2009-07-13 00:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-11 06:12 . 2008-08-11 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-10 16:01 . 2007-08-02 01:22 30944 ----a-w- c:\documents and settings\Matt\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 15:58 . 2009-08-10 15:58 -------- d-----w- c:\program files\Free Audio Pack
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:42 . 2008-08-11 15:59 -------- d-----w- c:\documents and settings\Matt\Application Data\Xfire
2009-08-01 17:52 . 2008-08-11 04:00 -------- d-----w- c:\documents and settings\Matt\Application Data\Apple Computer
2009-08-01 16:20 . 2008-08-11 03:59 -------- d-----w- c:\program files\Bonjour
2009-07-30 17:31 . 2008-08-11 15:59 -------- d-----w- c:\program files\Xfire
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 05:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 04:44 . 2008-08-11 03:59 -------- d-----w- c:\program files\QuickTime
2009-07-13 04:43 . 2009-07-13 04:43 -------- d-----w- c:\program files\Apple Software Update
2009-07-13 02:13 . 2009-07-13 02:13 -------- d-----w- c:\program files\VideoLAN
2009-07-13 00:04 . 2009-07-13 00:04 -------- d-----w- c:\program files\VideoReDoTVSuite
2009-07-12 22:11 . 2009-07-12 22:11 -------- d-----w- c:\program files\Common Files\TivoDecode
2009-07-12 04:36 . 2009-07-12 04:36 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\TiVo
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\program files\Common Files\TiVo Shared
2009-06-29 15:14 . 2009-06-29 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\TiVo
2009-06-26 21:09 . 2009-06-11 21:57 -------- d-----w- c:\program files\Common Files\BioWare
2009-06-22 16:34 . 2009-06-22 16:22 -------- d-----w- c:\documents and settings\Matt\Application Data\Winamp
2009-06-22 16:24 . 2009-06-22 16:22 -------- d-----w- c:\program files\Winamp
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 15:19 . 2008-08-11 02:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-08-29 21:01 . 2008-08-29 21:01 422344 ----a-w- c:\program files\setuplog.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD_SRT"="c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-02-20 364544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Perstray.lnk - c:\program files\PerSono\perstray.exe [2008-8-10 32768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\steamapps\\gumachi\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fear2\\FEAR2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Codemasters\\Turning Point - Fall of Liberty\\Binaries\\LTCG-TPGame.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25708:TCP"= 25708:TCP:bitlord
"6112:TCP"= 6112:TCP:Wc3 1
"25777:UDP"= 25777:UDP:xfire 2

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2/10/2005 5:10 AM 72192]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/10/2009 10:43 AM 108289]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [10/22/2003 3:27 PM 344800]
S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2008 9:16 PM 133104]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys --> c:\windows\system32\DRIVERS\motport.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-19 04:48]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: {54817278-1DFB-452A-A80D-FFC599070349} = 192.168.0.1,192.168.0.2
FF - ProfilePath - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\1vyq02on.default\
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 15:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{82C398E5-2FDF-0CE0-24E6-811B0B5EAD93}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaflkafljneokgehao"=hex:6a,61,70,67,67,62,6b,69,70,6e,63,68,6c,61,6c,68,68,6a,
67,66,00,00
"hallaokbaoiaomcl"=hex:69,61,70,67,67,62,61,6b,61,65,62,6a,6d,62,66,67,62,68,
00,92
"hajmkmcadhglonnd"=hex:6b,61,6f,6c,69,64,67,70,6a,66,67,62,6f,6c,70,67,61,6d,
6a,64,6f,6e,00,00
"hajmkmcaigjmpfpd"=hex:6e,62,6f,69,6c,6f,65,6a,6c,6a,6a,6d,70,62,70,6a,6d,6e,
63,6d,70,62,61,70,62,62,67,70,65,6f,61,67,68,65,6b,6d,6b,6f,69,65,68,6b,6a,\

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e5,55,b0,4c,76,26,db,e6,b6,eb,69,4a,cf,1a,8d,f2,a2,14,1d,b1,79,f6,4b,
e6,4f,8c,38,4e,76,83,f4,72,58,3e,e6,7f,57,1f,09,47,9b,65,f7,ca,5d,4b,7c,79,\
"??"=hex:b5,51,b7,44,0f,48,fc,32,4e,b4,82,86,df,98,4b,0d

[HKEY_USERS\S-1-5-21-1606980848-1965331169-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:af,87,86,9f,fc,64,8e,49,79,eb,b9,af,e9,33,d1,8c,76,47,d7,3f,a9,
61,a6,ab,9c,58,96,37,f4,3e,84,9a,66,2d,b4,8e,01,2e,f5,d8,e1,c9,ae,e0,24,c8,\
"rkeysecu"=hex:a6,36,bf,64,e9,71,41,85,d1,17,78,a9,4e,26,fa,5c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3336)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-19 15:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 21:05
ComboFix2.txt 2009-08-19 18:10

Pre-Run: 33,569,591,296 bytes free
Post-Run: 33,510,805,504 bytes free

286 --- E O F --- 2009-08-19 16:20


#19
SpySentinel

    Forum Deity

  • Experts
  • 1,848 posts
  • Gender:Male
  • Location:The United States
  • Interests:Fighting/Analyzing Malware & Social Media
Yes, it is very nasty and new, so we are just getting the hang of how to remove it.



Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
You can refer to this animation by neomage if needed.

#20
SIR CHEECH

    New Member

  • Members
  • 15 posts
I ran the ESET online scan. Avira had many (10-12) TR/Rootkit.gen hits while the scan was running. I selected all instances to be quarantined. See ESET log below.




C:\System Volume Information\_restore{2B027C32-D295-4680-B4D6-A82A09E204D4}\RP448\A0084903.dll a variant of Win32/Kryptik.YQ trojan cleaned by deleting - quarantined
