Hello Jimmy!
Here's my new ComboFix log:
ComboFix 08-11-12.01 - Andy xxxxx 2008-11-13 15:37:20.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.717 [GMT -6:00]
Running from: c:\documents and settings\Andy xxxx\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Andy xxxx\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.
2008-11-13 00:40 . 2008-11-13 00:40 <DIR> d-------- C:\fsaua.data
2008-11-13 00:18 . 2008-11-13 00:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-13 00:18 . 2008-10-26 21:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-13 00:18 . 2008-10-26 21:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-12 18:50 . 2008-11-12 18:50 <DIR> d-------- c:\program files\Alwil Software
2008-11-12 18:50 . 2003-03-18 15:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-11-12 17:24 . 2008-11-12 17:24 <DIR> d-------- c:\documents and settings\Andy xxxx\Application Data\Malwarebytes
2008-11-12 17:24 . 2008-11-12 17:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-12 17:22 . 2008-11-12 17:22 <DIR> d-------- c:\program files\ERUNT
2008-11-12 00:45 . 2008-11-12 16:48 1,008 --a------ c:\windows\wininit.ini
2008-11-12 00:19 . 2008-05-01 08:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-10-14 17:04 . 2008-10-14 17:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 23:25 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-12 23:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 01:30 --------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2008-11-11 22:58 --------- d-----w c:\program files\World of Warcraft
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:38 659,456 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-06-04 03:08 36 ----a-w c:\documents and settings\Andy xxxx\klextlock.dat
2003-08-20 12:05 41 ----a-w c:\program files\Setup.Ini
2001-09-25 21:05 1,707,856 ----a-w c:\program files\InstMsiA.Exe
2001-09-12 00:04 1,821,008 ----a-w c:\program files\InstMsiW.Exe
.
((((((((((((((((((((((((((((( snapshot@2008-11-12_22.27.40.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-27 21:59:28 290,816 ----a-w c:\windows\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 21:59:28 495,616 ----a-w c:\windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 22:00:12 262,144 ----a-w c:\windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 21:59:16 588,392 ----a-w c:\windows\Downloaded Program Files\gatelauncher.exe
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\13-11-2008\ERDNT.EXE
+ 2008-11-13 17:38:27 5,373,952 ----a-w c:\windows\ERDNT\AutoBackup\13-11-2008\Users\
00000001\NTUSER.DAT
+ 2008-11-13 17:38:27 12,288 ----a-w c:\windows\ERDNT\AutoBackup\13-11-2008\Users\
00000002\UsrClass.dat
- 2008-11-13 02:15:40 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-13 05:44:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-13 02:15:40 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-13 05:44:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-19 77824]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"CTHelper"="CTHELPER.EXE" [2003-06-08 c:\windows\system32\CTHELPER.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\Andy xxx\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\system32\ctmp3.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.5.1.4449-to-1.6.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.0.4500-to-1.6.1-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.6.1.4544-to-1.7.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-10-31 77312]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER
*Newly Created Service* - FSBL
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2008-11-13 15:38:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-13 15:40:07
ComboFix-quarantined-files.txt 2008-11-13 21:39:56
ComboFix2.txt 2008-11-13 06:05:26
ComboFix3.txt 2008-11-13 05:51:26
ComboFix4.txt 2008-11-13 04:28:03
Pre-Run: 121,375,637,504 bytes free
Post-Run: 121,465,573,376 bytes free
120 --- E O F --- 2008-11-12 22:27:01
And below is my new Hijackthislog:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:32 PM, on 13/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Andy xxxxx\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.ytmnd.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.syma...bin/AvSniff.cabO16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.syma...n/bin/cabsa.cabO16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) -
http://download.divx...owserPlugin.cabO16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) -
http://support.f-sec...m/ols/fscax.cabO23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
--
End of file - 4302 bytes
Edited by Nortt, 13 November 2008 - 03:45 PM.