Braviax.exe and cru629.dat and etc keep coming back [Solved]



#1
jjplan (Member, 28 posts)
Hello!

I am new here. What a great job you do!
My PC had a series of malware infections a few days ago.
I tried running many anti-malware programs and also tried to remove the malware manually. They are removed once, but after a reboot they come back.

braviax.exe
cru629.dat
beep.sys
figaro.sys
BN*.tmp

And sometimes a "PC AntiSpyware 2010" folder is created.

The IE home page has been changed to google.com.

Kaspersky, Trend Micro, Spybot, and some other anti-virus programs could be installed, but they never ran. SpywareDoctor did run, found malware and removed it, but could not solve the problem.

Before I started, I had disabled the System Restore option. But now when I re-enable this option (to be exact, I tick the option and click OK or Apply), the PC crashes at once with a blue screen, as if malware were preventing me from doing this.

Then I followed fenzodahl512's advice in another post about a very similar problem:
http://www.geekstogo...ck-t248654.html

After the first reboot following Malwarebytes' Anti-Malware's run, all the malware it found was gone. After the second reboot, only some of the malware came back, and the original Windows Update icon was still in the system tray. After the third reboot, all the malware came back and the icon in the system tray became the red-X icon again... :)

It would be very kind of you to suggest a way to recover my PC.
Thank you :)


#2
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hi

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#3
jjplan (Topic Starter, 28 posts)
No1 of 4
=========

Malwarebytes' Anti-Malware 1.40
Database version: 2623
Windows 5.1.2600 Service Pack 2

2009/08/15 11:16:36
mbam-log-2009-08-15 (11-16-35).txt

Scan type: Full Scan (D:\|)
Objects scanned: 140131
Time elapsed: 43 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\dllcache\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\dllcache\figaro.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
D:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\Temp\BN5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
D:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#4
jjplan (Topic Starter)
Thank you very much, Rorschach112!
I will try your method first. ;-)

#5
Rorschach112 (Retired Staff)
okie dokie

#6
jjplan (Topic Starter)
Hi!

When the DOS window opens and says "prepare...", the PC crashes :) with a blue screen saying:

IRQL_NOT_LESS_OR_EQUAL

stop: 0x000000A (0x00000000, 0x00000002, 0x00000000, 0x804DC244)

This is the same as when I tried to enable the System Restore option (as mentioned in my first post). Does ComboFix include a function that changes the status of the System Restore option?

Thank you for your kind attention. :)
jjplan

#7
Rorschach112 (Retired Staff)
can you try it in safe mode

#8
jjplan (Topic Starter)
Yep!!!!!
It is running now.
When it produces a result, I will post again.
Maybe 10 min or more ;-)

jjplan

#9
jjplan (Topic Starter)
Hi, Rorschach112!

Thanks for your advice, but the malware is still re-written after ComboFix's run. It seemed to have removed the malware successfully at the first reboot, but at the second reboot it was alive again, exactly the same as before. :)

Do you need the logs of
1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. GMER result
?

Sogo

#10
Rorschach112 (Retired Staff)
I just need the CF log

#11
jjplan (Topic Starter)
G'morning, Rorschach112!

Last night I found that the System Restore disable option had been unticked by CF's first run in safe mode. Then I tried CF again in normal mode under the same conditions, but the result was the same again...

Thank you for spending your personal time to help me. :)

jjplan (Sogo)

============================(ComboFix Log)=============================

ComboFix 09-08-10.06 - Administrator 2009/08/15 22:00.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1023.708 [GMT 9:00]
Running from: d:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
d:\windows\braviax.exe
d:\windows\cru629.dat
d:\windows\system32\braviax.exe
d:\windows\system32\cru629.dat
d:\windows\system32\dllcache\figaro.sys

d:\windows\system32\drivers\beep.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
.

2009-08-14 15:16 . 2009-08-15 13:06 -------- d-----w- d:\windows\temp01
2009-08-14 14:35 . 2009-08-14 14:35 3584 ----a-w- d:\windows\system32\drivers\eaknqt17o62.sys
2009-08-14 14:33 . 2009-08-14 14:33 19691 ----a-w- d:\windows\egupuq.reg
2009-08-14 14:33 . 2009-08-14 14:33 18102 ----a-w- d:\windows\tiwecelivu.reg
2009-08-14 14:33 . 2009-08-14 14:33 17578 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\yzowixyrum.sys
2009-08-14 14:33 . 2009-08-14 14:33 16183 ----a-w- d:\program files\Common Files\lely.dll
2009-08-14 14:33 . 2009-08-14 14:33 14791 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\tuzecakyg.reg
2009-08-14 14:33 . 2009-08-14 14:33 13630 ----a-w- d:\windows\icuwic.dat
2009-08-14 14:33 . 2009-08-14 14:33 12711 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\egaz.sys
2009-08-14 14:33 . 2009-08-14 14:33 12327 ----a-w- d:\program files\Common Files\kufynatin.dat
2009-08-14 14:33 . 2009-08-14 14:33 11908 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\ufivahyda.reg
2009-08-14 14:08 . 2009-08-14 14:08 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-14 14:08 . 2009-08-03 04:36 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 14:08 . 2009-08-14 14:08 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-14 14:08 . 2009-08-14 14:09 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-08-14 14:08 . 2009-08-03 04:36 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-08-14 12:45 . 2009-08-14 12:45 -------- d-----w- d:\program files\Safer Networking
2009-08-13 17:22 . 2009-08-13 17:22 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-08-13 17:12 . 2009-08-13 17:12 -------- d-----w- d:\documents and settings\All Users\Application Data\ESET
2009-08-13 13:50 . 2009-08-14 13:46 -------- d-----w- d:\program files\Spyware Doctor
2009-08-03 10:11 . 2009-08-03 10:11 -------- d-----w- d:\windows\system32\Quarantine
2009-07-22 05:12 . 2009-07-22 05:12 -------- d-----w- d:\program files\MELCO INC
2009-07-21 16:00 . 2009-07-21 16:01 -------- d-----w- d:\program files\Madonote
2009-07-21 01:41 . 2009-07-21 01:41 -------- d-----w- d:\program files\Phantombility
2009-07-20 16:02 . 2009-03-17 08:37 113688 ----a-w- d:\windows\system32\drivers\vdrv9000.sys
2009-07-20 15:29 . 2006-09-20 03:42 11392 ----a-w- d:\windows\system32\drivers\HH9Help.sys
2009-07-20 15:29 . 2007-04-16 05:58 1097728 ----a-w- d:\windows\system32\NMSDVDX.dll
2009-07-20 15:29 . 2004-07-13 02:58 315392 ----a-w- d:\windows\system32\NCTAudioPlayer2.dll
2009-07-17 09:14 . 2009-07-17 09:14 -------- d-----w- d:\program files\UnH Solutions

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 02:22 . 2006-05-31 17:31 -------- d-----w- d:\program files\Trend Micro
2009-08-14 14:33 . 2009-08-14 14:33 18750 ----a-w- d:\program files\Common Files\hagaq.dl
2009-08-14 13:46 . 2009-02-06 00:39 -------- d-----w- d:\program files\Common Files\PC Tools
2009-08-14 13:27 . 2009-02-06 00:39 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2009-08-14 13:27 . 2009-02-04 12:05 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-08-14 13:25 . 2007-08-05 19:33 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-13 15:26 . 2008-08-02 13:16 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2009-08-13 12:41 . 2007-11-02 01:23 -------- d-----w- d:\documents and settings\All Users\Application Data\Trend Micro
2009-08-12 19:34 . 2008-03-31 11:59 -------- d-----w- d:\documents and settings\Administrator\Application Data\Azureus
2009-08-12 15:16 . 2004-08-10 03:44 619200 -c--a-w- d:\windows\system32\drivers\ntfs.sys
2009-08-09 23:30 . 2006-05-31 17:18 -------- d-----w- d:\program files\FlashGet
2009-08-07 02:52 . 2007-01-11 04:37 -------- d-----w- d:\documents and settings\Administrator\Application Data\Vso
2009-08-07 01:05 . 2008-07-20 05:25 -------- d-----w- d:\documents and settings\Administrator\Application Data\DVD Flick
2009-08-03 04:51 . 2006-10-01 13:44 777 ----a-w- d:\program files\funatree.ini
2009-07-20 15:28 . 2006-05-31 17:17 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-07-20 12:11 . 2006-05-31 17:34 -------- d-----w- d:\program files\UltraISO
2009-07-20 12:11 . 2006-05-31 17:34 -------- d-----w- d:\program files\Common Files\EZB Systems
2009-07-20 11:59 . 2008-08-03 11:41 -------- d-----w- d:\program files\IsoBuster
2009-07-10 15:08 . 2009-07-10 15:07 -------- d-----w- d:\program files\FlashPlayerEx
2009-06-21 07:23 . 2008-07-12 12:22 -------- d-----w- d:\program files\SmileDownloader
2009-06-20 11:46 . 2008-07-20 05:24 -------- d-----w- d:\program files\DVD Flick
2009-06-20 10:45 . 2009-06-20 10:45 -------- d-----w- d:\documents and settings\Administrator\Application Data\LEAPS
2009-06-20 10:42 . 2006-08-01 18:59 -------- d-----w- d:\program files\Pegasys Inc
2009-06-20 03:09 . 2009-06-20 03:09 -------- d-----w- d:\documents and settings\Administrator\Application Data\Pegasys Inc
2009-06-20 03:07 . 2009-06-20 03:08 13567 ----a-w- d:\windows\system32\drivers\CDRBSDRV.SYS
2008-10-13 16:59 . 2008-10-13 16:59 27 ----a-w- d:\program files\hfkud18.sys
2008-08-02 19:09 . 2008-08-02 19:09 0 ----a-w- d:\program files\Common Files\dht342126
2007-07-01 15:20 . 2007-07-01 15:20 23 ----a-w- d:\program files\hfkud16.sys
2005-10-01 22:42 . 2007-03-02 06:07 180224 ----a-w- d:\program files\FunaTree25.exe
2006-12-28 09:33 . 2006-12-28 09:33 10856 -csha-w- d:\windows\system32\KGyGaAvL.sys
2007-08-18 12:46 . 2007-08-18 12:46 1104154 --sh--w- d:\windows\system32\rckrpbss.tmp
.

------- Sigcheck -------

[-] 2009-08-15 12:59 29184 C4000A48F953D36167A7DF84F98A2634 d:\windows\system32\dllcache\beep.sys

[-] 2009-08-12 15:16 619200 5D407322AA69AC6E7B17C81B48DEB327 d:\windows\system32\dllcache\ntfs.sys
[-] 2009-08-12 15:16 619200 5D407322AA69AC6E7B17C81B48DEB327 d:\windows\system32\drivers\ntfs.sys

d:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-08-15_12.01.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-15 13:00 . 2009-08-15 13:00 93696 d:\windows\temp01\tscfgwmi.dll
+ 2009-08-15 12:59 . 2009-08-15 12:59 23552 d:\windows\temp01\sort.exe
+ 2009-08-15 13:00 . 2009-08-15 13:00 49152 d:\windows\temp01\SF.exe
+ 2009-08-15 12:59 . 2009-08-15 12:59 98816 d:\windows\temp01\sed.exe
+ 2009-08-15 12:59 . 2009-08-15 12:59 19968 d:\windows\temp01\route.exe
+ 2009-08-15 12:14 . 2009-08-15 12:14 43520 d:\windows\temp01\racpldlg.dll
+ 2009-08-15 13:01 . 2009-08-15 13:01 31232 d:\windows\temp01\NIRCMD.exe
+ 2009-08-15 12:46 . 2009-08-15 12:46 22528 d:\windows\temp01\mfcsubs.dll
+ 2009-08-15 13:06 . 2009-08-15 13:06 55808 d:\windows\temp01\ipconfig.exe
+ 2009-08-15 12:59 . 2009-08-15 12:59 80384 d:\windows\temp01\grep.exe
+ 2009-08-15 13:03 . 2009-08-15 13:03 27136 d:\windows\temp01\findstr.exe
+ 2009-08-15 13:00 . 2009-08-15 13:00 31744 d:\windows\temp01\catchme.sys
+ 2009-08-15 13:00 . 2009-08-15 13:00 53248 d:\windows\temp01\catchme.dll
+ 2009-08-15 13:00 . 2009-08-15 13:00 6464 d:\windows\temp01\PROCEXP90.SYS
+ 2009-08-15 12:16 . 2009-08-15 12:16 248832 d:\windows\temp01\msieftp.dll
+ 2009-08-15 13:06 . 2009-08-15 13:06 111104 d:\windows\temp01\dhcpcsvc.dll
+ 2009-08-15 12:46 . 2009-08-15 12:46 229888 d:\windows\temp01\catsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speaking Clock Deluxe"="d:\program files\Speaking Clock Deluxe\SpClDlx.exe" [2009-01-28 2325504]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="d:\program files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-09-28 897086]
"BluetoothAuthenticationAgent"="bthprops.cpl" - d:\windows\system32\bthprops.cpl [2004-08-10 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2004-08-10 15360]

d:\documents and settings\Administrator\Start Menu\Programs\Startup\
MSI Live Monitor.lnk - d:\program files\MSI\Live Update 3\LMonitor.exe [2006-6-2 477696]
IconUtil.lnk - d:\program files\MELCO INC\Icon Util\IconUtil.exe [2005-12-18 114688]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
BoosterTray.lnk - d:\program files\RingThree\bin\BoosterTray.exe [2007-11-8 339968]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendantivirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendfirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Azureus\\Azureus.exe"=

R0 fasttrak;fasttrak;d:\windows\system32\drivers\Fasttrak.sys [2006/06/01 1:07 70528]
R0 phmburnr;phmburnr;d:\windows\system32\drivers\phmburnr.sys [2008/02/28 7:19 45208]
R1 TxDevCmd;TxDevCmd;d:\windows\system32\drivers\TxDevCmd.sys [2009/02/16 14:28 15896]
R2 eaknqt17o62;eaknqt17o62;d:\windows\system32\drivers\eaknqt17o62.sys [2009/08/14 23:35 3584]
R2 PVM Service;PVM Service;d:\program files\RingThree\bin\PvmService.exe [2007/11/08 10:02 294912]
R2 tmfilter;Tmfilter;d:\windows\system32\drivers\tmxpflt.sys [2005/09/26 14:23 183808]
R2 tmntsrv;Trend Micro Real-time Service;d:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005/09/28 22:19 340037]
R2 tmpfw;Trend Micro Personal Firewall;d:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005/09/12 21:57 630845]
R2 tmpreflt;Tmpreflt;d:\windows\system32\drivers\tmpreflt.sys [2005/09/26 14:23 25088]
R2 tmproxy;Trend Micro Proxy Service;d:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005/09/12 21:59 286788]
R3 GVSC200;GVSC200;d:\windows\system32\drivers\GVSC200.sys [2007/08/24 13:41 7680]
R3 PXTV432P;PXTV432P service;d:\windows\system32\drivers\PXTV432P.sys [2005/05/23 18:08 966552]
S0 tffsmon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys --> d:\windows\system32\drivers\TfFsMon.sys [?]
S0 tfsysmon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys --> d:\windows\system32\drivers\TfSysMon.sys [?]
S3 3xHybrid;3xHybrid service;d:\windows\system32\drivers\3xHybrid.sys [2006/09/26 3:15 613632]
S3 Cap713x;Philips Cap713x Video Capture;d:\windows\system32\drivers\Cap713x.sys [2006/07/01 3:43 685824]
S3 pctplsg;pctplsg;\??\d:\windows\system32\drivers\pctplsg.sys --> d:\windows\system32\drivers\pctplsg.sys [?]
S3 tfnetmon;TfNetMon;\??\d:\windows\system32\drivers\TfNetMon.sys --> d:\windows\system32\drivers\TfNetMon.sys [?]
S3 UtilNT;UtilNT;\??\d:\windows\system32\drivers\UtilNT.sys --> d:\windows\system32\drivers\UtilNT.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
d:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 03:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download with FlashGet - d:\progra~1\FlashGet\jc_link.htm
IE: Download all with FlashGet - d:\progra~1\FlashGet\jc_all.htm
IE: Playback with FlashPlayerEx - d:\progra~1\FLASHP~1\LINK.HTM
IE: Web search with JWord(&J)
IE: Save Flash - d:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
IE: Save YouTube Video - d:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217
IE: Save with SmileDownloader(&Y) - d:\program files\SmileDownloader\IEMenu\IEMenuExt.htm
IE: Save flash movie in this page - d:\progra~1\FLASHP~1\XTR.HTM
IE: Open flash movie - d:\progra~1\FLASHP~1\STR.HTM
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-15 22:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

d:\qoobox\Quarantine\D\WINDOWS\system32\braviax.exe.virUS [2164] 0x86B98DA0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RichVideo]
"ImagePath"="-\"d:\program files\CyberLink\Shared Files\RichVideo.exe\"\00\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\02\00\02H\02H\02H\02H"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-412668190-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\@*sSO0・]
"Order"=hex:08,00,00,00,02,00,00,00,7e,01,00,00,01,00,00,00,03,00,00,00,7a,00,
00,00,00,00,00,00,6c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5a,00,36,\

[HKEY_USERS\S-1-5-21-1454471165-412668190-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\「0ッ0サ0オ0・\キ0ケ0ニ0・ *ト0・・]
"Order"=hex:08,00,00,00,02,00,00,00,dc,05,00,00,01,00,00,00,09,00,00,00,b4,00,
00,00,00,00,00,00,a6,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,94,00,32,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
.
Completion time: 2009-08-15 22:09
ComboFix-quarantined-files.txt 2009-08-15 13:08
ComboFix2.txt 2009-08-15 12:08

Pre-Run: 7,897,600,000 bytes free
Post-Run: 7,866,089,472 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
240

Edited by jjplan, 15 August 2009 - 05:47 PM.


#12
Rorschach112 (Retired Staff)
hi

Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...ck-t249173.html

Collect::
d:\windows\system32\drivers\eaknqt17o62.sys
d:\windows\egupuq.reg
d:\windows\tiwecelivu.reg
d:\documents and settings\LocalService\Local Settings\Application Data\yzowixyrum.sys
d:\program files\Common Files\lely.dll
d:\documents and settings\LocalService\Local Settings\Application Data\tuzecakyg.reg
d:\windows\icuwic.dat
d:\documents and settings\LocalService\Local Settings\Application Data\egaz.sys
d:\program files\Common Files\kufynatin.dat
d:\documents and settings\LocalService\Local Settings\Application Data\ufivahyda.reg
d:\program files\Common Files\hagaq.dl
d:\windows\system32\drivers\ntfs.sys
d:\program files\hfkud18.sys
d:\program files\Common Files\dht342126
d:\program files\hfkud16.sys
d:\program files\FunaTree25.exe
d:\windows\system32\KGyGaAvL.sys
d:\windows\system32\rckrpbss.tmp

Folder::
d:\windows\temp01

FCopy::
d:\windows\system32\dllcache\beep.sys | d:\windows\system32\drivers\beep.sys

Suspect::


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

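As an added example (not ComboFix's code and not anything the helpers in this thread posted), the Python below applies two triage signals to constructed sample lines copied from the ComboFix log above. First, in the "Files Created" and "Find3M" sections, freshly dropped files tend to have identical creation and last-write timestamps, while installer-copied files keep an older last-write time; this heuristic recovers most of the Collect:: list. Second, in the Sigcheck section, a "[-]" line is a file that failed the signature check, and when the dllcache copy carries the same hash as the live copy, the dllcache copy cannot serve as a restore source (which is why FCopy:: was used for beep.sys while ntfs.sys had to come from another machine). The status names are my own.

```python
import re
from collections import defaultdict

# "Files Created" / "Find3M" line:  created . modified size attrs path
# Directories show "--------" in the size column and "d" as the first attribute.
CREATED_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-{8}|\d+) (\S{8}) (.+)$"
)

# Sigcheck line: [flag] modified size MD5 path ; "[-]" = failed signature check
SIGCHECK_LINE = re.compile(
    r"^\[([-+?])\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9A-Fa-f]{32}) (.+)$"
)


def flag_fresh_drops(lines):
    """Return paths of regular files whose creation and last-write times are
    identical to the minute. Installers usually copy files that keep an older
    last-write time (mbamswissarmy.sys: created 2009-08-14, modified 2009-08-03),
    while a freshly written dropper payload has both timestamps equal. This is
    one signal, not a verdict: the infected ntfs.sys in the thread kept its old
    timestamp and was only caught by the signature check."""
    flagged = []
    for line in lines:
        m = CREATED_LINE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        is_dir = size.startswith("-") or attrs.startswith("d")
        if not is_dir and created == modified:
            flagged.append(path)
    return flagged


def dllcache_restore_status(lines):
    """For every file named on a '[-]' Sigcheck line, say whether the dllcache
    copy is a usable source for restoring the live copy (what ComboFix's
    FCopy:: directive does). Keys are file names; values (names are mine):
      'both_unsigned_same_hash'      dllcache holds the same bad file; restore
                                     from install media or a clean machine
      'both_unsigned_different_hash' dllcache copy differs but is also unsigned
      'only_dllcache_unsigned'       live copy passed or is missing
      'only_live_unsigned'           dllcache copy passed; FCopy is reasonable"""
    copies = defaultdict(dict)
    for line in lines:
        m = SIGCHECK_LINE.match(line.strip())
        if not m or m.group(1) != "-":
            continue
        md5, path = m.group(4).lower(), m.group(5)
        name = path.rsplit("\\", 1)[-1].lower()
        where = "dllcache" if "\\dllcache\\" in path.lower() else "live"
        copies[name][where] = md5
    status = {}
    for name, c in copies.items():
        if "dllcache" in c and "live" in c:
            status[name] = ("both_unsigned_same_hash" if c["dllcache"] == c["live"]
                            else "both_unsigned_different_hash")
        elif "dllcache" in c:
            status[name] = "only_dllcache_unsigned"
        else:
            status[name] = "only_live_unsigned"
    return status


# Constructed samples: lines copied from the ComboFix log posted in this thread.
SAMPLE_CREATED = r"""
2009-08-14 15:16 . 2009-08-15 13:06 -------- d-----w- d:\windows\temp01
2009-08-14 14:35 . 2009-08-14 14:35 3584 ----a-w- d:\windows\system32\drivers\eaknqt17o62.sys
2009-08-14 14:33 . 2009-08-14 14:33 19691 ----a-w- d:\windows\egupuq.reg
2009-08-14 14:33 . 2009-08-14 14:33 17578 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\yzowixyrum.sys
2009-08-14 14:08 . 2009-08-03 04:36 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 14:08 . 2009-08-14 14:09 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-07-20 16:02 . 2009-03-17 08:37 113688 ----a-w- d:\windows\system32\drivers\vdrv9000.sys
2009-06-20 03:07 . 2009-06-20 03:08 13567 ----a-w- d:\windows\system32\drivers\CDRBSDRV.SYS
2008-08-02 19:09 . 2008-08-02 19:09 0 ----a-w- d:\program files\Common Files\dht342126
""".strip().splitlines()

SAMPLE_SIGCHECK = r"""
[-] 2009-08-15 12:59 29184 C4000A48F953D36167A7DF84F98A2634 d:\windows\system32\dllcache\beep.sys
[-] 2009-08-12 15:16 619200 5D407322AA69AC6E7B17C81B48DEB327 d:\windows\system32\dllcache\ntfs.sys
[-] 2009-08-12 15:16 619200 5D407322AA69AC6E7B17C81B48DEB327 d:\windows\system32\drivers\ntfs.sys
""".strip().splitlines()

if __name__ == "__main__":
    for p in flag_fresh_drops(SAMPLE_CREATED):
        print("fresh drop:", p)
    for name, st in dllcache_restore_status(SAMPLE_SIGCHECK).items():
        print(f"{name}: {st}")
```

Run on the real log, the first function is a starting point for a Collect:: list and the second tells you which FCopy:: lines are worth writing.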

#13
jjplan (Topic Starter)
Hello! Rorschach112!

I appreciate your second suggestion with the CFScript specialized for my PC. In conclusion, the malware seems to have been cleaned by ComboFix with your script. :) I did the following:

1. Ran ComboFix with your script.
2. During its run, I saw a special warning twice saying "Some system files have been replaced with an inaccessible version's file" and "In order to restore the proper version of the file, load the original CD of SP2".
3. Clicked No.
4. CF rebooted the PC.
5. Windows could not start because of the lack of "System32\Drivers\NTFS.sys" :)
6. Connected this HDD to another PC via USB and copied the missing file, because I thought it came from the same SP2 CD. :)
7. Reconnected it to the infected PC and ran Windows.
8. The latter part of CF's process started, and it showed its log when finished.
9. Rebooted several times, and didn't find any activity or trace of the malware. :) :) :)

I think NTFS.sys was infected and it kept re-creating the malware at every reboot. What a clever but evil idea by the malware producers and infectors!! :) !!

I am adding its log to make sure. If you see any remaining problems, please advise me.

Again, thank you very very very much for your kind support and for spending your precious time on me. :) :happy:

jjplan

=========================(Log from CF with the script)========================

ComboFix 09-08-10.06 - Administrator 2009/08/16 22:25.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1023.719 [GMT 9:00]
Running from: d:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: d:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

file zipped: d:\documents and settings\LocalService\Local Settings\Application Data\egaz.sys
file zipped: d:\documents and settings\LocalService\Local Settings\Application Data\tuzecakyg.reg
file zipped: d:\documents and settings\LocalService\Local Settings\Application Data\ufivahyda.reg
file zipped: d:\documents and settings\LocalService\Local Settings\Application Data\yzowixyrum.sys
file zipped: d:\program files\Common Files\dht342126
file zipped: d:\program files\Common Files\hagaq.dl
file zipped: d:\program files\Common Files\kufynatin.dat
file zipped: d:\program files\Common Files\lely.dll
file zipped: d:\program files\FunaTree25.exe
file zipped: d:\program files\hfkud16.sys
file zipped: d:\program files\hfkud18.sys
file zipped: d:\windows\egupuq.reg
file zipped: d:\windows\icuwic.dat
file zipped: d:\windows\system32\drivers\eaknqt17o62.sys
file zipped: d:\windows\system32\drivers\ntfs.sys
file zipped: d:\windows\system32\KGyGaAvL.sys
file zipped: d:\windows\system32\rckrpbss.tmp
file zipped: d:\windows\tiwecelivu.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\LocalService\Local Settings\Application Data\egaz.sys
d:\documents and settings\LocalService\Local Settings\Application Data\tuzecakyg.reg
d:\documents and settings\LocalService\Local Settings\Application Data\ufivahyda.reg
d:\documents and settings\LocalService\Local Settings\Application Data\yzowixyrum.sys
d:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
d:\program files\Common Files\dht342126
d:\program files\Common Files\hagaq.dl
d:\program files\Common Files\kufynatin.dat
d:\program files\Common Files\lely.dll
d:\program files\FunaTree25.exe
d:\program files\hfkud16.sys
d:\program files\hfkud18.sys
d:\windows\braviax.exe
d:\windows\cru629.dat
d:\windows\egupuq.reg
d:\windows\icuwic.dat
d:\windows\system32\braviax.exe
d:\windows\system32\cru629.dat
d:\windows\system32\drivers\eaknqt17o62.sys
d:\windows\system32\drivers\ntfs.sys
d:\windows\system32\KGyGaAvL.sys
d:\windows\system32\rckrpbss.tmp
d:\windows\temp01
d:\windows\temp01\7-zip.dll
d:\windows\temp01\aclui.dll
d:\windows\temp01\activeds.dll
d:\windows\temp01\actxprxy.dll
d:\windows\temp01\adsldpc.dll
d:\windows\temp01\advpack.dll
d:\windows\temp01\aec.sys
d:\windows\temp01\agentctl.dll
d:\windows\temp01\alg.exe
d:\windows\temp01\American English (male).dll
d:\windows\temp01\apphelp.dll
d:\windows\temp01\apphelp.dll?
d:\windows\temp01\apphelp.dll?蓜?????
d:\windows\temp01\apphelp.dll3
d:\windows\temp01\arj.fmt
d:\windows\temp01\asliahmy.sys
d:\windows\temp01\asycfilt.dll
d:\windows\temp01\atl.dll
d:\windows\temp01\Attrib.cfexe
d:\windows\temp01\attrib.exe
d:\windows\temp01\authz.dll
d:\windows\temp01\avifil32.dll
d:\windows\temp01\b2e.dll
d:\windows\temp01\batmeter.dll
d:\windows\temp01\BN2.tmp
d:\windows\temp01\BN3.tmp
d:\windows\temp01\BN4.tmp
d:\windows\temp01\BN5.tmp
d:\windows\temp01\BoosterTray.exe
d:\windows\temp01\braviax.exe
d:\windows\temp01\BROWSELC.DLL
d:\windows\temp01\browser.dll
d:\windows\temp01\bthprops.cpl
d:\windows\temp01\cabinet.dll
d:\windows\temp01\catchme.dll
d:\windows\temp01\catchme.sys
d:\windows\temp01\catsrv.dll
d:\windows\temp01\certcli.dll
d:\windows\temp01\cfgmgr32.dll
d:\windows\temp01\chcp.com
d:\windows\temp01\clb.dll
d:\windows\temp01\clusapi.dll
d:\windows\temp01\cnbjmon.dll
d:\windows\temp01\colbact.dll
d:\windows\temp01\Combo-Fix.exe
d:\windows\temp01\comdlg32.dll
d:\windows\temp01\comdlg32.dll?
d:\windows\temp01\conime.exe
d:\windows\temp01\credui.dll
d:\windows\temp01\crtdll.dll
d:\windows\temp01\cryptdll.dll
d:\windows\temp01\cryptnet.dll
d:\windows\temp01\cryptsvc.dll
d:\windows\temp01\cscdll.dll
d:\windows\temp01\cscript.exe
d:\windows\temp01\cscui.dll
d:\windows\temp01\ctfmon.exe
d:\windows\temp01\davclnt.dll
d:\windows\temp01\dciman32.dll
d:\windows\temp01\ddraw.dll
d:\windows\temp01\ddrawex.dll
d:\windows\temp01\desk.cpl
d:\windows\temp01\devenum.dll
d:\windows\temp01\devmgr.dll
d:\windows\temp01\dhcpcsvc.dll
d:\windows\temp01\dmserver.dll
d:\windows\temp01\DMusic.sys
d:\windows\temp01\dnsapi.dll
d:\windows\temp01\dpcdll.dll
d:\windows\temp01\drmclien.dll
d:\windows\temp01\drmkaud.sys
d:\windows\temp01\drprov.dll
d:\windows\temp01\DrvCheck.dll
d:\windows\temp01\drwtsn32.exe
d:\windows\temp01\dsquery.dll
d:\windows\temp01\dssenh.dll
d:\windows\temp01\dsuiext.dll
d:\windows\temp01\dumphive.cfexe
d:\windows\temp01\dumprep.exe
d:\windows\temp01\duser.dll
d:\windows\temp01\dwintl.dll
d:\windows\temp01\dwwin.exe
d:\windows\temp01\dxtrans.dll
d:\windows\temp01\ElbyCDIO.sys
d:\windows\temp01\ersvc.dll
d:\windows\temp01\erunt-setup.exe
d:\windows\temp01\es.dll
d:\windows\temp01\esscli.dll
d:\windows\temp01\Fastfat.SYS
d:\windows\temp01\faultrep.dll
d:\windows\temp01\filterpipelineprintproc.dll
d:\windows\temp01\FINDSTR.cfexe
d:\windows\temp01\findstr.exe
d:\windows\temp01\FLASHSYS.sys
d:\windows\temp01\framedyn.dll
d:\windows\temp01\gdi32.dll
d:\windows\temp01\gdi32.dll?????
d:\windows\temp01\gdi32.dll????畳?
d:\windows\temp01\GENKEY32.DLL
d:\windows\temp01\GoogleToolbar.dll
d:\windows\temp01\GoogleToolbarNotifier.exe
d:\windows\temp01\GoogleUpdater.exe
d:\windows\temp01\GoogleUpdaterService.exe
d:\windows\temp01\grep.cfexe
d:\windows\temp01\grep.exe
d:\windows\temp01\grpconv.exe
d:\windows\temp01\gsar.cfexe
d:\windows\temp01\gtn.dll
d:\windows\temp01\gz.fmt
d:\windows\temp01\h323.tsp
d:\windows\temp01\handle.cfexe
d:\windows\temp01\hhctrlui.dll
d:\windows\temp01\hhsetup.dll
d:\windows\temp01\hid.dll
d:\windows\temp01\hidec.exe
d:\windows\temp01\hidphone.tsp
d:\windows\temp01\hotplug.dll
d:\windows\temp01\icaapi.dll
d:\windows\temp01\IconUtil.exe
d:\windows\temp01\iepeers.dll
d:\windows\temp01\IEXPLORE.EXE
d:\windows\temp01\imagehlp.dll
d:\windows\temp01\imagehlp.dll?
d:\windows\temp01\imagehlp.dll絢C???????
d:\windows\temp01\imagehlp.dll絢C???晦???
d:\windows\temp01\imagehlp.dll絢C???畳ElbyCDIO
d:\windows\temp01\imagehlp.dll絢C??卆浩$
d:\windows\temp01\imgutil.dll
d:\windows\temp01\imjp81.ime
d:\windows\temp01\imjpcd.dic
d:\windows\temp01\imm32.dll
d:\windows\temp01\INETCPLC.DLL
d:\windows\temp01\inetpp.dll
d:\windows\temp01\ipconf.tsp
d:\windows\temp01\ipconfig.exe
d:\windows\temp01\iphlpapi.dll
d:\windows\temp01\ipnathlp.dll
d:\windows\temp01\ipsecsvc.dll
d:\windows\temp01\isoshell.dll
d:\windows\temp01\kbd101.dll
d:\windows\temp01\kbd106.dll
d:\windows\temp01\kbdjpn.dll
d:\windows\temp01\kbdnec.dll
d:\windows\temp01\kbdth0.dll
d:\windows\temp01\kbdus.dll
d:\windows\temp01\kbdvntc.dll
d:\windows\temp01\kerberos.dll
d:\windows\temp01\kmddsp.tsp
d:\windows\temp01\kmixer.sys
d:\windows\temp01\libexpat.dll
d:\windows\temp01\linkinfo.dll
d:\windows\temp01\LOADHTTP.DLL
d:\windows\temp01\localspl.dll
d:\windows\temp01\lpk.dll
d:\windows\temp01\lsm.exe
d:\windows\temp01\mbam.dll
d:\windows\temp01\mbamext.dll
d:\windows\temp01\mbamswissarmy.sys
d:\windows\temp01\mfcsubs.dll
d:\windows\temp01\midimap.dll
d:\windows\temp01\mmcshext.dll
d:\windows\temp01\mpr.dll
d:\windows\temp01\mpr.dlln
d:\windows\temp01\mpr.dllum
d:\windows\temp01\mpr.dll絆0
d:\windows\temp01\mprapi.dll
d:\windows\temp01\msacm32.dll
d:\windows\temp01\msacm32.drv
d:\windows\temp01\msadco.dll
d:\windows\temp01\msadp32.acm
d:\windows\temp01\msasn1.dll
d:\windows\temp01\msasn1.dll????
d:\windows\temp01\msasn1.dll???????
d:\windows\temp01\msasn1.dll?????€
d:\windows\temp01\msasn1.dll???晦???
d:\windows\temp01\msasn1.dll??卆浩?
d:\windows\temp01\mscms.dll
d:\windows\temp01\mscoree.dll
d:\windows\temp01\mscorie.dll
d:\windows\temp01\MSCTF.dll
d:\windows\temp01\MSCTFIME.IME
d:\windows\temp01\msdart.dll
d:\windows\temp01\msdmo.dll
d:\windows\temp01\msieftp.dll
d:\windows\temp01\MSII2C.dll
d:\windows\temp01\msimg32.dll
d:\windows\temp01\MSIMTF.dll
d:\windows\temp01\msisip.dll
d:\windows\temp01\msls31.dll
d:\windows\temp01\MSOHEV.DLL
d:\windows\temp01\mspatcha.dll
d:\windows\temp01\mstask.dll
d:\windows\temp01\mstlsapi.dll
d:\windows\temp01\msutb.dll
d:\windows\temp01\msv1_0.dll
d:\windows\temp01\msvcirt.dll
d:\windows\temp01\msvcr71.dll
d:\windows\temp01\msvfw32.dll
d:\windows\temp01\mswsock.dll
d:\windows\temp01\mtee.cfexe
d:\windows\temp01\mtxclu.dll
d:\windows\temp01\mydocs.dll
d:\windows\temp01\n.pif
d:\windows\temp01\ncobjapi.dll
d:\windows\temp01\ncprov.dll
d:\windows\temp01\ndptsp.tsp
d:\windows\temp01\netapi32.dll
d:\windows\temp01\netapi32.dll?
d:\windows\temp01\netid.dll
d:\windows\temp01\netman.dll
d:\windows\temp01\netmsg.dll
d:\windows\temp01\netrap.dll
d:\windows\temp01\netui0.dll
d:\windows\temp01\netui1.dll
d:\windows\temp01\NirCmd.cfexe
d:\windows\temp01\NIRCMD.exe
d:\windows\temp01\NircmdB.exe
d:\windows\temp01\NirCmdC.cfexe
d:\windows\temp01\NMSCFG.SYS
d:\windows\temp01\notepad.exe
d:\windows\temp01\NTACCESS.SYS
d:\windows\temp01\ntdsapi.dll
d:\windows\temp01\ntevt.dll
d:\windows\temp01\ntlanman.dll
d:\windows\temp01\ntlsapi.dll
d:\windows\temp01\ntmarta.dll
d:\windows\temp01\ntshrui.dll
d:\windows\temp01\nvgpio.dll
d:\windows\temp01\odbc32.dll
d:\windows\temp01\odbcint.dll
d:\windows\temp01\oleacc.dll
d:\windows\temp01\oledlg.dll
d:\windows\temp01\olepro32.dll
d:\windows\temp01\PcCmdCom.exe
d:\windows\temp01\pccntsec.dll
d:\windows\temp01\PccScan.dll
d:\windows\temp01\PcCtlPS.dll
d:\windows\temp01\PcCtlSpy.dll
d:\windows\temp01\PcDce.dll
d:\windows\temp01\PcDceLog.dll
d:\windows\temp01\pchsvc.dll
d:\windows\temp01\pdfshell.JPN
d:\windows\temp01\PEWNT2.dll
d:\windows\temp01\ping.exe
d:\windows\temp01\pjlmon.dll
d:\windows\temp01\plugin.ocx
d:\windows\temp01\pngfilt.dll
d:\windows\temp01\powrprof.dll
d:\windows\temp01\PROCEXP90.SYS
d:\windows\temp01\provthrd.dll
d:\windows\temp01\psapi.dll
d:\windows\temp01\psbase.dll
d:\windows\temp01\pstorec.dll
d:\windows\temp01\pstorsvc.dll
d:\windows\temp01\PV.cfexe
d:\windows\temp01\pv.exe
d:\windows\temp01\PvmService.exe
d:\windows\temp01\PWRISOSH.DLL
d:\windows\temp01\racpldlg.dll
d:\windows\temp01\RarExt.dll
d:\windows\temp01\rasadhlp.dll
d:\windows\temp01\rasapi32.dll
d:\windows\temp01\rasman.dll
d:\windows\temp01\rasmans.dll
d:\windows\temp01\rasppp.dll
d:\windows\temp01\rastapi.dll
d:\windows\temp01\reg.exe
d:\windows\temp01\regapi.dll
d:\windows\temp01\remotepg.dll
d:\windows\temp01\repdrvfs.dll
d:\windows\temp01\res411.dll
d:\windows\temp01\resutils.dll
d:\windows\temp01\riched32.dll
d:\windows\temp01\route.exe
d:\windows\temp01\rsaenh.dll
d:\windows\temp01\rtutils.dll
d:\windows\temp01\rundll32.exe
d:\windows\temp01\runonce.exe
d:\windows\temp01\samlib.dll
d:\windows\temp01\schannel.dll
d:\windows\temp01\sclgntfy.dll
d:\windows\temp01\scrobj.dll
d:\windows\temp01\scrrun.dll
d:\windows\temp01\seclogon.dll
d:\windows\temp01\secur32.dll
d:\windows\temp01\security.dll
d:\windows\temp01\sed.cfexe
d:\windows\temp01\sed.exe
d:\windows\temp01\sendmail.dll
d:\windows\temp01\sens.dll
d:\windows\temp01\sensapi.dll
d:\windows\temp01\SF.exe
d:\windows\temp01\sfc.dll
d:\windows\temp01\sfc_os.dll
d:\windows\temp01\shfolder.dll
d:\windows\temp01\shgina.dll
d:\windows\temp01\shimeng.dll
d:\windows\temp01\shmedia.dll
d:\windows\temp01\sort.exe
d:\windows\temp01\spcl01.dll
d:\windows\temp01\splitter.sys
d:\windows\temp01\spoolss.dll
d:\windows\temp01\SPTIP.dll
d:\windows\temp01\sr.sys
d:\windows\temp01\srclient.dll
d:\windows\temp01\srrstr.dll
d:\windows\temp01\srsvc.dll
d:\windows\temp01\srv.sys
d:\windows\temp01\srvsvc.dll
d:\windows\temp01\ssdpapi.dll
d:\windows\temp01\ssubtmr6.dll
d:\windows\temp01\sti.dll
d:\windows\temp01\stobject.dll
d:\windows\temp01\svchost.exe
d:\windows\temp01\swmidi.sys
d:\windows\temp01\swxcacls.cfexe
d:\windows\temp01\sysaudio.sys
d:\windows\temp01\sysdm.cpl
d:\windows\temp01\tail.cfexe
d:\windows\temp01\tapi32.dll
d:\windows\temp01\tapisrv.dll
d:\windows\temp01\tar.fmt
d:\windows\temp01\taskmgr.exe
d:\windows\temp01\tcpmon.dll
d:\windows\temp01\termsrv.dll
d:\windows\temp01\timer.dll
d:\windows\temp01\tmCfwApi.dll
d:\windows\temp01\tmdbg.dll
d:\windows\temp01\tmdp.dll
d:\windows\temp01\Tmdshell.dll
d:\windows\temp01\tmHash.dll
d:\windows\temp01\Tmntsrv.exe
d:\windows\temp01\TMOACfg.dll
d:\windows\temp01\TMOAgent.exe
d:\windows\temp01\TmpeVS.dll
d:\windows\temp01\TmPfwApi.dll
d:\windows\temp01\TmPfwHlp.dll
d:\windows\temp01\TmPfwLog.dll
d:\windows\temp01\TmPfwRul.dll
d:\windows\temp01\TmphPop3.dll
d:\windows\temp01\TmphSMTP.dll
d:\windows\temp01\TmProxy.dll
d:\windows\temp01\tmproxy.exe
d:\windows\temp01\TmpxHelp.dll
d:\windows\temp01\TmsmMail.dll
d:\windows\temp01\tmtdi.dll
d:\windows\temp01\trkwks.dll
d:\windows\temp01\tscfgwmi.dll
d:\windows\temp01\ulib.dll
d:\windows\temp01\unimdm.tsp
d:\windows\temp01\uniplat.dll
d:\windows\temp01\upnp.dll
d:\windows\temp01\usbmon.dll
d:\windows\temp01\USBSTOR.SYS
d:\windows\temp01\userinit.exe
d:\windows\temp01\utildll.dll
d:\windows\temp01\uxtheme.dll
d:\windows\temp01\VB6JP.DLL
d:\windows\temp01\VBios.dll
d:\windows\temp01\vdmdbg.dll
d:\windows\temp01\version.dll
d:\windows\temp01\version.dll昴絢C??卆浩?
d:\windows\temp01\w32time.dll
d:\windows\temp01\wbemcomn.dll
d:\windows\temp01\wbemcons.dll
d:\windows\temp01\wbemdisp.dll
d:\windows\temp01\wbemess.dll
d:\windows\temp01\wbemprox.dll
d:\windows\temp01\wbemsvc.dll
d:\windows\temp01\wdmaud.drv
d:\windows\temp01\wdmaud.sys
d:\windows\temp01\webcheck.dll
d:\windows\temp01\wiaservc.dll
d:\windows\temp01\win32spl.dll
d:\windows\temp01\winipsec.dll
d:\windows\temp01\winmm.dll
d:\windows\temp01\winrnr.dll
d:\windows\temp01\winspool.drv
d:\windows\temp01\winsta.dll
d:\windows\temp01\wintrust.dll
d:\windows\temp01\wintrust.dll?
d:\windows\temp01\wintrust.dll?蝪?????????h
d:\windows\temp01\wintrust.dllte??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
d:\windows\temp01\wldap32.dll
d:\windows\temp01\wldap32.dll?
d:\windows\temp01\wldap32.dll
d:\windows\temp01\wmasf.dll
d:\windows\temp01\wmi.dll
d:\windows\temp01\wmidx.dll
d:\windows\temp01\wmiprvse.exe
d:\windows\temp01\wmisvc.dll
d:\windows\temp01\wmiutils.dll
d:\windows\temp01\wmpdxm.dll
d:\windows\temp01\ws2_32.dll
d:\windows\temp01\ws2help.dll
d:\windows\temp01\wscntfy.exe
d:\windows\temp01\wscript.exe
d:\windows\temp01\wscsvc.dll
d:\windows\temp01\wshbth.dll
d:\windows\temp01\wshext.dll
d:\windows\temp01\wship6.dll
d:\windows\temp01\wshom.ocx
d:\windows\temp01\wshtcpip.dll
d:\windows\temp01\wsock32.dll
d:\windows\temp01\wtsapi32.dll
d:\windows\temp01\wuauclt.exe
d:\windows\temp01\wuaucpl.cpl
d:\windows\temp01\wuauserv.dll
d:\windows\temp01\wups.dll
d:\windows\temp01\wzcsapi.dll
d:\windows\temp01\zipfldr.dll
d:\windows\temp01\zlib.dll
d:\windows\tiwecelivu.reg

d:\windows\system32\drivers\beep.sys . . . is infected!!

.
--------------- FCopy ---------------

d:\windows\system32\dllcache\beep.sys --> d:\windows\system32\drivers\beep.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_eaknqt17o62
-------\Service_eaknqt17o62


((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
.

2009-08-16 15:02 . 2004-08-05 12:00 574592 ----a-w- d:\windows\system32\drivers\ntfs.sys
2009-08-15 02:21 . 2009-08-16 13:20 29184 -c----w- d:\windows\system32\dllcache\beep.sys
2009-08-14 14:08 . 2009-08-14 14:08 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-14 14:08 . 2009-08-03 04:36 38160 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 14:08 . 2009-08-14 14:08 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-14 14:08 . 2009-08-14 14:09 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2009-08-14 14:08 . 2009-08-03 04:36 19096 ----a-w- d:\windows\system32\drivers\mbam.sys
2009-08-14 12:45 . 2009-08-14 12:45 -------- d-----w- d:\program files\Safer Networking
2009-08-13 17:22 . 2009-08-13 17:22 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-08-13 17:12 . 2009-08-13 17:12 -------- d-----w- d:\documents and settings\All Users\Application Data\ESET
2009-08-13 13:50 . 2009-08-14 13:46 -------- d-----w- d:\program files\Spyware Doctor
2009-08-03 10:11 . 2009-08-03 10:11 -------- d-----w- d:\windows\system32\Quarantine
2009-07-22 05:12 . 2009-07-22 05:12 -------- d-----w- d:\program files\MELCO INC
2009-07-21 16:00 . 2009-07-21 16:01 -------- d-----w- d:\program files\Madonote
2009-07-21 01:41 . 2009-07-21 01:41 -------- d-----w- d:\program files\Phantombility
2009-07-20 16:02 . 2009-03-17 08:37 113688 ----a-w- d:\windows\system32\drivers\vdrv9000.sys
2009-07-20 15:29 . 2006-09-20 03:42 11392 ----a-w- d:\windows\system32\drivers\HH9Help.sys
2009-07-20 15:29 . 2007-04-16 05:58 1097728 ----a-w- d:\windows\system32\NMSDVDX.dll
2009-07-20 15:29 . 2004-07-13 02:58 315392 ----a-w- d:\windows\system32\NCTAudioPlayer2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 02:22 . 2006-05-31 17:31 -------- d-----w- d:\program files\Trend Micro
2009-08-14 13:46 . 2009-02-06 00:39 -------- d-----w- d:\program files\Common Files\PC Tools
2009-08-14 13:27 . 2009-02-06 00:39 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2009-08-14 13:27 . 2009-02-04 12:05 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2009-08-14 13:25 . 2007-08-05 19:33 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-13 15:26 . 2008-08-02 13:16 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2009-08-13 12:41 . 2007-11-02 01:23 -------- d-----w- d:\documents and settings\All Users\Application Data\Trend Micro
2009-08-12 19:34 . 2008-03-31 11:59 -------- d-----w- d:\documents and settings\Administrator\Application Data\Azureus
2009-08-09 23:30 . 2006-05-31 17:18 -------- d-----w- d:\program files\FlashGet
2009-08-07 02:52 . 2007-01-11 04:37 -------- d-----w- d:\documents and settings\Administrator\Application Data\Vso
2009-08-07 01:05 . 2008-07-20 05:25 -------- d-----w- d:\documents and settings\Administrator\Application Data\DVD Flick
2009-08-03 04:51 . 2006-10-01 13:44 777 ----a-w- d:\program files\funatree.ini
2009-07-20 15:28 . 2006-05-31 17:17 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-07-20 12:11 . 2006-05-31 17:34 -------- d-----w- d:\program files\UltraISO
2009-07-20 12:11 . 2006-05-31 17:34 -------- d-----w- d:\program files\Common Files\EZB Systems
2009-07-20 11:59 . 2008-08-03 11:41 -------- d-----w- d:\program files\IsoBuster
2009-07-17 09:14 . 2009-07-17 09:14 -------- d-----w- d:\program files\UnH Solutions
2009-07-10 15:08 . 2009-07-10 15:07 -------- d-----w- d:\program files\FlashPlayerEx
2009-06-21 07:23 . 2008-07-12 12:22 -------- d-----w- d:\program files\SmileDownloader
2009-06-20 11:46 . 2008-07-20 05:24 -------- d-----w- d:\program files\DVD Flick
2009-06-20 10:45 . 2009-06-20 10:45 -------- d-----w- d:\documents and settings\Administrator\Application Data\LEAPS
2009-06-20 10:42 . 2006-08-01 18:59 -------- d-----w- d:\program files\Pegasys Inc
2009-06-20 03:09 . 2009-06-20 03:09 -------- d-----w- d:\documents and settings\Administrator\Application Data\Pegasys Inc
2009-06-20 03:07 . 2009-06-20 03:08 13567 ----a-w- d:\windows\system32\drivers\CDRBSDRV.SYS
.

------- Sigcheck -------

[-] 2009-08-16 13:20 29184 4B55931CBB561351CA370D732763EA2C d:\windows\system32\dllcache\beep.sys

d:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-08-15_12.01.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-16 13:32 . 2009-08-16 13:32 8192 d:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-15 11:57 . 2009-08-15 11:57 8192 d:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-16 13:32 . 2009-08-16 13:32 8192 d:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-16 13:32 . 2009-08-16 13:32 151552 d:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-16 13:32 . 2009-08-16 13:32 233472 d:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-16 13:32 . 2009-08-16 13:32 233472 d:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-15 11:57 . 2009-08-15 11:57 233472 d:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-16 13:32 . 2009-08-16 13:32 17727488 d:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speaking Clock Deluxe"="d:\program files\Speaking Clock Deluxe\SpClDlx.exe" [2009-01-28 2325504]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="d:\program files\Trend Micro\Internet Security 2006\pccguide.exe" [2005-09-28 897086]
"BluetoothAuthenticationAgent"="bthprops.cpl" - d:\windows\system32\bthprops.cpl [2004-08-10 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2004-08-10 15360]

d:\documents and settings\Administrator\Start Menu\Programs\Startup\
MSI Live Monitor.lnk - d:\program files\MSI\Live Update 3\LMonitor.exe [2006-6-2 477696]
アイコン変更ユーティリティ.lnk - d:\program files\MELCO INC\Icon Util\IconUtil.exe [2005-12-18 114688]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
BoosterTray.lnk - d:\program files\RingThree\bin\BoosterTray.exe [2007-11-8 339968]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendantivirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendfirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Azureus\\Azureus.exe"=

R0 fasttrak;fasttrak;d:\windows\system32\drivers\Fasttrak.sys [2006/06/01 1:07 70528]
R0 phmburnr;phmburnr;d:\windows\system32\drivers\phmburnr.sys [2008/02/28 7:19 45208]
R1 TxDevCmd;TxDevCmd;d:\windows\system32\drivers\TxDevCmd.sys [2009/02/16 14:28 15896]
R2 PVM Service;PVM Service;d:\program files\RingThree\bin\PvmService.exe [2007/11/08 10:02 294912]
R2 tmfilter;Tmfilter;d:\windows\system32\drivers\tmxpflt.sys [2005/09/26 14:23 183808]
R2 tmntsrv;Trend Micro Real-time Service;d:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005/09/28 22:19 340037]
R2 tmpfw;Trend Micro Personal Firewall;d:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005/09/12 21:57 630845]
R2 tmpreflt;Tmpreflt;d:\windows\system32\drivers\tmpreflt.sys [2005/09/26 14:23 25088]
R2 tmproxy;Trend Micro Proxy Service;d:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005/09/12 21:59 286788]
R3 GVSC200;GVSC200;d:\windows\system32\drivers\GVSC200.sys [2007/08/24 13:41 7680]
R3 PXTV432P;PXTV432P service;d:\windows\system32\drivers\PXTV432P.sys [2005/05/23 18:08 966552]
S0 tffsmon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys --> d:\windows\system32\drivers\TfFsMon.sys [?]
S0 tfsysmon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys --> d:\windows\system32\drivers\TfSysMon.sys [?]
S3 3xHybrid;3xHybrid service;d:\windows\system32\drivers\3xHybrid.sys [2006/09/26 3:15 613632]
S3 Cap713x;Philips Cap713x Video Capture;d:\windows\system32\drivers\Cap713x.sys [2006/07/01 3:43 685824]
S3 pctplsg;pctplsg;\??\d:\windows\system32\drivers\pctplsg.sys --> d:\windows\system32\drivers\pctplsg.sys [?]
S3 tfnetmon;TfNetMon;\??\d:\windows\system32\drivers\TfNetMon.sys --> d:\windows\system32\drivers\TfNetMon.sys [?]
S3 UtilNT;UtilNT;\??\d:\windows\system32\drivers\UtilNT.sys --> d:\windows\system32\drivers\UtilNT.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WEBNTACCESS
*Deregistered* - WEBNTACCESS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
d:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-08-16 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 03:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Download by FlashGet - d:\progra~1\FlashGet\jc_link.htm
IE: Download all by FlashGet - d:\progra~1\FlashGet\jc_all.htm
IE: Playback with FlashPlayerEx - d:\progra~1\FLASHP~1\LINK.HTM
IE: Web search with JWord(&J)
IE: Save Flash - d:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
IE: Save YouTube Video - d:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/217
IE: Save with SmileDownloader(&Y) - d:\program files\SmileDownloader\IEMenu\IEMenuExt.htm
IE: Open flash movies in this page - d:\progra~1\FLASHP~1\XTR.HTM
IE: Open flash movies - d:\progra~1\FLASHP~1\STR.HTM
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 00:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RichVideo]
"ImagePath"="-\"d:\program files\CyberLink\Shared Files\RichVideo.exe\"\00\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\03\00\02\00\02H\02H\02H\02H"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-412668190-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\@*sSO0・]
"Order"=hex:08,00,00,00,02,00,00,00,7e,01,00,00,01,00,00,00,03,00,00,00,7a,00,
00,00,00,00,00,00,6c,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5a,00,36,\

[HKEY_USERS\S-1-5-21-1454471165-412668190-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\「0ッ0サ0オ0・\キ0ケ0ニ0・ *ト0・・]
"Order"=hex:08,00,00,00,02,00,00,00,dc,05,00,00,01,00,00,00,09,00,00,00,b4,00,
00,00,00,00,00,00,a6,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,94,00,32,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'explorer.exe'(3348)
d:\windows\system32\imjp81.ime
d:\windows\system32\imjp81k.dll
d:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
d:\windows\system32\msctf.dll
.
------------------------ Other Running Processes ------------------------
.
d:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
d:\windows\system32\conime.exe
d:\windows\system32\rundll32.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-16 0:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-16 15:13
ComboFix2.txt 2009-08-15 13:09
ComboFix3.txt 2009-08-15 12:08

Pre-Run: 7,871,795,200 bytes free
Post-Run: 7,780,982,784 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
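The ComboFix log above is worth reading for more than the file deletions: the "Reg Loading Points" block shows the malware switching off the machine's own defences (Security Center monitoring of the Trend Micro AV and firewall disabled, update notifications disabled, Windows Firewall off for the standard profile), the driver list carries entries whose binaries no longer exist (`--> ... [?]`), and a driver (WEBNTACCESS) was registered and deregistered during the run. The script below is an added example, not ComboFix's code, of pulling those indicators out of such a log mechanically. `SAMPLE_LOG` is a constructed excerpt built from lines of the posted log; the regexes are written against ComboFix's text layout as it appears here and are an assumption for other versions.

```python
r"""Triage a ComboFix log for self-defence tampering and broken driver
entries.  Added example, not ComboFix code; SAMPLE_LOG is an excerpt
constructed from lines of the log posted above."""
import re

SAMPLE_LOG = r"""
d:\windows\system32\drivers\beep.sys . . . is infected!!

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendantivirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\trendfirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 tmntsrv;Trend Micro Real-time Service;d:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005/09/28 22:19 340037]
S0 tffsmon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys --> d:\windows\system32\drivers\TfFsMon.sys [?]
S3 pctplsg;pctplsg;\??\d:\windows\system32\drivers\pctplsg.sys --> d:\windows\system32\drivers\pctplsg.sys [?]

*NewlyCreated* - WEBNTACCESS
*Deregistered* - WEBNTACCESS

d:\windows\system32\drivers\beep.sys ... is missing !!
"""

# Patterns follow the ComboFix text layout seen in the log above (assumed
# stable; other versions may differ).
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VAL = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?(?:0x)?([0-9a-fA-F]+)')
ORPHAN_SVC = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) --> .+ \[\?\]$")
NEW_DRIVER = re.compile(r"^\*NewlyCreated\* - (\S+)$")
INFECTED = re.compile(r"^(.+?) \. \. \. is infected!!$")
MISSING = re.compile(r"^(.+?) \.\.\. is missing !!$")


def check_reg_value(key, name, value):
    """Registry values that switch off the machine's own defences."""
    if name == "EnableFirewall" and value == 0 and "firewallpolicy" in key:
        return [("firewall_disabled", key.rsplit("\\", 1)[-1])]
    if name == "DisableMonitoring" and value == 1 and r"security center\monitoring" in key:
        return [("security_center_monitoring_disabled", key.rsplit("\\", 1)[-1])]
    if name == "UpdatesDisableNotify" and value == 1 and key.endswith("security center"):
        return [("updates_notify_disabled", key)]
    return []


def triage(log_text):
    """Return (kind, detail) findings in log order."""
    findings = []
    current_key = ""  # registry key the following "name"=value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = REG_VAL.match(line)
        if m:
            findings.extend(check_reg_value(current_key, m.group(1), int(m.group(2), 16)))
            continue
        m = ORPHAN_SVC.match(line)
        if m:  # service/driver registered but its binary is gone
            start, svc, _display, path = m.groups()
            findings.append(("orphan_service", f"{svc} ({start}) -> {path}"))
            continue
        m = NEW_DRIVER.match(line)
        if m:
            findings.append(("new_driver", m.group(1)))
            continue
        m = INFECTED.match(line)
        if m:
            findings.append(("infected_file", m.group(1)))
            continue
        m = MISSING.match(line)
        if m:
            findings.append(("missing_file", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:38s} {detail}")
```

Run against the constructed excerpt it reports nine findings: the infected and then missing beep.sys, the three Security Center switches, the firewall policy, the two orphaned driver entries and the transient WEBNTACCESS driver. Orphaned `S0`/`S3` entries are not malicious by themselves (they are often leftovers from uninstalled security software), which is why they are reported as their own kind rather than folded in with the infected-file findings.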

#14
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
hi

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • d:\windows\system32\drivers\ntfs.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

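The post above asks for a multi-engine scan of ntfs.sys because the ComboFix log shows it rewritten on 2009-08-16 and because beep.sys had already been replaced. The log also shows the trap in relying on the dllcache copy for the repair: FCopy restored beep.sys from dllcache, and the Sigcheck section then flagged that dllcache copy `[-]` with a 2009-08-16 timestamp, so the "backup" was itself untrusted. The script below is an added example, not ComboFix's Sigcheck/FCopy and not part of the helper's instructions; it compares each protected driver against a trusted hash baseline first and only then decides whether the dllcache copy is safe to restore from. The file contents, the baseline and the temporary directory standing in for `d:\windows\system32` are all constructed for the demo, and it uses SHA-256 where the log's Sigcheck prints MD5.

```python
r"""Check protected drivers against a trusted hash baseline, not just
against the dllcache copy.  Added example (not ComboFix's Sigcheck/FCopy
and not the helper's instructions).  File contents and the baseline are
constructed for the demo; a temporary directory stands in for
d:\windows\system32."""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for driver bytes.  A real baseline comes from
# install media or a known-good image of the same service pack level.
CLEAN = {
    "beep.sys": b"MZ clean beep driver",
    "ntfs.sys": b"MZ clean ntfs driver",
    "kmixer.sys": b"MZ clean kmixer driver",
    "srv.sys": b"MZ clean srv driver",
}
PATCHED = b"MZ driver with downloader stub appended"  # constructed


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_driver(system32, name, good_hash):
    r"""Verdict for one protected file.
    ok                - drivers\ copy matches the trusted baseline
    missing           - drivers\ copy absent (the log's 'is missing !!')
    restorable        - drivers\ copy tampered, dllcache\ copy is good
    both_replaced     - drivers\ and dllcache\ agree with each other but
                        not with the baseline: restoring re-infects
    replaced_no_cache - drivers\ copy tampered, no dllcache\ copy at all
    both_unknown      - both copies differ from baseline and each other
    """
    live = system32 / "drivers" / name
    cache = system32 / "dllcache" / name
    if not live.exists():
        return "missing"
    live_hash = sha256_of(live)
    if live_hash == good_hash:
        return "ok"
    if not cache.exists():
        return "replaced_no_cache"
    cache_hash = sha256_of(cache)
    if cache_hash == good_hash:
        return "restorable"
    if cache_hash == live_hash:
        return "both_replaced"
    return "both_unknown"


def check_all(system32, baseline):
    return {name: check_driver(system32, name, h) for name, h in sorted(baseline.items())}


def build_demo_tree(root):
    """Lay out a constructed system32 tree mirroring the cases in the log."""
    drivers, cache = root / "drivers", root / "dllcache"
    drivers.mkdir(parents=True)
    cache.mkdir()
    # beep.sys: both copies replaced, like the dllcache copy the log's
    # Sigcheck flags [-] after FCopy had already used it for the restore
    (drivers / "beep.sys").write_bytes(PATCHED)
    (cache / "beep.sys").write_bytes(PATCHED)
    # ntfs.sys: both copies clean
    (drivers / "ntfs.sys").write_bytes(CLEAN["ntfs.sys"])
    (cache / "ntfs.sys").write_bytes(CLEAN["ntfs.sys"])
    # kmixer.sys: live copy tampered, cache still good -> FCopy would fix it
    (drivers / "kmixer.sys").write_bytes(PATCHED)
    (cache / "kmixer.sys").write_bytes(CLEAN["kmixer.sys"])
    # srv.sys: live copy deleted, cache clean
    (cache / "srv.sys").write_bytes(CLEAN["srv.sys"])


def demo():
    baseline = {n: hashlib.sha256(b).hexdigest() for n, b in CLEAN.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return check_all(root, baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The point of the `both_replaced` verdict is the beep.sys case from the log: two copies that agree with each other prove nothing when the attacker wrote both, so a restore must be checked against something the infected machine could not have altered.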

#15
jjplan
    Member
  • Topic Starter
  • 28 posts
Hello, Rorschach112.

Thank you very much for taking care of my case. :)
Now I am posting the 3 more logs that you said you needed.

================(VirSCAN log)==================
VirSCAN.org Scanned Report :
Scanned time : 2009/06/05 13:31:50 (JST)
Scanner results: 79% Scanner(30/38) found malware!
File Name : 1.html
File Size : 4037 byte
File Type : Sendmail frozen configuration - version body bgcolor=
MD5 : 4a2514195555a43458b4e087d29124be
SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c
Online report : http://virscan.org/r...5aa9dfd4d2.html

Scanner      Engine Ver       Sig Ver           Sig Date    Time  Scan result
a-squared    4.0.0.32         20090604013225    2009-06-04  2.05  Virus.Win32.Killmbr.D!IK
AhnLab V3    2009.06.05.00    2009.06.05        2009-06-05  0.74  Win-Trojan/Dialer.712704.B
AntiVir      8.2.0.180        7.1.4.59          2009-06-04  0.55  KIT/GhostDial.1
Antiy        2.0.18           20090604.2498051  2009-06-04  0.15  Trojan/Win32.Dialer.gvg
Arcavir      2009             200906041608      2009-06-04  0.39  Dialer.Bib
Authentium   5.1.1            200906041652      2009-06-04  1.18  W32/Trojan2.DOJN (Exact)
AVAST!       4.7.4            090604-0          2009-06-04  0.05  Win32:Dialer-1314 [Trj]
AVG          8.5.286          270.12.53/2155    2009-06-05  0.37  Dialer.KNV
BitDefender  7.81008.3335505  7.25811           2009-06-05  0.75  Trojan.Generic.1004008
CA (VET)     9.0.0.143        31.6.6539         2009-06-05  9.17  -
ClamAV       0.95.1           9421              2009-06-05  0.18  Dialer-3765
Comodo       3.9              1259              2009-06-04  0.74  ApplicUnwnt.Win32.PornTool.Agent.fi
CP Secure    1.1.0.715        2009.06.03        2009-06-03  9.97  -
Dr.Web       4.44.0.9170      2009.06.05        2009-06-05  4.85  BackDoor.Pigeon.12989
F-Prot       4.4.4.56         20090604          2009-06-04  1.15  W32/Trojan2.DOJN (exact)
F-Secure     5.51.6100        2009.06.05.03     2009-06-05  5.79  -
Fortinet     2.81-3.117       10.466            2009-06-04  0.35  Suspicious
GData        19.5615/19.353   20090605          2009-06-05  4.39  Win32:Dialer-1313 [Trj] [Engine:B]
ViRobot      20090604         2009.06.04        2009-06-04  0.42  -
Ikarus       T3.1.01.57       2009.06.03.72814  2009-06-03  3.11  Virus.Win32.Killmbr.D
JiangMin     11.0.706         2009.06.03        2009-06-03  2.07  Trojan/Dialer.gnc
Kaspersky    5.5.10           2009.06.05        2009-06-05  0.08  not-a-virus:Porn-Dialer.Win32.Agent.fi
KingSoft     2009.2.5.15      2009.6.4.21       2009-06-04  0.51  Win32.Hack.ReSSDT.c.716800
McAfee       5.3.00           5636              2009-06-04  2.97  BackDoor-DSQ
Microsoft    1.4701           2009.06.04        2009-06-04  4.29  Backdoor:Win32/Farfli.J
mks_vir      2.01             2009.06.05        2009-06-05  3.35  -
Norman       6.01.05          6.01.00           2009-06-02  4.01  W32/Dialer.DHRP
Panda        9.05.01          2009.06.04        2009-06-04  1.86  -
Trend Micro  8.700-1004       6.170.08          2009-06-04  0.06  TROJ_DIAL.RHB
Quick Heal   10.00            2009.06.05        2009-06-05  1.37  -
Rising       20.0             21.32.34.00       2009-06-04  0.99  Backdoor.Win32.Drwolf.axh
Sophos       2.87.1           4.42              2009-06-05  2.44  Mal/Whybo-A
Sunbelt      5170             5170              2009-06-04  0.94  Porn-Dialer.Win32.Agent.fi
Symantec     1.3.0.24         20090604.002      2009-06-04  0.06  -
nProtect     20090604.01      4070376           2009-06-04  5.23  Trojan/W32.Dialer.712704
The Hacker   6.3.4.3          v00340            2009-06-04  0.63  Trojan/Dialer.Agent.fi
VBA32        3.12.10.6        20090604.1412     2009-06-04  1.96  Porn-Dialer.Win32.Agent.fi
VirusBuster  4.5.11.10        10.107.2/1575686  2009-06-04  1.90  Dialer.Agent.IFEU