can someone check over this?

schatten789

New Member
AVG has come up 3 times now with a threat.

Threat name: Trojan horse BackDoor.Delf.BVF
Detected on open.

Process Name: C:\WINDOWS\System32\svchost.exe

I tell it to move to vault but it comes back. If I look at processes in the Task Manager there are some weird things running, like things called "CCC.exe" and "MOM.exe", and there are 5 "svchost.exe" running.


I have a HijackThis log, so if anybody could tell me if they see anything, that would be great.


The HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:16 PM, on 9/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 4619 bytes
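The number of svchost.exe instances the poster counts is not by itself a signal: on XP each instance normally hosts a group of services, and what matters is the full path the process runs from (a real svchost.exe lives only in %WINDIR%\system32) and, on the live machine, which services it hosts. The following Python script is an added example, not code from this thread or from any of the tools mentioned in it. It runs two triage checks over a HijackThis-style log: core Windows binaries running from a directory other than their own, and O4 Run-key entries that name a bare executable with no directory (the log above has three: P17Helper, CTHelper and SetDefaultMIDI). The sample log lines are constructed for the example; the svchost.exe under C:\WINDOWS and the lsass.exe under a Temp folder are hypothetical entries included to exercise the check and do not appear in the posted logs.

```python
"""Triage checks for a HijackThis-style log (added example, not from the original thread)."""
import re
from pathlib import PureWindowsPath

# Binaries that legitimately run only from %WINDIR%\system32 (explorer.exe from %WINDIR%).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "smss.exe", "csrss.exe", "spoolsv.exe"}
WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"

# Constructed sample in HijackThis format. The O4 lines and the first three process
# lines mirror the posted log; the svchost.exe under C:\WINDOWS and the lsass.exe
# under Temp are hypothetical and do NOT appear on the poster's machine.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
C:\Documents and Settings\Garet\Local Settings\Temp\lsass.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
"""


def parse_processes(log):
    """Return the paths listed under 'Running processes:' (the block ends at the first blank line)."""
    paths, in_block = [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def misplaced_system_binaries(paths):
    """Flag core Windows binaries running from anywhere other than their real directory.
    Several svchost.exe instances are normal; one running from the wrong folder is not."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        parent = str(wp.parent).lower()
        if name in SYSTEM32_ONLY and parent != SYSTEM32:
            hits.append(p)
        elif name == "explorer.exe" and parent != WINDIR:
            hits.append(p)
    return hits


# O4 - HKLM\..\Run: [Name] command line
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def unqualified_run_entries(log):
    """Flag Run-key commands whose executable is a bare file name with no directory,
    so the binary is located by search order at logon instead of being pinned to a path."""
    hits = []
    for line in log.splitlines():
        m = O4_RUN.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        # Quoted commands: take the quoted path; otherwise the first whitespace-delimited token.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe:
            hits.append((m.group("name"), exe))
    return hits


if __name__ == "__main__":
    for p in misplaced_system_binaries(parse_processes(SAMPLE_LOG)):
        print("system binary outside its home directory:", p)
    for name, exe in unqualified_run_entries(SAMPLE_LOG):
        print("Run entry with unqualified executable:", name, "->", exe)
```

On the live machine the same check is done by looking at each svchost.exe's image path and hosted services in Sysinternals Process Explorer (the PROCEXP90 service in the ComboFix log further down is the driver that tool loads); an unqualified Run entry is resolved at logon, so the full path of the file actually loaded is what to verify, not the name.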
 
Hello,

Download and run ComboFix.
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens, we want to know, and also which process you had to end.

In your reply:
  • Post the ComboFix log
  • Post a fresh HijackThis log

Thank you
 
ComboFix


ComboFix 08-09-01.01 - Garet 2008-09-01 16:30:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2341 [GMT -5:00]
Running from: C:\Documents and Settings\Garet\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\#SharedObjects\LGYDMTU5\bin.clearspring.com
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\#SharedObjects\LGYDMTU5\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\#SharedObjects\LGYDMTU5\interclick.com
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\#SharedObjects\LGYDMTU5\interclick.com\ud.sol
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\#SharedObjects\LGYDMTU5\static.youku.com
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\#SharedObjects\LGYDMTU5\static.youku.com\v1.0.0277\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\#SharedObjects\LGYDMTU5\static.youku.com\v1.0.0279\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\#SharedObjects\LGYDMTU5\static.youku.com\v1.0.0284\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\#SharedObjects\LGYDMTU5\static.youku.com\v1.0.0314\v\swf\qplayer.swf\qplayer.sol
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Garet\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Documents and Settings\Garet\Cookies\[email protected][2].txt

.
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.

2008-08-22 08:50 . 2008-08-22 08:45 720,896 --a------ C:\WINDOWS\iun6002ev.exe
2008-08-18 20:38 . 2008-08-18 20:38 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-18 20:38 . 2008-08-18 20:38 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-18 20:38 . 2008-08-18 20:38 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-18 20:38 . 2008-08-18 20:38 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-18 20:36 . 2008-08-18 20:36 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-18 20:27 . 2008-04-13 19:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-08-12 22:42 . 2008-08-12 22:42 <DIR> d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Xfire
2008-08-12 22:38 . 2008-08-12 23:22 <DIR> d-------- C:\Documents and Settings\Garet\Application Data\Xfire
2008-08-12 19:45 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-12 17:08 . 2008-08-12 17:08 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-08-04 00:15 . 2008-08-05 20:44 <DIR> d-------- C:\Program Files\Nitto 1320 Legends

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-30 15:53 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-27 01:39 --------- d-----w C:\Documents and Settings\Garet\Application Data\uTorrent
2008-08-22 14:02 --------- d-----w C:\Program Files\San Andreas Mod Installer
2008-08-22 13:26 --------- d-----w C:\Program Files\Rockstar Games
2008-08-13 03:40 --------- d-s---w C:\Program Files\Xfire
2008-07-28 05:46 --------- d-----w C:\Documents and Settings\Garet\Application Data\LimeWire
2008-07-28 04:48 --------- d-----w C:\Program Files\LimeWire
2008-07-25 19:05 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Test Drive Unlimited
2008-07-22 17:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-22 17:30 --------- d-----w C:\Documents and Settings\Blake.GARETT\Application Data\InstallShield
2008-07-22 17:01 --------- d-----w C:\Documents and Settings\Blake.GARETT\Application Data\DAEMON Tools
2008-07-22 16:59 --------- d-----w C:\Program Files\Red Storm Entertainment
2008-07-18 03:55 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-07-18 03:55 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-07-18 03:55 --------- d-----w C:\Program Files\Creative
2008-07-18 03:55 --------- d-----w C:\Documents and Settings\Garet\Application Data\Creative
2008-07-18 03:50 --------- d-----w C:\Program Files\Spyware Doctor
2008-07-17 23:23 --------- d-----w C:\Program Files\Steam
2008-07-16 08:04 --------- d-----w C:\Program Files\The GodFather
2008-07-15 23:13 --------- d-----w C:\Program Files\WMA To MP3 Encoder
2008-07-15 23:10 --------- d-----w C:\Program Files\Free WMA to MP3 Converter
2008-07-15 18:02 --------- d-----w C:\Program Files\TagRename
2008-07-15 07:41 --------- d-----w C:\Program Files\Mp3tag
2008-07-15 07:41 --------- d-----w C:\Documents and Settings\Garet\Application Data\Mp3tag
2008-07-15 01:52 --------- d-----w C:\Documents and Settings\Garet\Application Data\Apple Computer
2008-07-13 17:08 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\NOS
2008-07-13 05:41 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-13 05:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-11 22:50 --------- d-----w C:\Documents and Settings\Garet\Application Data\Nucleus Kernel BKF
2008-07-10 18:37 --------- d-----w C:\Program Files\Kernel for BKF Evaluation Version
2008-07-08 07:16 151,552 ----a-w C:\WINDOWS\system32\nvRegDev.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 15:37 189,464 ----a-w C:\WINDOWS\system32\drivers\haP17v2k.sys
2008-07-07 15:37 15,896 ----a-w C:\WINDOWS\system32\drivers\pfmodnt.sys
2008-07-07 15:36 797,720 ----a-w C:\WINDOWS\system32\drivers\ha10kx2k.sys
2008-07-07 15:36 162,840 ----a-w C:\WINDOWS\system32\drivers\haP16v2k.sys
2008-07-07 15:35 92,696 ----a-w C:\WINDOWS\system32\drivers\emupia2k.sys
2008-07-07 15:34 157,208 ----a-w C:\WINDOWS\system32\drivers\ctsfm2k.sys
2008-07-07 15:33 14,360 ----a-w C:\WINDOWS\system32\drivers\ctprxy2k.sys
2008-07-07 15:33 127,512 ----a-w C:\WINDOWS\system32\drivers\ctoss2k.sys
2008-07-07 15:32 18,840 ----a-w C:\WINDOWS\system32\drivers\CTGAME.SYS
2008-07-07 15:32 1,395,992 ----a-w C:\WINDOWS\system32\drivers\CTMMFILT.SYS
2008-07-07 15:31 532,376 ----a-w C:\WINDOWS\system32\drivers\ctaud2k.sys
2008-07-07 15:31 347,080 ----a-w C:\WINDOWS\system32\drivers\ctdvda2k.sys
2008-07-07 15:29 511,000 ----a-w C:\WINDOWS\system32\drivers\ctac32k.sys
2008-07-07 15:29 1,366,424 ----a-w C:\WINDOWS\system32\drivers\CT0531FL.SYS
2008-07-06 06:08 --------- d-----w C:\Documents and Settings\Blake.GARETT\Application Data\vlc
2008-07-03 05:08 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-03 05:08 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-02 22:10 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-02 22:10 --------- d-----w C:\Documents and Settings\Garet\Application Data\DAEMON Tools
2008-06-27 22:27 86,016 ----a-w C:\WINDOWS\system32\ctcoinst.dll
2008-06-27 22:27 43,520 ----a-w C:\WINDOWS\system32\CTBurst.dll
2008-06-27 22:27 181,248 ----a-w C:\WINDOWS\system32\ctdvinst.dll
2008-06-27 22:27 11,776 ----a-w C:\WINDOWS\system32\inres.dll
2008-06-27 22:27 11,776 ----a-w C:\WINDOWS\INRES.DLL
2008-06-27 22:26 10,752 ----a-w C:\WINDOWS\system32\a3d.dll
2008-06-27 22:25 38,400 ----a-w C:\WINDOWS\system32\readreg.exe
2008-06-27 22:25 37,888 ----a-w C:\WINDOWS\system32\psconv.exe
2008-06-27 22:25 11,776 ----a-w C:\WINDOWS\system32\ac3api.dll
2008-06-27 22:08 196,096 ----a-w C:\WINDOWS\system32\ctemupia.dll
2008-06-27 22:05 49,152 ----a-w C:\WINDOWS\system32\ctdproxy.dll
2008-06-27 22:05 46,592 ----a-w C:\WINDOWS\system32\ctasio.dll
2008-06-27 22:05 176,128 ----a-w C:\WINDOWS\system32\ct_oal.dll
2008-06-27 22:04 69,632 ----a-w C:\WINDOWS\system32\ctosuser.dll
2008-06-27 22:04 6,144 ----a-w C:\WINDOWS\system32\sfman32.dll
2008-06-27 22:04 125,952 ----a-w C:\WINDOWS\system32\sfms32.dll
2008-06-27 22:03 64,512 ----a-w C:\WINDOWS\system32\piaproxy.dll
2008-06-27 22:03 13,312 ----a-w C:\WINDOWS\system32\regplib.exe
2008-06-27 21:59 5,120 ----a-w C:\WINDOWS\system32\enlocstr.exe
2008-06-27 21:59 33,792 ----a-w C:\WINDOWS\system32\devreg.dll
2008-06-27 21:59 28,672 ----a-w C:\WINDOWS\system32\MIDIDEF.EXE
2008-06-27 21:59 10,240 ----a-w C:\WINDOWS\system32\killapps.exe
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-06 16:59 592,413 ----a-w C:\WINDOWS\system32\APOIM32.exe
2007-11-18 06:00 24,192 ----a-w C:\Documents and Settings\G\usbsermptxp.sys
2007-11-18 06:00 22,768 ----a-w C:\Documents and Settings\G\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 15:21 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"SetDefaultMIDI"="MIDIDef.exe" [2008-06-27 16:59 28672 C:\WINDOWS\system32\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WUSB54Gv2"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 11:19 24576]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 10:53 1235736]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"P17Helper"="P17.dll" [2005-05-03 21:38 64512 C:\WINDOWS\system32\P17.dll]
"CTHelper"="CTHELPER.EXE" [2008-06-27 17:24 19456 C:\WINDOWS\system32\CtHelper.exe]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\Garet\\Desktop\\[PC] Test Drive Unlimited [PROPER] [RIP] [dopeman]\\TDU\\TestDriveUnlimited.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\Garet\\Desktop\\New Folder\\EveryThing\\W17 lfs\\LFS.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 10:53]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 10:53]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 10:53]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 00:08]
R3 COMMONFX.SYS;COMMONFX.SYS;C:\WINDOWS\system32\drivers\COMMONFX.SYS [2008-06-27 19:21]
R3 CTAUDFX.SYS;CTAUDFX.SYS;C:\WINDOWS\system32\drivers\CTAUDFX.SYS [2008-06-27 19:21]
R3 CTSBLFX.SYS;CTSBLFX.SYS;C:\WINDOWS\system32\drivers\CTSBLFX.SYS [2008-06-27 19:21]
S2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys []
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 17:31]
S3 COMMONFX;COMMONFX;C:\WINDOWS\system32\drivers\COMMONFX.SYS [2008-06-27 19:21]
S3 CTAUDFX;CTAUDFX;C:\WINDOWS\system32\drivers\CTAUDFX.SYS [2008-06-27 19:21]
S3 CTERFXFX.SYS;CTERFXFX.SYS;C:\WINDOWS\system32\drivers\CTERFXFX.SYS [2008-06-27 19:21]
S3 CTERFXFX;CTERFXFX;C:\WINDOWS\system32\drivers\CTERFXFX.SYS [2008-06-27 19:21]
S3 CTSBLFX;CTSBLFX;C:\WINDOWS\system32\drivers\CTSBLFX.SYS [2008-06-27 19:21]

*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Garet\Application Data\Mozilla\Firefox\Profiles\1gqlva81.default\
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 16:34:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-01 16:36:58
ComboFix-quarantined-files.txt 2008-09-01 21:36:56
ComboFix2.txt 2007-11-29 22:44:26

Pre-Run: 140,036,268,032 bytes free
Post-Run: 141,162,582,016 bytes free

199 --- E O F --- 2008-08-25 03:00:47





HijackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:53 PM, on 9/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 4283 bytes
 
Got rid of a few things; please do the following:

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 