Keep getting infected!!!!

johnb35

Administrator
Staff member
Will somebody please take a look at the ComboFix log and HijackThis log. I've had to run ComboFix every day for the past few days to get cleaned up, but every time I shut the computer down and turn it back on the next day, I'm reinfected again. Not sure what's going on... here are the logs...


ComboFix 08-07-14.2 - John 2008-07-15 12:06:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2335 [GMT -5:00]
Running from: C:\Download\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cpgihiee.ini
C:\WINDOWS\system32\eeihigpc.dll
C:\WINDOWS\system32\JlVGNqss.ini
C:\WINDOWS\system32\JlVGNqss.ini2
C:\WINDOWS\system32\khfDtULD.dll
C:\WINDOWS\system32\mjkuyj.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ssqNGVlJ.dll
C:\WINDOWS\system32\tktjhxpw.dll
C:\WINDOWS\system32\wutfixrk.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.

2008-07-15 11:48 . 2008-07-15 11:48 110,419 --a------ C:\WINDOWS\BMdf08443b.xml
2008-07-15 11:42 . 2008-07-15 11:42 <DIR> d-------- C:\WINDOWS\system32\olixds18
2008-07-15 11:42 . 2008-07-15 11:42 <DIR> d-------- C:\Temp\stmpv4
2008-07-14 17:49 . 2008-07-14 17:49 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-07-14 17:49 . 2008-07-14 17:49 <DIR> d-------- C:\WINDOWS\system32\ENU
2008-07-14 17:49 . 2008-07-14 17:49 <DIR> d-------- C:\Intel
2008-07-14 17:49 . 2008-07-14 17:49 <DIR> d-------- C:\Documents and Settings\John\Application Data\InstallShield
2008-07-14 17:49 . 2008-05-23 15:26 1,034,776 --a------ C:\WINDOWS\system32\imsmudlg.exe
2008-07-14 17:49 . 2006-11-10 09:25 319,456 --a------ C:\WINDOWS\system32\difxapi.dll
2008-07-13 18:12 . 2008-07-13 18:28 <DIR> d-------- C:\Program Files\MagicISO
2008-07-06 18:50 . 2008-07-06 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-07-06 11:55 . 2008-07-06 11:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-06 11:55 . 2008-07-06 11:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-06 11:55 . 2008-07-06 11:55 <DIR> d-------- C:\Documents and Settings\John\Application Data\SUPERAntiSpyware.com
2008-07-06 11:55 . 2008-07-06 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-05 07:32 . 2008-07-05 07:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-07-05 07:32 . 2008-07-05 07:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Acronis
2008-07-05 07:32 . 2008-07-09 19:15 <DIR> d-------- C:\Documents and Settings\John\Application Data\Roxio
2008-07-05 07:31 . 2008-07-05 07:32 <DIR> d-------- C:\Program Files\InterActual
2008-07-04 20:42 . 2008-07-04 20:42 <DIR> d-------- C:\Program Files\Slingo Quest
2008-07-04 20:42 . 2008-07-04 20:42 <DIR> d-------- C:\Documents and Settings\John\Application Data\funkitron
2008-07-04 20:42 . 2008-07-04 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-07-04 20:39 . 2008-07-05 07:31 <DIR> d-------- C:\WINDOWS\system32\DLA
2008-07-04 20:39 . 2008-07-04 20:39 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-07-04 20:39 . 2008-07-04 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-04 20:39 . 2006-08-08 09:18 92,920 --a------ C:\WINDOWS\DLA.EXE
2008-07-04 20:39 . 2006-08-08 09:18 56,056 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL
2008-07-04 20:39 . 2006-08-01 19:46 51,800 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2008-07-04 20:39 . 2006-08-01 20:06 28,216 --a------ C:\WINDOWS\system32\drivers\DLARTL_M.SYS
2008-07-04 20:39 . 2006-08-01 20:06 12,952 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2008-07-04 20:39 . 2008-07-04 20:39 165 --a------ C:\WINDOWS\wininit.ini
2008-07-04 20:38 . 2008-07-04 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-07-04 20:36 . 2008-07-04 20:39 <DIR> d-------- C:\Program Files\Roxio
2008-07-04 20:36 . 2008-07-04 20:39 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-07-04 20:36 . 2008-07-04 20:37 <DIR> d-------- C:\Program Files\Common Files\SightSpeed
2008-07-04 20:36 . 2008-07-04 20:37 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-04 20:36 . 2008-07-04 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-04 20:33 . 2008-07-04 20:33 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-07-04 20:22 . 2008-07-04 20:22 <DIR> d-------- C:\Documents and Settings\John\Application Data\Ashampoo
2008-07-04 20:21 . 2008-07-04 20:21 <DIR> d-------- C:\Program Files\Ashampoo
2008-07-04 20:21 . 2008-07-04 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ashampoo
2008-07-04 20:08 . 2008-07-04 20:08 <DIR> d-------- C:\Program Files\PowerISO
2008-07-04 20:00 . 2008-07-04 20:00 <DIR> d-------- C:\Program Files\PowerQuest
2008-07-04 19:52 . 2008-07-04 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-07-04 19:52 . 2008-07-04 19:52 441,760 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2008-07-04 19:52 . 2008-07-04 19:52 44,384 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-07-04 19:51 . 2008-07-04 19:51 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-07-04 19:51 . 2008-07-04 19:51 <DIR> d-------- C:\Program Files\Acronis
2008-07-04 19:51 . 2008-07-04 19:51 368,544 --a------ C:\WINDOWS\system32\drivers\tdrpman.sys
2008-07-04 19:51 . 2008-07-04 19:51 129,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-07-04 19:48 . 2008-07-04 19:48 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-04 19:48 . 2008-07-15 11:51 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-04 19:30 . 2008-07-04 19:33 <DIR> d-------- C:\Program Files\NeoSmart Technologies
2008-07-03 14:51 . 2008-07-03 14:51 319 --a------ C:\WINDOWS\game.ini
2008-07-03 14:38 . 2008-07-03 14:38 <DIR> d-------- C:\Program Files\Activision
2008-07-03 14:37 . 2008-07-03 14:37 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-01 19:24 . 2008-07-01 19:24 <DIR> d-------- C:\WINDOWS\ShellNew
2008-07-01 19:24 . 2008-07-01 19:24 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-07-01 19:24 . 2008-07-01 19:24 376 --a------ C:\WINDOWS\ODBC.INI
2008-06-28 07:47 . 2008-06-28 07:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-28 07:47 . 2008-06-28 07:47 <DIR> d-------- C:\Documents and Settings\John\Application Data\Malwarebytes
2008-06-28 07:47 . 2008-06-28 07:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-28 07:47 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-28 07:47 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-28 07:46 . 2008-06-28 07:46 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-27 13:31 . 2008-06-27 13:31 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-24 09:30 . 2008-06-24 09:35 <DIR> d-------- C:\New Folder
2008-06-24 09:13 . 2008-06-24 09:48 <DIR> d-------- C:\Program Files\nLite
2008-06-24 09:13 . 2008-06-24 09:27 <DIR> d-------- C:\new xp with sata
2008-06-24 09:07 . 2008-06-24 09:07 <DIR> d-------- C:\cabs
2008-06-24 08:24 . 2008-07-15 11:43 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-24 08:24 . 2008-06-24 08:24 <DIR> d-------- C:\Program Files\AVG
2008-06-24 08:24 . 2008-07-03 11:29 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-24 08:24 . 2008-07-03 11:29 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-24 08:24 . 2008-07-03 11:29 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-23 20:58 . 2008-06-23 20:58 <DIR> d-------- C:\Program Files\Hasbro Interactive
2008-06-23 18:44 . 2008-06-24 08:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-23 18:28 . 2008-06-23 18:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-22 17:13 . 2008-06-24 09:19 <DIR> d-------- C:\Documents and Settings\John\Application Data\Ahead
2008-06-22 17:12 . 2008-06-22 17:12 <DIR> d-------- C:\Program Files\Nero
2008-06-22 17:12 . 2008-06-22 17:13 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-22 17:03 . 2008-07-14 17:53 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-06-22 16:59 . 2008-06-22 16:59 <DIR> d-------- C:\Documents and Settings\John\Application Data\Nero
2008-06-22 16:58 . 2008-06-22 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-06-22 10:24 . 2008-06-22 10:24 <DIR> d-------- C:\Program Files\AC3Filter
2008-06-21 13:54 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-06-21 13:54 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-06-19 16:07 . 2008-06-19 16:07 <DIR> d-------- C:\Documents and Settings\John\Application Data\DivX
2008-06-19 14:46 . 2008-07-04 20:36 <DIR> d-------- C:\Program Files\DivX
2008-06-18 16:47 . 2008-06-18 16:47 <DIR> d-------- C:\Program Files\BearShare
2008-06-18 16:47 . 2008-07-13 19:33 <DIR> d-------- C:\My Downloads
2008-06-18 16:26 . 2008-06-18 16:26 <DIR> d-------- C:\Program Files\uTorrent
2008-06-18 16:26 . 2008-07-13 19:31 <DIR> d-------- C:\Documents and Settings\John\Application Data\uTorrent
2008-06-15 13:05 . 2008-07-15 12:06 <DIR> d--hs---- C:\Boot
2008-06-15 13:05 . 2006-11-02 04:53 438,840 -rahs---- C:\bootmgr
2008-06-15 13:05 . 2008-06-15 13:05 8,192 -ra-s---- C:\BOOTSECT.BAK
2008-06-15 12:04 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-15 11:42 . 2008-06-15 11:42 <DIR> d--hs---- C:\$RECYCLE.BIN
2008-06-15 11:38 . 2007-03-17 06:41 171,136 -rahs---- C:\grldr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-14 22:49 --------- d-----w C:\Program Files\Intel
2008-07-05 01:37 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-14 16:48 --------- d-----w C:\Documents and Settings\John\Application Data\CyberLink
2008-06-14 16:47 --------- d-----w C:\Program Files\CyberLink
2008-06-14 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-14 15:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-14 15:27 --------- d-----w C:\Program Files\Yahoo!
2008-06-14 15:27 --------- d-----w C:\Program Files\Google
2008-06-14 15:25 --------- d-----w C:\Program Files\Java
2008-06-14 15:25 --------- d-----w C:\Program Files\Common Files\Java
2008-06-14 15:21 --------- d-----w C:\Documents and Settings\John\Application Data\Yahoo!
2008-06-14 15:12 --------- d-----w C:\Program Files\Windows Live
2008-06-14 15:11 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-14 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-14 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-14 14:33 --------- d-----w C:\Program Files\Lexmark 3300 Series
2008-06-14 14:32 --------- d-----w C:\Program Files\Lexmark_3300 Series
2008-06-14 14:29 --------- d-----w C:\Program Files\Turtle Beach Catalina
2008-06-14 14:24 --------- d-----w C:\Program Files\Analog Devices
2008-06-14 14:23 --------- d-----w C:\Program Files\Attansic
2008-06-14 14:16 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-12 15:56 397,312 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-05-12 15:54 305,152 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-05-12 15:53 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-05-12 15:49 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2008-05-12 15:45 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-05-12 15:45 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-05-12 15:45 180,224 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-05-12 15:45 139,264 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-05-12 15:44 139,264 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-05-12 15:43 540,672 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-05-12 15:43 10,153,984 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-05-12 15:41 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-05-12 15:32 3,203,168 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-05-12 15:22 1,999,616 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-05-12 15:09 47,104 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-05-12 15:05 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-05-12 15:05 327,680 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-05-12 15:03 19,968 ----a-w C:\WINDOWS\system32\atiadlxx.dll
2008-05-12 15:03 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-05-12 15:02 241,664 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-05-12 14:57 548,864 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((( snapshot@2008-07-13_19.40.23.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-05-11 11:30:52 247,808 ----a-w C:\WINDOWS\system32\drivers\iaStor.sys
+ 2008-05-07 22:40:02 317,976 ----a-w C:\WINDOWS\system32\drivers\iaStor.sys
+ 2008-05-07 22:40:02 317,976 -c--a-w C:\WINDOWS\system32\DRVSTORE\iaStor_CC139235786C899A867B7B8BE7EF68C421622C6F\iaStor.sys
+ 2008-05-23 20:25:24 65,536 ----a-w C:\WINDOWS\system32\Lang\Storage\ENU\StorageENU.dll
+ 2006-05-11 11:30:52 247,808 ----a-w C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\iaStor.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxccmon.exe"="C:\Program Files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 06:21 192512]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 11:29 1232152]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-30 20:06 2595616]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-30 20:11 909208]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-30 20:07 140568]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 17:41 178712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
iReboot 1.1.0.lnk - C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe [2008-04-27 06:49:16 205312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2006-08-14 01:07 102400 C:\Program Files\Roxio\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EnvyHFCPL]
--a------ 2004-02-23 16:25 1757696 C:\Program Files\Turtle Beach Catalina\EnMixCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2006-06-05 09:06 188416 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-07-31 09:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-08-10 12:10 221184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2006-04-10 09:19 729088 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2006-05-01 05:07 843776 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-07-04 19:51]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 11:29]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 20:06]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-03 11:29]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 11:29]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 11:29]
R2 iReboot;iReboot Background Service;C:\Program Files\NeoSmart Technologies\iReboot\iRebootd.exe [2008-04-27 06:49]
R2 TryAndDecideService;Acronis Try And Decide Service;C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-10-30 20:51]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-27 23:28]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys [2004-02-26 15:40]

.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BMdf08443b - C:\WINDOWS\system32\wutfixrk.dll
HKLM-Run-dc3b77a7 - C:\WINDOWS\system32\eeihigpc.dll
MSConfigStartUp-Windows Logon Applicationedc - C:\Documents and Settings\John\winlogon.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 12:08:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-15 12:09:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 17:09:15
ComboFix2.txt 2008-07-14 22:25:48
ComboFix3.txt 2008-07-14 00:40:34

Pre-Run: 5,044,236,288 bytes free
Post-Run: 5,063,979,008 bytes free


Now HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:10 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\NeoSmart Technologies\iReboot\iRebootd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ati.com/
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: iReboot 1.1.0.lnk = C:\Program Files\NeoSmart Technologies\iReboot\iReboot.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1213455549375
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iReboot Background Service (iReboot) - Unknown owner - C:\Program Files\NeoSmart Technologies\iReboot\iRebootd.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 7436 bytes
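As an added example that is not part of the thread and not code from ComboFix or HijackThis, here is a small Python triage script encoding the checks a helper makes when reading these logs: randomised Run-key value names, Run entries whose target is a DLL, a core Windows binary living outside system32, suppressed Security Center warnings, and a populated AppInit_DLLs value. The sample lines are copied from the two logs above into a constructed block; the heuristics, thresholds and function names are the editor's own assumptions.

```python
"""Triage heuristics for ComboFix / HijackThis autostart lines (defender-side).

The checks encode what a malware-removal helper reads off logs like the ones
in this thread. Names and thresholds are the editor's own assumptions, not
anything the tools themselves define.
"""
import re
from typing import List, Tuple

# Core binaries that legitimately live only in %SystemRoot%\system32.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "csrss.exe", "smss.exe", "spoolsv.exe"}
SYSTEM32 = "c:\\windows\\system32"

PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]*?\.(?:exe|dll)', re.IGNORECASE)
ORPHAN_RE = re.compile(r'^(HKLM|HKCU)-Run-(\S+) - (.+)$')
# Eight or more letters/digits with at least three digits and no separators:
# a crude "looks machine-generated" test for Run value names.
RANDNAME_RE = re.compile(r'^(?=(?:.*\d){3})[A-Za-z0-9]{8,}$')
NOTIFY_RE = re.compile(r'^"(\w+DisableNotify)"=dword:0*1$')
APPINIT_RE = re.compile(r'AppInit_DLLs"?\s*[=:]\s*(\S+)')

# Constructed sample: lines copied from the ComboFix and HijackThis logs above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 11:29 1232152]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 17:41 178712]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
HKLM-Run-BMdf08443b - C:\WINDOWS\system32\wutfixrk.dll
HKLM-Run-dc3b77a7 - C:\WINDOWS\system32\eeihigpc.dll
MSConfigStartUp-Windows Logon Applicationedc - C:\Documents and Settings\John\winlogon.exe
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O20 - AppInit_DLLs: avgrsstx.dll
"""


def triage_line(line: str) -> List[str]:
    """Return human-readable findings for one log line (empty list if clean)."""
    findings: List[str] = []
    line = line.strip()

    orphan = ORPHAN_RE.match(line)
    if orphan:
        hive, name, target = orphan.groups()
        if RANDNAME_RE.match(name):
            findings.append(f"{hive} Run value '{name}' has a machine-generated name -> {target}")
        if target.lower().endswith(".dll"):
            # Run values normally launch an executable; a bare DLL target means
            # the payload was being loaded through a host process such as rundll32.
            findings.append(f"{hive} Run value '{name}' points at a DLL -> {target}")

    notify = NOTIFY_RE.match(line)
    if notify:
        findings.append(f"Security Center '{notify.group(1)}' is 1: warnings suppressed")

    appinit = APPINIT_RE.search(line)
    if appinit:
        findings.append(f"AppInit_DLLs is populated, review: {appinit.group(1)}")

    for path in PATH_RE.findall(line):
        folder, _, base = path.lower().rpartition("\\")
        if base in SYSTEM_BINARIES and folder != SYSTEM32:
            findings.append(f"'{base}' outside system32: {path}")
    return findings


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run triage_line over every line and return (line, finding) pairs."""
    results: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        for finding in triage_line(raw):
            results.append((raw.strip(), finding))
    return results


if __name__ == "__main__":
    for line, finding in triage_log(SAMPLE_LOG):
        print(f"{finding}\n    <- {line}")
```

Run against the sample it flags exactly the entries the helper's CFScript and the ORPHANS REMOVED section address, and leaves the AVG, Intel and Lexmark autostarts alone.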
 
OK, please do the following:

Download and Run DSS:

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.
 
That program errors on the following file: ntdll.dll. Then the program closes. Any reason why it would do that?
 
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\BMdf08443b.xml
    
    Folder::
    C:\WINDOWS\system32\olixds18
    C:\Temp
  • Save this as CFScript.txt, change the Save as type to All Files, and place it on your desktop.

    [screenshot: CFScript.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 