Urgent Help Needed!

Status
Not open for further replies.
reboot windows in normal mode...and double click and run combofix from your desktop.
 
I don't think it's working. I'm following the instructions on Bleepingcomputer, dragging the boot disk over it, but it still won't run. Bollocks!
 
Right. It's taken me fucking ages to get back in again! I've had to come back in Safe Mode cos before it would get to Desktop, work for about 60 seconds then just freeze me out.
I'm downloading the French thing now.
 
Here's the Report from the scan:

SmitFraudFix v2.365

Scan done at 2:38:44.09, 20/10/2008
Run from C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\windows\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\ctfmon.exe
C:\windows\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\windows

C:\windows\karna.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\windows\system32

C:\windows\system32\brastk.exe FOUND !
C:\windows\system32\karna.dat FOUND !
C:\windows\system32\_scui.cpl FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\COMPAQ~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="karna.dat"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK

C:\windows\system32\drivers\beep.sys infected !


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 16.92.3.242
DNS Server Search Order: 16.92.3.243
DNS Server Search Order: 16.81.3.243
DNS Server Search Order: 16.118.3.243

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{01C79DFE-6A25-48C0-B0C4-B8881E914877}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Btw you can download and install the network installation of SP3 if your system doesn't already have it. Obviously don't do it yet, but it can be installed in Safe Mode if you have problems trying to install it later.
 
It will help later, obviously though you've got to stabilise your system enough to be able to run it.
 
Oh fuck YAAAAA!! If you got smit to run... we are in the home stretch. We will need to download AVG or avast to clean up the remnants... but we did it!

Stryder.. I want at least 2 gold stars attached next to my name for helping a fellow board member on a Sunday instead of power-leveling my cleric :).. ya know.. just in case I ever do anything ban worthy :)

I've got your back. In honesty we need a decent support section here anyway. Maybe one day something will get put together.

As for your lvl 43 Cleric, I usually get to that level and decide I can't be arsed to powerlevel to 50, it's just too much aggro hehe.
 
Right. Back in normal mode. Got Combo to do its thing. All seems okay... for now...
What should I do now? Am I really vulnerable at the mo? The red cross thing is still there and--- hang on! Norton's back! And I uninstalled it twice!!!
It's telling me there's a problem and it's off to sort it out.
NOW I'm confused...!
 
Here's the Combo report:

ComboFix 08-10-19.03 - Compaq_Owner 2008-10-20 3:09:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.60 [GMT 1:00]

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section not completed

((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.

2008-10-20 02:50 . 2008-10-16 19:00 <DIR> d-------- C:\32788R22FWJFW
2008-10-20 02:38 . 2008-10-20 02:41 4,098 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-19 22:53 . 2008-10-19 22:53 <DIR> d-------- C:\WINDOWS\55A6283C638A4EE0B49151118554BDA2.TMP
2008-10-19 19:55 . 2008-10-19 19:55 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Talkback
2008-10-19 19:55 . 2008-10-19 19:55 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-19 18:44 . 2008-10-19 18:44 <DIR> d-------- C:\Program Files\CCleaner
2008-10-19 18:12 . 2008-10-19 18:35 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-10-19 18:12 . 2008-10-19 18:12 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\PC Tools
2008-10-19 18:12 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-10-19 18:12 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-10-19 18:12 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-10-19 18:12 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-10-19 17:41 . 2008-10-20 00:14 <DIR> d-------- C:\Program Files\XP_AntiSpyware
2008-10-19 17:04 . 2008-10-19 17:21 <DIR> d-------- C:\Program Files\AntiMalware Pro
2008-10-19 17:04 . 2008-10-19 17:04 0 --a------ C:\WINDOWS\system32\MSVolume.dll
2008-10-19 16:56 . 2008-10-19 16:56 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SpywareRemover
2008-10-19 16:37 . 2008-10-19 16:37 19,899 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\bimasary.dat
2008-10-19 16:37 . 2008-10-19 16:37 19,642 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\zojaq.scr
2008-10-19 16:37 . 2008-10-19 16:37 19,555 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\zeny.scr
2008-10-19 16:37 . 2008-10-19 16:37 18,496 --a------ C:\WINDOWS\iloqige.exe
2008-10-19 16:37 . 2008-10-19 16:37 18,214 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\alifafeb.pif
2008-10-19 16:37 . 2008-10-19 16:37 17,022 --a------ C:\WINDOWS\pisopy._sy
2008-10-19 16:37 . 2008-10-19 16:37 14,047 --a------ C:\WINDOWS\system32\fahabudic.dl
2008-10-19 16:37 . 2008-10-19 16:37 13,993 --a------ C:\WINDOWS\icitapijut.vbs
2008-10-19 16:37 . 2008-10-19 16:37 13,524 --a------ C:\Program Files\Common Files\yfibagew.vbs
2008-10-19 16:37 . 2008-10-19 16:37 12,413 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\futu.dat
2008-10-19 16:37 . 2008-10-19 16:37 12,062 --a------ C:\Program Files\Common Files\dagufana.dll
2008-10-19 16:37 . 2008-10-19 16:37 10,778 --a------ C:\WINDOWS\ocanec.lib
2008-10-19 16:34 . 2008-10-20 02:53 71,710 --a------ C:\WINDOWS\system32\wini10802.exe
2008-10-19 16:29 . 2008-10-20 02:32 10,240 --a------ C:\WINDOWS\brastk.exe
2008-10-19 16:29 . 2007-08-21 08:00 1,536 --a------ C:\WINDOWS\system32\Delete_Me_Dummy_karna.dat
2008-10-19 16:27 . 2008-10-19 16:27 114 --a------ C:\WINDOWS\system32\delself.bat
2008-10-19 16:22 . 2008-10-19 16:22 77,824 --a------ C:\WINDOWS\system32\TDSSciou.dll
2008-10-19 16:22 . 2008-10-19 16:22 44,544 --a------ C:\WINDOWS\system32\av.dat
2008-10-19 16:22 . 2008-10-19 16:22 31,232 --a------ C:\WINDOWS\system32\TDSSlbqp.dll
2008-10-19 16:22 . 2008-10-19 16:22 29,696 --a------ C:\WINDOWS\system32\TDSSnrse.dll
2008-10-19 16:22 . 2008-10-19 16:22 12,288 --a------ C:\WINDOWS\system32\TDSSthym.dll
2008-10-19 16:22 . 2008-10-20 02:53 3,530 --a------ C:\WINDOWS\system32\TDSSfpmp.dll
2008-10-19 16:22 . 2008-10-19 16:22 164 --a------ C:\WINDOWS\system32\TDSSosvn.dat
2008-10-19 16:21 . 2008-10-19 16:22 36,864 --a------ C:\WINDOWS\system32\TDSSoiqh.dll
2008-10-19 09:42 . 2008-10-19 09:42 <DIR> d-------- C:\Documents and Settings\Christine Fleming\Application Data\Symantec
2008-10-18 10:35 . 2008-10-18 10:36 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\VideoEgg
2008-10-17 17:15 . 2008-10-17 17:15 24 --a------ C:\url_history.xml
2008-10-17 17:12 . 2008-10-17 17:12 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SecondLife
2008-10-17 12:27 . 2008-10-17 12:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-17 12:26 . 2008-09-25 14:27 905,216 --a------ C:\WINDOWS\system32\GearDrvs.msi
2008-10-17 11:16 . 2008-10-17 11:16 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-10-17 11:15 . 2008-10-19 22:52 <DIR> d-------- C:\Program Files\Norton 360
2008-10-17 11:12 . 2008-10-17 11:19 <DIR> d-------- C:\Program Files\Symantec
2008-10-17 11:12 . 2008-10-17 11:19 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-17 11:12 . 2008-10-17 11:19 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-10-17 11:12 . 2008-10-17 11:19 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-17 11:12 . 2008-10-17 11:19 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-17 10:58 . 2008-10-17 11:41 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Symantec
2008-10-16 23:25 . 2008-10-19 18:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-10-16 12:16 . 2008-10-19 17:03 <DIR> d-------- C:\Program Files\NoAdware
2008-10-16 10:35 . 2008-10-16 10:35 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\WinBatch
2008-10-16 03:08 . 2008-10-16 03:08 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-10-16 01:22 . 2008-10-16 12:42 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-15 19:29 . 2008-08-14 11:00 2,180,352 --a------ C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 19:29 . 2008-08-14 10:58 2,136,064 --a------ C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 19:29 . 2008-08-14 10:22 2,057,728 --a------ C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 19:29 . 2008-08-14 10:22 2,015,744 --a------ C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 19:17 . 2008-10-15 19:17 <DIR> d-------- C:\Program Files\AVG
2008-10-15 19:17 . 2008-10-17 12:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\avg8
2008-10-15 16:43 . 2008-06-13 14:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-10-15 16:43 . 2008-06-13 14:10 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-15 15:11 . 2008-10-16 00:54 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-10-15 15:00 . 2008-10-15 15:00 <DIR> d--hs---- C:\WINDOWS\system32\config\systemprofile\UserData
2008-10-15 14:42 . 2008-10-15 14:42 <DIR> d-------- C:\Program Files\PrivacyEraser Computing
2008-10-15 12:45 . 2008-10-16 17:04 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-10-15 12:37 . 2008-10-17 01:44 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Azureus
2008-10-15 12:37 . 2008-10-15 12:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2008-10-15 12:36 . 2008-10-16 01:05 <DIR> d-------- C:\Program Files\AskBarDis
2008-10-15 12:35 . 2008-10-15 12:36 <DIR> d-------- C:\Program Files\Vuze
2008-10-15 12:26 . 2008-10-15 12:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SITEguard
2008-10-15 12:24 . 2008-10-15 12:24 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-10-15 12:24 . 2008-10-15 15:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2008-10-15 12:02 . 2008-10-17 00:07 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Motive
2008-10-15 12:01 . 2008-10-15 12:02 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-10-15 12:01 . 2008-10-15 12:02 <DIR> d-------- C:\Program Files\BT Broadband Desktop Help
2008-10-15 12:01 . 2008-10-15 12:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Motive
2008-10-15 12:01 . 2002-01-05 06:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-10-15 12:01 . 2001-10-11 11:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-10-15 12:00 . 2008-10-15 12:04 <DIR> d-------- C:\Program Files\Yahoo!
2008-10-15 12:00 . 2008-10-15 12:03 <DIR> d-------- C:\Program Files\BTHomeHub
2008-10-15 11:57 . 2008-10-15 11:57 102,194 --a------ C:\WINDOWS\system32\cont_dcads-remove.exe
2008-10-15 11:57 . 2008-10-15 11:57 79,085 --a------ C:\WINDOWS\system32\xaikdlzhyt.exe
2008-10-03 18:41 . 2008-10-03 18:41 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 02:04 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-10-20 02:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-19 21:53 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2008-10-19 17:46 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-10-17 19:12 49,890 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-10-17 18:02 --------- d-----w C:\Program Files\Google
2008-10-16 09:51 --------- d-----w C:\Program Files\HP
2008-10-16 09:49 --------- d-----w C:\Program Files\Hewlett-Packard
2008-10-16 00:41 --------- d-----w C:\Program Files\Dopewars
2008-10-16 00:06 --------- d-----w C:\Program Files\Wanadoo
2008-10-16 00:04 --------- d-----w C:\Program Files\Microsoft AutoRoute
2008-10-16 00:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-16 00:03 --------- d-----w C:\Program Files\Hoyle Casino 3D
2008-10-16 00:02 --------- d-----w C:\Program Files\Ground Zero
2008-10-15 13:22 --------- d-----w C:\Program Files\StackerBlocks3D
2008-10-15 13:22 --------- d-----w C:\Program Files\GameTop.com
2008-10-15 10:59 --------- d-----w C:\Program Files\Lx_cats
2008-10-10 07:58 82,944 ----a-w C:\windows\system32\o4Patch.exe
2008-10-10 07:58 82,944 ----a-w C:\windows\system32\IEDFix.C.exe
2008-10-03 14:32 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\dvdcss
2008-10-01 14:51 87,552 ----a-w C:\windows\system32\VACFix.exe
2008-09-15 11:57 1,846,016 ----a-w C:\windows\system32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w C:\windows\system32\dllcache\win32k.sys
2008-09-08 22:38 88,576 ----a-w C:\windows\system32\AntiXPVSTFix.exe
2008-08-28 10:04 333,056 ----a-w C:\windows\system32\drivers\srv.sys
2008-08-28 10:04 333,056 ----a-w C:\windows\system32\dllcache\srv.sys
2008-08-27 08:24 3,593,216 ----a-w C:\windows\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w C:\windows\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ----a-w C:\windows\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ----a-w C:\windows\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ----a-w C:\windows\system32\dllcache\ieakui.dll
2008-08-18 11:19 82,432 ----a-w C:\windows\system32\404Fix.exe
2008-08-14 10:00 2,180,352 ----a-w C:\windows\system32\ntoskrnl.exe
2008-08-14 09:51 138,368 ----a-w C:\windows\system32\dllcache\afd.sys
2008-08-14 09:22 2,057,728 ----a-w C:\windows\system32\ntkrnlpa.exe
2008-04-10 14:30 25 -c--a-w C:\Program Files\InventoryBuildersettings.ini
1998-08-24 12:09 10,000 -c--a-w C:\windows\inf\unregpn.exe
2007-11-22 22:44 0 -csha-w C:\windows\system32\ping.com
2007-11-22 22:44 0 -csha-w C:\windows\system32\tracert.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2006-02-24 147456]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-13 663552]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
"PCDrSmartMonitor"="C:\Program Files\PC-Doctor 5 for Windows\PcdSmartMonitor.exe" [2005-12-20 368640]
"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-08-09 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 282624]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2007-11-01 1475072]
"btbb_wcm_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2007-11-29 1474048]
"LXCGCATS"="C:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 988512]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-07-16 1166216]
"ftutil2"="ftutil2.dll" [2004-06-07 C:\WINDOWS\system32\ftutil2.dll]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
VirtualExpander.lnk - C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe [2006-10-02 434176]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-03-04 1183744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ZMBV"= zmbv.dll
"VIDC.VDOM"= vdowave.drv
"vidc.VSPX"= vspxvfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2mtxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSpqxt.sys]
@="driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 149352]
R2 McciCMService;McciCMService;C:\Program Files\Common Files\Motive\McciCMService.exe [2007-11-17 303104]
S0 ati2mtxx;ati2mtxx;C:\windows\system32\Drivers\ati2mtxx.sys [ ]
S3 ATIXPGAA;ATIXPGAA;C:\Program Files\PC-Doctor 5 for Windows\ATIXPGAA.SYS [ ]
S3 COH_Mon;COH_Mon;C:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-11-17 19712]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [ ]
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-11-17 18304]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [ ]
S3 PCD5SRVC{085326CB-51A3560A-05010003};PCD5SRVC{085326CB-51A3560A-05010003} - PCDR Kernel Mode Service Helper Driver;C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms [2005-11-21 21120]
S3 Unilocator;Unilocator;C:\WINDOWS\system32\locatrNT.exe [1996-09-30 120832]

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
ShellIconOverlayIdentifiers-{E4000AC4-5E5F-4956-807A-C5854405D64F} - %SystemRoot%\system32\VirtualExpander\VEShellExt.dll
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-LClock - C:\Program Files\LClock\LClock.exe
HKCU-Run-ViStart - C:\Program Files\ViStart\ViStart.exe
HKCU-Run-ViOrb - C:\Program Files\ViOrb\ViOrb.exe
HKCU-Run-TrueTransparency - C:\Program Files\TrueTransparency\TrueTransparency.exe
HKCU-Run-AntiMalwareProMFCT - C:\Program Files\AntiMalware Pro\AntiMalwarePro.exe
HKLM-Run-TkBellExe - C:\Program Files\Common Files\Real\Update_OB\realsched.exe
HKLM-Run-Quick Registry Cleaner - C:\Program Files\Quick Registry Cleaner\QuickRegistryCleaner.exe
HKLM-Run-jkpbqnxrbaopoelsh - C:\WINDOWS\system32\fcpwjxnpvah.dll
HKLM-Run-XP Antispyware 2009 - C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe
HKLM-Run-PCDrProfiler - (no file)
HKU-Default-Run-DWQueuedReporting - C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
HKU-Default-Run-brastk - C:\windows\system32\brastk.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\DOCUME~1\COMPAQ~1\APPLIC~1\Mozilla\Firefox\Profiles\7cyv5bxs.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 03:10:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 C:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\RGI1.tmp 7075 bytes


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{085326CB-51A3560A-05010003}]
"ImagePath"="\??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms"
.
Completion time: 2008-10-20 3:16:27
ComboFix-quarantined-files.txt 2008-10-20 02:16:19

Pre-Run: 46,258,417,664 bytes free
Post-Run: 46,598,336,512 bytes free

269 --- E O F --- 2008-10-17 19:21:46
 
I gotta say, if this is the end of my crisis, you guys have been incredible!
Really, I'm so grateful you took all this time to help me out. On a Sunday too!
Above and Beyond, really! Mentioned in Dispatches, etc.

If there's any way I can ever return the favour... well, you know where to find me!

UPDATE: The red cross thing has gone!!! I think it's worked!
I think I'm not going to work tomorrow! I think it's 3:30 in the morning here!

Thanks again guys-- you rock!

The (eternally in your debt) Flemster.
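Added example, not part of the thread and not a SmitFraudFix or ComboFix tool: a small Python triage script that reads log text in the style of the SmitFraudFix report and the ComboFix report posted above and pulls out the indicators a helper would act on first. The rules cover the lines those two reports actually contain: scanner "FOUND !" / "infected !" hits, an AppInit_DLLs entry (a DLL Windows loads into every process that uses user32.dll) with LoadAppInit_DLLs on, Security Center notification and monitoring switched off, the firewall disabled with a port opened, a driver registered to load in Safe Mode, and newly created .scr/.pif/.vbs files. The sample excerpt is constructed from indicator lines in the two reports, and the rule names, severities and script-extension list are this example's own assumptions.

```python
"""Triage SmitFraudFix / ComboFix style log text for the indicators worth
acting on first. Added example: rules, severities and the sample excerpt
are this editor's assumptions, not output of either tool."""
import re
from collections import Counter

# Constructed excerpt modelled on indicator lines from the thread's
# SmitFraudFix and ComboFix reports; it is not either report in full.
SAMPLE_LOG = r"""
»»»»»»»»»»»»»»»»»»»»»»»» C:\windows\system32
C:\windows\system32\brastk.exe FOUND !
C:\windows\system32\karna.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="karna.dat"
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» RK
C:\windows\system32\drivers\beep.sys infected !

2008-10-19 16:37 . 2008-10-19 16:37 19,642 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\zojaq.scr
2008-10-19 16:37 . 2008-10-19 16:37 13,993 --a------ C:\WINDOWS\icitapijut.vbs
2008-10-19 18:12 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSpqxt.sys]
@="driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"""

# One regex per indicator; severities are this example's own scale.
SCANNER_HIT = re.compile(r"^(?P<path>\S.*?) (?:FOUND|infected) !$")
APPINIT = re.compile(r'^"AppInit_DLLs"="(?P<value>[^"]+)"$')
LOAD_APPINIT = re.compile(r'^"LoadAppInit_DLLs"=dword:0*1$')
SEC_CENTER = re.compile(
    r'^"(?P<name>AntiVirusDisableNotify|FirewallDisableNotify|'
    r'UpdatesDisableNotify|DisableMonitoring)"=dword:0*1$')
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
OPEN_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
SAFEBOOT = re.compile(r"\\SafeBoot\\Minimal\\(?P<name>[^\]]+)\]$", re.IGNORECASE)
CREATED_FILE = re.compile(  # ComboFix "Files Created" line: ctime . mtime size attrs path
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+\S+\s+(?P<path>.+)$")
SCRIPT_EXTS = (".scr", ".pif", ".vbs", ".bat", ".com")  # rarely dropped by legitimate installs


def _finding(severity, rule, detail):
    return {"severity": severity, "rule": rule, "detail": detail}


def triage(log_text):
    """Return findings (severity, rule, detail) for one log, in file order."""
    lines = [l.strip() for l in log_text.splitlines()]
    # An AppInit_DLLs value only matters if Windows is told to load it.
    loading_enabled = any(LOAD_APPINIT.match(l) for l in lines)
    findings = []
    for line in lines:
        if not line:
            continue
        m = SCANNER_HIT.match(line)
        if m:
            findings.append(_finding("high", "scanner_hit", m["path"]))
            continue
        m = APPINIT.match(line)
        if m:
            state = "loading enabled" if loading_enabled else "loading disabled"
            findings.append(_finding("high", "appinit_dll", f"{m['value']} ({state})"))
            continue
        m = SEC_CENTER.match(line)
        if m:
            findings.append(_finding("medium", "security_center_silenced", m["name"]))
            continue
        if FIREWALL_OFF.match(line):
            findings.append(_finding("medium", "firewall_disabled", "standard profile"))
            continue
        m = OPEN_PORT.match(line)
        if m:
            findings.append(_finding("low", "firewall_open_port", f"{m['port']}/{m['proto']}"))
            continue
        m = SAFEBOOT.search(line)
        if m:
            findings.append(_finding("low", "safeboot_driver", m["name"]))
            continue
        m = CREATED_FILE.match(line)
        if m and m["path"].lower().endswith(SCRIPT_EXTS):
            findings.append(_finding("medium", "dropped_script", m["path"]))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. to decide whether a rootkit pass is still needed."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['rule']:<26} {f['detail']}")
    print(summarize(triage(SAMPLE_LOG)))
```

The point of the ordering is that the high-severity rules (scanner hits and an AppInit_DLLs injection) are what decide whether the machine is still compromised, while the Security Center and firewall lines explain the symptoms the thread describes (the red-cross icon, the disappearing antivirus) and need to be reverted after the cleanup, since the scanners do not always restore them.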
 
Fucking bad ass! We kicked its fucking Russian ass!!! Download the free version of AVG 8.0 to clean up the remnants.. and you'll be ready to view porn again! :)
 
Woohoo! Will AVG work alongside Norton ok?
Bea Arthur doesn't know what she's got comin'... time for the Golden (shower) Girls!
 
Norton is a memory hog... AVG works just as well.. without dragging your system down... and it's fucking free.
 