Malware won't let me connect to Anti-virus sites or servers and redirects others.

Discussion in 'Windows - Virus and spyware problems' started by Sandbomb, Nov 15, 2008.

  1. Sandbomb

    Sandbomb Member

    Joined:
    Nov 15, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    It started on Thursday, when I returned home and suspected that someone had been fiddling with my desktop. There was an icon in the tray: a red circle with a white X. An alert popped up that said something like "You've been infected with blah blah",
    and after it an "Antivirus 2009" installer would pop up, which I'd close. It closed off Avast! and wouldn't allow me to open MBAM or SUPERAntiSpyware. It would block the installation file and the actual start-up. Whenever I'd try to go to an anti-virus site or server, it wouldn't let me. It would also redirect other sites. I downloaded Spybot and ran it in Safe Mode. That way, I got rid of lots of trojans and worms. After that, I could gain access to Avast and got rid of the Antivirus 2009 installer, with the other things remaining. I got rid of a lot of other things using Avast! I manually downloaded definitions for Ad-Aware SE from a file-share site (can't remember the name) and ran a scan and got rid of one critical object. But I still have effects left and I don't know how to get rid of them. I still can't connect to update servers or a lot of websites. And antivirus setups and programs like SUPERAntiSpyware and MBAM are being stopped. I ran HijackThis and this is what I got.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:50:27 PM, on 11/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\DRIVERS\WtSrv.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Ideazon\ZEngine\Zboard.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\BitComet\BitComet.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WService] WService.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
    O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
    O23 - Service: WTService - Unknown owner - C:\WINDOWS\system32\atwtusb.exe
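Added example (not code from the thread, the poster, or the HijackThis tool): a small Python triage script run over a constructed subset of the HijackThis lines posted above. It picks out the three kinds of entry in this log that account for the symptoms described: the R1 proxy pointing at 127.0.0.1:8081 (every browser request is handed to a process on the local machine, which can block or redirect chosen sites without touching DNS or the HOSTS file), the O4 "WService" autorun that names a bare file with no directory, and the two avast! services whose binaries are reported missing. The function and constant names (`triage_hijackthis`, `summarize`, `SAMPLE_LOG`) and the line formats it assumes are mine, taken from the log as posted.

```python
"""Triage of HijackThis-style log lines (added example; not from the thread,
the poster, or the HijackThis tool). Constructed sample input is embedded below.

Three line types are examined:
  R1  ProxyServer  - a proxy on the local machine means every browser request
                     is handed to a resident process, which can block or
                     redirect chosen sites without touching DNS or HOSTS
  O4  Run entries  - a bare file name with no directory is resolved through
                     the search path at logon and has no installer to vouch for it
  O23 Services     - "(file missing)" shows a registration whose binary is gone
"""
import re

R1_PROXY = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)")
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
LOOPBACK_PREFIXES = ("127.", "localhost")

# Constructed sample: a subset of the lines that appear in the posted log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: WTService - Unknown owner - C:\WINDOWS\system32\atwtusb.exe
"""


def _proxy_host(proxy: str) -> str:
    """'127.0.0.1:8081' -> '127.0.0.1'; 'http=host:port;https=...' -> 'host'."""
    first = proxy.split(";")[0]
    if "=" in first:
        first = first.split("=", 1)[1]
    return first.rsplit(":", 1)[0] if ":" in first else first


def triage_hijackthis(log_text: str) -> list:
    """Return (kind, subject, detail) tuples for the entries worth a closer look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = R1_PROXY.match(line)
        if m:
            proxy = m.group("proxy")
            if _proxy_host(proxy).startswith(LOOPBACK_PREFIXES):
                findings.append(("loopback-proxy", proxy,
                                 "identify the process listening on this port before trusting web traffic"))
            continue
        m = O4_RUN.match(line)
        if m:
            cmd = m.group("cmd").strip('"')
            # No backslash and no %VAR% expansion: the file is found via the search path.
            if "\\" not in cmd and "%" not in cmd and cmd.lower().endswith(".exe"):
                findings.append(("pathless-autorun", m.group("name"), cmd))
            continue
        m = O23_SERVICE.match(line)
        if m and "(file missing)" in m.group("path"):
            findings.append(("missing-service-file", m.group("name"), m.group("path")))
    return findings


def summarize(log_text: str) -> dict:
    """Count findings by kind, e.g. {'loopback-proxy': 1, ...}."""
    counts = {}
    for kind, _subject, _detail in triage_hijackthis(log_text):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage_hijackthis(SAMPLE_LOG):
        print(" | ".join(finding))
```

The loopback-proxy rule is deliberately a prompt rather than a verdict: some legitimate products (web filters, an AV web shield) also install a local proxy, so the next step is to match the port against the listening process and its signed binary; in this thread the proxy entry disappears once the TDSS components are removed, which is the confirmation that the setting was the malware's. The pathless-autorun rule catches the `WService.EXE` entry that ComboFix later deletes from `system32`.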

     
  2. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hi Sandbomb

    Thanks for the very detailed report of what you've done so far. It helps on my part. :)

    Now, please download ComboFix.
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.

    • Run Combo-Fix.exe and follow the prompts.
    • Accept the End-User License Agreement.
    • Allow the Recovery Console to be installed.
    • When you see the window below, click on Yes.
    [image]
    • When the Recovery Console has been installed, click on Yes to start the scan.
    [image]

    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be fully completed.
    • If it requires a reboot, please do so.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    Best Regards :D
     
  3. Sandbomb

    Sandbomb Member

    Joined:
    Nov 15, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    I can't access many sites like Bleeping Computer either. Can you list 5 or more sources where I can get this ComboFix? If not, then you can email me.
     
  4. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey Sandbomb

    Please reboot your computer into Safe Mode With Networking by doing the following:
    • Restart your computer
    • After pressing the power button, repeatedly tap the F8 key.
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the option to run Windows in Safe Mode With Networking, then press Enter.
    • Choose the administrator's account.

    Can you download Combofix here? If so, run it in safe mode with networking then.

    Best Regards :D
     
  5. Sandbomb

    Sandbomb Member

    Joined:
    Nov 15, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    That was one of the first things I tried: running programs and connecting online in Safe Mode. I still couldn't do it.
     
  6. Sandbomb

    Sandbomb Member

    Joined:
    Nov 15, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    Wait, I know, I'll get someone else to download it and send it to me.
     
  7. Sandbomb

    Sandbomb Member

    Joined:
    Nov 15, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    Okay, another problem. I got my hands on ComboFix, but it won't start.
     
  8. Sandbomb

    Sandbomb Member

    Joined:
    Nov 15, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    False alarm. How stupid of me. I apparently did not follow the instructions right. Anyway, I did it fully right and everything seems to be more than fine. Except that Avast's protection doesn't seem to be up since I disabled it to run the ComboFix scan.

    Here's the log; the red bit is worrying me.



    ComboFix 08-11-14.01 - user 2008-11-16 23:12:10.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.627 [GMT 3:00]

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\av.dat
    c:\windows\system32\DelSelf.bat
    c:\windows\system32\Drivers\TDSSmqlt.sys
    c:\windows\system32\TDSScfmm.dll
    c:\windows\system32\TDSShrxx.dll
    c:\windows\system32\TDSSkkai.log
    c:\windows\system32\TDSSmtyd.dat
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSvkql.dll
    c:\windows\system32\wservice.exe
    F:\ntde1ect.com
    H:\Autorun.inf
    H:\ntde1ect.com
    I:\ntde1ect.com

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSSERV.SYS
    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
    .

    2008-11-16 18:29 . 2008-11-16 18:29 54,156 --ah----- c:\windows\QTFont.qfn
    2008-11-16 18:29 . 2008-11-16 18:29 1,409 --a------ c:\windows\QTFont.for
    2008-11-16 17:24 . 2008-11-16 17:24 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Media Player Classic
    2008-11-16 16:58 . 2008-11-16 16:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Spyware Terminator
    2008-11-15 13:07 . 2008-11-16 17:25 <DIR> d-------- c:\program files\Spyware Terminator
    2008-11-15 13:07 . 2008-11-16 07:50 <DIR> d-------- c:\documents and settings\user\Application Data\Spyware Terminator
    2008-11-15 13:07 . 2008-11-16 17:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spyware Terminator
    2008-11-15 13:07 . 2008-11-15 13:07 141,312 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
    2008-11-14 01:21 . 2008-11-14 01:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\vlc
    2008-11-14 00:45 . 2008-11-14 00:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
    2008-11-11 18:39 . 2008-11-16 17:32 2,444 --a------ c:\windows\system32\TDSSlxcp.dll
    2008-11-11 18:27 . 2008-11-11 18:27 2 --a------ C:\-1530450144
    2008-11-11 18:23 . 2008-11-11 18:23 <DIR> d-------- c:\documents and settings\user\Application Data\TuneUp Software
    2008-11-10 21:01 . 2008-11-10 21:01 4,096 --a------ c:\windows\system32\crash
    2008-11-10 20:41 . 2008-11-10 21:11 <DIR> d-------- c:\program files\ATITool
    2008-11-10 18:06 . 2008-11-10 18:06 <DIR> d-------- c:\program files\Max Payne
    2008-10-24 13:18 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
    2008-10-24 13:18 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
    2008-10-24 13:18 . 2008-10-24 13:18 669,184 --a------ c:\windows\system32\pbsvc.exe
    2008-10-24 13:18 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
    2008-10-24 13:18 . 2008-10-24 13:18 103,736 --a------ c:\windows\system32\PnkBstrB.exe
    2008-10-24 13:18 . 2008-10-24 13:18 66,872 --a------ c:\windows\system32\PnkBstrA.exe
    2008-10-24 13:18 . 2008-10-24 13:18 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
    2008-10-24 13:18 . 2008-10-24 13:18 22,328 --a------ c:\documents and settings\user\Application Data\PnkBstrK.sys
    2008-10-20 19:03 . 2008-10-20 19:03 <DIR> d-------- c:\program files\Microsoft Works
    2008-10-20 19:00 . 2008-10-20 19:00 <DIR> d-------- c:\program files\Microsoft.NET
    2008-10-20 18:58 . 2008-10-20 19:02 <DIR> d-------- c:\windows\SHELLNEW
    2008-10-20 18:58 . 2008-10-20 18:58 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
    2008-10-20 18:56 . 2008-10-20 18:56 <DIR> dr-h----- C:\MSOCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-16 13:46 --------- d-----w c:\documents and settings\user\Application Data\SolidDocuments
    2008-11-14 12:32 --------- d-----w c:\program files\Easy-Hide-IP
    2008-11-14 07:42 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-14 07:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-13 02:55 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\SolidDocuments
    2008-11-11 15:29 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-11-10 15:06 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-09 21:16 --------- d-----w c:\documents and settings\user\Application Data\LimeWire
    2008-11-07 10:43 --------- d-----w c:\documents and settings\user\Application Data\dvdcss
    2008-10-20 16:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-10-20 16:03 --------- d-----w c:\program files\MSBuild
    2008-10-06 05:57 413,696 ----a-w c:\windows\system32\wrap_oal.dll
    2008-10-06 05:57 110,592 ----a-w c:\windows\system32\OpenAL32.dll
    2008-10-06 05:57 --------- d-----w c:\program files\OpenAL
    2008-10-06 05:55 --------- d-----w c:\program files\DAEMON Tools Pro
    2008-10-06 05:55 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
    2008-10-06 05:50 --------- d-----w c:\documents and settings\user\Application Data\DAEMON Tools Pro
    2008-10-06 05:30 685,816 ----a-w c:\windows\system32\drivers\sptd.sys
    2008-10-03 04:07 --------- d-----w c:\program files\AGEIA Technologies
    2008-10-03 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\Ubisoft
    2008-10-02 23:30 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
    2008-10-02 22:54 --------- d-----w c:\program files\NetConceal Anonymizer
    2008-10-02 19:08 --------- d-----w c:\documents and settings\user\Application Data\Ideazon
    2008-10-02 19:07 --------- d-----w c:\program files\Ideazon
    2008-10-02 01:09 --------- d-----w c:\program files\Winamp
    2008-10-02 01:08 --------- d-----w c:\program files\shoutcASP
    2008-10-01 12:49 --------- d-----w c:\program files\Messenger Plus! Live
    2008-10-01 12:32 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
    2008-10-01 12:28 --------- d-----w c:\documents and settings\user\Application Data\ATI
    2008-10-01 12:28 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
    2008-10-01 12:25 --------- d-----w c:\program files\ATI Technologies
    2008-10-01 11:05 --------- d-----w c:\program files\Windows Live
    2008-10-01 10:51 --------- d-----w c:\program files\Reference Assemblies
    2008-10-01 10:45 --------- d-----w c:\program files\MSXML 6.0
    2008-09-30 03:31 --------- d-----w c:\program files\Google
    2008-09-22 12:37 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
    2008-09-22 01:20 --------- d-----w c:\program files\MeadCo Neptune
    2008-09-21 22:20 --------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-09-21 21:51 --------- d-----w c:\program files\SUPERAntiSpyware
    2008-09-21 21:51 --------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
    2008-09-21 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-09-21 16:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2008-09-21 16:46 --------- d-----w c:\documents and settings\user\Application Data\Malwarebytes
    2008-09-21 16:46 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-09-20 15:17 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
    2008-09-19 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
    2008-09-19 01:13 --------- d-----w c:\program files\Driver Cleaner PE
    2008-09-18 19:06 --------- d-----w c:\program files\Common Files\Adobe
    2008-09-17 21:05 --------- d-----w c:\program files\VstPlugins
    2008-09-17 20:50 --------- d-----w c:\program files\MySpace
    2008-09-17 09:34 --------- d-----w c:\program files\Western Digital
    2008-09-17 09:33 --------- d-s---w c:\documents and settings\All Users\Application Data\Memeo
    2008-09-17 09:00 --------- d-----w c:\program files\SystemRequirementsLab
    2008-09-17 08:57 --------- d-----w c:\documents and settings\user\Application Data\SystemRequirementsLab
    2008-08-21 02:19 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
    2008-08-21 02:18 314,880 ------w c:\windows\system32\ati2dvag.dll
    2008-08-21 02:08 184,320 ----a-w c:\windows\system32\atipdlxx.dll
    2008-08-21 02:08 143,360 ----a-w c:\windows\system32\Oemdspif.dll
    2008-08-21 02:07 43,520 ----a-w c:\windows\system32\ati2edxx.dll
    2008-08-21 02:07 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
    2008-08-21 02:07 143,360 ----a-w c:\windows\system32\ati2evxx.dll
    2008-08-21 02:05 573,440 ----a-w c:\windows\system32\ati2evxx.exe
    2008-08-21 02:04 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
    2008-08-21 02:01 10,084,352 ----a-w c:\windows\system32\atioglxx.dll
    2008-08-21 01:55 4,094,560 ------w c:\windows\system32\ati3duag.dll
    2008-08-21 01:50 307,200 ----a-w c:\windows\system32\atiiiexx.dll
    2008-08-21 01:38 2,377,856 ------w c:\windows\system32\ativvaxx.dll
    2008-08-21 01:23 48,640 ----a-w c:\windows\system32\amdpcom32.dll
    2008-08-21 01:19 380,928 ----a-w c:\windows\system32\atikvmag.dll
    2008-08-21 01:18 37,376 ----a-w c:\windows\system32\atiadlxx.dll
    2008-08-21 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
    2008-08-21 01:17 253,952 ----a-w c:\windows\system32\atiok3x2.dll
    2008-08-21 01:11 561,152 ------w c:\windows\system32\ati2cqag.dll
    2008-08-20 18:05 593,920 ------w c:\windows\system32\ati2sgag.exe
    2008-03-30 13:33 3,140 --sha-w c:\windows\system32\KGyGaAvL.sys
    2007-12-22 08:44 1,413,920 --sha-w c:\windows\system32\drivers\fidbox.dat
    2007-12-22 08:44 16,928 --sha-w c:\windows\system32\drivers\fidbox2.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4673536]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2007-06-06 1667584]
    "DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-05 155648]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2008-05-16 79224]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-11 185896]
    "Zboard"="c:\program files\Ideazon\ZEngine\Zboard.exe" [2005-12-20 32768]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-11-15 1783808]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    c:\documents and settings\user\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
    2005-01-31 15:13 49152 c:\progra~1\COMMON~1\stardock\MCPStub.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
    2007-06-07 21:32 176128 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV"= ACDV.dll
    "midi1"= ma_cmidn.dll
    "midi2"= ma_cmidn.dll
    "midi3"= ma_cmidn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "c:\\Program Files\\WebEye\\WebEye.exe"=
    "f:\\Program Files\\poser 6\\Poser.exe"=
    "c:\\Program Files\\GetWare\\WebCam Live\\WebCam.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
    "f:\\Program Files\\CapCom\\Lost Planet Extreme Condition\\LostPlanetDx9.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "g:\\Games\\Doubleagent\\SCDA-Offline\\System\\SplinterCell4.exe"=
    "g:\\Games\\Tom Clancy's Ghost Recon Advanced Warfighter 2\\graw2.exe"=
    "g:\\Games\\Rainbow Six\\Binaries\\R6Vegas_Game.exe"=
    "f:\\Program Files\\Kane and Lynch\\kaneandlynch.exe"=
    "g:\\Half-Life 2\\ahu-hl2\\hl2.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26549:TCP"= 26549:TCP:BitComet 26549 TCP
    "26549:UDP"= 26549:UDP:BitComet 26549 UDP
    "10681:TCP"= 10681:TCP:BitComet 10681 TCP
    "10681:UDP"= 10681:UDP:BitComet 10681 UDP

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-24 78416]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-24 20560]
    R2 WTService;WTService;c:\windows\system32\atwtusb.exe [2008-03-29 360096]
    R3 MA_CMIDI;%EVOL_USB.SvcDesc%;c:\windows\system32\drivers\ma_cmidi.sys [2007-11-07 21888]
    S3 Alpham;Ideazon Fang Composite Keyboard Driver;c:\windows\system32\DRIVERS\Alpham.sys [2005-12-04 34944]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\E:\NTGLM7X.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0aeb2e1d-905f-11dc-ba86-0011670642bb}]
    \Shell\AutoRun\command - J:\ntde1ect.com
    \Shell\explore\Command - J:\ntde1ect.com
    \Shell\open\Command - J:\ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f28b44a-57a9-11dc-a2ad-00030d000001}]
    \Shell\AutoRun\command - J:\sidstick.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae8d05fc-8335-11dd-bb2d-0011670642bb}]
    \Shell\AutoRun\command - j:\wd_windows_tools\Setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8312c3e-45da-11dc-a2a1-00030d000001}]
    \Shell\AutoRun\command - K:\ntde1ect.com
    \Shell\explore\Command - K:\ntde1ect.com
    \Shell\open\Command - K:\ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d766a2c2-470b-11dd-bb16-0011670642bb}]
    \Shell\AutoRun\command - fppg1.exe
    \Shell\explore\Command - fppg1.exe
    \Shell\open\Command - fppg1.exe

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-14 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2008\OneClick.exe []
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Cmaudio - cmicnfg.cpl
    HKLM-Run-WService - WService.EXE


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\qffsoumk.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
    FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
    FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-16 23:15:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\TDSSserv.sys]
    "imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
    .
    Completion time: 2008-11-16 23:18:58
    ComboFix-quarantined-files.txt 2008-11-16 20:18:55

    Pre-Run: 5,073,768,448 bytes free
    Post-Run: 5,057,556,480 bytes free

    271 --- E O F --- 2008-09-20 15:34:30
     
  9. Sandbomb

    Sandbomb Member

    Joined:
    Nov 15, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    False alarm. How stupid of me. I apparently did not follow the instructions right. Anyway, I did it fully right and everything seems to be more than fine. Except that Avast's protection doesn't seem to be up since I disabled it to run the ComboFix scan.

    Here's the log; the red bit is worrying me.



    ComboFix 08-11-14.01 - user 2008-11-16 23:12:10.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.627 [GMT 3:00]

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\av.dat
    c:\windows\system32\DelSelf.bat
    c:\windows\system32\Drivers\TDSSmqlt.sys
    c:\windows\system32\TDSScfmm.dll
    c:\windows\system32\TDSShrxx.dll
    c:\windows\system32\TDSSkkai.log
    c:\windows\system32\TDSSmtyd.dat
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSvkql.dll
    c:\windows\system32\wservice.exe
    F:\ntde1ect.com
    H:\Autorun.inf
    H:\ntde1ect.com
    I:\ntde1ect.com

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSSERV.SYS
    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
    .

    2008-11-16 18:29 . 2008-11-16 18:29 54,156 --ah----- c:\windows\QTFont.qfn
    2008-11-16 18:29 . 2008-11-16 18:29 1,409 --a------ c:\windows\QTFont.for
    2008-11-16 17:24 . 2008-11-16 17:24 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Media Player Classic
    2008-11-16 16:58 . 2008-11-16 16:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Spyware Terminator
    2008-11-15 13:07 . 2008-11-16 17:25 <DIR> d-------- c:\program files\Spyware Terminator
    2008-11-15 13:07 . 2008-11-16 07:50 <DIR> d-------- c:\documents and settings\user\Application Data\Spyware Terminator
    2008-11-15 13:07 . 2008-11-16 17:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spyware Terminator
    2008-11-15 13:07 . 2008-11-15 13:07 141,312 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
    2008-11-14 01:21 . 2008-11-14 01:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\vlc
    2008-11-14 00:45 . 2008-11-14 00:45 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
    2008-11-11 18:39 . 2008-11-16 17:32 2,444 --a------ c:\windows\system32\TDSSlxcp.dll
    2008-11-11 18:27 . 2008-11-11 18:27 2 --a------ C:\-1530450144
    2008-11-11 18:23 . 2008-11-11 18:23 <DIR> d-------- c:\documents and settings\user\Application Data\TuneUp Software
    2008-11-10 21:01 . 2008-11-10 21:01 4,096 --a------ c:\windows\system32\crash
    2008-11-10 20:41 . 2008-11-10 21:11 <DIR> d-------- c:\program files\ATITool
    2008-11-10 18:06 . 2008-11-10 18:06 <DIR> d-------- c:\program files\Max Payne
    2008-10-24 13:18 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
    2008-10-24 13:18 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
    2008-10-24 13:18 . 2008-10-24 13:18 669,184 --a------ c:\windows\system32\pbsvc.exe
    2008-10-24 13:18 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
    2008-10-24 13:18 . 2008-10-24 13:18 103,736 --a------ c:\windows\system32\PnkBstrB.exe
    2008-10-24 13:18 . 2008-10-24 13:18 66,872 --a------ c:\windows\system32\PnkBstrA.exe
    2008-10-24 13:18 . 2008-10-24 13:18 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
    2008-10-24 13:18 . 2008-10-24 13:18 22,328 --a------ c:\documents and settings\user\Application Data\PnkBstrK.sys
    2008-10-20 19:03 . 2008-10-20 19:03 <DIR> d-------- c:\program files\Microsoft Works
    2008-10-20 19:00 . 2008-10-20 19:00 <DIR> d-------- c:\program files\Microsoft.NET
    2008-10-20 18:58 . 2008-10-20 19:02 <DIR> d-------- c:\windows\SHELLNEW
    2008-10-20 18:58 . 2008-10-20 18:58 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
    2008-10-20 18:56 . 2008-10-20 18:56 <DIR> dr-h----- C:\MSOCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-16 13:46 --------- d-----w c:\documents and settings\user\Application Data\SolidDocuments
    2008-11-14 12:32 --------- d-----w c:\program files\Easy-Hide-IP
    2008-11-14 07:42 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-14 07:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-13 02:55 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\SolidDocuments
    2008-11-11 15:29 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-11-10 15:06 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-09 21:16 --------- d-----w c:\documents and settings\user\Application Data\LimeWire
    2008-11-07 10:43 --------- d-----w c:\documents and settings\user\Application Data\dvdcss
    2008-10-20 16:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-10-20 16:03 --------- d-----w c:\program files\MSBuild
    2008-10-06 05:57 413,696 ----a-w c:\windows\system32\wrap_oal.dll
    2008-10-06 05:57 110,592 ----a-w c:\windows\system32\OpenAL32.dll
    2008-10-06 05:57 --------- d-----w c:\program files\OpenAL
    2008-10-06 05:55 --------- d-----w c:\program files\DAEMON Tools Pro
    2008-10-06 05:55 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
    2008-10-06 05:50 --------- d-----w c:\documents and settings\user\Application Data\DAEMON Tools Pro
    2008-10-06 05:30 685,816 ----a-w c:\windows\system32\drivers\sptd.sys
    2008-10-03 04:07 --------- d-----w c:\program files\AGEIA Technologies
    2008-10-03 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\Ubisoft
    2008-10-02 23:30 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
    2008-10-02 22:54 --------- d-----w c:\program files\NetConceal Anonymizer
    2008-10-02 19:08 --------- d-----w c:\documents and settings\user\Application Data\Ideazon
    2008-10-02 19:07 --------- d-----w c:\program files\Ideazon
    2008-10-02 01:09 --------- d-----w c:\program files\Winamp
    2008-10-02 01:08 --------- d-----w c:\program files\shoutcASP
    2008-10-01 12:49 --------- d-----w c:\program files\Messenger Plus! Live
    2008-10-01 12:32 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
    2008-10-01 12:28 --------- d-----w c:\documents and settings\user\Application Data\ATI
    2008-10-01 12:28 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
    2008-10-01 12:25 --------- d-----w c:\program files\ATI Technologies
    2008-10-01 11:05 --------- d-----w c:\program files\Windows Live
    2008-10-01 10:51 --------- d-----w c:\program files\Reference Assemblies
    2008-10-01 10:45 --------- d-----w c:\program files\MSXML 6.0
    2008-09-30 03:31 --------- d-----w c:\program files\Google
    2008-09-22 12:37 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
    2008-09-22 01:20 --------- d-----w c:\program files\MeadCo Neptune
    2008-09-21 22:20 --------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-09-21 21:51 --------- d-----w c:\program files\SUPERAntiSpyware
    2008-09-21 21:51 --------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
    2008-09-21 21:51 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-09-21 16:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2008-09-21 16:46 --------- d-----w c:\documents and settings\user\Application Data\Malwarebytes
    2008-09-21 16:46 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-09-20 15:17 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
    2008-09-19 13:04 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
    2008-09-19 01:13 --------- d-----w c:\program files\Driver Cleaner PE
    2008-09-18 19:06 --------- d-----w c:\program files\Common Files\Adobe
    2008-09-17 21:05 --------- d-----w c:\program files\VstPlugins
    2008-09-17 20:50 --------- d-----w c:\program files\MySpace
    2008-09-17 09:34 --------- d-----w c:\program files\Western Digital
    2008-09-17 09:33 --------- d-s---w c:\documents and settings\All Users\Application Data\Memeo
    2008-09-17 09:00 --------- d-----w c:\program files\SystemRequirementsLab
    2008-09-17 08:57 --------- d-----w c:\documents and settings\user\Application Data\SystemRequirementsLab
    2008-08-21 02:19 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
    2008-08-21 02:18 314,880 ------w c:\windows\system32\ati2dvag.dll
    2008-08-21 02:08 184,320 ----a-w c:\windows\system32\atipdlxx.dll
    2008-08-21 02:08 143,360 ----a-w c:\windows\system32\Oemdspif.dll
    2008-08-21 02:07 43,520 ----a-w c:\windows\system32\ati2edxx.dll
    2008-08-21 02:07 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
    2008-08-21 02:07 143,360 ----a-w c:\windows\system32\ati2evxx.dll
    2008-08-21 02:05 573,440 ----a-w c:\windows\system32\ati2evxx.exe
    2008-08-21 02:04 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
    2008-08-21 02:01 10,084,352 ----a-w c:\windows\system32\atioglxx.dll
    2008-08-21 01:55 4,094,560 ------w c:\windows\system32\ati3duag.dll
    2008-08-21 01:50 307,200 ----a-w c:\windows\system32\atiiiexx.dll
    2008-08-21 01:38 2,377,856 ------w c:\windows\system32\ativvaxx.dll
    2008-08-21 01:23 48,640 ----a-w c:\windows\system32\amdpcom32.dll
    2008-08-21 01:19 380,928 ----a-w c:\windows\system32\atikvmag.dll
    2008-08-21 01:18 37,376 ----a-w c:\windows\system32\atiadlxx.dll
    2008-08-21 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
    2008-08-21 01:17 253,952 ----a-w c:\windows\system32\atiok3x2.dll
    2008-08-21 01:11 561,152 ------w c:\windows\system32\ati2cqag.dll
    2008-08-20 18:05 593,920 ------w c:\windows\system32\ati2sgag.exe
    2008-03-30 13:33 3,140 --sha-w c:\windows\system32\KGyGaAvL.sys
    2007-12-22 08:44 1,413,920 --sha-w c:\windows\system32\drivers\fidbox.dat
    2007-12-22 08:44 16,928 --sha-w c:\windows\system32\drivers\fidbox2.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4673536]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2007-06-06 1667584]
    "DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-05 155648]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2008-05-16 79224]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-11 185896]
    "Zboard"="c:\program files\Ideazon\ZEngine\Zboard.exe" [2005-12-20 32768]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-11-15 1783808]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

    c:\documents and settings\user\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
    2005-01-31 15:13 49152 c:\progra~1\COMMON~1\stardock\MCPStub.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
    2007-06-07 21:32 176128 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.ACDV"= ACDV.dll
    "midi1"= ma_cmidn.dll
    "midi2"= ma_cmidn.dll
    "midi3"= ma_cmidn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "c:\\Program Files\\WebEye\\WebEye.exe"=
    "f:\\Program Files\\poser 6\\Poser.exe"=
    "c:\\Program Files\\GetWare\\WebCam Live\\WebCam.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
    "f:\\Program Files\\CapCom\\Lost Planet Extreme Condition\\LostPlanetDx9.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "g:\\Games\\Doubleagent\\SCDA-Offline\\System\\SplinterCell4.exe"=
    "g:\\Games\\Tom Clancy's Ghost Recon Advanced Warfighter 2\\graw2.exe"=
    "g:\\Games\\Rainbow Six\\Binaries\\R6Vegas_Game.exe"=
    "f:\\Program Files\\Kane and Lynch\\kaneandlynch.exe"=
    "g:\\Half-Life 2\\ahu-hl2\\hl2.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "f:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26549:TCP"= 26549:TCP:BitComet 26549 TCP
    "26549:UDP"= 26549:UDP:BitComet 26549 UDP
    "10681:TCP"= 10681:TCP:BitComet 10681 TCP
    "10681:UDP"= 10681:UDP:BitComet 10681 UDP

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-05-24 78416]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-24 20560]
    R2 WTService;WTService;c:\windows\system32\atwtusb.exe [2008-03-29 360096]
    R3 MA_CMIDI;%EVOL_USB.SvcDesc%;c:\windows\system32\drivers\ma_cmidi.sys [2007-11-07 21888]
    S3 Alpham;Ideazon Fang Composite Keyboard Driver;c:\windows\system32\DRIVERS\Alpham.sys [2005-12-04 34944]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\E:\NTGLM7X.sys []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0aeb2e1d-905f-11dc-ba86-0011670642bb}]
    \Shell\AutoRun\command - J:\ntde1ect.com
    \Shell\explore\Command - J:\ntde1ect.com
    \Shell\open\Command - J:\ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0f28b44a-57a9-11dc-a2ad-00030d000001}]
    \Shell\AutoRun\command - J:\sidstick.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae8d05fc-8335-11dd-bb2d-0011670642bb}]
    \Shell\AutoRun\command - j:\wd_windows_tools\Setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c8312c3e-45da-11dc-a2a1-00030d000001}]
    \Shell\AutoRun\command - K:\ntde1ect.com
    \Shell\explore\Command - K:\ntde1ect.com
    \Shell\open\Command - K:\ntde1ect.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d766a2c2-470b-11dd-bb16-0011670642bb}]
    \Shell\AutoRun\command - fppg1.exe
    \Shell\explore\Command - fppg1.exe
    \Shell\open\Command - fppg1.exe

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-14 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2008\OneClick.exe []
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Cmaudio - cmicnfg.cpl
    HKLM-Run-WService - WService.EXE


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\qffsoumk.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.com
    FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
    FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-16 23:15:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\TDSSserv.sys]
    "imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
    .
    Completion time: 2008-11-16 23:18:58
    ComboFix-quarantined-files.txt 2008-11-16 20:18:55

    Pre-Run: 5,073,768,448 bytes free
    Post-Run: 5,057,556,480 bytes free

    271 --- E O F --- 2008-09-20 15:34:30
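The log above carries four things a responder checks before declaring a machine clean: TDSS* rootkit files (some deleted, one still listed under "Files Created"), Security Center notification switches set to 1, the Windows Firewall standard profile switched off, and per-device AutoRun commands under MountPoints2 that point at the same ntde1ect.com ComboFix deleted from the removable drives. The Python script below is an added example, not part of the thread and not ComboFix's own code: it parses a constructed excerpt modelled on the log and cross-references every leftover item against what the tool already removed, so a stale service key or a known-bad AutoRun target is labelled as such rather than left for the reader to spot. The section and key layout it assumes, and the category names, are assumptions.

```python
"""Triage helper for a ComboFix-style log.

Pulls out the indicators this thread turned on: TDSS rootkit file
remnants, Security Center notification tampering, a disabled Windows
Firewall profile, and per-device AutoRun commands under MountPoints2.
Added example; the section/key layout it assumes and the category
names are assumptions, and SAMPLE_LOG is a constructed excerpt.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category detail")

# ComboFix prints section banners as "(((( Name ))))" and registry keys
# as "[HKEY_...]"; value lines belong to the key printed before them.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
KEY_RE = re.compile(r"^\[(.+)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)
TDSS_RE = re.compile(r"TDSS\w*\.(?:sys|dll|dat|log)", re.I)
DISABLE_NOTIFY_RE = re.compile(r'^"(\w+DisableNotify)"=dword:0*1$', re.I)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b', re.I)
PATH_RE = re.compile(r'(?:[A-Za-z]:)?\\[^\s"\]]+')

# Sections whose lines record what the tool already removed.
REMOVAL_SECTIONS = ("other deletions", "drivers/services")

# Constructed excerpt modelled on the thread's log (not the real file).
SAMPLE_LOG = r"""
((((((((((( Other Deletions )))))))))))
.
c:\windows\system32\Drivers\TDSSmqlt.sys
c:\windows\system32\TDSScfmm.dll
H:\Autorun.inf
H:\ntde1ect.com
.
((((((((((( Drivers/Services )))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))
.
2008-11-11 18:39 . 2008-11-16 17:32 2,444 --a------ c:\windows\system32\TDSSlxcp.dll
2008-11-15 13:07 . 2008-11-15 13:07 141,312 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys
((((((((((( Reg Loading Points )))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0aeb2e1d-905f-11dc-ba86-0011670642bb}]
\Shell\AutoRun\command - J:\ntde1ect.com
\Shell\open\Command - J:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae8d05fc-8335-11dd-bb2d-0011670642bb}]
\Shell\AutoRun\command - j:\wd_windows_tools\Setup.exe
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqlt.sys"
"""


def basename(path):
    """Last path component, lower-cased, with ComboFix's Service_/Legacy_
    prefixes stripped so a removed service matches its registry key."""
    name = path.rstrip().rsplit("\\", 1)[-1].lower()
    for prefix in ("service_", "legacy_"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name


def last_path(line):
    """The last backslash path on a line, or the whole line if none."""
    paths = PATH_RE.findall(line)
    return paths[-1] if paths else line


def triage(log_text):
    """Return (findings, removed): findings is a list of Finding in log
    order; removed is the set of basenames the log says were deleted."""
    findings, removed = [], set()
    section = key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1).lower(), ""
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            # A service key that survives after its driver was deleted
            # (here in a non-current ControlSet) is the "red bit" above.
            if "\\services\\" in key and basename(key) in removed:
                findings.append(Finding("stale-service-key", key))
            continue
        if section in REMOVAL_SECTIONS:
            removed.add(basename(line))
            continue
        if "mountpoints2" in key:
            m = AUTORUN_RE.match(line)
            if m:
                verb, target = m.groups()
                device = key.rsplit("\\", 1)[-1]
                cat = ("autorun-known-bad" if basename(target) in removed
                       else "autorun-review")
                findings.append(Finding(cat, f"{device} {verb}: {target}"))
            continue
        if "security center" in key:
            m = DISABLE_NOTIFY_RE.match(line)
            if m:
                findings.append(Finding("securitycenter-tamper", m.group(1)))
            continue
        if "firewallpolicy" in key and FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall-disabled", key.rsplit("\\", 1)[-1]))
            continue
        if TDSS_RE.search(line):
            path = last_path(line)
            cat = "stale-reference" if basename(path) in removed else "tdss-remnant"
            findings.append(Finding(cat, path))
    return findings, removed


if __name__ == "__main__":
    found, gone = triage(SAMPLE_LOG)
    print("removed:", sorted(gone))
    for f in found:
        print(f"{f.category:24} {f.detail}")
```

Two things the output makes visible that reading the raw log does not: the TDSSlxcp.dll entry under "Files Created" is reported as a remnant because it never appears in the deletions (it is the file MBAM quarantines in post 11), and the ControlSet003 service key is reported as stale rather than active because its image path points at a driver the tool already removed. The "autorun-review" category deliberately includes the Western Digital setup entry: a MountPoints2 AutoRun command is not malicious by itself, so only a match against the deletions list promotes it to "known-bad".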
     
  10. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey Sandbomb

    Didn't ComboFix ask you to download the Recovery Console as shown in my instructions?

    Now, can your security programs start? How about MBAM? If so, please follow the instructions below:

    Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or double-click the Malwarebytes' Anti-Malware shortcut on your Desktop.

    Configuring Malwarebytes

    • Click on the tab Settings.
    • Make sure only these boxes are checked:
    Code:
    Terminate Internet Explorer
    Automatically save and display logfile after removal
    Always scan memory objects
    Always scan registry objects
    Always scan filesystem
    Always scan extra and heuristics objects
    Updating Malwarebytes

    • Click on the tab Update.
    • Press the button Check for Updates
    • Wait for Malwarebytes to be fully updated.

    Scanning Time

    • Click on the tab Scanner.
    • Check Perform full scan and click on Scan
    • Wait for the scan to complete, and then click on Show Results.
    • Make sure all items are checked, then click on Remove Selected.
    **If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

    Post A Log

    • A text box will pop up after the removal process is over. Post the contents of the text here.
    • If no text box pops up, launch Malwarebytes, and click on the tab Logs.
    • The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
    Post the log here.

    Best Regards :D
     
  11. Sandbomb

    Sandbomb Member

    Joined:
    Nov 15, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    I ran a scan with MBAM and found one object, which was removed. Everything else on my PC is back to normal and it's functioning very well.
    And to answer your question, I never got a prompt to download recovery installer or anything. Should I be worried?


    Malwarebytes' Anti-Malware 1.28
    Database version: 1186
    Windows 5.1.2600 Service Pack 2

    11/17/2008 6:16:54 PM
    mbam-log-2008-11-17 (18-16-54).txt

    Scan type: Full Scan (C:\|F:\|G:\|H:\|I:\|)
    Objects scanned: 343046
    Time elapsed: 3 hour(s), 16 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\TDSSlxcp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.


     
  12. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey Sandbomb

    Did you run Combofix in normal mode or safe mode?

    You look good to me. I'll give the all-clean sign!

    Best Regards :D
     
  13. Sandbomb

    Sandbomb Member

    Joined:
    Nov 15, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    I think I ran it in normal mode
    >_>
     
  14. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    No prob, Sandbomb. Looks like something that can't be explained... so I won't bother. You're all clean anyways...

    Best Regards :D
     
  15. Sandbomb

    Sandbomb Member

    Joined:
    Nov 15, 2008
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    11
    Alright, thank you very much, C. I owe you tonnes. Will be sure to try and pass on the help to others.
     
  16. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    You're welcome, Sandbomb. :)
     
  17. xfiler

    xfiler Member

    Joined:
    Dec 3, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Hey guys, I seriously need some help. I tried pressing F8 when I rebooted the computer, but it just has a long beep sound. I have a Hewlett Packard computer with Windows XP, and then it says that the keyboard is detached, and then at the bottom it says [F9 - Boot Options]. I really need some help. My AIM is oh snap DMA. Someone please help me. This computer won't let me run most antiviral things, and it won't let me go to most antivirus sites, and when I boot up it shows me a Norton Antivirus thing that says that the options have been changed.
     
  18. xfiler

    xfiler Member

    Joined:
    Dec 3, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Wait, no. For some reason there is a password set on my admin. Is there any other way?
     
  19. xfiler

    xfiler Member

    Joined:
    Dec 3, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    I'm sorry for continually posting new things. For some reason I can't get into Safe Mode with Networking. It won't let me. It loads halfway and stops.
     
  20. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
