# ckvo process



## teamhex

What is this? I looked it up and it says it's some kind of malware. I just reformatted my main drive. Maybe it came from my slave. Either way, I turned it off in msconfig for startup. Let me start over... I've noticed my PC was booting slowly and in general is acting slow. I looked into some of the processes and saw ckvo running. Keep in mind this OS is 1 day old; either way, I turned it off and it's running fast now. How do I completely remove this and any other possible thing that may be running? I've never had luck with Ad-Aware or anything like that. It will never fully remove anything, so what do I do?


----------



## Respital

Please post the logs from:
Important: Please read before posting. Even if your problem is solved please post the logs as you may still be infected.


----------



## teamhex

Respital said:


> Please post the logs from:
> Important: Please read before posting. Even if your problem is solved please post the logs as you may still be infected.



Yeah, sorry, I'm not used to this kind of stuff. I never get infected with things. If there's one department I know almost nothing about, it's malware.


----------



## teamhex

*Here's the log file*

Malwarebytes' Anti-Malware 1.30
Database version: 1337
Windows 5.1.2600 Service Pack 2

10/29/2008 4:52:39 PM
mbam-log-2008-10-29 (16-52-39).txt

Scan type: Quick Scan
Objects scanned: 38547
Time elapsed: 2 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ckvo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ckvo0.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ckvo1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\xih9.cmd (Trojan.Agent) -> Quarantined and deleted successfully.


----------



## Respital

I also need the HiJackThis log.


----------



## teamhex

Respital said:


> I also need the HiJackThis log.



I ran a scan, and it says it's clean. I guess I'll run that HijackThis log too, just to make sure.


----------



## teamhex

*I'm assuming this is it? Or do I fail? I think it got rid of them. I also ran a scan on my thumb drive and it found 12 things. So I think what happened was it spread when I was installing my programs from the drive.*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:40 PM, on 10/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\utorrent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

--
End of file - 1206 bytes


----------



## teamhex

Man, it's back. I can't access my C drive; it asks me what program I want to use to open it. I also can't access msconfig anymore; it says it doesn't exist. My CPU usage is at least 50% at idle. I just don't know what to do. I really don't want to format my slave. It boots up fast, and after about a minute it slows down.


----------



## Respital

Hello:

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.


----------



## teamhex

Respital said:


> Hello:
> 
> *Download and Run ComboFix*
> *If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*
> 
> *Download this file* from one of the three below listed places :
> 
> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
> http://www.forospyware.com/sUBs/ComboFix.exe
> http://subs.geekstogo.com/ComboFix.exe
> 
> Then double click *combofix.exe* & follow the prompts.
> When finished, it shall produce *a log* for you. *Post that log* in your next reply
> *Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
> 
> Combofix should never take more than 20 minutes including the reboot if malware is detected.
> If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
> If that happened we want to know, and also what process you had to end.


I guess I can when I get home. Are you sure this is going to fix it? I upgraded to SP3 last night, and I think I killed it for a while; my PC is running faster now. I'm just afraid that when I boot it up the next time it will be back.


----------



## Respital

teamhex said:


> I guess I can when I get home. Are you sure this is going to fix it? I upgraded to SP3 last night, and I think I killed it for a while; my PC is running faster now. I'm just afraid that when I boot it up the next time it will be back.



A mod has informed me to update my instructions please now do the following:

*Let's scan for trojan:*
Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
 Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
 Press any Key and it will restart the PC.
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.


*Please post*

The SD log
The ComboFix log
An updated HiJackThis log
An update on how your computer is running.


----------



## teamhex

Respital said:


> A mod has informed me to update my instructions please now do the following:
> 
> *Let's scan for trojan:*
> Download *SDFix* and save it to your Desktop.
> 
> Double click *SDFix.exe* and it will extract the files to %systemdrive%
> (Drive that contains the Windows Directory, typically C:\SDFix)
> 
> Please then reboot your computer in *Safe Mode* by doing the following :
> Restart your computer
> After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
> Instead of Windows loading as normal, the Advanced Options Menu should appear;
> Select the first option, to run Windows in Safe Mode, then press *Enter*.
> Choose your usual account.
> Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
> Type *Y* to begin the cleanup process.
> It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
> Press any Key and it will restart the PC.
> When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
> Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
> (Report.txt will also be copied to Clipboard ready for posting back on the forum).
> Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
> 
> 
> *Download and Run ComboFix*
> *If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*
> 
> *Download this file* from one of the three below listed places :
> 
> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
> http://www.forospyware.com/sUBs/ComboFix.exe
> http://subs.geekstogo.com/ComboFix.exe
> 
> Then double click *combofix.exe* & follow the prompts.
> When finished, it shall produce *a log* for you. *Post that log* in your next reply
> *Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
> 
> Combofix should never take more than 20 minutes including the reboot if malware is detected.
> If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
> If that happened we want to know, and also what process you had to end.
> 
> 
> *Please post*
> 
> The SD log
> The ComboFix log
> An updated HiJackThis log
> An update on how your computer is running.



Man, I'm an idiot. I haven't been doing all this in safe mode; I've just been running normally. Could this be why it won't go away?


----------



## Respital

teamhex said:


> Man, I'm an idiot. I haven't been doing all this in safe mode; I've just been running normally. Could this be why it won't go away?



No.

For SDFix you're supposed to run in safe mode.

For ComboFix you're supposed to boot normally.

Please follow my instructions as posted.


----------



## teamhex

Respital said:


> No.
> 
> For SDFix you're supposed to run in safe mode.
> 
> For ComboFix you're supposed to boot normally.
> 
> Please follow my instructions as posted.



I have been; it's just a thought. I've been at work all day and am currently in school, so I'll run it when I get home.


----------



## teamhex

I upgraded to SP3 last night, booted my PC up when I got home and BAM! Gone... lol. Seems to be running great. Thanks, guys.


----------



## Respital

teamhex said:


> I upgraded to SP3 last night, booted my PC up when I got home and BAM! Gone... lol. Seems to be running great. Thanks, guys.



Did you follow the steps i gave you?

If not it's likely you're still infected and you just have a little speed boost from SP3.

If so, please post the logs generated by the programs used.


----------



## teamhex

Respital said:


> Did you follow the steps i gave you?
> 
> If not it's likely you're still infected and you just have a little speed boost from SP3.
> 
> If so, please post the logs generated by the programs used.



HijackThis didn't find anything. I also ran Malwarebytes and it didn't find anything either. I think it's gone with this service pack. I'm running a lot faster; I was gaming and doing whatever last night just fine.


----------



## teamhex

Man, this sucks. It's back. I'm doing a full scan on everything. I guess I'll try your last program. I'm about to post logs.


----------



## teamhex

ComboFix 08-10-30.13 - Chris 2008-10-31 13:25:41.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1581 [GMT -5:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\ckvo1.dll
C:\xih9.cmd
D:\68.exe
D:\9.cmd
D:\Autorun.inf
D:\bo1dhu.bat
D:\ev60a2.cmd
D:\itsduel.exe
D:\xih9.cmd
E:\1rfw8hjr.com
E:\1t6yxlxx.cmd
E:\1yl2d.bat
E:\33gmhso.bat
E:\6.bat
E:\68.exe
E:\6x8be16.cmd
E:\9.cmd
E:\a1.bat
E:\autorun.inf
E:\bo1dhu.bat
E:\bwpncb6.com
E:\ev60a2.cmd
E:\f0.cmd
E:\ffojc.com
E:\fi.cmd
E:\g.com
E:\hgu.bat
E:\iefqwp.cmd
E:\itsduel.exe
E:\ivcvknr.bat
E:\kk3.bat
E:\kn6jhgc.cmd
E:\njibyekk.com
E:\r.cmd
E:\r1y1.bat
E:\r813.bat
E:\vxl.exe
E:\xih9.cmd

.
(((((((((((((((((((((((((   Files Created from 2008-09-28 to 2008-10-31  )))))))))))))))))))))))))))))))
.

2008-10-31 13:21 . 2008-10-27 00:01	<DIR>	d--------	C:\SDFix
2008-10-30 20:34 . 2008-10-30 20:34	<DIR>	d--------	C:\WINDOWS\LastGood
2008-10-29 21:47 . 2008-10-29 21:47	<DIR>	d--------	C:\WINDOWS\ServicePackFiles
2008-10-29 21:47 . 2008-04-14 05:42	294,912	-----c---	C:\WINDOWS\system32\dllcache\dlimport.exe
2008-10-29 21:44 . 2006-12-29 00:31	19,569	--a------	C:\WINDOWS\002897_.tmp
2008-10-29 19:30 . 2008-10-29 19:30	<DIR>	d--------	C:\Program Files\DAEMON Tools Lite
2008-10-29 18:18 . 2008-10-29 18:18	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\DAEMON Tools
2008-10-29 18:18 . 2008-10-29 18:18	717,296	--a------	C:\WINDOWS\system32\drivers\sptd.sys
2008-10-29 17:10 . 2008-10-29 17:10	<DIR>	d--------	C:\Program Files\Trend Micro
2008-10-29 16:49 . 2008-10-29 16:49	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\Malwarebytes
2008-10-29 16:49 . 2008-10-22 16:10	15,504	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-10-29 16:48 . 2008-10-29 16:49	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-10-29 16:48 . 2008-10-29 16:48	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-29 16:48 . 2008-10-22 16:10	38,496	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-29 16:44 . 2008-10-29 16:44	<DIR>	d--------	C:\Program Files\uTorrent
2008-10-29 16:44 . 2008-10-29 19:17	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\uTorrent
2008-10-27 22:51 . 2008-10-27 22:51	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\vlc
2008-10-27 22:50 . 2008-10-27 22:50	<DIR>	d--------	C:\Program Files\VideoLAN
2008-10-27 22:04 . 2008-06-13 06:05	272,128	---------	C:\WINDOWS\system32\drivers\bthport.sys
2008-10-27 22:04 . 2008-06-13 06:05	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-27 22:03 . 2008-08-14 05:11	2,189,184	-----c---	C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-27 22:03 . 2008-08-14 05:09	2,145,280	-----c---	C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-27 22:03 . 2008-08-14 04:33	2,066,048	-----c---	C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-27 22:03 . 2008-08-14 04:33	2,023,936	-----c---	C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-27 22:03 . 2008-09-15 07:12	1,846,400	-----c---	C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-27 22:03 . 2008-04-11 14:04	691,712	-----c---	C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-10-27 22:03 . 2008-09-08 05:41	333,824	-----c---	C:\WINDOWS\system32\dllcache\srv.sys
2008-10-27 22:03 . 2008-05-08 09:02	203,136	-----c---	C:\WINDOWS\system32\dllcache\rmcast.sys
2008-10-27 22:02 . 2008-10-15 11:34	337,408	-----c---	C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-27 21:36 . 2008-10-27 21:36	13,646	--a------	C:\WINDOWS\system32\wpa.bak

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 03:32	---------	d-----w	C:\Program Files\Steam
2008-10-28 01:52	---------	d-----w	C:\Program Files\Realtek
2008-10-28 01:49	315,392	----a-w	C:\WINDOWS\HideWin.exe
2008-10-28 01:34	---------	d-----w	C:\Program Files\Intel
2008-10-28 01:16	---------	d-----w	C:\Program Files\microsoft frontpage
2008-10-28 01:01	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-10-28 01:01	---------	d-----w	C:\Program Files\ATI Technologies
2008-10-28 01:00	---------	d-----w	C:\Program Files\Common Files\InstallShield
2008-10-28 00:55	---------	d-----w	C:\Documents and Settings\Chris\Application Data\mjusbsp
2008-09-24 03:09	3,331,072	----a-w	C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-09-24 03:05	593,920	------w	C:\WINDOWS\system32\ati2sgag.exe
2008-09-24 02:18	425,984	----a-w	C:\WINDOWS\system32\ATIDEMGX.dll
2008-09-24 02:17	311,296	----a-w	C:\WINDOWS\system32\ati2dvag.dll
2008-09-24 02:09	10,772,480	----a-w	C:\WINDOWS\system32\atioglxx.dll
2008-09-24 02:07	188,416	----a-w	C:\WINDOWS\system32\atipdlxx.dll
2008-09-24 02:06	43,520	----a-w	C:\WINDOWS\system32\ati2edxx.dll
2008-09-24 02:06	26,112	----a-w	C:\WINDOWS\system32\Ati2mdxx.exe
2008-09-24 02:06	143,360	----a-w	C:\WINDOWS\system32\Oemdspif.dll
2008-09-24 02:06	143,360	----a-w	C:\WINDOWS\system32\ati2evxx.dll
2008-09-24 02:04	581,632	----a-w	C:\WINDOWS\system32\ati2evxx.exe
2008-09-24 02:03	53,248	----a-w	C:\WINDOWS\system32\ATIDDC.DLL
2008-09-24 01:56	307,200	----a-w	C:\WINDOWS\system32\atiiiexx.dll
2008-09-24 01:54	4,008,864	----a-w	C:\WINDOWS\system32\ati3duag.dll
2008-09-24 01:38	2,399,744	----a-w	C:\WINDOWS\system32\ativvaxx.dll
2008-09-24 01:24	48,640	----a-w	C:\WINDOWS\system32\amdpcom32.dll
2008-09-24 01:20	380,928	----a-w	C:\WINDOWS\system32\atikvmag.dll
2008-09-24 01:19	39,424	----a-w	C:\WINDOWS\system32\atiadlxx.dll
2008-09-24 01:18	53,248	----a-w	C:\WINDOWS\system32\drivers\ati2erec.dll
2008-09-24 01:18	253,952	----a-w	C:\WINDOWS\system32\atiok3x2.dll
2008-09-24 01:18	17,408	----a-w	C:\WINDOWS\system32\atitvo32.dll
2008-09-24 01:12	573,440	----a-w	C:\WINDOWS\system32\ati2cqag.dll
2008-09-15 12:12	1,846,400	----a-w	C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41	333,824	----a-w	C:\WINDOWS\system32\drivers\srv.sys
2008-08-20 05:30	666,112	----a-w	C:\WINDOWS\system32\wininet.dll
2008-08-14 10:09	2,145,280	----a-w	C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33	2,023,936	----a-w	C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-30 17:00	90,112	----a-w	C:\WINDOWS\system32\atibrtmon.exe
2008-07-07 20:26	253,952	----a-w	C:\WINDOWS\system32\es.dll
2006-06-24 06:48	32,768	----a-r	C:\WINDOWS\inf\UpdateUSB.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-08-01 16:23 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-27 19:58 1410296 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 13:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2008-03-26 11:14 16859136 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\Chris\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 L1e;Miniport Driver for Atheros AR8121/AR8113 PCI-E Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l1e51x86.sys [2008-02-02 36864]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-10-22 38496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8232b83a-a48e-11dd-8bf7-f1955dcc1f35}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8232b83b-a48e-11dd-8bf7-f1955dcc1f35}]
\Shell\AutoRun\command - J:\xih9.cmd
\Shell\explore\Command - J:\xih9.cmd
\Shell\open\Command - J:\xih9.cmd

*Newly Created Service* - MBAMSWISSARMY
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-kamsoft - C:\WINDOWS\system32\ckvo.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\37qluhek.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-31 13:26:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-31 13:27:15
ComboFix-quarantined-files.txt  2008-10-31 18:27:11

Pre-Run: 20,092,260,352 bytes free
Post-Run: 20,209,512,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

188	--- E O F ---	2008-10-31 18:18:18
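The ComboFix log above records the whole infection mechanism: an `autorun.inf` in the root of C:, D: and E:, a `.cmd` dropper next to it, and cached `MountPoints2` entries where `Shell\open\Command` and `Shell\explore\Command` for the J: drive both point at `J:\xih9.cmd` (which is why double-clicking C: asked which program to use to open it). The following is an added example, not code posted in the thread: a small Python triage helper that parses an `autorun.inf` body the way the XP shell reads it, flags AutoRun entries that launch a script in the drive root or redefine Explorer's own `open`/`explore` verbs, and interprets the `NoDriveTypeAutoRun` policy bitmask that disables AutoRun per drive type. The two sample `autorun.inf` bodies are constructed for the demo; the real file from the thread was never posted, only the entries ComboFix logged for it.

```python
"""Triage helper for autorun.inf USB worms (added example, not from the thread).

Parses the body of an autorun.inf file (INI-style [autorun] section) and flags
what the ComboFix log showed the worm doing: pointing AutoRun at a script in
the drive root and redefining Explorer's 'open' and 'explore' verbs.
"""
import re

# HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
# is a bitmask; a set bit disables AutoRun for that drive type.
DRIVE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
XP_DEFAULT_NODRIVETYPEAUTORUN = 0x91  # XP's default: removable and fixed drives still AutoRun
ALL_DRIVES = 0xFF                     # disables AutoRun for every drive type

# The droppers in this thread were .cmd/.bat/.com files in the drive root; legitimate
# autorun.inf files almost always point at an .exe launcher, so these stand out.
SCRIPT_EXTS = (".cmd", ".bat", ".com", ".pif", ".scr", ".vbs", ".js")
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return {lowercased key: [values...]} from the [autorun] section(s).

    Worms pad the file with junk lines to trip up naive scanners, so anything that
    is neither a section header nor key=value is skipped instead of raising.
    Architecture-specific sections such as [autorun.alpha] are also honoured.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            in_autorun = section == "autorun" or section.startswith("autorun.")
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), []).append(value.strip())
    return entries


def command_target(value):
    """First token of a command line, quotes removed, lowercased."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end].lower() if end > 0 else value[1:].lower()
    return value.split()[0].lower() if value.split() else ""


def triage_autorun(text):
    """Return (key, value, reason) findings; an empty list means nothing suspicious.

    reason is 'script_target' when an execution key points at a script/COM file and
    'verb_hijack' when shell\\open\\command or shell\\explore\\command is redefined.
    """
    findings = []
    for key, values in parse_autorun(text).items():
        verb_match = SHELL_CMD_RE.match(key)
        if key not in ("open", "shellexecute") and not verb_match:
            continue  # icon=, label=, action= and friends do not run anything by themselves
        for value in values:
            if command_target(value).endswith(SCRIPT_EXTS):
                findings.append((key, value, "script_target"))
            if verb_match and verb_match.group(1) in ("open", "explore"):
                findings.append((key, value, "verb_hijack"))
    return findings


def autorun_disabled_for(no_drive_type_autorun, drive_type="removable"):
    """True if the NoDriveTypeAutoRun bitmask disables AutoRun for drive_type."""
    return bool(no_drive_type_autorun & DRIVE_BITS[drive_type])


# Constructed samples. The malicious one reproduces only the MountPoints2 entries
# ComboFix logged for xih9.cmd; the benign one mirrors the U3 launcher entry for I:.
MALICIOUS_SAMPLE = r"""[AutoRun]
;padding lines like this are common in worm-written files
open=xih9.cmd
shell\open\Command=xih9.cmd
shell\explore\Command=xih9.cmd
shellexecute=xih9.cmd
"""
BENIGN_SAMPLE = r"""[autorun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0
label=U3 System
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{name}:")
        for key, value, reason in triage_autorun(sample) or [("-", "-", "no findings")]:
            print(f"  {reason:14} {key}={value}")
    for v in (XP_DEFAULT_NODRIVETYPEAUTORUN, ALL_DRIVES):
        print(f"NoDriveTypeAutoRun=0x{v:02X} blocks removable drives: "
              f"{autorun_disabled_for(v, 'removable')}")
```

Run it against the `autorun.inf` found in the root of each drive (with every thumb drive that has touched the machine plugged in, as Respital asks below), not just the system drive: the log shows the same `xih9.cmd` set on C:, D: and E:, so cleaning C: alone guarantees reinfection from the next mount. Setting `NoDriveTypeAutoRun` to `0xFF` stops AutoPlay from launching the dropper, but on XP at the time of this thread the `open`/`shell\open\command` entries were still honoured on double-click until a later Windows update (KB967715), so deleting the `autorun.inf` files and the cached `MountPoints2` keys, as ComboFix did here, is still required.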


----------



## Respital

I also need the log from SDFix.


----------



## teamhex

Respital said:


> I also need the log from SDFix.



I've yet to run it, so I guess I'll just boot in safe mode and run it. Logs in a few mins.


----------



## teamhex

*SDFix: Version 1.238 *
Run by Chris on Fri 10/31/2008 at 05:16 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services *:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


*Checking Files *: 

No Trojan Files Found


----------



## Respital

Well, ComboFix deleted a lot of infected files; we need to make sure they are all gone.

Let's run two more checks. 
During the next two checks be sure to have any flash drives used with the computer connected.


*How to run a scan with Malwarebytes' Anti-Malware*

Download Malwarebytes' Anti-Malware from *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Full Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
_If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately._


*Run Kaspersky Online AV Scanner*
Using *Internet Explorer* Go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the *Accept* button at the end of the page.

_Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%._

 Read the *Requirements and limitations* before you click *Accept*.
 Allow the ActiveX download if necessary.
 Once the database has downloaded, click *Next*.
 Click *Scan Settings* and change the "*Scan using the following antivirus database*" from *standard* to *extended* and then click *OK*.
 Click on "*My Computer*" and then put the kettle on!
When the scan has completed, click *Save Report As...*
 Enter a name for the file in the *Filename:* text box and then click the down arrow to the right of *Save as type:* and select *text file (*.txt)*
 Click *Save* - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


In your next reply i will need:

The Malwarebytes' Anti-Malware Log
The Kaspersky online scanner log
A fresh HiJackThis log
An update on how your PC is behaving


----------



## teamhex

Alrighty. I'm on it!
Thanks for the help, mate. Everything seems to be running great; I'm going to go ahead and do those follow-up tests.

Still running Malwarebytes, but it's found 2 files already that are infected. I'm going to finish this complete scan and try the other one.


----------



## teamhex

Before removing

Malwarebytes' Anti-Malware 1.30
Database version: 1337
Windows 5.1.2600 Service Pack 3

10/31/2008 5:55:52 PM
mbam-log-2008-10-31 (17-55-50).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 76100
Time elapsed: 20 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\E\1yl2d.bat.vir (Trojan.Vundo) -> No action taken.
C:\Qoobox\Quarantine\E\6x8be16.cmd.vir (Spyware.OnlineGames) -> No action taken.
E:\m88coaim.exe (Spyware.OnlineGames) -> No action taken.


----------



## teamhex

After deleting the files it showed:
I'm now going to run the online one.

Malwarebytes' Anti-Malware 1.30
Database version: 1337
Windows 5.1.2600 Service Pack 3

10/31/2008 5:56:34 PM
mbam-log-2008-10-31 (17-56-34).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 76100
Time elapsed: 20 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\E\1yl2d.bat.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\E\6x8be16.cmd.vir (Spyware.OnlineGames) -> Quarantined and deleted successfully.
E:\m88coaim.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.


----------



## teamhex

Man, this is starting to suck; every time it's something new.


KASPERSKY ONLINE SCANNER 7 REPORT
Friday, October 31, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 31, 2008 21:35:26
Records in database: 1365140
Scan settings
Scan using the following database 	extended
Scan archives 	yes
Scan mail databases 	yes
Scan area 	My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics
Files scanned 	33571
Threat name 	46
Infected objects 	60
Suspicious objects 	0
Duration of the scan 	00:25:42

File name 	Threat name 	Threats count
C:\Qoobox\Quarantine\C\autorun.inf.vir	Infected: Worm.Win32.AutoRun.rja	1	
C:\Qoobox\Quarantine\C\WINDOWS\system32\ckvo0.dll.vir	Infected: Packed.Win32.Krap.b	1	
C:\Qoobox\Quarantine\C\xih9.cmd.vir	Infected: Packed.Win32.Krap.b	1	
C:\Qoobox\Quarantine\D\68.exe.vir	Infected: Trojan-GameThief.Win32.Magania.agtn	1	
C:\Qoobox\Quarantine\D\9.cmd.vir	Infected: Trojan-GameThief.Win32.Magania.ahbf	1	
C:\Qoobox\Quarantine\D\autorun.inf.vir	Infected: Worm.Win32.AutoRun.rja	1	
C:\Qoobox\Quarantine\D\bo1dhu.bat.vir	Infected: Trojan-GameThief.Win32.OnLineGames.tnyo	1	
C:\Qoobox\Quarantine\D\ev60a2.cmd.vir	Infected: Trojan-GameThief.Win32.Magania.aguq	1	
C:\Qoobox\Quarantine\D\itsduel.exe.vir	Infected: Trojan-GameThief.Win32.OnLineGames.tncg	1	
C:\Qoobox\Quarantine\D\xih9.cmd.vir	Infected: Packed.Win32.Krap.b	1	
C:\Qoobox\Quarantine\E\1rfw8hjr.com.vir	Infected: Trojan.Win32.Vaklik.cjw	1	
C:\Qoobox\Quarantine\E\1t6yxlxx.cmd.vir	Infected: Worm.Win32.AutoRun.mug	1	
C:\Qoobox\Quarantine\E\33gmhso.bat.vir	Infected: Trojan.Win32.Vaklik.bvg	1	
C:\Qoobox\Quarantine\E\6.bat.vir	Infected: Trojan.Win32.Vaklik.cce	1	
C:\Qoobox\Quarantine\E\68.exe.vir	Infected: Trojan-GameThief.Win32.Magania.agtn	1	
C:\Qoobox\Quarantine\E\9.cmd.vir	Infected: Trojan-GameThief.Win32.Magania.ahbf	1	
C:\Qoobox\Quarantine\E\a1.bat.vir	Infected: Worm.Win32.AutoRun.ndh	1	
C:\Qoobox\Quarantine\E\autorun.inf.vir	Infected: Worm.Win32.AutoRun.rja	1	
C:\Qoobox\Quarantine\E\bo1dhu.bat.vir	Infected: Trojan-GameThief.Win32.OnLineGames.tnyo	1	
C:\Qoobox\Quarantine\E\bwpncb6.com.vir	Infected: Worm.Win32.AutoRun.lxm	1	
C:\Qoobox\Quarantine\E\ev60a2.cmd.vir	Infected: Trojan-GameThief.Win32.Magania.aguq	1	
C:\Qoobox\Quarantine\E\f0.cmd.vir	Infected: Trojan.Win32.Vaklik.cay	1	
C:\Qoobox\Quarantine\E\ffojc.com.vir	Infected: Worm.Win32.AutoRun.eks	1	
C:\Qoobox\Quarantine\E\fi.cmd.vir	Infected: Worm.Win32.AutoRun.ekv	1	
C:\Qoobox\Quarantine\E\g.com.vir	Infected: Trojan.Win32.Vaklik.cgo	1	
C:\Qoobox\Quarantine\E\hgu.bat.vir	Infected: Trojan-GameThief.Win32.Magania.vzi	1	
C:\Qoobox\Quarantine\E\iefqwp.cmd.vir	Infected: Trojan.Win32.Vaklik.asv	1	
C:\Qoobox\Quarantine\E\itsduel.exe.vir	Infected: Trojan-GameThief.Win32.OnLineGames.tncg	1	
C:\Qoobox\Quarantine\E\ivcvknr.bat.vir	Infected: Trojan.Win32.Vaklik.bym	1	
C:\Qoobox\Quarantine\E\kk3.bat.vir	Infected: Trojan-GameThief.Win32.Magania.abkt	1	
C:\Qoobox\Quarantine\E\kn6jhgc.cmd.vir	Infected: Trojan.Win32.Vaklik.cmb	1	
C:\Qoobox\Quarantine\E\njibyekk.com.vir	Infected: Trojan.Win32.Vaklik.cfk	1	
C:\Qoobox\Quarantine\E\r.cmd.vir	Infected: Trojan.Win32.Vaklik.bct	1	
C:\Qoobox\Quarantine\E\r1y1.bat.vir	Infected: Trojan-GameThief.Win32.OnLineGames.tdqz	1	
C:\Qoobox\Quarantine\E\r813.bat.vir	Infected: Trojan.Win32.Vaklik.cpe	1	
C:\Qoobox\Quarantine\E\vxl.exe.vir	Infected: Trojan-GameThief.Win32.Magania.acqa	1	
C:\Qoobox\Quarantine\E\xih9.cmd.vir	Infected: Packed.Win32.Krap.b	1	
D:\2fiji.com	Infected: Trojan-GameThief.Win32.Magania.aiau	1	
D:\xlk9.com	Infected: Trojan-GameThief.Win32.Magania.aigw	1	
E:\00hoeav.com	Infected: Trojan.Win32.Vaklik.bmk	1	
E:\qwc.exe	Infected: Trojan-GameThief.Win32.Magania.jag	1	
E:\klp8j6i.com	Infected: Worm.Win32.AutoRun.egy	1	
E:\0gjn3yw.exe	Infected: Trojan.Win32.Vaklik.bop	1	
E:\k.com	Infected: Worm.Win32.AutoRun.ekz	1	
E:\p83gjy.exe	Infected: Trojan.Win32.Vaklik.bwc	1	
E:\ybj8df.exe	Infected: Trojan.Win32.Vaklik.cbl	1	
E:\e9ehn1m8.com	Infected: Trojan.Win32.Vaklik.cce	1	
E:\g2pfnid.com	Infected: Trojan.Win32.Vaklik.chp	1	
E:\jk.exe	Infected: Trojan.Win32.Vaklik.cgo	1	
E:\e.com	Infected: Trojan.Win32.Vaklik.coh	1	
E:\uis.com	Infected: Trojan.Win32.Vaklik.coo	1	
E:\22xo.exe	Infected: Trojan-GameThief.Win32.Magania.abkz	1	
E:\xqf.com	Infected: Trojan-GameThief.Win32.Magania.ytx	1	
E:\knupkb.com	Infected: Worm.Win32.AutoRun.llw	1	
E:\xvlyb.exe	Infected: Trojan.Win32.Vaklik.csd	1	
E:\ph.com	Infected: Trojan-GameThief.Win32.Magania.abgx	1	
E:\ktnquo.exe	Infected: Worm.Win32.AutoRun.mrx	1	
E:\39lpji.com	Infected: Worm.Win32.AutoRun.nan	1	
E:\2fiji.com	Infected: Trojan-GameThief.Win32.Magania.aiau	1	
E:\xlk9.com	Infected: Trojan-GameThief.Win32.Magania.aigw	1	
The selected area was scanned.


----------
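The listing above mixes two very different kinds of hit. Everything under `C:\Qoobox\Quarantine` is a file ComboFix had already moved aside and renamed with a `.vir` suffix; those copies are inert and any later scanner will re-detect them. The entries in the root of `D:` and `E:` are live, and they are the ones that matter for deciding which drive is re-infecting the machine. The script below is an added example, not part of the original thread or of any of the tools named in it: it parses lines in the scanner's tab-separated format, separates quarantine residue from live files by drive, and counts detections per malware family. The sample lines are copied from the listing above; the assumption that `C:\Qoobox\Quarantine` is ComboFix's quarantine folder holds for ComboFix, but the path constant is the only thing that ties the code to it.

```python
"""Triage of a Kaspersky-style scan listing (added example).

Each detection line has the form
    <path><TAB>Infected: <threat name><TAB><count>
Files under C:\\Qoobox\\Quarantine were already neutralised by ComboFix
(renamed with a .vir suffix), so detections there are expected residue.
Detections anywhere else are live files.
"""
import re
from collections import Counter, defaultdict

QUARANTINE_PREFIX = r"C:\Qoobox\Quarantine"   # ComboFix's quarantine folder

# Sample input: a few lines copied from the scan listing above, joined with
# real tabs the way the scanner writes them, plus the trailer line it prints.
SAMPLE_LOG = "\n".join("\t".join(cols) for cols in [
    (r"C:\Qoobox\Quarantine\C\autorun.inf.vir", "Infected: Worm.Win32.AutoRun.rja", "1", ""),
    (r"C:\Qoobox\Quarantine\C\WINDOWS\system32\ckvo0.dll.vir", "Infected: Packed.Win32.Krap.b", "1", ""),
    (r"C:\Qoobox\Quarantine\E\xih9.cmd.vir", "Infected: Packed.Win32.Krap.b", "1", ""),
    (r"D:\2fiji.com", "Infected: Trojan-GameThief.Win32.Magania.aiau", "1", ""),
    (r"E:\00hoeav.com", "Infected: Trojan.Win32.Vaklik.bmk", "1", ""),
    (r"E:\qwc.exe", "Infected: Trojan-GameThief.Win32.Magania.jag", "1", ""),
    (r"E:\k.com", "Infected: Worm.Win32.AutoRun.ekz", "1", ""),
    ("The selected area was scanned.",),
])

# <drive>:\<path> TAB "Infected: " <name> TAB <count>; anything else is ignored.
LINE_RE = re.compile(r"^(?P<path>[A-Z]:\\[^\t]*)\tInfected: (?P<threat>\S+)\t(?P<count>\d+)")


def parse_detections(text):
    """Yield (path, threat_name) for every detection line in the listing."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("path"), m.group("threat")


def family(threat):
    """Drop the variant suffix: 'Trojan.Win32.Vaklik.bmk' -> 'Trojan.Win32.Vaklik'."""
    return threat.rsplit(".", 1)[0]


def triage(text):
    """Split detections into (quarantine_residue, live_by_drive).

    live_by_drive maps 'D:' / 'E:' ... to the list of (path, threat) found
    outside the quarantine folder, which is what still needs cleaning.
    """
    quarantined = []
    live = defaultdict(list)
    for path, threat in parse_detections(text):
        if path.upper().startswith(QUARANTINE_PREFIX.upper()):
            quarantined.append((path, threat))
        else:
            live[path[:2].upper()].append((path, threat))
    return quarantined, dict(live)


def family_counts(text):
    """How many detections belong to each malware family, quarantine included."""
    return Counter(family(threat) for _, threat in parse_detections(text))


if __name__ == "__main__":
    residue, live = triage(SAMPLE_LOG)
    print(f"{len(residue)} quarantine residue entries (already neutralised)")
    for drive, hits in sorted(live.items()):
        print(f"{drive} has {len(hits)} live detection(s):")
        for path, threat in hits:
            print(f"    {path}  {threat}")
    print("families:", dict(family_counts(SAMPLE_LOG)))
```

Run against the full listing, the live side of the split is every root-level file on `D:` and `E:`, which is exactly the pattern of an autorun worm re-seeding removable media; the quarantine side can be ignored, or simply deleted together with the `Qoobox` folder once the machine is confirmed clean.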



## teamhex

My PC seems to be running fine, but that thing said it found a bunch of stuff.
If it helps, I deleted that quarantine folder; also, that E drive is an IP phone called magicJack. Maybe that turd is giving me this stuff.
Is there some program that can kill everything? I'll even pay for it; it's got to be the ultimate remover/scanner.


----------



## Respital

Well, it detected a lot of stuff, so that's good.

As I lack the privilege to give you a ComboFix script, I will do what I can.

Please run ComboFix again.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.*

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then the *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*; then ComboFix should continue.
If that happened we want to know, and also which process you had to end.


Please remember to post an updated HiJackThis log.


----------



## teamhex

Here's the log

ComboFix 08-10-30.13 - Chris 2008-10-31 20:12:07.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1597 [GMT -5:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2008-10-01 to 2008-11-01  )))))))))))))))))))))))))))))))
.

2008-10-31 18:45 . 2008-04-14 05:42	159,232	--a------	C:\WINDOWS\system32\ptpusd.dll
2008-10-31 18:45 . 2008-04-14 00:15	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys
2008-10-31 18:45 . 2008-04-14 00:15	15,104	--a--c---	C:\WINDOWS\system32\dllcache\usbscan.sys
2008-10-31 18:45 . 2001-08-17 22:36	5,632	--a------	C:\WINDOWS\system32\ptpusb.dll
2008-10-31 18:16 . 2008-10-31 18:16	<DIR>	d--------	C:\Program Files\JAM Software
2008-10-31 18:00 . 2008-10-31 18:00	<DIR>	d--------	C:\WINDOWS\Sun
2008-10-31 17:58 . 2008-10-31 17:58	<DIR>	d--------	C:\Program Files\Java
2008-10-31 17:58 . 2008-10-31 17:58	410,976	--a------	C:\WINDOWS\system32\deploytk.dll
2008-10-31 17:58 . 2008-10-31 17:58	73,728	--a------	C:\WINDOWS\system32\javacpl.cpl
2008-10-31 17:15 . 2008-10-31 17:15	578,560	--a--c---	C:\WINDOWS\system32\dllcache\user32.dll
2008-10-31 17:14 . 2008-10-31 17:14	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-10-31 13:21 . 2008-10-31 17:20	<DIR>	d--------	C:\SDFix
2008-10-29 21:47 . 2008-10-29 21:47	<DIR>	d--------	C:\WINDOWS\ServicePackFiles
2008-10-29 21:47 . 2008-04-14 05:42	294,912	-----c---	C:\WINDOWS\system32\dllcache\dlimport.exe
2008-10-29 21:44 . 2006-12-29 00:31	19,569	--a------	C:\WINDOWS\002897_.tmp
2008-10-29 19:30 . 2008-10-29 19:30	<DIR>	d--------	C:\Program Files\DAEMON Tools Lite
2008-10-29 18:18 . 2008-10-29 18:18	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\DAEMON Tools
2008-10-29 18:18 . 2008-10-29 18:18	717,296	--a------	C:\WINDOWS\system32\drivers\sptd.sys
2008-10-29 17:10 . 2008-10-29 17:10	<DIR>	d--------	C:\Program Files\Trend Micro
2008-10-29 16:49 . 2008-10-29 16:49	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\Malwarebytes
2008-10-29 16:49 . 2008-10-22 16:10	15,504	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-10-29 16:48 . 2008-10-29 16:49	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-10-29 16:48 . 2008-10-29 16:48	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-29 16:48 . 2008-10-22 16:10	38,496	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-29 16:44 . 2008-10-29 16:44	<DIR>	d--------	C:\Program Files\uTorrent
2008-10-29 16:44 . 2008-10-29 19:17	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\uTorrent
2008-10-27 22:51 . 2008-10-27 22:51	<DIR>	d--------	C:\Documents and Settings\Chris\Application Data\vlc
2008-10-27 22:50 . 2008-10-27 22:50	<DIR>	d--------	C:\Program Files\VideoLAN
2008-10-27 22:04 . 2008-06-13 06:05	272,128	---------	C:\WINDOWS\system32\drivers\bthport.sys
2008-10-27 22:04 . 2008-06-13 06:05	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-27 22:03 . 2008-08-14 05:11	2,189,184	-----c---	C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-27 22:03 . 2008-08-14 05:09	2,145,280	-----c---	C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-27 22:03 . 2008-08-14 04:33	2,066,048	-----c---	C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-27 22:03 . 2008-08-14 04:33	2,023,936	-----c---	C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-27 22:03 . 2008-09-15 07:12	1,846,400	-----c---	C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-27 22:03 . 2008-04-11 14:04	691,712	-----c---	C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-10-27 22:03 . 2008-09-08 05:41	333,824	-----c---	C:\WINDOWS\system32\dllcache\srv.sys
2008-10-27 22:03 . 2008-05-08 09:02	203,136	-----c---	C:\WINDOWS\system32\dllcache\rmcast.sys
2008-10-27 22:02 . 2008-10-15 11:34	337,408	-----c---	C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-27 21:36 . 2008-10-27 21:36	13,646	--a------	C:\WINDOWS\system32\wpa.bak

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-01 00:40	---------	d-----w	C:\Program Files\Steam
2008-10-28 01:52	---------	d-----w	C:\Program Files\Realtek
2008-10-28 01:49	315,392	----a-w	C:\WINDOWS\HideWin.exe
2008-10-28 01:34	---------	d-----w	C:\Program Files\Intel
2008-10-28 01:16	---------	d-----w	C:\Program Files\microsoft frontpage
2008-10-28 01:01	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-10-28 01:01	---------	d-----w	C:\Program Files\ATI Technologies
2008-10-28 01:00	---------	d-----w	C:\Program Files\Common Files\InstallShield
2008-10-28 00:55	---------	d-----w	C:\Documents and Settings\Chris\Application Data\mjusbsp
2008-09-24 03:09	3,331,072	----a-w	C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-09-24 03:05	593,920	------w	C:\WINDOWS\system32\ati2sgag.exe
2008-09-24 02:18	425,984	----a-w	C:\WINDOWS\system32\ATIDEMGX.dll
2008-09-24 02:17	311,296	----a-w	C:\WINDOWS\system32\ati2dvag.dll
2008-09-24 02:09	10,772,480	----a-w	C:\WINDOWS\system32\atioglxx.dll
2008-09-24 02:07	188,416	----a-w	C:\WINDOWS\system32\atipdlxx.dll
2008-09-24 02:06	43,520	----a-w	C:\WINDOWS\system32\ati2edxx.dll
2008-09-24 02:06	26,112	----a-w	C:\WINDOWS\system32\Ati2mdxx.exe
2008-09-24 02:06	143,360	----a-w	C:\WINDOWS\system32\Oemdspif.dll
2008-09-24 02:06	143,360	----a-w	C:\WINDOWS\system32\ati2evxx.dll
2008-09-24 02:04	581,632	----a-w	C:\WINDOWS\system32\ati2evxx.exe
2008-09-24 02:03	53,248	----a-w	C:\WINDOWS\system32\ATIDDC.DLL
2008-09-24 01:56	307,200	----a-w	C:\WINDOWS\system32\atiiiexx.dll
2008-09-24 01:54	4,008,864	----a-w	C:\WINDOWS\system32\ati3duag.dll
2008-09-24 01:38	2,399,744	----a-w	C:\WINDOWS\system32\ativvaxx.dll
2008-09-24 01:24	48,640	----a-w	C:\WINDOWS\system32\amdpcom32.dll
2008-09-24 01:20	380,928	----a-w	C:\WINDOWS\system32\atikvmag.dll
2008-09-24 01:19	39,424	----a-w	C:\WINDOWS\system32\atiadlxx.dll
2008-09-24 01:18	53,248	----a-w	C:\WINDOWS\system32\drivers\ati2erec.dll
2008-09-24 01:18	253,952	----a-w	C:\WINDOWS\system32\atiok3x2.dll
2008-09-24 01:18	17,408	----a-w	C:\WINDOWS\system32\atitvo32.dll
2008-09-24 01:12	573,440	----a-w	C:\WINDOWS\system32\ati2cqag.dll
2008-09-15 12:12	1,846,400	----a-w	C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41	333,824	----a-w	C:\WINDOWS\system32\drivers\srv.sys
2008-08-20 05:30	666,112	----a-w	C:\WINDOWS\system32\wininet.dll
2008-08-14 10:09	2,145,280	----a-w	C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33	2,023,936	----a-w	C:\WINDOWS\system32\ntkrnlpa.exe
2006-06-24 06:48	32,768	----a-r	C:\WINDOWS\inf\UpdateUSB.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-31 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-08-01 16:23 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-27 19:58 1410296 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 13:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2008-03-26 11:14 16859136 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\Chris\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-31 152984]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113 PCI-E Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l1e51x86.sys [2008-02-02 36864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8232b83a-a48e-11dd-8bf7-f1955dcc1f35}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8232b83b-a48e-11dd-8bf7-f1955dcc1f35}]
\Shell\AutoRun\command - J:\xih9.cmd
\Shell\explore\Command - J:\xih9.cmd
\Shell\open\Command - J:\xih9.cmd

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\37qluhek.default\
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-31 20:12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-31 20:13:36
ComboFix-quarantined-files.txt  2008-11-01 01:13:33
ComboFix2.txt  2008-10-31 18:27:15

Pre-Run: 16,250,286,080 bytes free
Post-Run: 16,287,870,976 bytes free

148	--- E O F ---	2008-10-31 18:18:18


----------



## Respital

Lets take a deeper look.

*: Download and Run DSS :*

Download *Deckard's System Scanner (DSS)* to your *Desktop*. You must be logged onto an account with administrator privileges.

*Close* all applications and windows.
*Double-click* on *dss.exe* to run it, and follow the prompts.
When the scan is complete, two text files will open - *main.txt* <- this one will be maximized and *extra.txt*<- this one will be minimized.
Copy *(Ctrl+A then Ctrl+C)* and paste *(Ctrl+V)* the contents of *main.txt* and the *extra.txt* in your reply.

Please post a new HiJackThis log after this scan; it is a *must*.


----------



## teamhex

Respital said:


> Lets take a deeper look.
> 
> *: Download and Run DSS :*
> 
> Download *Deckard's System Scanner (DSS)* to your *Desktop*. You must be logged onto an account with administrator privileges.
> 
> *Close* all applications and windows.
> *Double-click* on *dss.exe* to run it, and follow the prompts.
> When the scan is complete, two text files will open - *main.txt* <- this one will be maximized and *extra.txt*<- this one will be minimized.
> Copy *(Ctrl+A then Ctrl+C)* and paste *(Ctrl+V)* the contents of *main.txt* and the *extra.txt* in your reply.
> 
> Please post a new HiJackThis log after this scan; it is a *must*.



I'm sorry, but at this point, this is just madness. I've gone through how many programs? For some reason the link won't work; the page won't load.
I went back a directory on the site, and this is what I found:
"Deckard's System Scanner interacts with a specific rootkit (tdssserv) in a way that may make your system unusable (altering the svchost netsvcs registry entry). This download link has been removed until a fix is released by Deckard. For your own protection, please do not attempt to download this tool from other sites."


----------



## Respital

Okay, please post a *new* hijackthis log and wait for a pro to let you know if anything needs to be fixed, please be patient. Until a pro has told you your log is clean please avoid important things such as banking.


----------



## teamhex

Respital said:


> Okay, please post a *new* hijackthis log and wait for a pro to let you know if anything needs to be fixed, please be patient. Until a pro has told you your log is clean please avoid important things such as banking.


Will do, but I think it's gone; HijackThis has found nothing. Here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:32 PM, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chris\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Chris\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3451 bytes


----------



## Respital

teamhex said:


> Will do, but I think it's gone; HijackThis has found nothing. Here's the log.



HiJackThis is not a scanner. HJT is a diagnostic program so that we know what's going on on your computer. So HiJackThis doesn't look for anything; a security pro has to manually look up each line of the log. Please be patient.


----------



## teamhex

Respital said:


> HiJackThis is not a scanner. HJT is a diagnostic program so that we know what's going on on your computer. So HiJackThis doesn't look for anything; a security pro has to manually look up each line of the log. Please be patient.



Yeah, it just checks running processes. Everything on it looks normal to me. I'm not a security pro, but I know what processes should and shouldn't be running.
BTW Respital, thanks; no one else has jumped in and attempted to help. Again, thanks a ton, mate.


----------



## Respital

teamhex said:


> Yeah, it just checks running processes. Everything on it looks normal to me. I'm not a security pro, but I know what processes should and shouldn't be running.
> BTW Respital, thanks; no one else has jumped in and attempted to help. Again, thanks a ton, mate.



No problem. I try to do as much as I can.


----------



## teamhex

Respital said:


> No problem. I try to do as much as I can.



This thing popped up again on my system; it's got to be hiding somewhere. I just keep running the steps and it stays gone for a day or so. I guess I'm going to just toss or reformat my flash drives and both HDs. I really don't want to format my slave, but if I have to.


----------



## Respital

teamhex said:


> This thing popped up again on my system; it's got to be hiding somewhere. I just keep running the steps and it stays gone for a day or so. I guess I'm going to just toss or reformat my flash drives and both HDs. I really don't want to format my slave, but if I have to.



Hold on a minute! 

It's likely that it's from a flash drive, figure out which one you plugged in when it popped up again and report back.


----------



## teamhex

Respital said:


> Hold on a minute!
> 
> It's likely that it's from a flash drive, figure out which one you plugged in when it popped up again and report back.



The crazy thing is I had it plugged in when I ran ComboFix/SDFix, and it cleaned some stuff off along with stuff on the C and D drives. So it's still somewhere.


----------

