Help, severe infection

  1. #1
grandkapy (Newbie)

    Help, severe infection

    My computer has probably been infected and randomly shows these symptoms:
- The Remote Procedure Call terminates abruptly and causes a system shutdown
- When closing an application the following message pops up: "The instruction at "0x20b0c6b4" referenced memory at "0x00000000". The memory could not be "read". Click OK to terminate the program"
- The computer cannot connect to the Wireless LAN. When trying the "repair" routine, it says "PC is unable to attribute an IP address"
- When logging in to my account a blank screen appears and Windows is totally blocked.

I fully scanned the computer with the following programs:
NOD 32, Zonelab (spyware), AVG 7.5 and Spysweeper. Nothing was found.

    Here is the Hijackthis log.

    Thank you very much for your help

    Logfile of HijackThis v1.99.1
    Scan saved at 18:02:39, on 14.05.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [D-Link AirPlus G] "C:\Program Files\D-Link\AirPlus G\AirGCFG.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} - file://C:\Program Files\FIFA2004\update.1.1\patchx2.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1125079620187
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125079597703
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/...r/PROFILER.CAB
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
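An added example, not part of the thread and not HijackThis's own code: a small Python triage script run over a subset of the log lines posted above. It splits each line into its section code and body and flags the entries a helper usually looks at first: entries whose file is gone ("(no file)" or "(file missing)", leftovers of removed software rather than evidence of infection by themselves), unnamed BHO/toolbar/button entries, O20 Winlogon Notify entries that name no DLL (Winlogon loads these DLLs into winlogon.exe at logon, so a broken or hostile one can disrupt logon), and O23 services whose version resource carries no publisher. The flag names and the Entry class are my own; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a verbatim subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O20, O23, ...)
# followed by " - " and the entry body.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)  # hypothetical flag names, defined below


def triage_line(line: str):
    """Parse one log line and attach review flags; returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m.group("code"), m.group("body"))
    body = entry.body

    # Registry entry whose target file no longer exists: safe to clean, not malicious per se.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        entry.flags.append("orphan")

    # BHOs, toolbars and IE buttons normally carry a display name.
    if entry.code in ("O2", "O3", "O9") and "(no name)" in body:
        entry.flags.append("unnamed")

    # Winlogon Notify packages must point at a DLL; a bare directory is incomplete
    # and worth reviewing because winlogon.exe loads whatever is registered here.
    if entry.code == "O20":
        path = body.rsplit(" - ", 1)[-1]
        if not path.lower().endswith(".dll"):
            entry.flags.append("notify-without-dll")

    # "Unknown owner" means the service binary has no company name in its version info.
    if entry.code == "O23" and " - Unknown owner - " in body:
        entry.flags.append("unknown-owner")

    return entry


def triage(log_text: str):
    """Return only the entries that received at least one flag."""
    entries = [e for e in map(triage_line, log_text.splitlines()) if e]
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code:<4} {', '.join(e.flags):<22} {e.body}")
```

Entries without flags (the Java SSV helper, WgaLogon.dll, the NOD32 service) drop out of the report; the flagged O20 PCANotify line is the one the helper's HijackThis backup later shows as removed.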

  2. #2
Neal (Dedicated Member)
    Welcome,

    If those excellent scanners you used did not find anything you may have some serious issues other than infection type problems.

    Let's try a couple more just in case.

    1. Download this file - COMBOFIX
    2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

    Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    And...
    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Double-click the drweb-cureit.exe file and allow it to run the express scan
    * This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    * Once the short scan has finished, mark the drives that you want to scan.
    * Select all drives. A red dot shows which drives have been chosen.
    * Click the green arrow at the right, and the scan will start.
    * Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, check whether you can click the next icon next to the files found:

* If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:


This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
    * After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    * Save the report to your desktop. The report will be called DrWeb.csv
    * Close Dr.Web Cureit.
* Reboot your computer!! It is possible that files in use will only be moved/deleted during the reboot.
* After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.


    Post both scan reports back here please.

  3. #3
grandkapy (Newbie)
    Thank you very much for helping me. Here are the log files. It seems that Dr. Web found a trojan Maldrop.6162 and a modified V2Px.1190 that no other scanner found.


    "ROLF" - 2007-05-17 10:50:08 Service Pack 2
    ComboFix 07-05.17.V - Running from: "C:\Documents and Settings\ROLF\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\packet.dll
    C:\WINDOWS\system32\wpcap.dll
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\drivers\sfsync03.sys


    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CLIENT_IP-IPX
    -------\LEGACY_NPF
    -------\LEGACY_SFSYNC03
    -------\NPF
    -------\sfsync03


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-17 ))))))))))))))))))))))))))))))))))


    2007-05-17 10:48 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-05-17 10:48 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-05-17 10:36 0 --a------ C:\WINDOWS\system32\sfsync03.dll
    2007-05-16 22:47 5,408 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-05-16 22:47 4,324,128 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-05-16 22:47 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-05-16 22:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-05-16 20:44 65,536 --a------ C:\WINDOWS\system32\drivers\CnxE2FS.bin
    2007-05-16 20:44 <DIR> d-------- C:\Program Files\Netopia
    2007-05-16 20:43 52,864 --a------ C:\WINDOWS\system32\drivers\CnxTrUsb.sys
    2007-05-16 20:43 3,720,196 --a------ C:\WINDOWS\system32\drivers\CnxE2Fw.bin
    2007-05-16 20:43 25,984 --a------ C:\WINDOWS\system32\drivers\CnxTrLan.sys
    2007-05-16 20:12 <DIR> d-------- C:\kav
    2007-05-14 21:48 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
    2007-05-14 18:04 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2007-05-14 18:04 59,472 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2007-05-14 18:04 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2007-05-14 18:04 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
    2007-05-14 18:04 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2007-05-14 18:04 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-05-14 18:04 <DIR> d-------- C:\DOCUME~1\CATHER~1\APPLIC~1\PC Tools
    2007-05-14 18:03 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-05-13 15:45 <DIR> d-------- C:\DOCUME~1\CATHER~1\APPLIC~1\Webroot
    2007-05-12 11:25 1,310,720 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-05-12 11:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
    2007-05-12 11:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
    2007-05-11 21:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-05-04 19:07 298,104 --a------ C:\WINDOWS\system32\imon.dll
    2007-05-01 19:53 <DIR> d-------- C:\Program Files\WinZix


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    Rootkit driver pe386 is present. A rootkit scan is required

    2007-08-24 20:42:59 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
    2007-05-17 07:50:21 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
    2007-05-17 07:50:21 384 ----a-w C:\WINDOWS\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
    2007-05-16 18:43:39 -------- d-----w C:\Program Files\Cayman
    2007-05-14 19:44:50 -------- d-----w C:\Program Files\SPY
    2007-05-06 06:52:43 -------- d-----w C:\Program Files\Mp3Doctor
    2007-05-06 06:46:25 -------- d-----w C:\Program Files\vso
    2007-05-06 06:41:29 699,392 ---h--w C:\WINDOWS\system32\wodfamoh.dll
    2007-05-04 21:38:24 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6205.sys
    2007-05-04 20:22:19 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\SolSuite
    2007-05-02 16:48:40 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\phonostar-Player
    2007-04-29 08:27:58 -------- d-----w C:\Program Files\Folder Lock
    2007-04-23 15:53:05 -------- d-----w C:\Program Files\webradio_magix
    2007-04-23 15:35:39 -------- d-----w C:\Program Files\Ubisoft
    2007-04-22 20:35:26 -------- d-----w C:\Program Files\Ashampoo
    2007-04-22 19:33:15 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-04-22 19:33:15 -------- d-----w C:\Program Files\CyberLink
    2007-04-22 16:11:40 -------- d-----w C:\Program Files\GameHouse
    2007-04-18 16:09:10 -------- d-----w C:\Program Files\Temp
    2007-04-13 21:00:11 -------- d-----w C:\Program Files\YouTubeSpider
    2007-04-12 15:40:06 -------- d-----w C:\Program Files\Webroot
    2007-04-12 15:39:05 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Webroot
    2007-04-06 16:48:58 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Azureus
    2007-04-04 17:10:40 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Real
    2007-04-04 17:03:53 -------- d-----w C:\Program Files\Common Files\Real
    2007-04-04 16:27:52 -------- d-----w C:\Program Files\Video Convert Master
    2007-03-25 21:33:01 -------- d-----w C:\Program Files\Sega
    2007-03-25 21:30:53 -------- d-----w C:\Program Files\DAEMON Tools
    2007-03-25 1624 -------- d-----w C:\Program Files\Easy CD-DA Extractor 9
    2007-03-25 0905 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Riotball
    2007-03-25 08:44:14 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\NCH Swift Sound
    2007-03-23 18:50:25 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\BonkEnc
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-15 21:25:36 -------- d-----w C:\Program Files\Eraser
    2007-03-11 11:06:37 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-03-09 17:52:52 200,768 ----a-w C:\WINDOWS\system32\klogon.dll
    2007-03-08 23:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2007-03-08 16:26:48 -------- d-----w C:\Program Files\Microsoft Student
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\win32k.sys
    2007-03-01 13:37:46 261 ----a-w C:\WINDOWS\popcinfo.dat
    2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]
    {955BE0B8-BC85-4CAF-856E-8E0D8B610560}=C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL [2005-06-03 19:30]
    {CF7C3CF0-4B15-11D1-ABED-709549C10000}=C:\Program Files\Advanced System Optimizer\IEHelper.dll [2004-05-08 20:59]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 09:50]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 21:05]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
    "D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-04-22 18:51]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-03-19 00:11]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 19:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    @="0"
    "DisableTaskMgr_old"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"=dword:00000000
    "NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 15:18]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 16:13]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages msv1_0
    Security Packages kerberos msv1_0 schannel wdigest
    Notification Packages scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HTTPFilter HTTPFilter
    LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
    NetworkService DnsCache
    DcomLaunch DcomLaunch TermService
    rpcss RpcSs
    imgsvc StiSvc
    termsvcs TermService
    WudfServiceGroup WUDFSvc

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4b742ed-1bba-11da-a30d-00095bb581e7}]
    Shell\AutoRun\command J:\setupSNK.exe


    ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    backup-20070516-194703-443
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\
    backup-20070516-194701-980
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    backup-20070516-194701-344
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    backup-20070516-194701-158
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    backup-20070516-194701-783
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
    backup-20070516-194701-700
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    backup-20070516-194701-479
    O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)

    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-17 11:04:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\sccfg.sys 4096 bytes

    scan completed successfully
    hidden files: 1


********************************************************************

    Completion time: 2007-05-17 11:10:52 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-05-17 11:10


    --- E O F ---

    Dr. Web's logfile
    ==============

    j4_f.wav;C:\Games\GTA3MYTH\audio;Modification de V2Px.1190;Quarantaine.;
MiniBugTransporter.dll;C:\Program Files\Common Files\Real\WeatherBug;Adware.Minibug;Irréparable.Quarantaine.;
    DVD_Region_CSS_Free_v5_81_patch.exe;C:\Program Files\DVD Region+CSS Free;Tool.DVTPatch;Irréparable.Quarantaine.;
    Stress.exe;C:\Program Files\Folder Lock\Gifts;Joke.Puncher;Irréparable.Quarantaine.;
A0108611.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98;Program.SpyAgent;Irréparable.Quarantaine.;
A0108898.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98;Program.SpyAgent;Irréparable.Quarantaine.;
    A0109064.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98;Trojan.MulDrop.6162;Supprimé.;
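An added example, not part of the thread and not Dr.Web's own code: a Python reader for the semicolon-separated report above. I assume the layout the posted lines show (file name; folder; detection name; action taken; trailing empty field) and the French action strings as Dr.Web wrote them. The script separates hits inside System Restore snapshots (`System Volume Information\_restore...`) from hits on live files, since a restore-point copy is inert until a rollback brings it back, and the live ones are what the cleanup should be judged on. The field names and summary keys are my own; the sample rows are the report above with the forum's stray spaces removed.

```python
import csv
import io
from collections import Counter

# Constructed sample: the Dr.Web CureIt report posted above, one record per line,
# fields separated by ';' and each record ending in a trailing ';'.
SAMPLE_REPORT = r"""j4_f.wav;C:\Games\GTA3MYTH\audio;Modification de V2Px.1190;Quarantaine.;
MiniBugTransporter.dll;C:\Program Files\Common Files\Real\WeatherBug;Adware.Minibug;Irréparable.Quarantaine.;
DVD_Region_CSS_Free_v5_81_patch.exe;C:\Program Files\DVD Region+CSS Free;Tool.DVTPatch;Irréparable.Quarantaine.;
Stress.exe;C:\Program Files\Folder Lock\Gifts;Joke.Puncher;Irréparable.Quarantaine.;
A0108611.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98;Program.SpyAgent;Irréparable.Quarantaine.;
A0108898.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98;Program.SpyAgent;Irréparable.Quarantaine.;
A0109064.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98;Trojan.MulDrop.6162;Supprimé.;
"""

# Files under this path are System Restore snapshot copies, not the running system.
RESTORE_MARKER = "\\system volume information\\_restore"

# Action strings as they appear in the French-language report (assumed meanings):
#   "Quarantaine."             -> quarantined
#   "Irréparable.Quarantaine." -> incurable, quarantined
#   "Supprimé."                -> deleted


def parse_report(text: str):
    """Parse the report into a list of dicts, one per detected file."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter=";"):
        if len(rec) < 4:          # blank line or truncated record
            continue
        name, folder, detection, action = rec[:4]
        rows.append({
            "file": name,
            "folder": folder,
            "detection": detection,
            "action": action,
            # Detection names look like "Trojan.MulDrop.6162"; the first label is the class.
            "family": detection.split(".", 1)[0],
            "in_restore_point": RESTORE_MARKER in folder.lower(),
        })
    return rows


def summarize(rows):
    """Aggregate what was found, what Dr.Web did about it, and which hits are live."""
    return {
        "total": len(rows),
        "by_action": Counter(r["action"] for r in rows),
        "by_family": Counter(r["family"] for r in rows),
        "restore_point_hits": sum(r["in_restore_point"] for r in rows),
        "live_hits": [r["file"] for r in rows if not r["in_restore_point"]],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(f"{summary['total']} detections, {summary['restore_point_hits']} inside restore points")
    for action, n in summary["by_action"].items():
        print(f"  {n} x {action}")
    print("live files:", ", ".join(summary["live_hits"]))
```

On the report above this yields seven detections, three of them restore-point copies (including the only item Dr.Web deleted outright, the Trojan.MulDrop.6162 hit), and four live files that were quarantined. Localized detection names such as "Modification de V2Px.1190" end up as their own family label, which the counter shows as-is.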

  4. #4
Neal (Dedicated Member)
Rootkit infection was detected by ComboFix; let's see if we can kill that now...


    1. Please download gmer
      • Save it somewhere safe & unzip it to desktop
      • Double click the gmer.exe to run it and select the rootkit tab.
      • Press Scan
  • When it has finished, right-click the entry highlighted in red - ([System] pe386)
      • Select 'Delete the service' & then reboot your machine.


    Post a new combofix log also plus a new hijackthis log.
    Last edited by Neal; 17-05-2007 at 07:42 PM.

  5. #5
grandkapy (Newbie)
I ran gmer twice and there was no entry highlighted in red. So I didn't do anything. I tried with "Blacklight" and it finds something wrong with the file C:\sccfg.sys. The program doesn't allow me to fix the problem. Thank you for your continued support.

    Here are the latest log files.

    "ROLF" - 2007-05-17 23:19:10 Service Pack 2
    ComboFix 07-05.17.V - Running from: "C:\Documents and Settings\ROLF\Desktop\"


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-17 ))))))))))))))))))))))))))))))))))


    2007-05-17 11:12 <DIR> d-------- C:\DOCUME~1\ROLF\DoctorWeb
    2007-05-17 11:10 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-05-17 10:36 0 --a------ C:\WINDOWS\system32\sfsync03.dll
    2007-05-16 22:47 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-05-16 22:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-05-16 20:44 65,536 --a------ C:\WINDOWS\system32\drivers\CnxE2FS.bin
    2007-05-16 20:44 <DIR> d-------- C:\Program Files\Netopia
    2007-05-16 20:43 52,864 --a------ C:\WINDOWS\system32\drivers\CnxTrUsb.sys
    2007-05-16 20:43 3,720,196 --a------ C:\WINDOWS\system32\drivers\CnxE2Fw.bin
    2007-05-16 20:43 25,984 --a------ C:\WINDOWS\system32\drivers\CnxTrLan.sys
    2007-05-16 20:12 <DIR> d-------- C:\kav
    2007-05-14 21:48 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
    2007-05-14 18:04 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2007-05-14 18:04 59,472 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2007-05-14 18:04 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2007-05-14 18:04 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
    2007-05-14 18:04 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2007-05-14 18:04 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-05-14 18:04 <DIR> d-------- C:\DOCUME~1\CATHER~1\APPLIC~1\PC Tools
    2007-05-14 18:03 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-05-13 15:45 <DIR> d-------- C:\DOCUME~1\CATHER~1\APPLIC~1\Webroot
    2007-05-12 11:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
    2007-05-12 11:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
    2007-05-11 21:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-05-04 19:07 298,104 --a------ C:\WINDOWS\system32\imon.dll
    2007-05-01 19:53 <DIR> d-------- C:\Program Files\WinZix


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-08-24 20:42:59 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
    2007-05-17 21:38:19 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
    2007-05-17 21:38:19 384 ----a-w C:\WINDOWS\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
    2007-05-16 18:43:39 -------- d-----w C:\Program Files\Cayman
    2007-05-14 19:44:50 -------- d-----w C:\Program Files\SPY
    2007-05-06 06:52:43 -------- d-----w C:\Program Files\Mp3Doctor
    2007-05-06 06:46:25 -------- d-----w C:\Program Files\vso
    2007-05-06 06:41:29 699,392 ---h--w C:\WINDOWS\system32\wodfamoh.dll
    2007-05-04 21:38:24 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6205.sys
    2007-05-04 20:22:19 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\SolSuite
    2007-05-02 16:48:40 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\phonostar-Player
    2007-04-29 08:27:58 -------- d-----w C:\Program Files\Folder Lock
    2007-04-23 15:53:05 -------- d-----w C:\Program Files\webradio_magix
    2007-04-23 15:35:39 -------- d-----w C:\Program Files\Ubisoft
    2007-04-22 20:35:26 -------- d-----w C:\Program Files\Ashampoo
    2007-04-22 19:33:15 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-04-22 19:33:15 -------- d-----w C:\Program Files\CyberLink
    2007-04-22 16:11:40 -------- d-----w C:\Program Files\GameHouse
    2007-04-18 16:09:10 -------- d-----w C:\Program Files\Temp
    2007-04-13 21:00:11 -------- d-----w C:\Program Files\YouTubeSpider
    2007-04-12 15:40:06 -------- d-----w C:\Program Files\Webroot
    2007-04-12 15:39:05 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Webroot
    2007-04-06 16:48:58 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Azureus
    2007-04-04 17:10:40 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Real
    2007-04-04 17:03:53 -------- d-----w C:\Program Files\Common Files\Real
    2007-04-04 16:27:52 -------- d-----w C:\Program Files\Video Convert Master
    2007-03-25 21:33:01 -------- d-----w C:\Program Files\Sega
    2007-03-25 21:30:53 -------- d-----w C:\Program Files\DAEMON Tools
    2007-03-25 1624 -------- d-----w C:\Program Files\Easy CD-DA Extractor 9
    2007-03-25 0905 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Riotball
    2007-03-25 08:44:14 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\NCH Swift Sound
    2007-03-23 18:50:25 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\BonkEnc
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-15 21:25:36 -------- d-----w C:\Program Files\Eraser
    2007-03-11 11:06:37 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-03-08 23:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2007-03-08 16:26:48 -------- d-----w C:\Program Files\Microsoft Student
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\win32k.sys
    2007-03-01 13:37:46 261 ----a-w C:\WINDOWS\popcinfo.dat
    2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]
    {955BE0B8-BC85-4CAF-856E-8E0D8B610560}=C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL [2005-06-03 19:30]
    {CF7C3CF0-4B15-11D1-ABED-709549C10000}=C:\Program Files\Advanced System Optimizer\IEHelper.dll [2004-05-08 20:59]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 09:50]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 21:05]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
    "D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-04-22 18:51]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-03-19 00:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

    [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
    @="0"
    "DisableTaskMgr_old"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"=dword:00000000
    "NoCDBurning"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 15:18]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 16:13]


    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages msv1_0
    Security Packages kerberos msv1_0 schannel wdigest
    Notification Packages scecli

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HTTPFilter HTTPFilter
    LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
    NetworkService DnsCache
    DcomLaunch DcomLaunch TermService
    rpcss RpcSs
    imgsvc StiSvc
    termsvcs TermService
    WudfServiceGroup WUDFSvc

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4b742ed-1bba-11da-a30d-00095bb581e7}]
    Shell\AutoRun\command J:\setupSNK.exe


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-17 23:40:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\sccfg.sys 4096 bytes

    scan completed successfully
    hidden files: 1


    ********************************************************************

    Completion time: 2007-05-17 23:45:53 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-05-17 23:45
    C:\ComboFix2.txt ... 2007-05-17 11:10


    --- E O F ---

    Logfile of HijackThis v1.99.1
    Scan saved at 00:00:07, on 18.05.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\ROLF\Desktop\gmer.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://blueadit.bluewin.ch/adsl/router/index_f.html
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
    O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [D-Link AirPlus G] "C:\Program Files\D-Link\AirPlus G\AirGCFG.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} - file://C:\Program Files\FIFA2004\update.1.1\patchx2.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1125079620187
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125079597703
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/...r/PROFILER.CAB
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

  6. #6
    Neal is offline Dedicated Member
    Never seen that before. Combofix definitely flagged in red a pe386 rootkit infection but it doesn't show up on the removal process. Strange.

    That file that blacklight found combofix found too, after research appears to be a driver for dvd or something like that and not harmful. It was caught by them because it is hidden. I will continue looking for more information but in the meantime how is your computer behaving?

  7. #7
    grandkapy is offline Newbie
    Well, it's slightly better in the sense that the RPC procedure stopped shutting down the system every minute, but the computer is still unable to give an IP address, so that I still can't access the Internet (be it with a standard modem or the wireless LAN). The error message "memory .." still appears every time I close an application. I get a new error message that I didn't have at the beginning (procedure xyz (I don't have it in front of me) was interrupted, do you want to inform Microsoft).

    What about the trojan Maldrop.6162 and a modified V2Px.1190?

  8. #8
    Neal is offline Dedicated Member
    Let's do another rootkit scan to be sure.



    Download - www.uploads.ejvindh.net/rustbfix.exe ...and save it to your desktop.

    Double click on rustbfix.exe to run the tool.
    If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
    After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log.
    Note: If the infection is found, the tool will produce 2 logs


    Those two Dr.Web found were quarantined.


    To clean your temp folder, recycle bin, etc..please download this free tool:

    CCleaner

    Don't install any toolbars or other programs, should it ask you! Just uncheck the option of installing the Yahoo toolbar.
    It will put a shortcut on your Desktop.

    Uncheck cookies

    Before first use:
    Select Options then Advanced.
    UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

    Click on CCleaner to start it. Then click "Run Cleaner", just use the windows tab up front by default.


    Then Reboot (Exit)



    Do an online scan (scan only tool) with Kaspersky WebScanner
    [Internet Explorer required]


    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        - Extended (if available otherwise Standard)
      • Scan Options:
        - Scan Archives
        - Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the results of the scan back here please and a new hijackthis log.

  9. #9
    grandkapy is offline Newbie
    Rustbfix does not find anything.

    This morning my computer is in the same state as at the right beginning:
    - In Windows normal mode, the screen remains blank when logging in
    - When logging in in "no reboot on errors" mode, Windows Explorer sees only the "My Documents" directory. It is unable to read C:\ or any other drive or directory
    - The Remote Procedure Call terminates abruptly and causes a system shut down
    - When closing an application the following message pops up: "The instruction at "0x20b0c6b4" referenced memory at "0x00000000". The memory could not be "read". click OK to terminate the program
    - The computer cannot connect to the Wireless LAN. When trying the "repair" routine, it says "PC is unable to attribute an IP address"

    So I could not perform an online Kaspersky scan.

    Here are the latest log files . Thank you very much!

    Logfile of HijackThis v1.99.1
    Scan saved at 10:34:07, on 19.05.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\wwSecure.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://blueadit.bluewin.ch/adsl/router/index_f.html
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
    O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [D-Link AirPlus G] "C:\Program Files\D-Link\AirPlus G\AirGCFG.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} - file://C:\Program Files\FIFA2004\update.1.1\patchx2.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1125079620187
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125079597703
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} - http://support.euro.dell.com/global/...r/PROFILER.CAB
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe



    "ROLF" - 2007-05-19 10:03:12 Service Pack 2
    ComboFix 07-05.17.V - Running from: "C:\Documents and Settings\ROLF\Desktop\"


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-19 ))))))))))))))))))))))))))))))))))


    2007-05-19 09:50 <DIR> d-------- C:\Program Files\CCleaner
    2007-05-19 09:45 <DIR> d-------- C:\Rustbfix
    2007-05-17 11:12 <DIR> d-------- C:\DOCUME~1\ROLF\DoctorWeb
    2007-05-17 11:10 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-05-17 10:36 0 --a------ C:\WINDOWS\system32\sfsync03.dll
    2007-05-16 22:47 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-05-16 22:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-05-16 20:44 65,536 --a------ C:\WINDOWS\system32\drivers\CnxE2FS.bin
    2007-05-16 20:44 <DIR> d-------- C:\Program Files\Netopia
    2007-05-16 20:43 52,864 --a------ C:\WINDOWS\system32\drivers\CnxTrUsb.sys
    2007-05-16 20:43 3,720,196 --a------ C:\WINDOWS\system32\drivers\CnxE2Fw.bin
    2007-05-16 20:43 25,984 --a------ C:\WINDOWS\system32\drivers\CnxTrLan.sys
    2007-05-16 20:12 <DIR> d-------- C:\kav
    2007-05-14 21:48 2,560 --a------ C:\WINDOWS\system32\drivers\mchInjDrv.sys
    2007-05-14 18:04 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2007-05-14 18:04 59,472 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2007-05-14 18:04 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2007-05-14 18:04 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
    2007-05-14 18:04 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2007-05-14 18:04 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-05-14 18:04 <DIR> d-------- C:\DOCUME~1\CATHER~1\APPLIC~1\PC Tools
    2007-05-14 18:03 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-05-13 15:45 <DIR> d-------- C:\DOCUME~1\CATHER~1\APPLIC~1\Webroot
    2007-05-12 11:25 1,310,720 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-05-12 11:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
    2007-05-12 11:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Creative
    2007-05-11 21:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-05-04 19:07 298,104 --a------ C:\WINDOWS\system32\imon.dll
    2007-05-01 19:53 <DIR> d-------- C:\Program Files\WinZix


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-08-24 20:42:59 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
    2007-05-19 08:13:48 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
    2007-05-19 08:13:48 384 ----a-w C:\WINDOWS\system32\DVCState-{00000005-00000000-00000004-00001102-00000004-20061102}.dat
    2007-05-16 18:43:39 -------- d-----w C:\Program Files\Cayman
    2007-05-14 19:44:50 -------- d-----w C:\Program Files\SPY
    2007-05-06 06:52:43 -------- d-----w C:\Program Files\Mp3Doctor
    2007-05-06 06:46:25 -------- d-----w C:\Program Files\vso
    2007-05-06 06:41:29 699,392 ---h--w C:\WINDOWS\system32\wodfamoh.dll
    2007-05-04 21:38:24 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6205.sys
    2007-05-04 20:22:19 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\SolSuite
    2007-05-02 16:48:40 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\phonostar-Player
    2007-04-29 08:27:58 -------- d-----w C:\Program Files\Folder Lock
    2007-04-23 15:53:05 -------- d-----w C:\Program Files\webradio_magix
    2007-04-23 15:35:39 -------- d-----w C:\Program Files\Ubisoft
    2007-04-22 20:35:26 -------- d-----w C:\Program Files\Ashampoo
    2007-04-22 19:33:15 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-04-22 19:33:15 -------- d-----w C:\Program Files\CyberLink
    2007-04-22 16:11:40 -------- d-----w C:\Program Files\GameHouse
    2007-04-18 16:09:10 -------- d-----w C:\Program Files\Temp
    2007-04-13 21:00:11 -------- d-----w C:\Program Files\YouTubeSpider
    2007-04-12 15:40:06 -------- d-----w C:\Program Files\Webroot
    2007-04-12 15:39:05 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Webroot
    2007-04-06 16:48:58 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Azureus
    2007-04-04 17:10:40 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Real
    2007-04-04 17:03:53 -------- d-----w C:\Program Files\Common Files\Real
    2007-04-04 16:27:52 -------- d-----w C:\Program Files\Video Convert Master
    2007-03-25 21:33:01 -------- d-----w C:\Program Files\Sega
    2007-03-25 21:30:53 -------- d-----w C:\Program Files\DAEMON Tools
    2007-03-25 1624 -------- d-----w C:\Program Files\Easy CD-DA Extractor 9
    2007-03-25 0905 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\Riotball
    2007-03-25 08:44:14 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\NCH Swift Sound
    2007-03-23 18:50:25 -------- d-----w C:\DOCUME~1\ROLF\APPLIC~1\BonkEnc
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-15 21:25:36 -------- d-----w C:\Program Files\Eraser
    2007-03-11 11:06:37 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-03-08 23:01:42 1,087,216 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2007-03-08 16:26:48 -------- d-----w C:\Program Files\Microsoft Student
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\win32k.sys
    2007-03-01 13:37:46 261 ----a-w C:\WINDOWS\popcinfo.dat
    2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 14:22]
    {955BE0B8-BC85-4CAF-856E-8E0D8B610560}=C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL [2005-06-03 19:30]
    {CF7C3CF0-4B15-11D1-ABED-709549C10000}=C:\Program Files\Advanced System Optimizer\IEHelper.dll [2004-05-08 20:59]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 09:50]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 21:05]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
    "D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-04-22 18:51]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
    "SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-03-19 00:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    @="0"
    "DisableTaskMgr_old"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"=dword:00000000
    "NoCDBurning"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\PROGRA~1\DVDREG~1\DVDShell.dll" [2004-10-09 15:18]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 16:13]


    [HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
    Authentication Packages msv1_0
    Security Packages kerberos msv1_0 schannel wdigest
    Notification Packages scecli

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HTTPFilter HTTPFilter
    LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
    NetworkService DnsCache
    DcomLaunch DcomLaunch TermService
    rpcss RpcSs
    imgsvc StiSvc
    termsvcs TermService
    WudfServiceGroup WUDFSvc

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4b742ed-1bba-11da-a30d-00095bb581e7}]
    Shell\AutoRun\command J:\setupSNK.exe


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Symantec NetDetect.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-19 10:15:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\sccfg.sys 4096 bytes

    scan completed successfully
    hidden files: 1


    ********************************************************************

    Completion time: 2007-05-19 10:20:59 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-05-19 10:20
    C:\ComboFix2.txt ... 2007-05-17 23:45
    C:\ComboFix3.txt ... 2007-05-17 11:10


    --- E O F ---
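The log above is what the helpers in this thread read by hand. As an added example (not a tool from the thread, from ComboFix or from catchme), the Python script below does a first-pass triage of a ComboFix-style log: it pulls out per-volume AutoRun commands recorded under MountPoints2 (the way a removable drive can relaunch a program every time it is inserted) and the files the embedded catchme scan reported as hidden. The sample input is constructed from entries in the posted log; the section names and line shapes it matches are taken from that log, not from a format specification.

```python
import re

# Constructed sample input: excerpts in the shape of the ComboFix log posted above.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ZoneAlarm Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe" [2007-03-09 01:02]
[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{c4b742ed-1bba-11da-a30d-00095bb581e7}]
Shell\\AutoRun\\command J:\\setupSNK.exe
scanning hidden files ...
C:\\sccfg.sys 4096 bytes
scan completed successfully
hidden files: 1
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                              # [registry key] header
MOUNTPOINT_RE = re.compile(r"MountPoints2\\(\{[0-9A-Fa-f-]+\})$")   # per-volume GUID subkey
HIDDEN_RE = re.compile(r"^(.+?)\s+(\d+) bytes$")                     # catchme "path size bytes"

def triage(text):
    """One pass over the log: collect per-volume AutoRun commands under MountPoints2
    and the files catchme listed between 'scanning hidden files' and 'scan completed'."""
    findings = {"autorun": [], "hidden": []}
    volume, in_hidden_scan = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            # A new key starts; remember the volume GUID only for MountPoints2 subkeys.
            m = MOUNTPOINT_RE.search(header.group(1))
            volume = m.group(1) if m else None
        elif volume and line.lower().startswith("shell\\autorun\\command"):
            findings["autorun"].append((volume, line.split(None, 1)[1]))
        elif line.startswith("scanning hidden files"):
            in_hidden_scan = True
        elif line.startswith("scan completed"):
            in_hidden_scan = False
        elif in_hidden_scan:
            m = HIDDEN_RE.match(line)
            if m:
                findings["hidden"].append((m.group(1), int(m.group(2))))
    return findings

def report(findings):
    """Plain lines a helper could paste back into the thread."""
    lines = [f"AutoRun on volume {g}: {cmd}" for g, cmd in findings["autorun"]]
    lines += [f"hidden file: {p} ({n} bytes)" for p, n in findings["hidden"]]
    return lines
```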

  10. #10
    Neal is offline Dedicated Member
    That is a shame, it looks like your computer is having some type of problem possibly from corrupted files from the Trojans you had.

    Try this:

    Use the System File Checker (SFC) – typical runtime is 30 minutes:
    Sometimes when you install third party software, it may overwrite important operating system files. This can cause instability - or worse. Windows XP includes a command line tool that you can use if you think this may have happened (for example, if you get a message box warning that there is a problem with a .dll or the system just seems unstable). Here's how to use it:

    Click Start | Run.
    In the Run box, type/copy&paste: sfc /scannow (notice the space plus slash).
    Windows will scan all protected Windows files to verify that they are intact and in their original versions. If they're not, corrupt, missing or incorrect files are replaced. You may be prompted to insert your Windows XP installation CD if your Dllcache folder (where Windows keeps a copy of essential system files) has become corrupt or has been deleted.


    Another tool that scans deep but doesn't remove anything and probably can be burned to disc.



    Please download SilentRunners from here:
    http://www.silentrunners.org/Silent%20Runners.zip

    Unzip it to the desktop and double-click on it.
    Silent Runners will ask if you want to skip the supplementary search.
    Please select 'No' to include them.
    The program will take longer to run, but will give us more information.

    If you get any kind of warning message about scripts, please choose to allow the script to run.

    When the scan is finished, a message will pop up and a logfile will have been created on the desktop.
    The logfile is named 'Startup Programs' by default and will be located where the program is.

    Please post the entire contents of this logfile for me to see.
