Again a high CPU usage issue

Looks like the 'str.sys' is finally gone with the SDFix followed by ComboFix treatment. But still I'm not happy with the CPU usage. BTW, normally at what 'update speed' (high, normal or low) should one look at the CPU usage history?

Here's the SDFix log:


SDFix: Version 1.240
Run by Administrator on Wed 02/04/2009 at 11:03 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 23:10:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\grkfikrol]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\khwmcm.sys"
"DisplayName"="grkfikrol"
"RulesData"=hex:03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\grkfikrol\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\str.sys 208928 bytes
C:\WINDOWS\system32\drivers\khwmcm.sys 31104 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\ZakFromAnotherPlanet\\Yazak Chat\\iexplore.exe"="C:\\Program Files\\ZakFromAnotherPlanet\\Yazak Chat\\iexplore.exe:*:Enabled:iexplore"
"C:\\Program Files\\ABC\\abc.exe"="C:\\Program Files\\ABC\\abc.exe:*:Enabled:abc"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\ActiveState Komodo IDE 4.1\\lib\\mozilla\\komodo.exe"="C:\\Program Files\\ActiveState Komodo IDE 4.1\\lib\\mozilla\\komodo.exe:*:Enabled:ActiveState Komodo"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Disabled:Microsoft Office Outlook"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:mad:xpsp2res.dll,-22019"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"D:\\Cytoscape_v2.6.0\\Cytoscape.exe"="D:\\Cytoscape_v2.6.0\\Cytoscape.exe:*:Enabled:Cytoscape"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"

Remaining Files :



Files with Hidden Attributes :

Tue 7 Oct 2008 6,108,728 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sun 27 Jul 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 12 Apr 2008 43,008 ...H. --- "C:\Documents and Settings\SRay\My Documents\~WRL1029.tmp"
Fri 11 Apr 2008 40,960 ...H. --- "C:\Documents and Settings\SRay\My Documents\~WRL1535.tmp"
Mon 28 Jul 2008 58,368 ...H. --- "C:\Documents and Settings\SRay\My Documents\_APPLICATION_\~WRL0001.tmp"
Tue 3 Feb 2009 58,368 ...H. --- "C:\Documents and Settings\SRay\My Documents\_APPLICATION_\~WRL0002.tmp"

Finished!
 
I need you to run ComboFix in normal mode now so I can be sure that file didn't come back.

What do you mean "Update speed"?
 
Many many thanks Osiris, and here's the ComboFix log:


ComboFix 09-02-03.01 - Administrator 2009-02-04 23:21:48.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.385 [GMT 5.5:30]
Running from: d:\_utilities_\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\str.sys

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 23:02 . 2009-02-04 23:02 577,024 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-04 23:00 . 2009-02-04 23:00 <DIR> d-------- c:\windows\ERUNT
2009-02-04 22:54 . 2009-02-04 23:12 <DIR> d-------- C:\SDFix
2009-02-04 21:56 . 2009-02-04 21:56 <DIR> d-------- c:\program files\PrevxCSI
2009-02-04 21:56 . 2009-02-04 21:56 21,512 --a------ c:\windows\system32\drivers\pxscan.sys
2009-02-04 21:56 . 2009-02-04 21:56 63 --a------ c:\windows\wininit.ini
2009-02-04 12:20 . 2009-02-04 12:20 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-02-04 10:52 . 2009-02-04 10:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-03 08:41 . 2009-02-03 08:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-03 01:43 . 2009-02-03 01:43 31,104 --a------ c:\windows\system32\drivers\khwmcm.sys
2009-01-31 08:39 . 2009-01-31 08:39 <DIR> d-------- C:\Downloads
2009-01-26 11:26 . 2009-01-26 11:26 <DIR> d-------- c:\documents and settings\Mns\Application Data\Apple Computer
2009-01-25 06:10 . 2009-01-25 06:10 <DIR> d-------- c:\program files\HttpWatch
2009-01-25 05:36 . 2008-11-06 04:51 3,833,856 --a------ c:\windows\system32\cdintf300.dll
2009-01-25 05:35 . 1996-01-01 19:08 1,241 --a------ c:\windows\clikbook.ini
2009-01-25 05:01 . 2009-01-25 05:01 <DIR> d-------- c:\program files\Free Download Manager
2009-01-25 05:01 . 2009-02-04 11:03 <DIR> d-------- c:\documents and settings\Mns\Application Data\Free Download Manager
2009-01-06 06:10 . 2009-01-06 06:10 <DIR> d-------- c:\documents and settings\Mns\.cytoscape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 16:29 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-02-03 01:19 --------- d-----w c:\program files\Common Files\Adobe
2009-01-26 13:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 07:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 10:41 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 10:41 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-14 05:49 --------- d-----w c:\program files\Paint Shop Pro 5
2009-01-03 04:28 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-03 04:28 --------- d-----w c:\program files\FinePixViewer
2008-12-27 23:54 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-27 23:54 --------- d-----w c:\program files\Java
2008-12-16 22:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Notepad++
2008-12-16 22:39 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-08 05:40 --------- d-----w c:\program files\QuickTime
2008-12-08 05:39 --------- d-----w c:\program files\Common Files\Apple
2008-12-08 05:39 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-08 05:16 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2008-12-08 05:16 362,240 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-08 05:16 --------- d-----w c:\documents and settings\Mns\Application Data\TuneUp Software
2008-12-08 05:15 --------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-08 05:15 --------- d-----w c:\program files\TuneUp Utilities 2009
2008-12-08 05:15 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-08 04:36 --------- d-----w c:\program files\IObit
2008-12-07 02:24 --------- d-----w c:\program files\Perl Code Library
2008-11-12 11:14 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2007-05-21 17:30 37,873,216 ----a-w c:\program files\iTunesSetup.exe
2007-05-04 23:20 4,222,516 ----a-w c:\program files\ABC-win32-v3.1.exe
2007-04-27 20:23 194,560 ----a-w c:\program files\AdbeRdr80_en_US.exe
2007-04-27 20:06 68,166 ----a-w c:\program files\HD_Speed_ENG.zip
2007-04-27 20:02 5,396,172 ----a-w c:\program files\lccwin32.exe
2007-04-27 20:02 459,966 ----a-w c:\program files\cpuspeed.exe
2007-04-23 18:11 5,355,320 ----a-w c:\program files\picasaweb-current-setup.exe
2007-04-19 19:23 92,672 ----a-w c:\program files\KillBox.exe
2007-04-16 20:44 1,494,016 ----a-w c:\program files\gsv48w32.exe
2007-04-16 20:40 6,208,000 ----a-w c:\program files\gs704w32.exe
2007-04-16 19:56 9,548,288 ----a-w c:\program files\gs853w32.exe
2007-04-14 16:12 2,023,736 ----a-w c:\program files\GoogleDesktopSetup.exe
2007-04-14 14:56 1,951,783 ----a-w c:\program files\VbRunDLLv3sp6.exe
2007-04-14 14:52 805,116 ----a-w c:\program files\Yazak_Install.exe
2007-04-13 19:21 16,263,816 ----a-w c:\program files\ActivePerl-5.8.8.820-MSWin32-x86-274739.msi
2007-04-06 18:02 6,910,136 ----a-w c:\program files\DJVUCNTL_61_EN.EXE
2007-04-03 18:14 2,685,104 ----a-w c:\program files\ccsetup138.exe
2007-04-01 17:48 1,450,649 ----a-w c:\program files\npp.4.0.2.Installer.exe
2007-04-01 14:57 9,453,630 ----a-w c:\program files\vlc-0.8.6a-win32.exe
2007-04-01 10:36 194 ----a-w c:\program files\AdbeRdr80_en_US_Nosso_error.log
2007-03-31 18:50 6,006,832 ----a-w c:\program files\Firefox Setup 2.0.0.3.exe
2007-03-31 18:41 1,035,271 ----a-w c:\program files\wrar362.exe
2009-01-14 05:48 0 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleiex.dll
2009-01-14 05:48 0 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\pdgpecelawx.dll
2008-09-05 15:13 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2004-08-04 01:07 4,096 --sha-w c:\windows\system32\botrc.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-04_13.21.29.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 09:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-02-04 17:31:15 630,784 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-02-04 17:31:15 16,384 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 09:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-02-04 17:30:55 630,784 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-02-04 17:30:55 16,384 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2009-02-04 07:49:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-04 17:38:09 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-04 07:49:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-04 17:38:09 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-04 07:49:39 81,920 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-04 17:38:09 81,920 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPHKMGR.exe" [2005-12-21 94208]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2005-12-10 24064]
"PMHandler"="c:\windows\system32\PMHandler.exe" [2006-01-06 24576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-29 761945]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-01-31 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-01-31 98304]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-21 09:46 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2005-10-20 14:18 339968 c:\windows\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
--a------ 2006-03-31 19:52 126976 c:\windows\system32\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"matlabserver"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\ZakFromAnotherPlanet\\Yazak Chat\\iexplore.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\ActiveState Komodo IDE 4.1\\lib\\mozilla\\komodo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Cytoscape_v2.6.0\\Cytoscape.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-04 21512]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2005-12-21 10240]
S1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-03-31 11520]
S1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-03-31 6016]
S2 grkfikrol;grkfikrol;c:\windows\system32\drivers\khwmcm.sys [2009-02-03 31104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-04-01 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-04-01 729416]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-08 603904]
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

2009-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1614895754-725345543-1003.job
- c:\documents and settings\Mns\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-21 20:00]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 23:24:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(272)
c:\windows\system32\tphklock.dll
.
Completion time: 2009-02-04 23:26:41
ComboFix-quarantined-files.txt 2009-02-04 17:56:39
ComboFix2.txt 2009-02-04 16:46:46
ComboFix3.txt 2009-02-04 15:37:33
ComboFix4.txt 2009-02-04 07:52:30

Pre-Run: 136,429,568 bytes free
Post-Run: 123,707,392 bytes free

183
 
I need you to reboot, rescan again with ComboFix. What I'm looking for is if ComboFix says it deleted str again.
 
Actually I ran ComboFix from Administrator and safe mode. Here's a snapshot of my cpu_usage with update speed set at high.
 
ComboFix reports failure to delete, but I couldn't find 'str.sys' in sys32\drivers either. I can't find it anywhere except in the quarantine folder and in zipped form.

ComboFix 09-02-03.01 - SRay 2009-02-04 23:56:44.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.247 [GMT 5.5:30]
Running from: d:\_utilities_\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\str.sys . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 23:02 . 2009-02-04 23:02 577,024 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-04 23:00 . 2009-02-04 23:00 <DIR> d-------- c:\windows\ERUNT
2009-02-04 22:54 . 2009-02-04 23:12 <DIR> d-------- C:\SDFix
2009-02-04 21:56 . 2009-02-04 21:56 <DIR> d-------- c:\program files\PrevxCSI
2009-02-04 21:56 . 2009-02-04 21:56 21,512 --a------ c:\windows\system32\drivers\pxscan.sys
2009-02-04 21:56 . 2009-02-04 21:56 63 --a------ c:\windows\wininit.ini
2009-02-04 12:20 . 2009-02-04 12:20 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-02-04 10:52 . 2009-02-04 10:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-03 08:41 . 2009-02-03 08:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-31 08:39 . 2009-01-31 08:39 <DIR> d-------- C:\Downloads
2009-01-26 11:26 . 2009-01-26 11:26 <DIR> d-------- c:\documents and settings\SRay\Application Data\Apple Computer
2009-01-25 06:10 . 2009-01-25 06:10 <DIR> d-------- c:\program files\HttpWatch
2009-01-25 05:36 . 2008-11-06 04:51 3,833,856 --a------ c:\windows\system32\cdintf300.dll
2009-01-25 05:35 . 1996-01-01 19:08 1,241 --a------ c:\windows\clikbook.ini
2009-01-25 05:01 . 2009-01-25 05:01 <DIR> d-------- c:\program files\Free Download Manager
2009-01-25 05:01 . 2009-02-04 11:03 <DIR> d-------- c:\documents and settings\SRay\Application Data\Free Download Manager
2009-01-06 06:10 . 2009-01-06 06:10 <DIR> d-------- c:\documents and settings\SRay\.cytoscape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 16:29 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-02-03 01:19 --------- d-----w c:\program files\Common Files\Adobe
2009-01-26 13:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 07:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 10:41 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 10:41 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-14 05:49 --------- d-----w c:\program files\Paint Shop Pro 5
2009-01-03 04:28 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-03 04:28 --------- d-----w c:\program files\FinePixViewer
2008-12-27 23:54 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-27 23:54 --------- d-----w c:\program files\Java
2008-12-16 22:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Notepad++
2008-12-16 22:39 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-08 05:40 --------- d-----w c:\program files\QuickTime
2008-12-08 05:39 --------- d-----w c:\program files\Common Files\Apple
2008-12-08 05:39 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-08 05:16 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2008-12-08 05:16 362,240 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-08 05:16 --------- d-----w c:\documents and settings\SRay\Application Data\TuneUp Software
2008-12-08 05:15 --------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-08 05:15 --------- d-----w c:\program files\TuneUp Utilities 2009
2008-12-08 05:15 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-08 04:36 --------- d-----w c:\program files\IObit
2008-12-07 02:24 --------- d-----w c:\program files\Perl Code Library
2008-11-12 11:14 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2007-05-21 17:30 37,873,216 ----a-w c:\program files\iTunesSetup.exe
2007-05-04 23:20 4,222,516 ----a-w c:\program files\ABC-win32-v3.1.exe
2007-04-27 20:23 194,560 ----a-w c:\program files\AdbeRdr80_en_US.exe
2007-04-27 20:06 68,166 ----a-w c:\program files\HD_Speed_ENG.zip
2007-04-27 20:02 5,396,172 ----a-w c:\program files\lccwin32.exe
2007-04-27 20:02 459,966 ----a-w c:\program files\cpuspeed.exe
2007-04-23 18:11 5,355,320 ----a-w c:\program files\picasaweb-current-setup.exe
2007-04-19 19:23 92,672 ----a-w c:\program files\KillBox.exe
2007-04-16 20:44 1,494,016 ----a-w c:\program files\gsv48w32.exe
2007-04-16 20:40 6,208,000 ----a-w c:\program files\gs704w32.exe
2007-04-16 19:56 9,548,288 ----a-w c:\program files\gs853w32.exe
2007-04-14 16:12 2,023,736 ----a-w c:\program files\GoogleDesktopSetup.exe
2007-04-14 14:56 1,951,783 ----a-w c:\program files\VbRunDLLv3sp6.exe
2007-04-14 14:52 805,116 ----a-w c:\program files\Yazak_Install.exe
2007-04-13 19:21 16,263,816 ----a-w c:\program files\ActivePerl-5.8.8.820-MSWin32-x86-274739.msi
2007-04-06 18:02 6,910,136 ----a-w c:\program files\DJVUCNTL_61_EN.EXE
2007-04-03 18:14 2,685,104 ----a-w c:\program files\ccsetup138.exe
2007-04-01 17:48 1,450,649 ----a-w c:\program files\npp.4.0.2.Installer.exe
2007-04-01 14:57 9,453,630 ----a-w c:\program files\vlc-0.8.6a-win32.exe
2007-04-01 10:36 194 ----a-w c:\program files\AdbeRdr80_en_US_Nosso_error.log
2007-03-31 18:50 6,006,832 ----a-w c:\program files\Firefox Setup 2.0.0.3.exe
2007-03-31 18:41 1,035,271 ----a-w c:\program files\wrar362.exe
2009-01-14 05:48 0 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleiex.dll
2009-01-14 05:48 0 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\pdgpecelawx.dll
2008-09-05 15:13 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2004-08-04 01:07 4,096 --sha-w c:\windows\system32\botrc.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-04_13.21.29.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 09:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-02-04 17:31:15 630,784 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-02-04 17:31:15 16,384 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 09:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-02-04 17:30:55 630,784 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-02-04 17:30:55 16,384 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2009-02-04 07:49:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-04 18:29:41 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-04 07:49:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-04 18:29:41 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-04 07:49:39 81,920 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-04 18:29:41 81,920 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPHKMGR.exe" [2005-12-21 94208]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2005-12-10 24064]
"PMHandler"="c:\windows\system32\PMHandler.exe" [2006-01-06 24576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-29 761945]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-01-31 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-01-31 98304]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-21 09:46 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2005-10-20 14:18 339968 c:\windows\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
--a------ 2006-03-31 19:52 126976 c:\windows\system32\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"matlabserver"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\ZakFromAnotherPlanet\\Yazak Chat\\iexplore.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\ActiveState Komodo IDE 4.1\\lib\\mozilla\\komodo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Cytoscape_v2.6.0\\Cytoscape.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-04 21512]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-03-31 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-03-31 6016]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2005-12-21 10240]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-04-01 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-04-01 729416]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-08 603904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56f84647-1b34-11dd-9daf-000fb0cdfb7d}]
\Shell\AutoRun\command - mvxm.cmd
\Shell\explore\Command - mvxm.cmd
\Shell\open\Command - mvxm.cmd
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

2009-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1614895754-725345543-1003.job
- c:\documents and settings\SRay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-21 20:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\SRay\Application Data\Mozilla\Firefox\Profiles\uh9lqryb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 172.16.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\HttpWatch\Firefox\components\httpwatchff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\SRay\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 23:59:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\str.sys 0 bytes
c:\windows\system32\drivers\khwmcm.sys 31104 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\grkfikrol]
"ImagePath"="\??\c:\windows\system32\drivers\khwmcm.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\PMSveH.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-05 0:02:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 18:31:58
ComboFix2.txt 2009-02-04 18:15:26
ComboFix3.txt 2009-02-04 16:46:46
ComboFix4.txt 2009-02-04 15:37:33
ComboFix5.txt 2009-02-04 18:26:19

Pre-Run: 120,680,448 bytes free
Post-Run: 246,886,400 bytes free

 
Figured that would happen....

Delete all files of str, in quar, in zipped form, etc.

Then turn off System Restore

Reboot

Scan with ComboFix again

Post a new ComboFix log, reboot once again and then post another ComboFix log.

Let's see if that works
 
Deleted all files of str, in quar, in zipped form, etc.
Turned off System Restore
Rebooted
Ran ComboFix
Here's the log (the file doesn't seem to be deleted):

I've two accounts, Administrator and my own; all the operations mentioned here were done from my own account and NOT from the Administrator account. Do I have to do it from Administrator? Or shall I continue to reboot once again and run ComboFix once again?


ComboFix 09-02-03.01 - SRay 2009-02-05 0:36:11.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.250 [GMT 5.5:30]
Running from: d:\_utilities_\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\str.sys . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 23:02 . 2009-02-04 23:02 577,024 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-02-04 23:00 . 2009-02-04 23:00 <DIR> d-------- c:\windows\ERUNT
2009-02-04 22:54 . 2009-02-04 23:12 <DIR> d-------- C:\SDFix
2009-02-04 21:56 . 2009-02-04 21:56 <DIR> d-------- c:\program files\PrevxCSI
2009-02-04 21:56 . 2009-02-04 21:56 21,512 --a------ c:\windows\system32\drivers\pxscan.sys
2009-02-04 21:56 . 2009-02-04 21:56 63 --a------ c:\windows\wininit.ini
2009-02-04 12:20 . 2009-02-04 12:20 <DIR> d-------- c:\program files\MSConfig CleanUp
2009-02-04 10:52 . 2009-02-04 10:52 <DIR> d-------- c:\program files\Trend Micro
2009-02-03 08:41 . 2009-02-03 08:41 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-31 08:39 . 2009-01-31 08:39 <DIR> d-------- C:\Downloads
2009-01-26 11:26 . 2009-01-26 11:26 <DIR> d-------- c:\documents and settings\SRay\Application Data\Apple Computer
2009-01-25 06:10 . 2009-01-25 06:10 <DIR> d-------- c:\program files\HttpWatch
2009-01-25 05:36 . 2008-11-06 04:51 3,833,856 --a------ c:\windows\system32\cdintf300.dll
2009-01-25 05:35 . 1996-01-01 19:08 1,241 --a------ c:\windows\clikbook.ini
2009-01-25 05:01 . 2009-01-25 05:01 <DIR> d-------- c:\program files\Free Download Manager
2009-01-25 05:01 . 2009-02-04 11:03 <DIR> d-------- c:\documents and settings\SRay\Application Data\Free Download Manager
2009-01-06 06:10 . 2009-01-06 06:10 <DIR> d-------- c:\documents and settings\SRay\.cytoscape

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 16:29 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-02-03 01:19 --------- d-----w c:\program files\Common Files\Adobe
2009-01-26 13:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 07:34 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 10:41 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 10:41 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-14 05:49 --------- d-----w c:\program files\Paint Shop Pro 5
2009-01-03 04:28 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-03 04:28 --------- d-----w c:\program files\FinePixViewer
2008-12-27 23:54 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-27 23:54 --------- d-----w c:\program files\Java
2008-12-16 22:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Notepad++
2008-12-16 22:39 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-08 05:40 --------- d-----w c:\program files\QuickTime
2008-12-08 05:39 --------- d-----w c:\program files\Common Files\Apple
2008-12-08 05:39 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-08 05:16 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2008-12-08 05:16 362,240 ----a-w c:\windows\system32\TuneUpDefragService.exe
2008-12-08 05:16 --------- d-----w c:\documents and settings\SRay\Application Data\TuneUp Software
2008-12-08 05:15 --------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-08 05:15 --------- d-----w c:\program files\TuneUp Utilities 2009
2008-12-08 05:15 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-12-08 04:36 --------- d-----w c:\program files\IObit
2008-12-07 02:24 --------- d-----w c:\program files\Perl Code Library
2008-11-12 11:14 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2007-05-21 17:30 37,873,216 ----a-w c:\program files\iTunesSetup.exe
2007-05-04 23:20 4,222,516 ----a-w c:\program files\ABC-win32-v3.1.exe
2007-04-27 20:23 194,560 ----a-w c:\program files\AdbeRdr80_en_US.exe
2007-04-27 20:06 68,166 ----a-w c:\program files\HD_Speed_ENG.zip
2007-04-27 20:02 5,396,172 ----a-w c:\program files\lccwin32.exe
2007-04-27 20:02 459,966 ----a-w c:\program files\cpuspeed.exe
2007-04-23 18:11 5,355,320 ----a-w c:\program files\picasaweb-current-setup.exe
2007-04-19 19:23 92,672 ----a-w c:\program files\KillBox.exe
2007-04-16 20:44 1,494,016 ----a-w c:\program files\gsv48w32.exe
2007-04-16 20:40 6,208,000 ----a-w c:\program files\gs704w32.exe
2007-04-16 19:56 9,548,288 ----a-w c:\program files\gs853w32.exe
2007-04-14 16:12 2,023,736 ----a-w c:\program files\GoogleDesktopSetup.exe
2007-04-14 14:56 1,951,783 ----a-w c:\program files\VbRunDLLv3sp6.exe
2007-04-14 14:52 805,116 ----a-w c:\program files\Yazak_Install.exe
2007-04-13 19:21 16,263,816 ----a-w c:\program files\ActivePerl-5.8.8.820-MSWin32-x86-274739.msi
2007-04-06 18:02 6,910,136 ----a-w c:\program files\DJVUCNTL_61_EN.EXE
2007-04-03 18:14 2,685,104 ----a-w c:\program files\ccsetup138.exe
2007-04-01 17:48 1,450,649 ----a-w c:\program files\npp.4.0.2.Installer.exe
2007-04-01 14:57 9,453,630 ----a-w c:\program files\vlc-0.8.6a-win32.exe
2007-04-01 10:36 194 ----a-w c:\program files\AdbeRdr80_en_US_Nosso_error.log
2007-03-31 18:50 6,006,832 ----a-w c:\program files\Firefox Setup 2.0.0.3.exe
2007-03-31 18:41 1,035,271 ----a-w c:\program files\wrar362.exe
2009-01-14 05:48 0 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleiex.dll
2009-01-14 05:48 0 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\pdgpecelawx.dll
2008-09-05 15:13 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2004-08-04 01:07 4,096 --sha-w c:\windows\system32\botrc.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-04_13.21.29.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 09:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-02-04 17:31:15 630,784 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2009-02-04 17:31:15 16,384 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 09:57:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-02-04 17:30:55 630,784 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-02-04 17:30:55 16,384 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2009-02-04 07:49:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-04 19:09:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-04 07:49:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-04 19:09:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-04 07:49:39 81,920 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-04 19:09:12 81,920 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPHKMGR.exe" [2005-12-21 94208]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2005-12-10 24064]
"PMHandler"="c:\windows\system32\PMHandler.exe" [2006-01-06 24576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-29 761945]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-01-31 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-01-31 98304]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-21 09:46 24576 c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2005-10-20 14:18 339968 c:\windows\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
--a------ 2006-03-31 19:52 126976 c:\windows\system32\tsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"matlabserver"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\ZakFromAnotherPlanet\\Yazak Chat\\iexplore.exe"=
"c:\\Program Files\\ABC\\abc.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\ActiveState Komodo IDE 4.1\\lib\\mozilla\\komodo.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Cytoscape_v2.6.0\\Cytoscape.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-02-04 21512]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2007-03-31 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2007-03-31 6016]
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [2005-12-21 10240]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2007-04-01 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-04-01 729416]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-08 603904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56f84647-1b34-11dd-9daf-000fb0cdfb7d}]
\Shell\AutoRun\command - mvxm.cmd
\Shell\explore\Command - mvxm.cmd
\Shell\open\Command - mvxm.cmd
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

2009-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1614895754-725345543-1003.job
- c:\documents and settings\SRay\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-21 20:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - c:\documents and settings\SRay\Application Data\Mozilla\Firefox\Profiles\uh9lqryb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 172.16.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\HttpWatch\Firefox\components\httpwatchff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\SRay\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 00:39:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\str.sys 0 bytes
c:\windows\system32\drivers\khwmcm.sys 31104 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\grkfikrol]
"ImagePath"="\??\c:\windows\system32\drivers\khwmcm.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1236)
c:\windows\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\PMSveH.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-05 0:41:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 19:11:19
ComboFix2.txt 2009-02-04 18:32:03
ComboFix3.txt 2009-02-04 18:15:26
ComboFix4.txt 2009-02-04 16:46:46
ComboFix5.txt 2009-02-04 19:05:49

Pre-Run: 380,051,456 bytes free
Post-Run: 367,112,192 bytes free

 
This is a fun one :D

Open Notepad
Copy/paste the text in the code box below into Notepad:
---------------------------------------------------------------

File::
C:\WINDOWS.0\system32\drivers\anngk.sys
C:\WINDOWS.0\system32\drivers\str.sys
C:\WINDOWS.0\system32\rs32net.exe
C:\WINDOWS.0\system32\13.tmp
C:\WINDOWS.0\system32\11.tmp
C:\WINDOWS.0\srchasst
C:\WINDOWS.0\system32\drivers\ethjibmi.sys
C:\nnhuci.exe
C:\hcsu.exe
C:\WINDOWS.0\system32\rAGikUtv.ini
C:\WINDOWS.0\system32\rAGikUtv.ini2

Driver::
ethjibmi
anngk
str



Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on the desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Post the new ComboFix log.

Then reboot, run ComboFix once again and post its new log.
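The CFScript above is just a text file with File:: and Driver:: sections naming what ComboFix should remove. As an added example for this thread (not part of any post here, and not ComboFix's own code), the Python script below pulls the removal indicators out of the log text posted above: the catchme hidden-file lines with their reported sizes, the ImagePath of the hidden grkfikrol service, and the mountpoints2 autorun verbs that point at mvxm.cmd. It cross-references them (the hidden driver is the image of the hidden service; str.sys is reported as 0 bytes in the same log where ComboFix says it "failed to delete" it) and renders a CFScript in that layout. The sample log is an excerpt constructed from the logs in this thread. The Registry:: section with [-key] entries follows the ComboFix convention for deleting a key, which this page does not show, so treat it as an assumption and review the output before using it.

```python
"""Pull removal indicators out of a ComboFix/catchme log and render a CFScript.
Added example for this thread, not ComboFix's own code; it only writes text."""
import re

# Constructed sample: lines copied from the catchme section, the hidden-service key
# and the mountpoints2 autorun entries in the ComboFix log posted above.
SAMPLE_LOG = r"""
scanning hidden files ...

c:\windows\system32\drivers\str.sys 0 bytes
c:\windows\system32\drivers\khwmcm.sys 31104 bytes executable

scan completed successfully
hidden files: 2

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\grkfikrol]
"ImagePath"="\??\c:\windows\system32\drivers\khwmcm.sys"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56f84647-1b34-11dd-9daf-000fb0cdfb7d}]
\Shell\AutoRun\command - mvxm.cmd
\Shell\explore\Command - mvxm.cmd
\Shell\open\Command - mvxm.cmd
.
"""

# catchme hidden-file line: "<path> <size> bytes[ executable]"
HIDDEN_FILE_RE = re.compile(r"^([a-z]:\\.+?)\s+(\d+) bytes( executable)?$", re.I)
# registry key header "[HKEY_...]"; ImagePath as SDFix writes it ("ImagePath"=str(2):"...")
# or as ComboFix writes it ("ImagePath"="..."), both with the \??\ device prefix
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
IMAGEPATH_RE = re.compile(r'^"ImagePath"=(?:str\(2\):)?"(?:\\\?\?\\)?([^"]+)"$', re.I)
SERVICE_NAME_RE = re.compile(r"\\Services\\([^\\]+)$", re.I)
# cached autorun.inf verbs under a mountpoints2 volume key
AUTORUN_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)


def parse_indicators(log_text):
    """Return hidden files (path, size, executable?), services (name, image path)
    and autorun entries (volume key, verb, command) found in the log text."""
    found = {"hidden_files": [], "services": [], "autoruns": []}
    current_key = None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = HIDDEN_FILE_RE.match(line)
        if m:
            found["hidden_files"].append((m.group(1), int(m.group(2)), m.group(3) is not None))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None:
            continue
        m = IMAGEPATH_RE.match(line)
        svc = SERVICE_NAME_RE.search(current_key)
        if m and svc:
            found["services"].append((svc.group(1), m.group(1)))
            continue
        m = AUTORUN_RE.match(line)
        if m and "\\mountpoints2\\" in current_key.lower():
            found["autoruns"].append((current_key, m.group(1), m.group(2)))
    return found


def triage(found):
    """Notes on what the indicators mean when read together."""
    notes = []
    hidden = {path.lower() for path, _, _ in found["hidden_files"]}
    for name, image in found["services"]:
        if image.lower() in hidden:
            notes.append("service %s loads a driver catchme reports as hidden: %s" % (name, image))
    for path, size, _ in found["hidden_files"]:
        if size == 0:
            notes.append("%s is reported as 0 bytes; compare with an earlier scan before trusting the size" % path)
    for key, verb, command in found["autoruns"]:
        volume = key.rsplit("\\", 1)[-1]
        notes.append("volume %s autorun verb %s runs %s (on that volume, not in this log)" % (volume, verb, command))
    return notes


def build_cfscript(found):
    """Render File::/Driver:: sections in the layout of the CFScript posted above.
    Registry:: with [-key] entries is the ComboFix key-deletion convention, which
    this page does not show; it is an assumption here."""
    files = {}  # lower-cased path -> first spelling seen, to avoid listing khwmcm.sys twice
    for path, _, _ in found["hidden_files"]:
        files.setdefault(path.lower(), path)
    for _, image in found["services"]:
        files.setdefault(image.lower(), image)
    drivers = [name for name, _ in found["services"]]
    keys = sorted({key for key, _, _ in found["autoruns"]})
    out = ["File::"] + list(files.values()) + [""]
    if drivers:
        out += ["Driver::"] + drivers + [""]
    if keys:
        out += ["Registry::"] + ["[-%s]" % key for key in keys] + [""]
    return "\n".join(out)


if __name__ == "__main__":
    indicators = parse_indicators(SAMPLE_LOG)
    for note in triage(indicators):
        print("# " + note)
    print(build_cfscript(indicators))
```

Run it against a saved ComboFix log instead of SAMPLE_LOG to get the File::, Driver:: and Registry:: text to paste into CFScript.txt; the removal itself is still done by ComboFix when the script is dropped onto it, as described above.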
 