Full Version: infected w/ kathyros.bat
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Nyxis
Hi! I wanted to ask for help regarding a nasty trojan (that's what I read online) that I have in my PC and flash drives. I noticed that when I plugged my flash drive into my friend's laptop USB, it refused to open and gave an error message of kathyros.vbs, then renamed my flash drive to kathyros. Now plugging it into my home PC and my laptop, it sometimes opens fine (but still named kathyros) and sometimes it refuses to open.
I searched online and found a program called flash disinfector that cleans flash drives. I've tried this on my flash drive but somehow it still comes back. I've reformatted my flash drives. So far so good.
I did download HJT and ran it, which shows I have kathyros.bat in my system. How would I go about properly deleting this manually? Thanks for any help!

~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:39 AM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\RK Launcher\RKLauncher.exe
C:\Program Files\UberIcon\UberIcon Manager.exe
C:\Program Files\WinRoll\winroll.exe
C:\Program Files\YzShadow\YzShadow.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.irfanview.net/faq.htm
F2 - REG:system.ini: UserInit=userinit.exe,kathyros.bat
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [RK Launcher] C:\Program Files\RK Launcher\RKLauncher.exe
O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [WinRoll] C:\Program Files\WinRoll\winroll.exe
O4 - HKCU\..\Run: [Yz Shadow] C:\Program Files\YzShadow\YzShadow.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62A55B3F-405F-4D41-9EAD-B523A5866983}: NameServer = 58.69.254.135 58.69.254.137
O17 - HKLM\System\CS1\Services\Tcpip\..\{62A55B3F-405F-4D41-9EAD-B523A5866983}: NameServer = 58.69.254.135 58.69.254.137
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6325 bytes
LoPhatPhuud
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Nyxis
Hi LoPhatPhuud, here is my Combofix log

ComboFix 08-02.03.1 - Camille 2008-02-06 19:23:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.367 [GMT 8:00]
Running from: C:\Documents and Settings\Camille\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\AutoRun.inf
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2008-01-06 to 2008-02-06 )))))))))))))))))))))))))))))))
.

2008-02-04 00:19 . 2008-02-04 00:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 23:37 . 2008-02-03 23:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-03 23:37 . 2008-02-04 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-03 23:09 . 2008-02-03 23:30 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-03 23:09 . 2008-02-03 23:30 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-03 23:09 . 2008-02-03 23:30 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-03 23:08 . 2008-02-03 23:11 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-03 23:01 . 2008-02-03 23:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-28 19:02 . 2008-01-28 19:02 30,352 --a------ C:\Documents and Settings\Saki\Application Data\GDIPFONTCACHEV1.DAT
2008-01-26 06:19 . 2007-08-31 04:33 1,105 -rahs---- C:\WINDOWS\system32\kathyros.vbs
2008-01-26 06:19 . 2007-08-31 04:26 544 -rahs---- C:\WINDOWS\system32\kathyros.reg
2008-01-26 06:19 . 2007-08-31 04:25 428 -rahs---- C:\WINDOWS\system32\kathyros.bat
2008-01-26 06:18 . 2007-08-31 04:33 1,105 -rahs---- C:\kathyros.vbs
2008-01-26 06:18 . 2007-08-31 04:26 544 -rahs---- C:\kathyros.reg
2008-01-26 06:18 . 2007-08-31 04:25 428 -rahs---- C:\kathyros.bat
2008-01-25 16:51 . 2008-01-25 16:58 <DIR> d-------- C:\Program Files\WinMX
2008-01-18 08:27 . 2008-02-06 19:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 08:27 . 2008-01-18 08:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 08:25 . 2008-01-18 08:25 <DIR> d-------- C:\Program Files\iPod
2008-01-18 08:24 . 2008-01-18 08:26 <DIR> d-------- C:\Program Files\iTunes
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 11:30 10,242,080 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-06 11:28 124,208 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-04 23:13 --------- d-----w C:\Documents and Settings\Saki\Application Data\uTorrent
2008-02-04 22:54 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-04 17:34 --------- d-----w C:\Program Files\mIRC
2008-02-04 00:43 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-02 13:14 12,968,594 -c--a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-02-02 02:10 --------- d-----w C:\Documents and Settings\Camille\Application Data\Skype
2008-02-01 07:40 --------- d-----w C:\Documents and Settings\Camille\Application Data\uTorrent
2008-01-31 14:04 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-30 08:09 --------- d-----w C:\Program Files\a-squared Free
2008-01-28 13:27 --------- d-----w C:\Documents and Settings\Saki\Application Data\FileZilla
2008-01-28 05:48 --------- d-----w C:\Documents and Settings\Saki\Application Data\ZoomBrowser EX
2008-01-28 05:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-27 04:32 3,108,352 ----a-w C:\WINDOWS\Internet Logs\xDB79.tmp
2008-01-27 04:32 1,440,256 ----a-w C:\WINDOWS\Internet Logs\xDB7A.tmp
2008-01-25 09:57 --------- d-----w C:\Program Files\IZArc
2008-01-20 07:06 1,885,696 ----a-w C:\WINDOWS\Internet Logs\xDB78.tmp
2008-01-20 02:55 3,695,616 ----a-w C:\WINDOWS\Internet Logs\xDB76.tmp
2008-01-20 02:55 1,415,680 ----a-w C:\WINDOWS\Internet Logs\xDB77.tmp
2008-01-18 00:19 --------- d-----w C:\Program Files\QuickTime
2008-01-16 13:32 1,405,440 ----a-w C:\WINDOWS\Internet Logs\xDB75.tmp
2008-01-14 08:21 --------- d-----w C:\Program Files\FileZilla Client
2008-01-11 06:19 543,744 ----a-w C:\WINDOWS\Internet Logs\xDB74.tmp
2008-01-11 01:03 3,394,560 ----a-w C:\WINDOWS\Internet Logs\xDB73.tmp
2008-01-01 16:06 --------- d-----w C:\Program Files\Java
2008-01-01 16:01 --------- d-----w C:\Program Files\Common Files\Java
2007-12-28 00:18 4,017,664 ----a-w C:\WINDOWS\Internet Logs\xDB72.tmp
2007-12-26 12:34 1,367,040 ----a-w C:\WINDOWS\Internet Logs\xDB71.tmp
2007-12-19 03:06 --------- d-----w C:\Documents and Settings\Camille\Application Data\FileZilla
2007-12-17 02:10 3,482,624 ----a-w C:\WINDOWS\Internet Logs\xDB70.tmp
2007-12-13 14:04 --------- d-----w C:\Program Files\SmartFTP Client
2007-12-13 14:02 --------- d-----w C:\Program Files\SmartFTP Client 2.5 Setup Files
2007-12-07 10:55 859,648 ----a-w C:\WINDOWS\Internet Logs\xDB6E.tmp
2007-12-07 10:55 2,022,400 ----a-w C:\WINDOWS\Internet Logs\xDB6F.tmp
2007-12-07 05:39 4,405,248 ----a-w C:\WINDOWS\Internet Logs\xDB6D.tmp
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-25 15:12 724,992 ----a-w C:\WINDOWS\iun6002.exe
2007-11-23 05:46 2,004,992 ----a-w C:\WINDOWS\Internet Logs\xDB6C.tmp
2007-11-21 10:02 30,352 -c--a-w C:\Documents and Settings\Camille\Application Data\GDIPFONTCACHEV1.DAT
2007-11-21 00:55 2,674,176 ----a-w C:\WINDOWS\Internet Logs\xDB6A.tmp
2007-11-21 00:55 2,002,944 ----a-w C:\WINDOWS\Internet Logs\xDB6B.tmp
2007-11-19 09:00 1,999,872 ----a-w C:\WINDOWS\Internet Logs\xDB69.tmp
2007-11-19 09:00 1,290,240 ----a-w C:\WINDOWS\Internet Logs\xDB68.tmp
2007-11-17 13:09 2,658,816 ----a-w C:\WINDOWS\Internet Logs\xDB67.tmp
2007-11-16 05:58 3,926,016 ----a-w C:\WINDOWS\Internet Logs\xDB65.tmp
2007-11-16 05:58 1,996,288 ----a-w C:\WINDOWS\Internet Logs\xDB66.tmp
2007-11-14 08:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 08:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-10 03:47 1,971,712 ----a-w C:\WINDOWS\Internet Logs\xDB64.tmp
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 04:17 1,966,080 -c--a-w C:\WINDOWS\Internet Logs\xDB63.tmp
2007-11-04 10:49 3,069,440 -c--a-w C:\WINDOWS\Internet Logs\xDB62.tmp
2007-11-02 08:23 3,790,336 -c--a-w C:\WINDOWS\Internet Logs\xDB61.tmp
2007-10-27 03:33 1,934,848 -c--a-w C:\WINDOWS\Internet Logs\xDB60.tmp
2007-10-16 17:29 3,190,784 -c--a-w C:\WINDOWS\Internet Logs\xDB5E.tmp
2007-10-16 17:29 1,914,368 -c--a-w C:\WINDOWS\Internet Logs\xDB5F.tmp
2007-10-09 13:33 2,681,856 -c--a-w C:\WINDOWS\Internet Logs\xDB5D.tmp
2007-10-05 12:50 3,001,856 -c--a-w C:\WINDOWS\Internet Logs\xDB5B.tmp
2007-10-05 12:50 1,889,792 -c--a-w C:\WINDOWS\Internet Logs\xDB5C.tmp
2007-09-24 06:13 316,928 ----a-w C:\WINDOWS\Internet Logs\xDB5A.tmp
2007-09-24 02:56 1,874,432 -c--a-w C:\WINDOWS\Internet Logs\xDB59.tmp
2007-09-24 02:56 1,836,544 -c--a-w C:\WINDOWS\Internet Logs\xDB58.tmp
2007-09-23 01:35 3,292,160 -c--a-w C:\WINDOWS\Internet Logs\xDB57.tmp
2007-09-19 13:32 116,526 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_19_11_21_02_small.dmp.zip
2007-09-15 08:55 2,757,120 -c--a-w C:\WINDOWS\Internet Logs\xDB56.tmp
2007-09-12 06:50 3,371,008 -c--a-w C:\WINDOWS\Internet Logs\xDB54.tmp
2007-09-12 06:50 1,831,424 -c--a-w C:\WINDOWS\Internet Logs\xDB55.tmp
2007-09-01 02:11 3,281,920 -c--a-w C:\WINDOWS\Internet Logs\xDB52.tmp
2007-09-01 02:11 1,802,240 ----a-w C:\WINDOWS\Internet Logs\xDB53.tmp
2007-08-25 10:27 3,732,992 -c--a-w C:\WINDOWS\Internet Logs\xDB50.tmp
2007-08-25 10:27 1,792,512 -c--a-w C:\WINDOWS\Internet Logs\xDB51.tmp
2007-08-25 08:24 1,792,000 -c--a-w C:\WINDOWS\Internet Logs\xDB4F.tmp
2007-08-17 17:00 2,811,904 -c--a-w C:\WINDOWS\Internet Logs\xDB4E.tmp
2007-08-17 03:21 1,771,008 -c--a-w C:\WINDOWS\Internet Logs\xDB4D.tmp
2007-08-17 03:20 3,097,088 -c--a-w C:\WINDOWS\Internet Logs\xDB4C.tmp
2007-08-10 23:14 1,758,720 -c--a-w C:\WINDOWS\Internet Logs\xDB4B.tmp
2007-08-08 07:09 92,692 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_08_10_54_51_small.dmp.zip
2007-08-08 07:09 117,043 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_08_10_48_39_small.dmp.zip
2007-08-08 02:14 4,758,016 -c--a-w C:\WINDOWS\Internet Logs\xDB4A.tmp
2007-08-05 03:07 1,746,432 -c--a-w C:\WINDOWS\Internet Logs\xDB49.tmp
2007-07-31 14:54 193,024 ----a-w C:\WINDOWS\Internet Logs\xDB47.tmp
2007-07-31 14:54 1,729,536 -c--a-w C:\WINDOWS\Internet Logs\xDB48.tmp
2007-07-31 11:29 2,716,672 -c--a-w C:\WINDOWS\Internet Logs\xDB45.tmp
2007-07-31 11:29 1,725,440 -c--a-w C:\WINDOWS\Internet Logs\xDB46.tmp
2007-07-31 06:34 325,120 ----a-w C:\WINDOWS\Internet Logs\xDB43.tmp
2007-07-31 06:34 1,722,880 -c--a-w C:\WINDOWS\Internet Logs\xDB44.tmp
2007-07-31 00:03 2,962,944 -c--a-w C:\WINDOWS\Internet Logs\xDB42.tmp
2007-07-28 09:56 4,335,104 -c--a-w C:\WINDOWS\Internet Logs\xDB41.tmp
2007-07-24 11:48 1,713,152 -c--a-w C:\WINDOWS\Internet Logs\xDB40.tmp
2007-07-20 07:26 2,957,312 -c--a-w C:\WINDOWS\Internet Logs\xDB3E.tmp
2007-07-20 07:26 1,704,960 -c--a-w C:\WINDOWS\Internet Logs\xDB3F.tmp
2007-07-16 09:26 1,697,280 -c--a-w C:\WINDOWS\Internet Logs\xDB3D.tmp
2007-07-15 08:29 2,982,400 -c--a-w C:\WINDOWS\Internet Logs\xDB3C.tmp
2007-07-11 06:06 2,424,320 -c--a-w C:\WINDOWS\Internet Logs\xDB3A.tmp
2007-07-11 06:06 1,692,672 -c--a-w C:\WINDOWS\Internet Logs\xDB3B.tmp
2007-07-10 09:52 3,247,104 -c--a-w C:\WINDOWS\Internet Logs\xDB38.tmp
2007-07-10 09:52 1,691,648 -c--a-w C:\WINDOWS\Internet Logs\xDB39.tmp
2007-06-30 14:10 2,870,784 -c--a-w C:\WINDOWS\Internet Logs\xDB37.tmp
2007-08-30 20:25 428 --sha-r C:\WINDOWS\system32\kathyros.bat
2007-08-30 20:26 544 --sha-r C:\WINDOWS\system32\kathyros.reg
2007-08-30 20:33 1,105 --sha-r C:\WINDOWS\system32\kathyros.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Camille\Application Data\Mozilla\Firefox\Profiles\a5tbmhmk.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 04:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 20:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 04:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:32 455168]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-06-30 20:56 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-06-30 21:00 65536]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-31 12:15 1838592]
"PC Suite for Smartphones"="C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-05-28 10:14 528384]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

C:\Documents and Settings\Saki\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2003-03-07 19:57:24 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-11 13:30:02 113664]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-04-11 11:30:23 127488]
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2003-03-07 19:57:24 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
SpywareBlaster.lnk - C:\Program Files\SpywareBlaster\spywareblaster.exe [2007-04-11 13:59:51 995328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\WINDOWS\system32\DRIVERS\zebrceb.sys [2007-04-13 08:50]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 18:53]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2007-04-13 08:50]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2007-04-13 08:50]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2007-04-13 08:50]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2007-04-13 08:50]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\WINDOWS\system32\DRIVERS\zebrsce.sys [2007-04-13 08:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-31 23:40:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 19:32:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-06 19:36:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 11:36:02
.
2008-01-11 01:02:31 --- E O F ---


and my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:07 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Camille\Application Data\Mozilla\Firefox\Profiles\a5tbmhmk.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Camille\Application Data\Mozilla\Firefox\Profiles/a5tbmhmk.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177396259217
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19D4C964-A1D3-4017-A74F-6722873624AF}: NameServer = 58.69.254.44 58.69.254.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{79199C67-8C5B-4EB7-AEA6-8E0EB44E3590}: NameServer = 58.69.254.43,58.69.254.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{19D4C964-A1D3-4017-A74F-6722873624AF}: NameServer = 58.69.254.44 58.69.254.46
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7862 bytes


Thanks! By the way, my laptop is also infected. Could I post the logs here or should I start another thread for it? I ran ComboFix on it. Thanks for your help! :)
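The indicators the helper acts on in this thread are visible in the logs above: the `F2 - REG:system.ini: UserInit=userinit.exe,kathyros.bat` line in the first HijackThis log (Windows launches every comma-separated UserInit entry at logon, so the appended script is the persistence hook), the kathyros files created with `-rahs` attributes, and the `Autorun.inf` files ComboFix deleted from several drive letters. The Python below is an added triage example, not code from this thread or from either tool; the sample lines are copied from the posted logs and the function names are my own.

```python
"""Triage helpers for HijackThis / ComboFix log text (added example).

Flags a UserInit value that chains extra programs after userinit.exe, files
created with both hidden and system attributes, and root autorun.inf files
per drive. It only reads log text; nothing is executed or removed.
"""
import re
from os.path import basename

# Constructed sample input: lines copied from the logs posted in this thread.
HJT_SAMPLE = [
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.irfanview.net/faq.htm",
    r"F2 - REG:system.ini: UserInit=userinit.exe,kathyros.bat",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
]

COMBOFIX_SAMPLE = [
    r"C:\Autorun.inf",
    r"D:\Autorun.inf",
    r"E:\Autorun.inf",
    r"2008-02-03 23:09 . 2008-02-03 23:30 30,590 --a------ C:\WINDOWS\system32\pavas.ico",
    r"2008-01-26 06:19 . 2007-08-31 04:33 1,105 -rahs---- C:\WINDOWS\system32\kathyros.vbs",
    r"2008-01-26 06:19 . 2007-08-31 04:26 544 -rahs---- C:\WINDOWS\system32\kathyros.reg",
    r"2008-01-26 06:18 . 2007-08-31 04:25 428 -rahs---- C:\kathyros.bat",
    r"2008-01-18 08:27 . 2008-02-06 19:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn",
]

# HijackThis F2 line for a non-default UserInit value.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")

# ComboFix "Files Created" entry: created . modified size attrs path
CF_FILE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

# Root autorun.inf on a drive, as listed under "Other Deletions".
AUTORUN = re.compile(r"^(?P<drive>[A-Za-z]):\\autorun\.inf$", re.IGNORECASE)


def userinit_extras(lines):
    """Programs chained after userinit.exe in the HJT F2 UserInit line."""
    extras = []
    for line in lines:
        m = F2_USERINIT.match(line.strip())
        if not m:
            continue
        for entry in m.group("value").split(","):
            entry = entry.strip().strip('"')
            # Normalise Windows separators so basename() works on any host.
            name = basename(entry.replace("\\", "/")).lower()
            if entry and name != "userinit.exe":
                extras.append(entry)
    return extras


def hidden_system_files(lines):
    """Paths of ComboFix file entries carrying both hidden and system flags."""
    found = []
    for line in lines:
        m = CF_FILE.match(line.strip())
        if m and m.group("size") != "<DIR>":
            attrs = m.group("attrs")
            if "h" in attrs and "s" in attrs:
                found.append(m.group("path"))
    return found


def autorun_drives(lines):
    """Sorted drive letters on which a root autorun.inf was reported."""
    drives = {m.group("drive").upper()
              for m in (AUTORUN.match(l.strip()) for l in lines) if m}
    return sorted(drives)


def triage(hjt_lines, combofix_lines):
    """Summarise the indicators from both logs in one dictionary."""
    return {
        "userinit_extras": userinit_extras(hjt_lines),
        "hidden_system_files": hidden_system_files(combofix_lines),
        "autorun_drives": autorun_drives(combofix_lines),
    }


if __name__ == "__main__":
    for key, value in triage(HJT_SAMPLE, COMBOFIX_SAMPLE).items():
        print(f"{key}: {value}")
```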
LoPhatPhuud
Post your Laptop log in a new thread.


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
C:\WINDOWS\system32\kathyros.vbs
C:\WINDOWS\system32\kathyros.reg
C:\WINDOWS\system32\kathyros.bat
C:\kathyros.vbs
C:\kathyros.reg
C:\kathyros.bat


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Nyxis
Hi, here is my new ComboFix log after following the steps you mentioned above.

ComboFix 08-02.03.1 - Camille 2008-02-07 11:26:46.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.321 [GMT 8:00]
Running from: C:\Documents and Settings\Camille\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Camille\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\kathyros.bat
C:\kathyros.reg
C:\kathyros.vbs
C:\WINDOWS\system32\kathyros.bat
C:\WINDOWS\system32\kathyros.reg
C:\WINDOWS\system32\kathyros.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\kathyros.bat
C:\kathyros.reg
C:\kathyros.vbs
C:\WINDOWS\system32\kathyros.bat
C:\WINDOWS\system32\kathyros.reg
C:\WINDOWS\system32\kathyros.vbs

.
((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-06 20:51 . 2008-02-06 20:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-06 20:50 . 2008-02-06 20:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-06 20:50 . 2008-02-06 20:50 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-04 00:19 . 2008-02-04 00:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 23:37 . 2008-02-03 23:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-03 23:37 . 2008-02-04 23:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-03 23:09 . 2008-02-03 23:30 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-03 23:09 . 2008-02-03 23:30 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-03 23:09 . 2008-02-03 23:30 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-03 23:08 . 2008-02-03 23:11 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-03 23:01 . 2008-02-03 23:06 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-28 19:02 . 2008-01-28 19:02 30,352 --a------ C:\Documents and Settings\Saki\Application Data\GDIPFONTCACHEV1.DAT
2008-01-25 16:51 . 2008-01-25 16:58 <DIR> d-------- C:\Program Files\WinMX
2008-01-18 08:27 . 2008-02-07 11:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 08:27 . 2008-01-18 08:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 08:25 . 2008-01-18 08:25 <DIR> d-------- C:\Program Files\iPod
2008-01-18 08:24 . 2008-01-18 08:26 <DIR> d-------- C:\Program Files\iTunes
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 03:30 10,903,584 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-06 14:02 --------- d-----w C:\Program Files\mIRC
2008-02-06 11:28 124,208 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-04 23:13 --------- d-----w C:\Documents and Settings\Saki\Application Data\uTorrent
2008-02-04 22:54 --------- d-----w C:\Program Files\PeerGuardian2
2008-02-04 00:43 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-02 13:14 12,968,594 -c--a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-02-02 02:10 --------- d-----w C:\Documents and Settings\Camille\Application Data\Skype
2008-02-01 07:40 --------- d-----w C:\Documents and Settings\Camille\Application Data\uTorrent
2008-01-31 14:04 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-30 08:09 --------- d-----w C:\Program Files\a-squared Free
2008-01-28 13:27 --------- d-----w C:\Documents and Settings\Saki\Application Data\FileZilla
2008-01-28 05:48 --------- d-----w C:\Documents and Settings\Saki\Application Data\ZoomBrowser EX
2008-01-28 05:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-27 04:32 3,108,352 ----a-w C:\WINDOWS\Internet Logs\xDB79.tmp
2008-01-27 04:32 1,440,256 ----a-w C:\WINDOWS\Internet Logs\xDB7A.tmp
2008-01-25 09:57 --------- d-----w C:\Program Files\IZArc
2008-01-20 07:06 1,885,696 ----a-w C:\WINDOWS\Internet Logs\xDB78.tmp
2008-01-20 02:55 3,695,616 ----a-w C:\WINDOWS\Internet Logs\xDB76.tmp
2008-01-20 02:55 1,415,680 ----a-w C:\WINDOWS\Internet Logs\xDB77.tmp
2008-01-18 00:19 --------- d-----w C:\Program Files\QuickTime
2008-01-16 13:32 1,405,440 ----a-w C:\WINDOWS\Internet Logs\xDB75.tmp
2008-01-14 08:21 --------- d-----w C:\Program Files\FileZilla Client
2008-01-11 06:19 543,744 ----a-w C:\WINDOWS\Internet Logs\xDB74.tmp
2008-01-11 01:03 3,394,560 ----a-w C:\WINDOWS\Internet Logs\xDB73.tmp
2008-01-01 16:06 --------- d-----w C:\Program Files\Java
2008-01-01 16:01 --------- d-----w C:\Program Files\Common Files\Java
2007-12-28 00:18 4,017,664 ----a-w C:\WINDOWS\Internet Logs\xDB72.tmp
2007-12-26 12:34 1,367,040 ----a-w C:\WINDOWS\Internet Logs\xDB71.tmp
2007-12-19 03:06 --------- d-----w C:\Documents and Settings\Camille\Application Data\FileZilla
2007-12-17 02:10 3,482,624 ----a-w C:\WINDOWS\Internet Logs\xDB70.tmp
2007-12-13 14:04 --------- d-----w C:\Program Files\SmartFTP Client
2007-12-13 14:02 --------- d-----w C:\Program Files\SmartFTP Client 2.5 Setup Files
2007-12-07 10:55 859,648 ----a-w C:\WINDOWS\Internet Logs\xDB6E.tmp
2007-12-07 10:55 2,022,400 ----a-w C:\WINDOWS\Internet Logs\xDB6F.tmp
2007-12-07 05:39 4,405,248 ----a-w C:\WINDOWS\Internet Logs\xDB6D.tmp
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-25 15:12 724,992 ----a-w C:\WINDOWS\iun6002.exe
2007-11-23 05:46 2,004,992 ----a-w C:\WINDOWS\Internet Logs\xDB6C.tmp
2007-11-21 10:02 30,352 -c--a-w C:\Documents and Settings\Camille\Application Data\GDIPFONTCACHEV1.DAT
2007-11-21 00:55 2,674,176 ----a-w C:\WINDOWS\Internet Logs\xDB6A.tmp
2007-11-21 00:55 2,002,944 ----a-w C:\WINDOWS\Internet Logs\xDB6B.tmp
2007-11-19 09:00 1,999,872 ----a-w C:\WINDOWS\Internet Logs\xDB69.tmp
2007-11-19 09:00 1,290,240 ----a-w C:\WINDOWS\Internet Logs\xDB68.tmp
2007-11-17 13:09 2,658,816 ----a-w C:\WINDOWS\Internet Logs\xDB67.tmp
2007-11-16 05:58 3,926,016 ----a-w C:\WINDOWS\Internet Logs\xDB65.tmp
2007-11-16 05:58 1,996,288 ----a-w C:\WINDOWS\Internet Logs\xDB66.tmp
2007-11-14 08:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-14 08:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-10 03:47 1,971,712 ----a-w C:\WINDOWS\Internet Logs\xDB64.tmp
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 04:17 1,966,080 -c--a-w C:\WINDOWS\Internet Logs\xDB63.tmp
2007-11-04 10:49 3,069,440 -c--a-w C:\WINDOWS\Internet Logs\xDB62.tmp
2007-11-02 08:23 3,790,336 -c--a-w C:\WINDOWS\Internet Logs\xDB61.tmp
2007-10-27 03:33 1,934,848 -c--a-w C:\WINDOWS\Internet Logs\xDB60.tmp
2007-10-16 17:29 3,190,784 -c--a-w C:\WINDOWS\Internet Logs\xDB5E.tmp
2007-10-16 17:29 1,914,368 -c--a-w C:\WINDOWS\Internet Logs\xDB5F.tmp
2007-10-09 13:33 2,681,856 -c--a-w C:\WINDOWS\Internet Logs\xDB5D.tmp
2007-10-05 12:50 3,001,856 -c--a-w C:\WINDOWS\Internet Logs\xDB5B.tmp
2007-10-05 12:50 1,889,792 -c--a-w C:\WINDOWS\Internet Logs\xDB5C.tmp
2007-09-24 06:13 316,928 ----a-w C:\WINDOWS\Internet Logs\xDB5A.tmp
2007-09-24 02:56 1,874,432 -c--a-w C:\WINDOWS\Internet Logs\xDB59.tmp
2007-09-24 02:56 1,836,544 -c--a-w C:\WINDOWS\Internet Logs\xDB58.tmp
2007-09-23 01:35 3,292,160 -c--a-w C:\WINDOWS\Internet Logs\xDB57.tmp
2007-09-19 13:32 116,526 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_09_19_11_21_02_small.dmp.zip
2007-09-15 08:55 2,757,120 -c--a-w C:\WINDOWS\Internet Logs\xDB56.tmp
2007-09-12 06:50 3,371,008 -c--a-w C:\WINDOWS\Internet Logs\xDB54.tmp
2007-09-12 06:50 1,831,424 -c--a-w C:\WINDOWS\Internet Logs\xDB55.tmp
2007-09-01 02:11 3,281,920 -c--a-w C:\WINDOWS\Internet Logs\xDB52.tmp
2007-09-01 02:11 1,802,240 ----a-w C:\WINDOWS\Internet Logs\xDB53.tmp
2007-08-25 10:27 3,732,992 -c--a-w C:\WINDOWS\Internet Logs\xDB50.tmp
2007-08-25 10:27 1,792,512 -c--a-w C:\WINDOWS\Internet Logs\xDB51.tmp
2007-08-25 08:24 1,792,000 -c--a-w C:\WINDOWS\Internet Logs\xDB4F.tmp
2007-08-17 17:00 2,811,904 -c--a-w C:\WINDOWS\Internet Logs\xDB4E.tmp
2007-08-17 03:21 1,771,008 -c--a-w C:\WINDOWS\Internet Logs\xDB4D.tmp
2007-08-17 03:20 3,097,088 -c--a-w C:\WINDOWS\Internet Logs\xDB4C.tmp
2007-08-10 23:14 1,758,720 -c--a-w C:\WINDOWS\Internet Logs\xDB4B.tmp
2007-08-08 07:09 92,692 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_08_10_54_51_small.dmp.zip
2007-08-08 07:09 117,043 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_08_10_48_39_small.dmp.zip
2007-08-08 02:14 4,758,016 -c--a-w C:\WINDOWS\Internet Logs\xDB4A.tmp
2007-08-05 03:07 1,746,432 -c--a-w C:\WINDOWS\Internet Logs\xDB49.tmp
2007-07-31 14:54 193,024 ----a-w C:\WINDOWS\Internet Logs\xDB47.tmp
2007-07-31 14:54 1,729,536 -c--a-w C:\WINDOWS\Internet Logs\xDB48.tmp
2007-07-31 11:29 2,716,672 -c--a-w C:\WINDOWS\Internet Logs\xDB45.tmp
2007-07-31 11:29 1,725,440 -c--a-w C:\WINDOWS\Internet Logs\xDB46.tmp
2007-07-31 06:34 325,120 ----a-w C:\WINDOWS\Internet Logs\xDB43.tmp
2007-07-31 06:34 1,722,880 -c--a-w C:\WINDOWS\Internet Logs\xDB44.tmp
2007-07-31 00:03 2,962,944 -c--a-w C:\WINDOWS\Internet Logs\xDB42.tmp
2007-07-28 09:56 4,335,104 -c--a-w C:\WINDOWS\Internet Logs\xDB41.tmp
2007-07-24 11:48 1,713,152 -c--a-w C:\WINDOWS\Internet Logs\xDB40.tmp
2007-07-20 07:26 2,957,312 -c--a-w C:\WINDOWS\Internet Logs\xDB3E.tmp
2007-07-20 07:26 1,704,960 -c--a-w C:\WINDOWS\Internet Logs\xDB3F.tmp
2007-07-16 09:26 1,697,280 -c--a-w C:\WINDOWS\Internet Logs\xDB3D.tmp
2007-07-15 08:29 2,982,400 -c--a-w C:\WINDOWS\Internet Logs\xDB3C.tmp
2007-07-11 06:06 2,424,320 -c--a-w C:\WINDOWS\Internet Logs\xDB3A.tmp
2007-07-11 06:06 1,692,672 -c--a-w C:\WINDOWS\Internet Logs\xDB3B.tmp
2007-07-10 09:52 3,247,104 -c--a-w C:\WINDOWS\Internet Logs\xDB38.tmp
2007-07-10 09:52 1,691,648 -c--a-w C:\WINDOWS\Internet Logs\xDB39.tmp
2007-06-30 14:10 2,870,784 -c--a-w C:\WINDOWS\Internet Logs\xDB37.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Camille\Application Data\Mozilla\Firefox\Profiles\a5tbmhmk.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 04:32 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 20:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 04:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 04:32 455168]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 21:00 79224]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-06-30 20:56 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-06-30 21:00 65536]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-31 12:15 1838592]
"PC Suite for Smartphones"="C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-05-28 10:14 528384]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

C:\Documents and Settings\Saki\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2003-03-07 19:57:24 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-04-11 13:30:02 113664]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2007-04-11 11:30:23 127488]
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2003-03-07 19:57:24 299008]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
SpywareBlaster.lnk - C:\Program Files\SpywareBlaster\spywareblaster.exe [2007-04-11 13:59:51 995328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\WINDOWS\system32\DRIVERS\zebrceb.sys [2007-04-13 08:50]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 18:53]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2007-04-13 08:50]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2007-04-13 08:50]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2007-04-13 08:50]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2007-04-13 08:50]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\WINDOWS\system32\DRIVERS\zebrsce.sys [2007-04-13 08:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22cd96cc-12ee-11dc-a5d3-001195606b39}]
\Shell\AutoRun\command - H:\
\Shell\explore\Command - WScript.exe .\kathyros.vbs
\Shell\open\Command - WScript.exe .\kathyros.vbs

.
Contents of the 'Scheduled Tasks' folder
"2008-01-31 23:40:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 11:30:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-07 11:32:05
ComboFix-quarantined-files.txt 2008-02-07 03:31:53
ComboFix2.txt 2008-02-07 03:16:14
ComboFix3.txt 2008-02-07 03:01:08
ComboFix4.txt 2008-02-06 11:36:08
.
2008-01-11 01:02:31 --- E O F ---


HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:56 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Camille\Application Data\Mozilla\Firefox\Profiles\a5tbmhmk.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Camille\Application Data\Mozilla\Firefox\Profiles/a5tbmhmk.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177396259217
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19D4C964-A1D3-4017-A74F-6722873624AF}: NameServer = 58.69.254.44 58.69.254.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{79199C67-8C5B-4EB7-AEA6-8E0EB44E3590}: NameServer = 58.69.254.43,58.69.254.46
O17 - HKLM\System\CS1\Services\Tcpip\..\{19D4C964-A1D3-4017-A74F-6722873624AF}: NameServer = 58.69.254.44 58.69.254.46
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8075 bytes
LoPhatPhuud
I am not sure what happened, but the files I wanted to delete are still there. We'll use a different method.

First, I want to clean up a little and remove ComboFix since we will not be using it right now.

From the Desktop:
Start --> Run --> ComboFix /u (Press Enter)

That will completely remove ComboFix and its associated folders.


Then...

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text (including the words 'Files to delete:') contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

QUOTE
Files to delete:
C:\WINDOWS\system32\kathyros.vbs
C:\WINDOWS\system32\kathyros.reg
C:\WINDOWS\system32\kathyros.bat
C:\kathyros.vbs
C:\kathyros.reg
C:\kathyros.bat


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
Nyxis
Hi, please recheck my logs above. I redid the steps since I was thinking I did something wrong (I checked another thread that had the kathyros problem and hers got fixed). I must have missed something when I typed the file into Notepad.
Thanks!
LoPhatPhuud
Thanks, they seem to be gone. Let's move forward...

First;
Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Second:

Go ahead and remove ComboFix, if you haven't already done so

Start --> Run --> ComboFix /u (press Enter)


Third:

We should be done, but let me know if there are still outstanding issues.
Nyxis
Thanks LoPhatPhuud flowerz.gif

If I plug in my flash drive would that reinfect my PC (if it has the kathyros)? Is there a safe way for me to scan if my flash drive has this? Thanks for all your help!
LoPhatPhuud
If you make sure that AutoPlay is disabled before you insert a USB drive, you should be able to erase it without infecting your system. Also, your antivirus should catch these if they did try to execute.
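The MountPoints2 block in the ComboFix log above is Windows' cached copy of the drive's autorun.inf, which is why both the "open" and "explore" actions for H: pointed at WScript.exe .\kathyros.vbs. As an added example (not code from this thread or from either participant), the Python script below parses an autorun.inf, or the MountPoints2 lines as ComboFix prints them, and reports which entries would execute something, so a suspect drive can be reviewed with AutoPlay disabled before it is ever opened. The sample inputs are constructed to mirror the log above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Interpreters that have no business being the target of an autorun action on
# removable media; the log above shows WScript.exe used exactly this way.
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "cmd", "powershell", "regedit", "rundll32"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta", ".reg")

# [autorun] keys that cause execution: "open"/"shellexecute" fire on AutoPlay,
# "shell\<verb>\command" replaces what Explorer runs for that verb.
DIRECT_KEYS = {"open", "shellexecute"}
VERB_RE = re.compile(r"^shell\\([^\\]+)\\command$")


@dataclass(frozen=True)
class Finding:
    key: str      # normalised autorun key, e.g. "shell\open\command"
    command: str  # the command line that key would run
    reason: str


def parse_autorun_inf(text: str) -> dict[str, str]:
    """Tolerant INI parse of the [autorun] section; later duplicate keys win."""
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def parse_mountpoints2(lines) -> dict[str, str]:
    """Convert ComboFix MountPoints2 lines ('\\Shell\\open\\Command - <cmd>')
    into the same key/value form as parse_autorun_inf."""
    entries: dict[str, str] = {}
    for line in lines:
        key, sep, value = line.strip().partition(" - ")
        if sep:
            entries[key.lstrip("\\").lower()] = value.strip()
    return entries


def _program_name(command: str) -> str:
    """Basename without extension of the first token of a command line."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    token = (m.group(1) or m.group(2)) if m else ""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0] if "." in name else name


def assess(entries: dict[str, str]) -> list[Finding]:
    """Report every entry that would execute something, and why it matters."""
    findings: list[Finding] = []
    for key, command in entries.items():
        verb = VERB_RE.match(key)
        if key not in DIRECT_KEYS and not verb:
            continue  # icon=, label=, etc. never run anything
        lowered = command.lower().replace('"', "")
        reasons = []
        if _program_name(command) in SCRIPT_HOSTS:
            reasons.append("launches a script host")
        if any(f"{ext} " in f"{lowered} " for ext in SCRIPT_EXTS):
            reasons.append("references a script file on the drive")
        if verb and verb.group(1).lower() in ("open", "explore"):
            reasons.append(f"overrides Explorer's '{verb.group(1)}' action")
        if key in DIRECT_KEYS:
            reasons.append("runs automatically on AutoPlay")
        if reasons:
            findings.append(Finding(key, command, "; ".join(reasons)))
    return findings


# Constructed sample (not a file from the thread): an autorun.inf equivalent
# to the MountPoints2 entries ComboFix recorded for drive H: above.
SAMPLE_AUTORUN_INF = """\
[autorun]
; the AutoRun verb just points at the drive root
shell\\AutoRun\\command=H:\\
shell\\explore\\Command=WScript.exe .\\kathyros.vbs
shell\\open\\Command=WScript.exe .\\kathyros.vbs
"""

# Constructed: the three MountPoints2 lines as they appear in the log above.
SAMPLE_MOUNTPOINTS2 = [
    "\\Shell\\AutoRun\\command - H:\\",
    "\\Shell\\explore\\Command - WScript.exe .\\kathyros.vbs",
    "\\Shell\\open\\Command - WScript.exe .\\kathyros.vbs",
]

if __name__ == "__main__":
    for f in assess(parse_autorun_inf(SAMPLE_AUTORUN_INF)):
        print(f"{f.key}: {f.command!r} -> {f.reason}")
```

Running it against a real drive means reading `X:\autorun.inf` (if present) into `parse_autorun_inf`, or pasting the MountPoints2 lines from a ComboFix log into `parse_mountpoints2`.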
Nyxis
QUOTE (LoPhatPhuud @ Feb 8 2008, 06:48 AM) *
If you make sure that AutoPlay is disabled before you insert a USB drive, you should be able to erase it without infecting your system. Also, your antivirus should catch these if they did try to execute.



Thanks! :)