BSOD on boot


  • This topic is locked
35 replies to this topic

#16 heniljain

  • Topic Starter

  • Members
  • 20 posts

Posted 30 April 2010 - 11:56 AM

hey sempai,
When I ran ComboFix, the scan did not complete, my computer crashed midway, so there was no log created. D:


#17 sempai


    noypi


  • Malware Response Team
  • 5,288 posts

Posted 30 April 2010 - 12:06 PM

Alright, run the OTL fix below and let's run Combofix again, but before that I want to warn you about cracks and keygens.

++++++++++++++++++++++

WARNING: cracking tools/keygens/warez/pirated software
The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is also a serious security risk:
    QUOTE(Trend Micro)
    Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.
    REFERENCE: Trend Micro - CRCK_KEYGEN.BB

    QUOTE(Trend Micro)
    [..] warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files [..] quick links in these sites also lead to malicious files. Ads and banners are also infection vectors [..]
    REFERENCE: Crack Sites Distribute VIRUX and FakeAV | Malware Blog | Trend Micro
When you use these kinds of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a lot of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the Operating System.


Please delete this crack/patch => C:\Adobe CS4 Master Collection_ACTIVATION PATCH by P!mPdOG.ExE


++++++++++++++++++++++


1. We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    :OTL
    FF - prefs.js..browser.search.selectedEngine: "MyWebSearch"
    FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\MyWebSearch\bar\2.bin File not found
    [2010/04/16 14:55:46 | 000,000,118 | ---- | M] () -- C:\tujserrew.bat

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.



2. Please delete your copy of ComboFix (do not uninstall) then run a new copy.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.




~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) and ASAP (Alliance of Security Analysis Professionals)

#18 heniljain

  • Topic Starter

  • Members
  • 20 posts

Posted 30 April 2010 - 01:10 PM

here's the OTL log:

All processes killed
========== OTL ==========
Prefs.js: "MyWebSearch" removed from browser.search.selectedEngine
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected] deleted successfully.
C:\tujserrew.bat moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 476244 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: HENIL
->Temp folder emptied: 3317148 bytes
->Temporary Internet Files folder emptied: 7685200 bytes
->Java cache emptied: 12142339 bytes
->FireFox cache emptied: 83125672 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 2981 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 305709 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 11045558 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 2413 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 727540 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 113.00 mb


OTL by OldTimer - Version 3.2.3.0 log created on 04302010_141143

Files\Folders moved on Reboot...
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RRB79IO1\empty[1].htm moved successfully.

Registry entries deleted on Reboot...


here's the combofix log:

ComboFix 10-04-29.05 - HENIL 04/30/2010 14:40:59.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2694 [GMT -4:00]
Running from: c:\documents and settings\HENIL\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HENIL\My Documents\iexplore.exe
c:\windows\system\d3d9.dll
c:\windows\system32\fjhdyfhsn.bat

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-30 )))))))))))))))))))))))))))))))
.

2010-04-30 02:04 . 2010-04-30 02:04 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\Threat Expert
2010-04-30 01:43 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-30 01:43 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-30 01:43 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-30 01:43 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-30 01:43 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-30 01:43 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-30 01:42 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-30 01:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-30 01:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-30 01:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-30 01:42 . 2010-04-30 18:15 -------- d-----w- c:\program files\Spyware Doctor
2010-04-30 01:42 . 2010-04-30 01:42 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-30 01:42 . 2010-04-30 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-30 01:42 . 2010-04-30 01:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-04-29 22:43 . 2010-04-29 22:43 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\drgqjjfsu
2010-04-29 22:43 . 2010-04-29 22:43 270848 ----a-w- c:\documents and settings\HENIL\o.dat
2010-04-29 20:45 . 2010-04-29 20:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-04-29 19:42 . 2010-04-30 18:53 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-04-29 18:32 . 2010-04-30 18:55 -------- d-----w- c:\documents and settings\HENIL\Application Data\WTablet
2010-04-29 18:31 . 2004-08-04 02:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-29 18:31 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-29 18:31 . 2007-02-16 00:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2010-04-29 18:31 . 2008-01-15 20:11 13480 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2010-04-29 18:31 . 2007-02-16 19:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2010-04-29 18:31 . 2010-04-29 18:31 -------- d-----w- c:\windows\system32\WTablet
2010-04-29 18:31 . 2008-03-17 20:14 15144 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2010-04-29 18:31 . 2008-05-01 22:23 181544 ------w- c:\windows\system32\Wintab32.dll
2010-04-29 18:31 . 2008-05-01 22:33 128296 ------w- c:\windows\system32\Pen_Tablet.dll
2010-04-29 18:31 . 2008-05-01 22:40 3032360 ------w- c:\windows\system32\Pen_Tablet.exe
2010-04-29 18:31 . 2010-04-29 18:31 -------- d-----w- c:\program files\Tablet
2010-04-29 16:48 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 16:48 . 2010-04-29 16:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 16:48 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 18:52 . 2010-04-28 18:52 -------- d-----w- c:\program files\NOS
2010-04-28 18:46 . 2010-04-28 18:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2010-04-28 06:35 . 2010-04-23 13:30 552448 ----a-r- C:\OTLPE.exe
2010-04-28 06:32 . 2004-08-04 02:59 95360 ----a-w- C:\atapi.sys
2010-04-24 20:11 . 2010-04-24 20:38 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\bkup
2010-04-24 19:38 . 2010-04-24 19:38 -------- d--h--w- c:\windows\PIF
2010-04-18 14:33 . 2002-03-25 22:44 722192 ----a-w- c:\windows\system32\VB40032.DLL
2010-04-18 14:33 . 2002-03-25 22:44 60416 ----a-w- c:\windows\ST4UNST.EXE
2010-04-18 00:11 . 2010-04-30 04:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-18 00:11 . 2010-04-18 00:11 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-18 00:11 . 2010-04-18 00:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
2010-04-18 00:11 . 2010-04-22 07:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-16 21:28 . 2010-04-24 18:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-04-08 17:02 . 2010-04-24 18:01 -------- d-----w- c:\documents and settings\HENIL\Application Data\skypePM
2010-04-08 17:02 . 2010-04-08 17:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-08 17:01 . 2010-04-24 23:33 -------- d-----w- c:\documents and settings\HENIL\Application Data\Skype
2010-04-08 17:01 . 2010-04-08 17:01 -------- d-----w- c:\program files\Common Files\Skype
2010-04-08 17:01 . 2010-04-08 17:01 -------- d-----r- c:\program files\Skype
2010-04-08 17:01 . 2010-04-08 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-01 00:34 . 2010-04-22 15:19 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\Blizzard Entertainment
2010-04-01 00:34 . 2010-04-01 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 18:55 . 2009-05-08 15:18 117760 ----a-w- c:\documents and settings\HENIL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-30 18:53 . 2008-10-25 18:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-28 18:53 . 2009-08-11 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-28 18:50 . 2010-02-10 03:34 -------- d-----w- c:\documents and settings\HENIL\Application Data\Paltalk
2010-04-28 18:45 . 2008-09-20 13:30 -------- d-----w- c:\program files\Java
2010-04-28 18:45 . 2010-04-28 18:45 152576 ----a-w- c:\documents and settings\HENIL\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2010-04-25 15:54 . 2009-11-24 22:16 -------- d-----w- c:\program files\OGPlanet
2010-04-24 23:54 . 2009-10-14 13:17 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-24 23:30 . 2009-10-14 12:51 -------- d-----w- c:\documents and settings\HENIL\Application Data\IM
2010-04-24 09:10 . 2010-02-22 04:48 43526 ----a-w- c:\windows\system32\lsUninstall.exe
2010-04-22 15:19 . 2008-09-19 18:14 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-04-21 19:12 . 2010-03-01 16:56 -------- d-----w- c:\documents and settings\HENIL\Application Data\vlc
2010-04-21 04:27 . 2009-05-08 15:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-14 13:05 . 2009-10-14 21:07 -------- d-----w- c:\program files\Google
2010-04-05 00:38 . 2010-02-22 05:05 -------- d-----w- c:\program files\LostSaga
2010-03-29 12:53 . 2010-04-28 18:52 32576 ----a-w- c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-29 12:53 . 2010-04-28 18:52 29984 ----a-w- c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-03-13 17:16 . 2009-05-24 04:52 -------- d-----w- c:\documents and settings\HENIL\Application Data\Apple Computer
2010-03-08 00:41 . 2010-03-07 22:38 -------- d-----w- c:\program files\igowin
2010-03-04 12:12 . 2008-10-06 04:18 -------- d-----w- c:\documents and settings\HENIL\Application Data\uTorrent
2010-03-01 06:09 . 2008-08-27 16:32 48960 ----a-w- c:\documents and settings\HENIL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-28 19:36 . 2010-02-28 19:35 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2010-02-23 17:07 . 2010-02-23 17:07 2032792 ----a-w- c:\program files\ie_ko.exe
2010-02-22 04:57 . 2010-02-22 04:57 370480 ----a-w- c:\program files\LostSaga_ActiveX_Setup.exe
2010-02-22 04:52 . 2010-02-22 04:52 370480 ----a-w- C:\LostSaga_ActiveX_Setup.exe
2010-02-17 21:38 . 2010-02-17 05:15 120 ----a-w- c:\windows\Gpayuqejako.dat
2010-02-17 06:11 . 2010-02-17 06:11 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-17 06:02 . 2010-02-17 06:02 53248 ----a-w- c:\windows\PSEXESVC.EXE
2010-02-17 05:57 . 2010-02-17 05:57 388608 ----a-w- c:\windows\system32\CF31964.exe
2010-02-17 05:15 . 2010-02-17 05:15 0 ----a-w- c:\windows\Tvabafida.bin
2010-02-17 05:11 . 2010-02-17 05:11 20 ----a-w- c:\documents and settings\NetworkService\Application Data\sgcpom.dat
.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-04 11:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2002-08-28 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2002-08-28 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[-] 2002-08-28 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
[-] 2002-08-28 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2009-04-09 228808]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HENIL^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\HENIL\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-03-20 16:46 217544 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2004-12-17 00:49 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 04:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
2005-03-18 11:34 1228800 ----a-w- c:\program files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 01:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2010-03-09 12:40 1286608 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-01-15 13:19 13680640 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-01-15 13:19 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-01-15 13:19 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-03-15 10:15 180224 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2008-10-21 15:17 577540 ----a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
2008-08-27 02:13 536576 ----a-w- c:\windows\Samsung\PanelMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 06:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
2009-03-19 23:30 7308584 ----a-w- c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-10-14 21:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syrxumdk]
2010-04-29 22:43 270848 ----a-w- c:\documents and settings\HENIL\Local Settings\Application Data\drgqjjfsu\ihsgsimtssd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 14:18 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hpqcxs08"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"ANIWZCSdService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\HENIL\\My Documents\\Downloads\\[ PC Games ] - Age of Empires II(FULL)(3)\\empires2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\HENIL\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\OGPlanet\\LostSaga\\autoupgrade.exe"=
"d:\\Program Files\\OGPlanet\\LostSaga\\lostsaga.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\LostSaga\\autoupgrade.exe"=
"c:\\Program Files\\LostSaga\\lostsaga.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"d:\\Program Files\\StarCraft II Beta\\StarCraft II.exe"=
"d:\\Program Files\\StarCraft II Beta\\Versions\\Base14093\\SC2.exe"=
"d:\\Program Files\\StarCraft II Beta\\Versions\\Base14621\\SC2.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:MySQL Server
"43705:TCP"= 43705:TCP:uTorrent
"11606:TCP"= 11606:TCP:12skies
"11606:UDP"= 11606:UDP:12skies
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [10/12/2008 3:32 AM 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [10/12/2008 3:32 AM 5248]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/29/2010 9:42 PM 218592]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/29/2010 9:43 PM 112592]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/29/2010 2:31 PM 3032360]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [4/29/2010 2:31 PM 15144]
S2 Apache2.2;Apache2.2;"c:\documents and settings\HENIL\Desktop\MaNGOS_3.0.2_Web_Repack\MaNGOS 3.0.2 Web Repack\AppServ\Apache2.2\bin\httpd.exe" -k runservice --> c:\documents and settings\HENIL\Desktop\MaNGOS_3.0.2_Web_Repack\MaNGOS 3.0.2 Web Repack\AppServ\Apache2.2\bin\httpd.exe [?]
S2 gupdate1c969ffccfc5c3c;Google Update Service (gupdate1c969ffccfc5c3c);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2009 12:43 AM 133104]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [3/22/2005 10:17 PM 450400]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [3/19/2009 11:31 AM 83240]
S3 DBKDRVR54;DBKDRVR54;\??\c:\program files\Cheat Engine\dbk32.sys --> c:\program files\Cheat Engine\dbk32.sys [?]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\HENIL\Desktop\Disk_Drove_UCE\Disk Drove UCE\disk_1024.sys --> c:\documents and settings\HENIL\Desktop\Disk_Drove_UCE\Disk Drove UCE\disk_1024.sys [?]
S3 icm12blk;Intel® PC Camera CS780 Image Storage;c:\windows\system32\drivers\icm12blk.sys [1/9/2010 1:51 PM 14184]
S3 icm12fil;Intel® CS780 Audio Filter Driver;c:\windows\system32\drivers\icm12fil.sys [1/9/2010 1:52 PM 16312]
S3 ICM12USB;Intel® PC Camera CS780;c:\windows\system32\drivers\ICM12USB.sys [1/9/2010 1:51 PM 428152]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/29/2010 9:42 PM 366840]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 --> c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/12/2008 3:27 AM 721904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-10-14 23:23]

2010-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 04:42]

2010-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 04:42]

2010-04-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-19 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - google.ca
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrch.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGPPlugin.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {63EE1A13-B661-43D6-842B-121848C7AAF5} - c:\documents and settings\HENIL\Local Settings\Application Data\{63EE1A13-B661-43D6-842B-121848C7AAF5}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
.reg=exefile
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-Raptr - c:\progra~1\Raptr\raptrstub.exe
AddRemove-Jet Bingo - c:\docume~1\HENIL\LOCALS~1\APPLIC~1\JetBingo\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 14:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x8AE02AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f58cb8
\Driver\atapi -> 0x8a8182c0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
ParseProcedure -> ntkrnlpa.exe @ 0x80577896
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
ParseProcedure -> ntkrnlpa.exe @ 0x80577896
NDIS: Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4) -> SendCompleteHandler -> NDIS.sys @ 0xb9da8af9
PacketIndicateHandler -> NDIS.sys @ 0xb9db3b21
SendHandler -> NDIS.sys @ 0xb9da8938
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\WININET.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3076)
c:\windows\system32\WININET.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-04-30 15:05:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-30 19:05
ComboFix2.txt 2010-02-17 23:16
ComboFix3.txt 2008-09-29 07:00

Pre-Run: 5,863,149,568 bytes free
Post-Run: 5,820,571,648 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 974FE07ED6D3E6952DA1889C748CD260
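The check the helper applies to the Gmer "Stealth MBR rootkit detector" section above can be written down as a small triage script. This is an added example, not Gmer's or ComboFix's code and not part of the original thread; the sample log is constructed from the lines above. A hook whose target resolves to a named image (CLASSPNP.SYS, ACPI.sys, ntkrnlpa.exe, NDIS.sys) is the normal shape of a filter or class driver, whereas a hook or stack module given only as a bare address (`\Driver\atapi -> 0x8a8182c0`, `>>UNKNOWN [0x8AE02AC8]<<`) points at code with no loaded driver image behind it, which is what makes the atapi entry the one to worry about.

```python
"""
Triage helper for the Gmer MBR detector section of a ComboFix log.
Added example; not Gmer's or ComboFix's code. Rule applied: flag any hook
or call-stack module whose target is a bare kernel address rather than a
named driver image.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the detector section copied from the log above.
SAMPLE_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x8AE02AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f58cb8
\Driver\atapi -> 0x8a8182c0
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
ParseProcedure -> ntkrnlpa.exe @ 0x80577896
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578c34
ParseProcedure -> ntkrnlpa.exe @ 0x80577896
NDIS: Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4) -> SendCompleteHandler -> NDIS.sys @ 0xb9da8af9
PacketIndicateHandler -> NDIS.sys @ 0xb9db3b21
SendHandler -> NDIS.sys @ 0xb9da8938
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

RESOLVED_RE = re.compile(r"(?P<module>\S+) @ (?P<addr>0x[0-9A-Fa-f]+)$")
BARE_ADDR_RE = re.compile(r"0x[0-9A-Fa-f]+$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class Hook:
    chain: str              # what was hooked, e.g. r"\Driver\atapi"
    module: Optional[str]   # image the target resolves to; None if bare address
    addr: int

    @property
    def resolved(self) -> bool:
        return self.module is not None


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one 'X -> [Y ->] MODULE @ 0xADDR' or 'X -> 0xADDR' line."""
    chain, sep, target = line.rpartition(" -> ")
    if not sep:
        return None
    m = RESOLVED_RE.fullmatch(target)
    if m:
        return Hook(chain, m["module"], int(m["addr"], 16))
    if BARE_ADDR_RE.fullmatch(target):
        return Hook(chain, None, int(target, 16))
    return None


def triage(log: str) -> dict:
    """Return the parsed hooks plus the indicators an analyst would flag."""
    hooks, unknown_modules, warning = [], [], False
    in_hooks = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            unknown_modules += [int(a, 16) for a in UNKNOWN_RE.findall(line)]
        elif line.startswith("Warning:"):
            warning = True
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif in_hooks:
            hook = parse_hook(line)
            if hook is None:
                in_hooks = False   # first non-hook line ends the section
            else:
                hooks.append(hook)
    unresolved = [h.chain for h in hooks if not h.resolved]
    return {
        "hooks": hooks,
        "unresolved_hooks": unresolved,
        "unknown_modules": unknown_modules,
        "warning": warning,
        # Suspicious when anything points into code with no named image behind it.
        "suspicious": bool(unresolved or unknown_modules),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for h in report["hooks"]:
        status = "ok  " if h.resolved else "FLAG"
        print(f"{status} {h.chain} -> {h.module or '<no image>'} @ {h.addr:#010x}")
    print("unknown stack modules:", [f"{a:#010x}" for a in report["unknown_modules"]])
    print("suspicious:", report["suspicious"])
```

A resolved target is not proof of anything benign (the module name is only what the detector could map the address to), so the script narrows the list rather than clearing it.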

#19 sempai
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 30 April 2010 - 09:02 PM

Hi,

Something is not right with your Atapi.sys.

Daemon tools/software can sometimes be detected as a rootkit and can interfere with our tools while we clean your PC. Can you please temporarily uninstall the following? You can reinstall them once we're done:
  1. PowerISO
  2. Alcohol Soft
  3. DAEMON Tools Pro



+++++++++++++++++++++++++++++++++


1. Click Start > Run > copy/paste the bolded text below > press Enter. A text file will pop up, please post the contents of that file.
"C:\Qoobox\Add-Remove Programs.txt" > uninstall.txt& start uninstall.txt



2. Please go to http://virscan.org/
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    c:\program files\Cheat Engine\dbk32.sys
    c:\documents and settings\HENIL\Desktop\Disk_Drove_UCE\Disk Drove UCE\disk_1024.sys
    C:\Program Files\ie_ko.exe
    C:\Documents and Settings\HENIL\My Documents\LostSaga_ActiveX_Setup.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) and ASAP (Alliance of Security Analysis Professionals)

#20 heniljain
  • Topic Starter
  • Members
  • 20 posts

Posted 30 April 2010 - 10:05 PM

The scan for Cheat Engine and Disk Drove UCE didn't work because the file couldn't be found. I did a personal check and I couldn't find those files either, so I guess ComboFix might have messed up? Anyways, the logs for the other 2 files are here:

VirSCAN.org Scanned Report :
Scanned time : 2010/04/30 21:47:44 (CDT)
Scanner results: Scanners did not find malware!
File Name : LostSaga_ActiveX_Setup.exe
File Size : 370480 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : ed462c4c64a7746efc46b9f411b35e59
SHA1 : 9dd5032c0532cb5108fb0025b465663ce8563a38
Online report : http://virscan.org/report/efe58bd9be5409e1...6d56e587ae.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100501070118 2010-05-01 40.12 -
AhnLab V3 2010.04.30.02 2010.04.30 2010-04-30 40.12 -
AntiVir 8.2.1.224 7.10.7.16 2010-04-30 0.31 -
Antiy 2.0.18 20100429.4301541 2010-04-29 0.12 -
Arcavir 2009 201004291451 2010-04-29 0.28 -
Authentium 5.1.1 201004302217 2010-04-30 1.37 -
AVAST! 4.7.4 100430-1 2010-04-30 0.07 -
AVG 8.5.793 271.1.1/2846 2010-05-01 1.25 -
BitDefender 7.81008.5692627 7.31453 2010-05-01 3.84 -
ClamAV 0.95.3 10884 2010-05-01 0.21 -
Comodo 3.13.579 4723 2010-04-30 40.13 -
CP Secure 1.3.0.5 2010.04.30 2010-04-30 0.09 -
Dr.Web 5.0.2.3300 2010.05.01 2010-05-01 7.16 -
F-Prot 4.4.4.56 20100430 2010-04-30 1.37 -
F-Secure 7.02.73807 2010.04.30.12 2010-04-30 0.66 -
Fortinet 4.0.14 11.761 2010-04-30 40.12 -
GData 21.61/21.22 20100501 2010-05-01 40.13 -
ViRobot 20100430 2010.04.30 2010-04-30 40.12 -
Ikarus T3.1.01.80 2010.04.30.75753 2010-04-30 9.89 -
JiangMin 13.0.900 2010.04.29 2010-04-29 40.12 -
Kaspersky 5.5.10 2010.04.30 2010-04-30 0.52 -
KingSoft 2009.2.5.15 2010.4.30.22 2010-04-30 40.13 -
McAfee 5400.1158 5968 2010-04-30 0.02 -
Microsoft 1.5703 2010.05.01 2010-05-01 40.13 -
Norman 6.04.12 6.04.00 2010-04-29 4.00 -
Panda 9.05.01 2010.04.30 2010-04-30 40.13 -
Trend Micro 9.120-1004 7.138.15 2010-04-30 0.14 -
Quick Heal 10.00 2010.04.29 2010-04-29 40.13 -
Rising 20.0 22.45.04.03 2010-04-30 40.13 -
Sophos 3.06.0 4.52 2010-05-01 3.70 -
Sunbelt 3.9.2418.2 6242 2010-04-30 40.13 -
Symantec 1.3.0.24 20100430.003 2010-04-30 0.13 -
nProtect 20100429.01 8053525 2010-04-29 40.13 -
The Hacker 6.5.2.0 v00274 2010-04-29 40.13 -
VBA32 3.12.12.4 20100429.2024 2010-04-29 5.46 -
VirusBuster 4.5.11.10 10.126.9/2000197 2010-04-30 3.16 -




VirSCAN.org Scanned Report :
Scanned time : 2010/04/30 21:41:13 (CDT)
Scanner results: Scanners did not find malware!
File Name : ie_ko.exe
File Size : 2032792 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 80f5bad793fcf75c29697650fe038497
SHA1 : a66f014a1961e7f7375b06e769fea9ad30fb245f
Online report : http://virscan.org/report/59535c2f6f3cb6b6...3109a8bdbf.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100501070118 2010-05-01 5.69 -
AhnLab V3 2010.04.30.02 2010.04.30 2010-04-30 2.49 -
AntiVir 8.2.1.224 7.10.7.16 2010-04-30 1.01 -
Antiy 2.0.18 20100429.4301541 2010-04-29 0.12 -
Arcavir 2009 201004291451 2010-04-29 0.26 -
Authentium 5.1.1 201004302217 2010-04-30 1.40 -
AVAST! 4.7.4 100430-1 2010-04-30 0.35 -
AVG 8.5.793 271.1.1/2846 2010-05-01 0.28 -
BitDefender 7.81008.5692627 7.31453 2010-05-01 4.09 -
ClamAV 0.95.3 10884 2010-05-01 0.72 -
Comodo 3.13.579 4723 2010-04-30 5.44 -
CP Secure 1.3.0.5 2010.04.30 2010-04-30 1.33 -
Dr.Web 5.0.2.3300 2010.05.01 2010-05-01 15.00 -
F-Prot 4.4.4.56 20100430 2010-04-30 2.21 -
F-Secure 7.02.73807 2010.04.30.12 2010-04-30 0.85 -
Fortinet 4.0.14 11.761 2010-04-30 4.60 -
GData 21.61/21.22 20100501 2010-05-01 28.88 -
ViRobot 20100430 2010.04.30 2010-04-30 1.71 -
Ikarus T3.1.01.80 2010.04.30.75753 2010-04-30 6.08 -
JiangMin 13.0.900 2010.04.29 2010-04-29 4.00 -
Kaspersky 5.5.10 2010.04.30 2010-04-30 0.38 -
KingSoft 2009.2.5.15 2010.4.30.22 2010-04-30 4.37 -
McAfee 5400.1158 5968 2010-04-30 0.02 -
Microsoft 1.5703 2010.05.01 2010-05-01 22.48 -
Norman 6.04.12 6.04.00 2010-04-29 4.00 -
Panda 9.05.01 2010.04.30 2010-04-30 25.13 -
Trend Micro 9.120-1004 7.138.15 2010-04-30 0.10 -
Quick Heal 10.00 2010.04.29 2010-04-29 9.02 -
Rising 20.0 22.45.04.03 2010-04-30 40.13 -
Sophos 3.06.0 4.52 2010-05-01 3.97 -
Sunbelt 3.9.2418.2 6242 2010-04-30 40.12 -
Symantec 1.3.0.24 20100430.003 2010-04-30 0.12 -
nProtect 20100429.01 8053525 2010-04-29 40.12 -
The Hacker 6.5.2.0 v00274 2010-04-29 40.46 -
VBA32 3.12.12.4 20100429.2024 2010-04-29 3.45 -
VirusBuster 4.5.11.10 10.126.9/2000197 2010-04-30 4.36 -


#21 heniljain
  • Topic Starter
  • Members
  • 20 posts

Posted 30 April 2010 - 10:19 PM

OK, so the removal of DAEMON Tools Pro and Alcohol Soft was unsuccessful, because their uninstallers didn't work. Do you think I should just physically delete them?

here is the uninstaller report:


로스트사가
로스트사가 ActiveX
µTorrent
32 Bit HP CIO Components Installer
Acrobat.com
Adobe Acrobat 4.0
Adobe After Effects CS4
Adobe After Effects CS4 Presets
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color Video Profiles AE CS4
Adobe Common File Installer
Adobe Default Language CS4
Adobe Device Central CS3
Adobe Device Central CS4
Adobe Download Manager
Adobe Dynamiclink Support
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe MotionPicture Color Files CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS2
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Reader 9.1
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Adobe XMP Panels CS4
AdobeColorCommonSetRGB
AIO_Scan
AirPlus G
AllToAVI v4 r5394
ANIO Service
ANIWZCS2 Service
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AusLogics Disk Defrag
AutoUpdate
AV Voice Changer Software DIAMOND 6.0
BCC AE Swish Pan 6
Bonjour
Browser Defender 2.0.6.15
BufferChm
Burn My Files
Cheat Engine 5.5
Citrix Presentation Server Client
CodeBaby Player (Remove Only) 1.0.2.19
Compatibility Pack for the 2007 Office system
Copy
CustomerResearchQFolder
DAO 3.5
Debut Video Capture Software
Destinations
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
Dragonica Online
DYNASTY WARRIORS 6
ERUNT 1.1j
eSupportQFolder
F4100
F4100_Help
ffdshow [rev 2527] [2008-12-19]
FileOpen Client Installer
Fraps (remove only)
FreeRIP v3.091
Game Vindicator
GameHouse
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Gothic III
GoToMeeting 4.1.0.366
Heroes of Might and Magic V
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB919880)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Customer Participation Program 8.0
HP Deskjet All-In-One Software 8.0
HP Imaging Device Functions 8.0
HP Photosmart Essential
HP Smart Web Printing 1.0
HP Solution Center 8.0
HP Update
HPProductAssistant
HPSSupply
iTunes
Java™ 6 Update 13
Java™ 6 Update 7
Jet Bingo
Korean Language Support
LimeWire PRO 4.18.8
Lost Saga
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office 2003 Web Components
Microsoft Office Word Viewer 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Applications - ENU
Microsoft Windows Journal Viewer
MilkShape 3D 1.8.4
Mozilla Firefox (3.5.9)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Multisim 2001 Textbook Edition
Multisim sample circuits
MySQL Server 5.1
NVIDIA Drivers
NVIDIA PhysX v8.09.04
OGPlanet Game Launcher
OpenOffice.org Installer 1.0
Pen Tablet
Photoshop Camera Raw
Picture Package
Pixel Bender Toolkit
PowerISO
PrimoPDF -- by Nitro PDF Software
Prism Video Converter
Project64 1.6
PSpice Student 9.1
QuickTime
Realtek AC'97 Audio
Recordpad
Rumble Fighter
Runtime Files Pack 3
Samsung SCX-4200 Series
Scan
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Skype Toolbars
Skype 4.2
SolidWorks 2009 SP03
SolutionCenter
Sony USB Driver
SpeedFan (remove only)
SplitCam
Spyware Doctor 7.0
SQLyog Community 7.12
StarCraft II Beta
Status
Suite Shared Configuration CS4
SUPERAntiSpyware Free Edition
Switch Sound File Converter
Toolbox
Tortun 0.8
TrayApp
UltraVNC 1.0.8.2
UnloadSupport
UNO® - Undercover™
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Ventrilo Client
VeohTV BETA
VeryPDF PDF Editor v2.3
Visual Basic 4 Runtime Files
VLC media player 1.0.5
WebFldrs XP
WebReg
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows XP Service Pack 2
WinRAR archiver
World of Warcraft
XileROFull
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.1 final uninstall
Yahoo! Messenger
Yahoo! Toolbar
YV12 QuickTime Codec
ZBrush3

#22 sempai
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 30 April 2010 - 10:45 PM

QUOTE
OK, so the removal of DAEMON Tools Pro and Alcohol Soft was unsuccessful, because their uninstallers didn't work. Do you think I should just physically delete them?

You can try using Revo uninstaller => http://www.revouninstaller.com/

QUOTE
here is the uninstaller report:

로스트사가
로스트사가 ActiveX
Do you recognize these two?


+++++++++++++++++++++++


P2P Warning:
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent/LimeWire).

These programmes allow users to share files between each other, as the name suggests. In today's world cybercrime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus best used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries over the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



+++++++++++++++++++++++


I don't see an Anti Virus Program running on your machine
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir

    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Edited by sempai, 30 April 2010 - 11:00 PM.

~Semp


#23 heniljain
  • Topic Starter
  • Members
  • 20 posts

Posted 30 April 2010 - 11:28 PM

Yeah, those two files are for a game I play. It's in a different language so it shows up all weird; it's called lostsaga. Safe game.
Okay, I will install antivirus software.
Anything else I need to do? Is my atapi.sys file corrupted?

EDIT: I don't use LimeWire or uTorrent anymore. I used to last year, but I read about the problems online so I stopped using them. Thanks for the warning.

Edited by heniljain, 30 April 2010 - 11:30 PM.


#24 sempai
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 30 April 2010 - 11:35 PM

QUOTE
anything else i need to do? Is my atapi.sys file corrupted?

I can't really tell, but the log is showing abnormal behavior of atapi.sys. Please remove the Daemon tools/software so we can continue. Thanks.
~Semp


#25 heniljain
  • Topic Starter
  • Members
  • 20 posts

Posted 01 May 2010 - 11:45 AM

Okay, so I uninstalled them, but they still don't show up on the uninstall.txt:


로스트사가
로스트사가 ActiveX
µTorrent
32 Bit HP CIO Components Installer
Acrobat.com
Adobe Acrobat 4.0
Adobe After Effects CS4
Adobe After Effects CS4 Presets
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color Video Profiles AE CS4
Adobe Common File Installer
Adobe Default Language CS4
Adobe Device Central CS3
Adobe Device Central CS4
Adobe Download Manager
Adobe Dynamiclink Support
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe MotionPicture Color Files CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS2
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Reader 9.1
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Adobe XMP Panels CS4
AdobeColorCommonSetRGB
AIO_Scan
AirPlus G
AllToAVI v4 r5394
ANIO Service
ANIWZCS2 Service
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AusLogics Disk Defrag
AutoUpdate
AV Voice Changer Software DIAMOND 6.0
BCC AE Swish Pan 6
Bonjour
Browser Defender 2.0.6.15
BufferChm
Burn My Files
Cheat Engine 5.5
Citrix Presentation Server Client
CodeBaby Player (Remove Only) 1.0.2.19
Compatibility Pack for the 2007 Office system
Copy
CustomerResearchQFolder
DAO 3.5
Debut Video Capture Software
Destinations
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
Dragonica Online
DYNASTY WARRIORS 6
ERUNT 1.1j
eSupportQFolder
F4100
F4100_Help
ffdshow [rev 2527] [2008-12-19]
FileOpen Client Installer
Fraps (remove only)
FreeRIP v3.091
Game Vindicator
GameHouse
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Gothic III
GoToMeeting 4.1.0.366
Heroes of Might and Magic V
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB919880)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Customer Participation Program 8.0
HP Deskjet All-In-One Software 8.0
HP Imaging Device Functions 8.0
HP Photosmart Essential
HP Smart Web Printing 1.0
HP Solution Center 8.0
HP Update
HPProductAssistant
HPSSupply
iTunes
Java™ 6 Update 13
Java™ 6 Update 7
Jet Bingo
Korean Language Support
LimeWire PRO 4.18.8
Lost Saga
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office 2003 Web Components
Microsoft Office Word Viewer 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual Basic 2005 Express Edition - ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Express Edition - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Applications - ENU
Microsoft Windows Journal Viewer
MilkShape 3D 1.8.4
Mozilla Firefox (3.5.9)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Multisim 2001 Textbook Edition
Multisim sample circuits
MySQL Server 5.1
NVIDIA Drivers
NVIDIA PhysX v8.09.04
OGPlanet Game Launcher
OpenOffice.org Installer 1.0
Pen Tablet
Photoshop Camera Raw
Picture Package
Pixel Bender Toolkit
PowerISO
PrimoPDF -- by Nitro PDF Software
Prism Video Converter
Project64 1.6
PSpice Student 9.1
QuickTime
Realtek AC'97 Audio
Recordpad
Rumble Fighter
Runtime Files Pack 3
Samsung SCX-4200 Series
Scan
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Skype Toolbars
Skype 4.2
SolidWorks 2009 SP03
SolutionCenter
Sony USB Driver
SpeedFan (remove only)
SplitCam
Spyware Doctor 7.0
SQLyog Community 7.12
StarCraft II Beta
Status
Suite Shared Configuration CS4
SUPERAntiSpyware Free Edition
Switch Sound File Converter
Toolbox
Tortun 0.8
TrayApp
UltraVNC 1.0.8.2
UnloadSupport
UNO® - Undercover™
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Ventrilo Client
VeohTV BETA
VeryPDF PDF Editor v2.3
Visual Basic 4 Runtime Files
VLC media player 1.0.5
WebFldrs XP
WebReg
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows XP Service Pack 2
WinRAR archiver
World of Warcraft
XileROFull
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.1 final uninstall
Yahoo! Messenger
Yahoo! Toolbar
YV12 QuickTime Codec
ZBrush3

Anyways, I think they are completely gone from my system... so what next, sempai?

#26 sempai

Posted 01 May 2010 - 11:56 AM

We need to execute a ComboFix script. (Tutorials on how to disable your antivirus and anti-malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
KillAll::

File::
c:\documents and settings\HENIL\o.dat
c:\windows\Gpayuqejako.dat
c:\windows\Tvabafida.bin
C:\Adobe CS4 Master Collection_ACTIVATION PATCH by P!mPdOG.ExE

Folder::
c:\documents and settings\HENIL\Local Settings\Application Data\drgqjjfsu

DirLook::
C:\Documents and Settings\All Users\Application Data\IJr7hXvRY2
C:\Documents and Settings\HENIL\Local Settings\Application Data\IGI4W75

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]


4. Save this as CFScript.txt, in the same location as ComboFix.exe

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I haven't replied within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) and ASAP (Alliance of Security Analysis Professionals)
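
Before a script like the one above is dragged onto ComboFix, it is worth seeing exactly what it asks the tool to do. The parser below is an added example, not ComboFix's own code or anything posted in this thread: it walks the section headers a CFScript uses (KillAll::, File::, Folder::, DirLook::, Registry::, RegLock::) and the regedit-style value lines under Registry::, and turns them into a reviewable action list. The embedded sample is an abridged copy of the script from the post; key paths such as `HKLM\~\...` are kept verbatim rather than expanded.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the CFScript posted in the thread.
CFSCRIPT = r"""KillAll::
File::
c:\documents and settings\HENIL\o.dat
c:\windows\Gpayuqejako.dat
Folder::
c:\documents and settings\HENIL\Local Settings\Application Data\drgqjjfsu
DirLook::
C:\Documents and Settings\All Users\Application Data\IJr7hXvRY2
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # e.g. "File::"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")               # "[-KEY]" means delete the key
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')           # regedit-style "name"=data
KNOWN = {"KillAll", "File", "Folder", "DirLook", "Registry", "RegLock"}


@dataclass
class Plan:
    kill_all: bool = False
    delete_files: list = field(default_factory=list)
    delete_folders: list = field(default_factory=list)
    list_dirs: list = field(default_factory=list)
    registry_set: list = field(default_factory=list)     # (key, name, type, value)
    registry_delete: list = field(default_factory=list)  # (key, name); name None = whole key
    lock_keys: list = field(default_factory=list)
    unknown_sections: list = field(default_factory=list)


def parse_reg_value(raw):
    """Decode the right-hand side of a regedit line into (type, value)."""
    if raw == "-":                                   # "-" deletes the value
        return ("delete", None)
    if raw.lower().startswith("dword:"):             # 8 hex digits
        return ("REG_DWORD", int(raw[6:], 16))
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':   # quoted string
        return ("REG_SZ", raw[1:-1])
    return ("raw", raw)                              # hex(b): etc. left undecoded


def parse_cfscript(text):
    """Walk the script line by line; a 'Name::' header switches the current section."""
    plan, section, key = Plan(), None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            if section == "KillAll":
                plan.kill_all = True
            elif section not in KNOWN:
                plan.unknown_sections.append(section)
            continue
        if section == "File":
            plan.delete_files.append(line)
        elif section == "Folder":
            plan.delete_folders.append(line)
        elif section == "DirLook":
            plan.list_dirs.append(line)
        elif section == "RegLock":
            k = KEY_RE.match(line)
            if k:
                plan.lock_keys.append(k.group(2))
        elif section == "Registry":
            k = KEY_RE.match(line)
            if k:
                key = k.group(2)
                if k.group(1) == "-":
                    plan.registry_delete.append((key, None))
                continue
            v = VALUE_RE.match(line)
            if v and key:
                kind, value = parse_reg_value(v.group(2).strip())
                if kind == "delete":
                    plan.registry_delete.append((key, v.group(1)))
                else:
                    plan.registry_set.append((key, v.group(1), kind, value))
    return plan


def summarize(plan):
    """One human-readable line per action, for review before the script is run."""
    out = ["KillAll: terminate running processes first"] if plan.kill_all else []
    out += [f"delete file:   {p}" for p in plan.delete_files]
    out += [f"delete folder: {p}" for p in plan.delete_folders]
    out += [f"list dir:      {p}" for p in plan.list_dirs]
    out += [f"set {kind} {k}\\{n} = {v}" for k, n, kind, v in plan.registry_set]
    out += [f"delete key:    {k}" if n is None else f"delete value:  {k}\\{n}"
            for k, n in plan.registry_delete]
    out += [f"lock key:      {k}" for k in plan.lock_keys]
    out += [f"UNKNOWN section, review by hand: {s}" for s in plan.unknown_sections]
    return out
```

Running `print("\n".join(summarize(parse_cfscript(CFSCRIPT))))` lists the two file deletions, the folder deletion, the directory listing, the two Security Center override values being reset to 0, the firewall notification override being removed, and the one key being locked.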

#27 heniljain

Posted 01 May 2010 - 02:05 PM

Okay, so when I ran ComboFix by doing what you said (dragging and dropping that CFScript.txt), it said 'warning, CD emulators are running' or something like that, and then it restarted the comp; then on reboot it said 'sensed rootkit activity' and reset the comp again, and then on the next reboot it said once again 'warning, CD emulators are running', and then finally on the fourth reboot it worked without any warnings... so just updating you on what happened.

here's the log:

ComboFix 10-05-01.01 - HENIL 05/01/2010 13:54:48.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2538 [GMT -4:00]
Running from: c:\documents and settings\HENIL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HENIL\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"C:\Adobe CS4 Master Collection_ACTIVATION PATCH by P!mPdOG.ExE"
"c:\documents and settings\HENIL\o.dat"
"c:\windows\Gpayuqejako.dat"
"c:\windows\Tvabafida.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HENIL\Local Settings\Application Data\drgqjjfsu
c:\documents and settings\HENIL\Local Settings\Application Data\drgqjjfsu\ihsgsimtssd.exe
c:\documents and settings\HENIL\o.dat
c:\program files\WindowsUpdate
c:\windows\Gpayuqejako.dat
c:\windows\Tvabafida.bin

Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-05-01 16:35 . 2010-05-01 17:43 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\Conduit
2010-05-01 16:35 . 2010-05-01 16:37 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\free-downloads.net
2010-05-01 16:35 . 2010-05-01 16:35 -------- d-----w- c:\program files\free-downloads.net
2010-05-01 16:34 . 2010-05-01 16:34 -------- d-----w- c:\program files\Alcohol Soft
2010-05-01 16:29 . 2010-05-01 16:29 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-01 06:06 . 2010-05-01 06:06 -------- d-----w- c:\program files\Easy Uninstaller
2010-05-01 05:37 . 2010-05-01 05:37 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\VS Revo Group
2010-05-01 05:33 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-01 05:33 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-01 05:33 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-01 05:33 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-01 05:33 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-01 05:33 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-01 05:33 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-01 05:33 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-01 05:33 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-01 05:33 . 2010-05-01 05:33 -------- d-----w- c:\program files\Alwil Software
2010-05-01 05:33 . 2010-05-01 05:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-30 02:04 . 2010-04-30 02:04 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\Threat Expert
2010-04-30 01:43 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-30 01:43 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-30 01:43 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-30 01:43 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-30 01:43 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-30 01:43 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-30 01:42 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-30 01:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-30 01:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-30 01:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-30 01:42 . 2010-04-30 18:15 -------- d-----w- c:\program files\Spyware Doctor
2010-04-30 01:42 . 2010-04-30 01:42 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-30 01:42 . 2010-04-30 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-30 01:42 . 2010-04-30 01:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-04-29 20:45 . 2010-04-29 20:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-04-29 19:42 . 2010-04-30 18:53 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-04-29 18:32 . 2010-05-01 18:05 -------- d-----w- c:\documents and settings\HENIL\Application Data\WTablet
2010-04-29 18:31 . 2004-08-04 02:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-29 18:31 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-29 18:31 . 2007-02-16 00:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2010-04-29 18:31 . 2008-01-15 20:11 13480 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2010-04-29 18:31 . 2007-02-16 19:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2010-04-29 18:31 . 2010-04-29 18:31 -------- d-----w- c:\windows\system32\WTablet
2010-04-29 18:31 . 2008-03-17 20:14 15144 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2010-04-29 18:31 . 2008-05-01 22:23 181544 ------w- c:\windows\system32\Wintab32.dll
2010-04-29 18:31 . 2008-05-01 22:33 128296 ------w- c:\windows\system32\Pen_Tablet.dll
2010-04-29 18:31 . 2008-05-01 22:40 3032360 ------w- c:\windows\system32\Pen_Tablet.exe
2010-04-29 18:31 . 2010-04-29 18:31 -------- d-----w- c:\program files\Tablet
2010-04-29 16:48 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 16:48 . 2010-04-29 16:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 16:48 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 18:52 . 2010-04-28 18:52 -------- d-----w- c:\program files\NOS
2010-04-28 18:46 . 2010-04-28 18:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2010-04-28 06:35 . 2010-04-23 13:30 552448 ----a-r- C:\OTLPE.exe
2010-04-28 06:32 . 2004-08-04 02:59 95360 ----a-w- C:\atapi.sys
2010-04-24 20:11 . 2010-04-24 20:38 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\bkup
2010-04-24 19:38 . 2010-04-24 19:38 -------- d--h--w- c:\windows\PIF
2010-04-18 14:33 . 2002-03-25 22:44 722192 ----a-w- c:\windows\system32\VB40032.DLL
2010-04-18 14:33 . 2002-03-25 22:44 60416 ----a-w- c:\windows\ST4UNST.EXE
2010-04-18 00:11 . 2010-04-30 04:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-18 00:11 . 2010-04-18 00:11 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-18 00:11 . 2010-04-18 00:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
2010-04-18 00:11 . 2010-04-22 07:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-16 21:28 . 2010-04-24 18:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
2010-04-08 17:02 . 2010-04-24 18:01 -------- d-----w- c:\documents and settings\HENIL\Application Data\skypePM
2010-04-08 17:02 . 2010-04-08 17:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-08 17:01 . 2010-04-24 23:33 -------- d-----w- c:\documents and settings\HENIL\Application Data\Skype
2010-04-08 17:01 . 2010-04-08 17:01 -------- d-----w- c:\program files\Common Files\Skype
2010-04-08 17:01 . 2010-04-08 17:01 -------- d-----r- c:\program files\Skype
2010-04-08 17:01 . 2010-04-08 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 18:05 . 2009-05-08 15:18 117760 ----a-w- c:\documents and settings\HENIL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-01 18:04 . 2008-10-25 18:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-01 06:10 . 2009-05-08 15:56 -------- d-----w- c:\program files\Cheat Engine
2010-04-28 18:53 . 2009-08-11 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-28 18:50 . 2010-02-10 03:34 -------- d-----w- c:\documents and settings\HENIL\Application Data\Paltalk
2010-04-28 18:45 . 2008-09-20 13:30 -------- d-----w- c:\program files\Java
2010-04-28 18:45 . 2010-04-28 18:45 152576 ----a-w- c:\documents and settings\HENIL\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2010-04-25 15:54 . 2009-11-24 22:16 -------- d-----w- c:\program files\OGPlanet
2010-04-24 23:54 . 2009-10-14 13:17 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-24 23:30 . 2009-10-14 12:51 -------- d-----w- c:\documents and settings\HENIL\Application Data\IM
2010-04-24 09:10 . 2010-02-22 04:48 43526 ----a-w- c:\windows\system32\lsUninstall.exe
2010-04-22 15:19 . 2008-09-19 18:14 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-04-21 19:12 . 2010-03-01 16:56 -------- d-----w- c:\documents and settings\HENIL\Application Data\vlc
2010-04-21 04:27 . 2009-05-08 15:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-14 13:05 . 2009-10-14 21:07 -------- d-----w- c:\program files\Google
2010-04-05 00:38 . 2010-02-22 05:05 -------- d-----w- c:\program files\LostSaga
2010-04-01 00:41 . 2010-04-01 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-29 12:53 . 2010-04-28 18:52 32576 ----a-w- c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-29 12:53 . 2010-04-28 18:52 29984 ----a-w- c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-03-13 17:16 . 2009-05-24 04:52 -------- d-----w- c:\documents and settings\HENIL\Application Data\Apple Computer
2010-03-08 00:41 . 2010-03-07 22:38 -------- d-----w- c:\program files\igowin
2010-03-04 12:12 . 2008-10-06 04:18 -------- d-----w- c:\documents and settings\HENIL\Application Data\uTorrent
2010-03-01 06:09 . 2008-08-27 16:32 48960 ----a-w- c:\documents and settings\HENIL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-28 19:36 . 2010-02-28 19:35 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2010-02-23 17:07 . 2010-02-23 17:07 2032792 ----a-w- c:\program files\ie_ko.exe
2010-02-22 04:57 . 2010-02-22 04:57 370480 ----a-w- c:\program files\LostSaga_ActiveX_Setup.exe
2010-02-22 04:52 . 2010-02-22 04:52 370480 ----a-w- C:\LostSaga_ActiveX_Setup.exe
2010-02-17 06:11 . 2010-02-17 06:11 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-17 06:02 . 2010-02-17 06:02 53248 ----a-w- c:\windows\PSEXESVC.EXE
2010-02-17 05:57 . 2010-02-17 05:57 388608 ----a-w- c:\windows\system32\CF31964.exe
2010-02-17 05:11 . 2010-02-17 05:11 20 ----a-w- c:\documents and settings\NetworkService\Application Data\sgcpom.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\IJr7hXvRY2 ----


---- Directory of c:\documents and settings\HENIL\Local Settings\Application Data\IGI4W75 ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2009-12-31 15:53 2349080 ----a-w- c:\program files\free-downloads.net\tbfree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HENIL^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\HENIL\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2004-12-17 00:49 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 04:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
2005-03-18 11:34 1228800 ----a-w- c:\program files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 01:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2010-03-09 12:40 1286608 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-01-15 13:19 13680640 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-01-15 13:19 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-01-15 13:19 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2008-10-21 15:17 577540 ----a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
2008-08-27 02:13 536576 ----a-w- c:\windows\Samsung\PanelMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 06:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
2009-03-19 23:30 7308584 ----a-w- c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-10-14 21:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 14:18 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hpqcxs08"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"ANIWZCSdService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\HENIL\\My Documents\\Downloads\\[ PC Games ] - Age of Empires II(FULL)(3)\\empires2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\HENIL\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\OGPlanet\\LostSaga\\autoupgrade.exe"=
"d:\\Program Files\\OGPlanet\\LostSaga\\lostsaga.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\LostSaga\\autoupgrade.exe"=
"c:\\Program Files\\LostSaga\\lostsaga.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"d:\\Program Files\\StarCraft II Beta\\StarCraft II.exe"=
"d:\\Program Files\\StarCraft II Beta\\Versions\\Base14093\\SC2.exe"=
"d:\\Program Files\\StarCraft II Beta\\Versions\\Base14621\\SC2.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:MySQL Server
"43705:TCP"= 43705:TCP:uTorrent
"11606:TCP"= 11606:TCP:12skies
"11606:UDP"= 11606:UDP:12skies
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/29/2010 9:42 PM 218592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/1/2010 1:33 AM 162768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/1/2010 1:33 AM 19024]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/29/2010 9:43 PM 112592]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/29/2010 2:31 PM 3032360]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [4/29/2010 2:31 PM 15144]
S2 Apache2.2;Apache2.2;"c:\documents and settings\HENIL\Desktop\MaNGOS_3.0.2_Web_Repack\MaNGOS 3.0.2 Web Repack\AppServ\Apache2.2\bin\httpd.exe" -k runservice --> c:\documents and settings\HENIL\Desktop\MaNGOS_3.0.2_Web_Repack\MaNGOS 3.0.2 Web Repack\AppServ\Apache2.2\bin\httpd.exe [?]
S2 gupdate1c969ffccfc5c3c;Google Update Service (gupdate1c969ffccfc5c3c);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2009 12:43 AM 133104]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [3/22/2005 10:17 PM 450400]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [3/19/2009 11:31 AM 83240]
S3 DBKDRVR54;DBKDRVR54;\??\c:\program files\Cheat Engine\dbk32.sys --> c:\program files\Cheat Engine\dbk32.sys [?]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\HENIL\Desktop\Disk_Drove_UCE\Disk Drove UCE\disk_1024.sys --> c:\documents and settings\HENIL\Desktop\Disk_Drove_UCE\Disk Drove UCE\disk_1024.sys [?]
S3 icm12blk;Intel® PC Camera CS780 Image Storage;c:\windows\system32\drivers\icm12blk.sys [1/9/2010 1:51 PM 14184]
S3 icm12fil;Intel® CS780 Audio Filter Driver;c:\windows\system32\drivers\icm12fil.sys [1/9/2010 1:52 PM 16312]
S3 ICM12USB;Intel® PC Camera CS780;c:\windows\system32\drivers\ICM12USB.sys [1/9/2010 1:51 PM 428152]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/29/2010 9:42 PM 366840]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 --> c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/1/2010 12:29 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-10-14 23:23]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 04:42]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 04:42]

2010-05-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-19 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1098640&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - free-downloads.net Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT1098640&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrch.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGPPlugin.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {63EE1A13-B661-43D6-842B-121848C7AAF5} - c:\documents and settings\HENIL\Local Settings\Application Data\{63EE1A13-B661-43D6-842B-121848C7AAF5}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
MSConfigStartUp-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe
MSConfigStartUp-PWRISOVM - c:\program files\PowerISO\PWRISOVM.EXE
MSConfigStartUp-syrxumdk - c:\documents and settings\HENIL\Local Settings\Application Data\drgqjjfsu\ihsgsimtssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-01 14:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(680)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(196)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2010-05-01 14:13:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-01 18:13
ComboFix2.txt 2010-04-30 19:05
ComboFix3.txt 2010-02-17 23:16
ComboFix4.txt 2008-09-29 07:00

Pre-Run: 5,626,548,224 bytes free
Post-Run: 5,605,777,408 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - F605D3BA2D156FF4CA4328320FC46A7A


#28 sempai (noypi)
  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:49 PM

Posted 02 May 2010 - 12:06 AM

Hi,

QUOTE
Okay, so when I ran ComboFix by doing what you said (dragging and dropping that CFScript.txt), it said 'warning, CD emulators are running' or something like that,

This is the reason why I wanted you to uninstall the DAEMON Tools software.

+++++++++++++++++++++


1. We need to execute a ComboFix script. (Tutorials on how to disable your anti-virus and anti-malware programs can be found HERE.)
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the code box below into it:

CODE
File::
c:\windows\system32\XDva296.sys
c:\windows\system32\XDva332.sys
c:\windows\system32\XDva343.sys
C:\Documents and Settings\HENIL\Local Settings\Application Data\{63EE1A13-B661-43D6-842B-121848C7AAF5}

Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{63EE1A13-B661-43D6-842B-121848C7AAF5}"=-

Driver::
XDva296
XDva332
XDva343

  • Save this as CFScript.txt, in the same location as ComboFix.exe.
  • Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

2. Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.


~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I haven't replied within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) and ASAP (Alliance of Security Analysis Professionals)
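As an added example (not code from this thread or from ComboFix), a small Python checker that parses a CFScript of the shape posted above and flags the slips a helper would want to catch before a user drags the file onto ComboFix.exe: relative paths under File::/Folder::, Registry:: values with no [key] header, and Driver:: entries that are paths or have no matching .sys under File::. The four directive names are the ones that appear in the script above; the checks themselves are this example's own rules of thumb, not documented ComboFix requirements.

```python
"""Sanity checker for a ComboFix CFScript.txt of the shape used in this thread.

Added example, not code from this thread or from ComboFix. It recognises only the
four directives that appear in the script above (File::, Folder::, Registry::,
Driver::); every check below is the example author's own rule of thumb, not a
documented ComboFix requirement.
"""
import re

KNOWN_SECTIONS = {"File", "Folder", "Registry", "Driver"}

# Constructed input: the CFScript from the post above, copied verbatim.
SAMPLE_SCRIPT = r"""
File::
c:\windows\system32\XDva296.sys
c:\windows\system32\XDva332.sys
c:\windows\system32\XDva343.sys
C:\Documents and Settings\HENIL\Local Settings\Application Data\{63EE1A13-B661-43D6-842B-121848C7AAF5}

Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{63EE1A13-B661-43D6-842B-121848C7AAF5}"=-

Driver::
XDva296
XDva332
XDva343
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")        # e.g. "File::"
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")               # drive-letter absolute path
REG_KEY_RE = re.compile(r"^\[(HKLM|HKCU|HKEY_[A-Z_]+)\\.+\]$")
REG_VALUE_RE = re.compile(r'^"[^"]+"=(dword:[0-9A-Fa-f]{8}|-|".*")$')


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}; blank lines are ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        sections[current].append(line)
    return sections


def check_cfscript(sections):
    """Return a list of findings; an empty list means the script looks consistent."""
    findings = []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            findings.append(f"unknown directive {name}:: (not covered by this checker)")
    # File:: and Folder:: take absolute Windows paths, one per line.
    for name in ("File", "Folder"):
        for entry in sections.get(name, []):
            if not WIN_PATH_RE.match(entry):
                findings.append(f"{name}:: entry is not an absolute path: {entry}")
    # Registry:: is regedit-style: a [key] header, then "name"=value lines
    # (dword:XXXXXXXX sets a value, =- deletes it).
    key = None
    for entry in sections.get("Registry", []):
        if entry.startswith("["):
            if not REG_KEY_RE.match(entry):
                findings.append(f"Registry:: malformed key header: {entry}")
            key = entry
        elif key is None:
            findings.append(f"Registry:: value without a preceding [key]: {entry}")
        elif not REG_VALUE_RE.match(entry):
            findings.append(f"Registry:: value has unexpected syntax: {entry}")
    # Driver:: takes bare service names; the matching .sys should be listed
    # under File:: so the file goes away together with the service.
    sys_names = {e.rsplit("\\", 1)[-1][:-4].lower()
                 for e in sections.get("File", []) if e.lower().endswith(".sys")}
    for drv in sections.get("Driver", []):
        if "\\" in drv or drv.lower().endswith(".sys"):
            findings.append(f"Driver:: expects a service name, not a path: {drv}")
        elif drv.lower() not in sys_names:
            findings.append(f"Driver:: {drv} has no matching .sys under File::")
    return findings


if __name__ == "__main__":
    problems = check_cfscript(parse_cfscript(SAMPLE_SCRIPT))
    print("\n".join(problems) if problems else "CFScript looks consistent")
```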

#29 heniljain
  • Topic Starter
  • Members
  • 20 posts
  • Local time:06:49 AM

Posted 02 May 2010 - 01:06 AM

Alright!! Time for some updates for you, sempai.
First of all, no more pop-up tabs and no more random freezing of the computer (observed this since this morning).
Second, GMER actually worked this time, so wooot!
Third, here's the ComboFix log:

ComboFix 10-05-01.04 - HENIL 05/02/2010 1:20.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2558 [GMT -4:00]
Running from: c:\documents and settings\HENIL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HENIL\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\documents and settings\HENIL\Local Settings\Application Data\{63EE1A13-B661-43D6-842B-121848C7AAF5}"
"c:\windows\system32\XDva296.sys"
"c:\windows\system32\XDva332.sys"
"c:\windows\system32\XDva343.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HENIL\Local Settings\Application Data\{63EE1A13-B661-43D6-842B-121848C7AAF5}
c:\documents and settings\HENIL\Local Settings\Application Data\{63EE1A13-B661-43D6-842B-121848C7AAF5}\chrome.manifest
c:\documents and settings\HENIL\Local Settings\Application Data\{63EE1A13-B661-43D6-842B-121848C7AAF5}\chrome\content\_cfg.js
c:\documents and settings\HENIL\Local Settings\Application Data\{63EE1A13-B661-43D6-842B-121848C7AAF5}\chrome\content\overlay.xul
c:\documents and settings\HENIL\Local Settings\Application Data\{63EE1A13-B661-43D6-842B-121848C7AAF5}\install.rdf
c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar
c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar\cache.dat
c:\documents and settings\LocalService\Local Settings\Application Data\AskToolbar\config.xml

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA296
-------\Legacy_XDVA332
-------\Legacy_XDVA343
-------\Service_XDva296
-------\Service_XDva332
-------\Service_XDva343


((((((((((((((((((((((((( Files Created from 2010-04-02 to 2010-05-02 )))))))))))))))))))))))))))))))
.

2010-05-01 19:59 . 2010-05-01 19:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\free-downloads.net
2010-05-01 16:35 . 2010-05-01 17:43 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\Conduit
2010-05-01 16:35 . 2010-05-01 16:37 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\free-downloads.net
2010-05-01 16:35 . 2010-05-01 16:35 -------- d-----w- c:\program files\free-downloads.net
2010-05-01 16:34 . 2010-05-01 16:34 -------- d-----w- c:\program files\Alcohol Soft
2010-05-01 16:29 . 2010-05-01 16:29 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-01 06:06 . 2010-05-01 06:06 -------- d-----w- c:\program files\Easy Uninstaller
2010-05-01 05:37 . 2010-05-01 05:37 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\VS Revo Group
2010-05-01 05:33 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-01 05:33 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-01 05:33 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-01 05:33 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-01 05:33 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-01 05:33 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-01 05:33 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-01 05:33 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-01 05:33 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-01 05:33 . 2010-05-01 05:33 -------- d-----w- c:\program files\Alwil Software
2010-05-01 05:33 . 2010-05-01 05:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-30 02:04 . 2010-04-30 02:04 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\Threat Expert
2010-04-30 01:43 . 2010-01-22 13:56 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-30 01:43 . 2010-01-22 13:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-30 01:43 . 2010-01-22 13:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-30 01:43 . 2010-01-22 13:55 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-30 01:43 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-30 01:43 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-30 01:42 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-30 01:42 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-30 01:42 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-30 01:42 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-30 01:42 . 2010-04-30 18:15 -------- d-----w- c:\program files\Spyware Doctor
2010-04-30 01:42 . 2010-04-30 01:42 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-30 01:42 . 2010-04-30 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-30 01:42 . 2010-04-30 01:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2010-04-29 20:45 . 2010-04-29 20:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-04-29 19:42 . 2010-04-30 18:53 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-04-29 18:32 . 2010-05-02 05:28 -------- d-----w- c:\documents and settings\HENIL\Application Data\WTablet
2010-04-29 18:31 . 2004-08-04 02:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-04-29 18:31 . 2004-08-04 02:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-04-29 18:31 . 2007-02-16 00:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2010-04-29 18:31 . 2008-01-15 20:11 13480 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2010-04-29 18:31 . 2007-02-16 19:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2010-04-29 18:31 . 2010-04-29 18:31 -------- d-----w- c:\windows\system32\WTablet
2010-04-29 18:31 . 2008-03-17 20:14 15144 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2010-04-29 18:31 . 2008-05-01 22:23 181544 ------w- c:\windows\system32\Wintab32.dll
2010-04-29 18:31 . 2008-05-01 22:33 128296 ------w- c:\windows\system32\Pen_Tablet.dll
2010-04-29 18:31 . 2008-05-01 22:40 3032360 ------w- c:\windows\system32\Pen_Tablet.exe
2010-04-29 18:31 . 2010-04-29 18:31 -------- d-----w- c:\program files\Tablet
2010-04-29 16:48 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 16:48 . 2010-04-29 16:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 16:48 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 18:52 . 2010-04-28 18:52 -------- d-----w- c:\program files\NOS
2010-04-28 18:46 . 2010-04-28 18:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2010-04-28 06:35 . 2010-04-23 13:30 552448 ----a-r- C:\OTLPE.exe
2010-04-28 06:32 . 2004-08-04 02:59 95360 ----a-w- C:\atapi.sys
2010-04-24 20:11 . 2010-04-24 20:38 -------- d-----w- c:\documents and settings\HENIL\Local Settings\Application Data\bkup
2010-04-24 19:38 . 2010-04-24 19:38 -------- d--h--w- c:\windows\PIF
2010-04-18 14:33 . 2002-03-25 22:44 722192 ----a-w- c:\windows\system32\VB40032.DLL
2010-04-18 14:33 . 2002-03-25 22:44 60416 ----a-w- c:\windows\ST4UNST.EXE
2010-04-18 00:11 . 2010-04-30 04:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-18 00:11 . 2010-04-18 00:11 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-18 00:11 . 2010-04-18 00:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FileOpen
2010-04-18 00:11 . 2010-04-22 07:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-08 17:02 . 2010-04-24 18:01 -------- d-----w- c:\documents and settings\HENIL\Application Data\skypePM
2010-04-08 17:02 . 2010-04-08 17:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-04-08 17:01 . 2010-04-24 23:33 -------- d-----w- c:\documents and settings\HENIL\Application Data\Skype
2010-04-08 17:01 . 2010-04-08 17:01 -------- d-----w- c:\program files\Common Files\Skype
2010-04-08 17:01 . 2010-04-08 17:01 -------- d-----r- c:\program files\Skype
2010-04-08 17:01 . 2010-04-08 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-02 05:28 . 2009-05-08 15:18 117760 ----a-w- c:\documents and settings\HENIL\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-02 05:27 . 2008-10-25 18:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-01 06:10 . 2009-05-08 15:56 -------- d-----w- c:\program files\Cheat Engine
2010-04-28 18:53 . 2009-08-11 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-28 18:50 . 2010-02-10 03:34 -------- d-----w- c:\documents and settings\HENIL\Application Data\Paltalk
2010-04-28 18:45 . 2008-09-20 13:30 -------- d-----w- c:\program files\Java
2010-04-28 18:45 . 2010-04-28 18:45 152576 ----a-w- c:\documents and settings\HENIL\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2010-04-25 15:54 . 2009-11-24 22:16 -------- d-----w- c:\program files\OGPlanet
2010-04-24 23:54 . 2009-10-14 13:17 -------- d-----w- c:\program files\Windows Desktop Search
2010-04-24 23:30 . 2009-10-14 12:51 -------- d-----w- c:\documents and settings\HENIL\Application Data\IM
2010-04-24 09:10 . 2010-02-22 04:48 43526 ----a-w- c:\windows\system32\lsUninstall.exe
2010-04-22 15:19 . 2008-09-19 18:14 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-04-21 19:12 . 2010-03-01 16:56 -------- d-----w- c:\documents and settings\HENIL\Application Data\vlc
2010-04-21 04:27 . 2009-05-08 15:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-14 13:05 . 2009-10-14 21:07 -------- d-----w- c:\program files\Google
2010-04-05 00:38 . 2010-02-22 05:05 -------- d-----w- c:\program files\LostSaga
2010-04-01 00:41 . 2010-04-01 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-03-29 12:53 . 2010-04-28 18:52 32576 ----a-w- c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-03-29 12:53 . 2010-04-28 18:52 29984 ----a-w- c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-03-13 17:16 . 2009-05-24 04:52 -------- d-----w- c:\documents and settings\HENIL\Application Data\Apple Computer
2010-03-08 00:41 . 2010-03-07 22:38 -------- d-----w- c:\program files\igowin
2010-03-04 12:12 . 2008-10-06 04:18 -------- d-----w- c:\documents and settings\HENIL\Application Data\uTorrent
2010-03-01 06:09 . 2008-08-27 16:32 48960 ----a-w- c:\documents and settings\HENIL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-28 19:36 . 2010-02-28 19:35 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2010-02-23 17:07 . 2010-02-23 17:07 2032792 ----a-w- c:\program files\ie_ko.exe
2010-02-22 04:57 . 2010-02-22 04:57 370480 ----a-w- c:\program files\LostSaga_ActiveX_Setup.exe
2010-02-22 04:52 . 2010-02-22 04:52 370480 ----a-w- C:\LostSaga_ActiveX_Setup.exe
2010-02-17 06:11 . 2010-02-17 06:11 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-17 06:02 . 2010-02-17 06:02 53248 ----a-w- c:\windows\PSEXESVC.EXE
2010-02-17 05:57 . 2010-02-17 05:57 388608 ----a-w- c:\windows\system32\CF31964.exe
2010-02-17 05:11 . 2010-02-17 05:11 20 ----a-w- c:\documents and settings\NetworkService\Application Data\sgcpom.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2009-12-31 15:53 2349080 ----a-w- c:\program files\free-downloads.net\tbfree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\beep.sys]
@="beep"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HENIL^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\HENIL\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2004-12-17 00:49 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 04:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
2005-03-18 11:34 1228800 ----a-w- c:\program files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 01:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2010-03-09 12:40 1286608 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-01-15 13:19 13680640 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-01-15 13:19 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-01-15 13:19 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2008-10-21 15:17 577540 ----a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
2008-08-27 02:13 536576 ----a-w- c:\windows\Samsung\PanelMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-04-06 06:27 26102056 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
2009-03-19 23:30 7308584 ----a-w- c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-10-14 21:07 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-08-28 14:18 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hpqcxs08"=3 (0x3)
"COMSysApp"=3 (0x3)
"CiSvc"=3 (0x3)
"ANIWZCSdService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\HENIL\\My Documents\\Downloads\\[ PC Games ] - Age of Empires II(FULL)(3)\\empires2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\HENIL\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Program Files\\OGPlanet\\LostSaga\\autoupgrade.exe"=
"d:\\Program Files\\OGPlanet\\LostSaga\\lostsaga.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\LostSaga\\autoupgrade.exe"=
"c:\\Program Files\\LostSaga\\lostsaga.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"d:\\Program Files\\StarCraft II Beta\\StarCraft II.exe"=
"d:\\Program Files\\StarCraft II Beta\\Versions\\Base14093\\SC2.exe"=
"d:\\Program Files\\StarCraft II Beta\\Versions\\Base14621\\SC2.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:MySQL Server
"43705:TCP"= 43705:TCP:uTorrent
"11606:TCP"= 11606:TCP:12skies
"11606:UDP"= 11606:UDP:12skies
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/29/2010 9:42 PM 218592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/1/2010 1:33 AM 162768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/1/2010 1:33 AM 19024]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [4/29/2010 9:43 PM 112592]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [4/29/2010 2:31 PM 3032360]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [4/29/2010 2:31 PM 15144]
S2 Apache2.2;Apache2.2;"c:\documents and settings\HENIL\Desktop\MaNGOS_3.0.2_Web_Repack\MaNGOS 3.0.2 Web Repack\AppServ\Apache2.2\bin\httpd.exe" -k runservice --> c:\documents and settings\HENIL\Desktop\MaNGOS_3.0.2_Web_Repack\MaNGOS 3.0.2 Web Repack\AppServ\Apache2.2\bin\httpd.exe [?]
S2 gupdate1c969ffccfc5c3c;Google Update Service (gupdate1c969ffccfc5c3c);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2009 12:43 AM 133104]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [3/22/2005 10:17 PM 450400]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [3/19/2009 11:31 AM 83240]
S3 DBKDRVR54;DBKDRVR54;\??\c:\program files\Cheat Engine\dbk32.sys --> c:\program files\Cheat Engine\dbk32.sys [?]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\documents and settings\HENIL\Desktop\Disk_Drove_UCE\Disk Drove UCE\disk_1024.sys --> c:\documents and settings\HENIL\Desktop\Disk_Drove_UCE\Disk Drove UCE\disk_1024.sys [?]
S3 icm12blk;Intel® PC Camera CS780 Image Storage;c:\windows\system32\drivers\icm12blk.sys [1/9/2010 1:51 PM 14184]
S3 icm12fil;Intel® CS780 Audio Filter Driver;c:\windows\system32\drivers\icm12fil.sys [1/9/2010 1:52 PM 16312]
S3 ICM12USB;Intel® PC Camera CS780;c:\windows\system32\drivers\ICM12USB.sys [1/9/2010 1:51 PM 428152]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/29/2010 9:42 PM 366840]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 --> c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/1/2010 12:29 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-10-14 23:23]

2010-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 04:42]

2010-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-02 04:42]

2010-05-02 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-11-19 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1098640&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - free-downloads.net Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT1098640&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\HENIL\Application Data\Mozilla\Firefox\Profiles\no7l1sf4.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrch.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGPPlugin.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-02 01:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(672)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(1576)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-02 01:36:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-02 05:36
ComboFix2.txt 2010-05-01 18:13
ComboFix3.txt 2010-04-30 19:05
ComboFix4.txt 2010-02-17 23:16
ComboFix5.txt 2010-05-02 05:19

Pre-Run: 5,607,723,008 bytes free
Post-Run: 5,573,107,712 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A5F940B29B8F7C215A3C0EFCA7BB9E8D

#30 heniljain

heniljain
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:06:49 AM

Posted 02 May 2010 - 01:07 AM

double post...

Edited by heniljain, 02 May 2010 - 01:14 AM.




