Xgapsq61.exe


  • This topic is locked
8 replies to this topic

#1 LiamNZ (Members, 11 posts)

Posted 29 July 2008 - 11:07 PM

Hey.

xGapSq61.exe has been giving me trouble lately, and I've talked to your other staffers in the malware forum. After attempting to remove it a few times using FileASSASSIN etc., it keeps coming back.

Here's my log.

Deckard's System Scanner v20071014.68
Run by Liamz0r on 2008-07-30 16:04:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Liamz0r.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:21 p.m. - Liam, on 30/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\xGApSq61.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Liamz0r\Desktop\CrucialScan.exe
C:\Documents and Settings\Liamz0r\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Liamz0r.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\X03P5Qkh.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4101 bytes

-- Files created between 2008-06-30 and 2008-07-30 -----------------------------

2008-08-11 14:40:59 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\Templates
2008-08-11 14:40:48 0 dr------- C:\Documents and Settings\Guest\Start Menu
2008-08-11 14:40:48 0 dr-h----- C:\Documents and Settings\Guest\SendTo
2008-08-11 14:40:48 0 dr-h----- C:\Documents and Settings\Guest\Recent
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\PrintHood
2008-08-11 14:40:48 786432 --ah----- C:\Documents and Settings\Guest\ntuser.dat
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\NetHood
2008-08-11 14:40:48 0 dr------- C:\Documents and Settings\Guest\My Documents
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\Local Settings
2008-08-11 14:40:48 0 dr------- C:\Documents and Settings\Guest\Favorites
2008-08-11 14:40:48 0 d-------- C:\Documents and Settings\Guest\Desktop
2008-08-11 14:40:48 0 d---s---- C:\Documents and Settings\Guest\Cookies
2008-08-11 14:40:48 0 dr-h----- C:\Documents and Settings\Guest\Application Data
2008-08-11 14:40:48 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-07-30 16:03:17 0 d-------- C:\Program Files\Trend Micro
2008-07-29 22:12:51 35842 --a------ C:\WINDOWS\system32\xGApSq61.exe
2008-07-29 07:25:19 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-07-29 07:25:19 0 d-------- C:\WINDOWS\system32\CatRoot
2008-07-29 07:20:08 0 d--hs---- C:\found.000
2008-07-28 22:09:55 29184 --a------ C:\WINDOWS\system32\X03P5Qkh.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-07-27 16:46:21 333203 -rahs---- C:\bootmgr
2008-07-27 16:46:20 0 d--hs---- C:\Boot
2008-07-27 01:58:58 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Malwarebytes
2008-07-27 01:58:53 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-27 01:58:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 21:13:33 171136 -rahs---- C:\grldr
2008-07-26 21:13:33 0 d--hs---- C:\$RECYCLE.BIN
2008-07-26 20:04:59 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Nero
2008-07-26 20:03:46 0 d-------- C:\Program Files\Common Files\Nero
2008-07-26 12:00:23 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-07-26 11:47:39 0 dr-h----- C:\Documents and Settings\Liamz0r\Recent
2008-07-26 11:30:22 66048 --a------ C:\WINDOWS\ieResetIcons.exe <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-07-23 22:04:57 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-07-23 22:03:48 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-07-19 01:33:06 29760 --a------ C:\WINDOWS\system32\mXcV0RTO.exe
2008-07-14 18:31:50 4980736 --a------ C:\Documents and Settings\Liamz0r\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-30 16:00:39 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\OpenOffice.org2
2008-07-29 21:43:15 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\DNA
2008-07-28 07:10:36 0 d-------- C:\Program Files\Xfire
2008-07-27 23:46:18 0 d-------- C:\Program Files\Trillian
2008-07-27 07:58:54 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Xfire
2008-07-26 11:31:24 0 d-------- C:\Program Files\Windows Live
2008-07-26 11:28:22 0 d-------- C:\Program Files\Common Files
2008-07-21 07:20:39 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-21 07:20:39 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-18 00:27:23 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Adobe
2008-07-06 17:57:48 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\LimeWire
2008-07-06 10:48:23 0 d-------- C:\Program Files\LimeWire
2008-06-28 17:23:50 0 d-------- C:\Program Files\Winamp
2008-06-28 17:23:15 0 d-------- C:\Program Files\Miranda IM
2008-06-18 17:14:21 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Mozilla
2008-06-12 16:21:06 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Miranda
2008-06-01 12:32:21 0 d-------- C:\Program Files\Steam
2008-05-16 14:01:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-16 14:01:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-16 14:01:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-16 14:01:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-16 14:01:00 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2008-05-16 14:01:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-16 14:01:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-16 14:01:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-16 14:01:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99C6D1BB-7555-474C-91DA-D8FB62A9CC75}]
28/07/2008 10:09 p.m. - Liam 29184 --a------ C:\WINDOWS\system32\X03P5Qkh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [16/05/2008 02:01 p.m. - Liam]
"nwiz"="nwiz.exe" [16/05/2008 02:01 p.m. - Liam C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [22/12/2004 09:09 p.m. - Liam C:\WINDOWS\soundman.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/05/2008 04:09 p.m. - Liam]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [16/05/2008 02:01 p.m. - Liam]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Liamz0r^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Liamz0r\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
D:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-07-30 16:04:44 ------------


Thanks for the help.


#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 30 July 2008 - 03:14 PM

Hi,

You're infected with a password stealing Trojan, so you should change all your passwords afterwards.

Also, I need to see another log as well, as it gives more info, so please perform the following:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 LiamNZ (Topic Starter, Members, 11 posts)

Posted 30 July 2008 - 10:57 PM

ComboFix:

ComboFix 08-07-29.1 - Liamz0r 2008-07-31 15:51:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.716 [GMT 12:00]
Running from: C:\Documents and Settings\Liamz0r\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\X03P5Qkh.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-30 23:15 . 2008-07-30 23:15 35,842 --a------ C:\WINDOWS\system32\xGApSq61.exe
2008-07-30 16:03 . 2008-07-30 16:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 07:30 . 2008-07-30 07:30 <DIR> d-------- C:\Deckard
2008-07-29 22:12 . 2008-07-29 22:12 0 --a------ C:\WINDOWS\system32\xGApSq61.exe.a_a
2008-07-29 07:25 . 2008-07-31 15:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-07-29 07:25 . 2008-07-30 07:31 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2008-07-29 07:20 . 2008-07-29 07:20 <DIR> d--hs---- C:\found.000
2008-07-27 16:46 . 2008-07-27 16:46 <DIR> d--hs---- C:\Boot
2008-07-27 16:46 . 2008-01-21 14:22 333,203 -rahs---- C:\bootmgr
2008-07-27 16:46 . 2008-07-27 16:46 8,192 -ra-s---- C:\BOOTSECT.BAK
2008-07-27 01:58 . 2008-07-27 01:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-27 01:58 . 2008-07-27 01:58 <DIR> d-------- C:\Documents and Settings\Liamz0r\Application Data\Malwarebytes
2008-07-27 01:58 . 2008-07-27 01:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-27 01:58 . 2008-07-23 20:20 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-27 01:58 . 2008-07-23 20:20 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-26 21:13 . 2008-07-26 21:13 <DIR> d--hs---- C:\$RECYCLE.BIN
2008-07-26 21:13 . 2008-07-26 21:13 171,136 -rahs---- C:\grldr
2008-07-26 20:04 . 2008-07-26 20:04 <DIR> d-------- C:\Documents and Settings\Liamz0r\Application Data\Nero
2008-07-26 20:03 . 2008-07-26 11:28 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-26 11:30 . 2007-08-13 17:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-07-22 12:42 . 2008-07-22 12:42 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-07-19 01:33 . 2008-07-19 01:32 29,760 --a------ C:\WINDOWS\system32\mXcV0RTO.exe
2008-07-19 01:33 . 2008-07-19 01:33 0 --a------ C:\WINDOWS\system32\mXcV0RTO.exe.a_a
2008-06-24 16:57 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-24 16:56 . 2008-06-24 16:56 <DIR> d-------- C:\NVIDIA
2008-06-22 17:05 . 2008-07-21 07:20 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-22 17:05 . 2008-07-21 07:20 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-13 16:23 . 2008-07-30 17:03 <DIR> d-------- C:\Program Files\Trillian
2008-06-12 16:20 . 2008-06-28 17:23 <DIR> d-------- C:\Program Files\Miranda IM
2008-06-12 16:20 . 2008-06-12 16:21 <DIR> d-------- C:\Documents and Settings\Liamz0r\Application Data\Miranda
2008-06-02 16:57 . 2008-06-02 16:57 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-30 06:16 137,840 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-30 06:15 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-07-30 04:00 --------- d-----w C:\Documents and Settings\Liamz0r\Application Data\OpenOffice.org2
2008-07-29 09:43 --------- d-----w C:\Documents and Settings\Liamz0r\Application Data\DNA
2008-07-27 19:10 --------- d-----w C:\Program Files\Xfire
2008-07-26 19:58 --------- d-----w C:\Documents and Settings\Liamz0r\Application Data\Xfire
2008-07-25 23:31 --------- d-----w C:\Program Files\Windows Live
2008-07-25 11:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-25 10:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-25 10:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-06 05:57 --------- d-----w C:\Documents and Settings\Liamz0r\Application Data\LimeWire
2008-07-05 22:48 --------- d-----w C:\Program Files\LimeWire
2008-06-28 05:23 --------- d-----w C:\Program Files\Winamp
2008-06-07 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-01 00:32 --------- d-----w C:\Program Files\Steam
2008-05-15 23:48 446,464 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-05-07 04:09 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
.

------- Sigcheck -------

2001-08-24 03:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-03 23:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-03 23:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe

2001-08-24 03:00 561152 be57a5c3abd240514b98f6bca872fb21 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-03 23:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2007-03-09 03:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\SoftwareDistribution\Download\4d9d678c0d8af22c04a4a7fc7f1ff86c\SP2GDR\user32.dll
2007-03-09 03:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\SoftwareDistribution\Download\4d9d678c0d8af22c04a4a7fc7f1ff86c\SP2QFE\user32.dll
2005-03-03 06:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\user32.dll
2005-03-03 06:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2qfe\user32.dll
2004-08-03 23:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\system32\user32.dll

2001-08-24 03:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-03 23:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2006-05-20 00:15 70656 3748e0fc8c1b6ada49f98c8e69a4228c C:\WINDOWS\SoftwareDistribution\Download\7d6100e060a1f93df520847b1cd9dc71\SP1QFE\ws2_32.dll
2006-08-17 00:14 70656 7b6a08441a4f11320421599d7ecf8d41 C:\WINDOWS\SoftwareDistribution\Download\fde4a5af73d5aee9b5faba71cbff1d6c\SP1QFE\ws2_32.dll
2004-08-03 23:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2007-10-11 11:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2001-08-24 03:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-03 23:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ie7\wininet.dll
2004-08-03 23:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2007-10-11 18:13 659456 2005ad86a22aee68e21ee59f9ccb77f2 C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\SP2GDR\wininet.dll
2007-10-11 17:57 666112 80d660a49e0d118144423099b2a9f5da C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\SP2QFE\wininet.dll
2004-08-03 23:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\system32\wininet.dll

2001-08-24 03:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-10-31 05:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2GDR\tcpip.sys
2007-10-31 04:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2QFE\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-24 03:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-03 23:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-03 23:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2001-08-24 03:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-03 22:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-03 22:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2001-08-24 03:00 1896704 46e2e3dcf54b819cfb2ebfe48a22b5c9 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-03 21:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2005-03-02 12:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntkrnlpa.exe
2005-03-02 12:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2qfe\ntkrnlpa.exe
2004-08-03 21:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\ntkrnlpa.exe

2001-08-24 03:00 1982208 a29222d5281056e497408fcc9062f749 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-03 22:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2005-03-02 12:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntoskrnl.exe
2005-03-02 13:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2qfe\ntoskrnl.exe
2004-08-03 22:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\ntoskrnl.exe

2004-08-03 23:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\explorer.exe
2001-08-24 03:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-03 23:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2007-06-13 22:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\SP2GDR\explorer.exe
2007-06-13 23:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\SP2QFE\explorer.exe

2001-08-24 03:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-03 23:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-03 23:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe

2001-08-24 03:00 11776 8a590ea109b5e0c7629e022f8a6b17c5 C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-03 23:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-03 23:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe

2001-08-24 03:00 13312 85b1054db58d13aa42d7dca778c30f57 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-03 23:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-03 23:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe

2001-08-24 03:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-03 23:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-11 11:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2gdr\spoolsv.exe
2005-06-11 12:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2qfe\spoolsv.exe
2004-08-03 23:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-07 16:09 1177368]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 21:09 77824 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Liamz0r^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Liamz0r\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
-r------- 2004-10-22 16:16 118736 D:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-07 16:09]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-07 16:09]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-07 16:09]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-07 16:09]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-MsnMsgr - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe


.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = *.local


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 15:53:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-31 15:55:34
ComboFix-quarantined-files.txt 2008-07-31 03:55:31

Pre-Run: 101,031,018,496 bytes free
Post-Run: 101,350,862,848 bytes free

198


HijackThis:

Deckard's System Scanner v20071014.68
Run by Liamz0r on 2008-07-31 15:57:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Liamz0r.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:51 p.m. - Liam, on 31/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Liamz0r\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Liamz0r.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 2981 bytes

-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-08-11 14:40:59 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\Templates
2008-08-11 14:40:48 0 dr------- C:\Documents and Settings\Guest\Start Menu
2008-08-11 14:40:48 0 dr-h----- C:\Documents and Settings\Guest\SendTo
2008-08-11 14:40:48 0 dr-h----- C:\Documents and Settings\Guest\Recent
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\PrintHood
2008-08-11 14:40:48 786432 --ah----- C:\Documents and Settings\Guest\ntuser.dat
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\NetHood
2008-08-11 14:40:48 0 dr------- C:\Documents and Settings\Guest\My Documents
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\Local Settings
2008-08-11 14:40:48 0 dr------- C:\Documents and Settings\Guest\Favorites
2008-08-11 14:40:48 0 d-------- C:\Documents and Settings\Guest\Desktop
2008-08-11 14:40:48 0 d---s---- C:\Documents and Settings\Guest\Cookies
2008-08-11 14:40:48 0 dr-h----- C:\Documents and Settings\Guest\Application Data
2008-08-11 14:40:48 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-07-31 15:50:08 68096 --a------ C:\WINDOWS\zip.exe
2008-07-31 15:50:08 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-31 15:50:08 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-31 15:50:08 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-31 15:50:08 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-31 15:50:08 98816 --a------ C:\WINDOWS\sed.exe
2008-07-31 15:50:08 80412 --a------ C:\WINDOWS\grep.exe
2008-07-31 15:50:08 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-30 23:15:20 35842 --a------ C:\WINDOWS\system32\xGApSq61.exe
2008-07-30 16:03:17 0 d-------- C:\Program Files\Trend Micro
2008-07-29 07:25:19 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-07-29 07:25:19 0 d-------- C:\WINDOWS\system32\CatRoot
2008-07-29 07:20:08 0 d--hs---- C:\found.000
2008-07-27 16:46:21 333203 -rahs---- C:\bootmgr
2008-07-27 16:46:20 0 d--hs---- C:\Boot
2008-07-27 01:58:58 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Malwarebytes
2008-07-27 01:58:53 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-27 01:58:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 21:13:33 171136 -rahs---- C:\grldr
2008-07-26 21:13:33 0 d--hs---- C:\$RECYCLE.BIN
2008-07-26 20:04:59 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Nero
2008-07-26 20:03:46 0 d-------- C:\Program Files\Common Files\Nero
2008-07-26 12:00:23 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-07-26 11:47:39 0 dr-h----- C:\Documents and Settings\Liamz0r\Recent
2008-07-26 11:30:22 66048 --a------ C:\WINDOWS\ieResetIcons.exe <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-07-23 22:04:57 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-07-23 22:03:48 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-07-19 01:33:06 29760 --a------ C:\WINDOWS\system32\mXcV0RTO.exe
2008-07-14 18:31:50 4980736 --a------ C:\Documents and Settings\Liamz0r\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-31 15:52:24 0 d-------- C:\Program Files\Common Files
2008-07-30 17:03:55 0 d-------- C:\Program Files\Trillian
2008-07-30 16:00:39 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\OpenOffice.org2
2008-07-29 21:43:15 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\DNA
2008-07-28 07:10:36 0 d-------- C:\Program Files\Xfire
2008-07-27 07:58:54 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Xfire
2008-07-26 11:31:24 0 d-------- C:\Program Files\Windows Live
2008-07-21 07:20:39 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-21 07:20:39 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-18 00:27:23 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Adobe
2008-07-06 17:57:48 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\LimeWire
2008-07-06 10:48:23 0 d-------- C:\Program Files\LimeWire
2008-06-28 17:23:50 0 d-------- C:\Program Files\Winamp
2008-06-28 17:23:15 0 d-------- C:\Program Files\Miranda IM
2008-06-18 17:14:21 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Mozilla
2008-06-12 16:21:06 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Miranda
2008-06-01 12:32:21 0 d-------- C:\Program Files\Steam
2008-05-16 14:01:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-16 14:01:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-16 14:01:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-16 14:01:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-16 14:01:00 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2008-05-16 14:01:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-16 14:01:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-16 14:01:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-16 14:01:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [16/05/2008 02:01 p.m. - Liam]
"SoundMan"="SOUNDMAN.EXE" [22/12/2004 09:09 p.m. - Liam C:\WINDOWS\soundman.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/05/2008 04:09 p.m. - Liam]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [16/05/2008 02:01 p.m. - Liam]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Liamz0r^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Liamz0r\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
D:\setup.exe

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-07-31 15:58:16 ------------


Edited by LiamNZ, 30 July 2008 - 11:01 PM.
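
An added example, not part of LiamNZ's post and not code from the DSS or HijackThis tools: a small Python triage of the "Files created" lines in the log above. It parses the DSS line layout (timestamp, size, attribute string, path, optional `<Not Verified; vendor; description>` remark) and flags two things a responder would look at first: executables in system32 whose names look machine-generated, the pattern xGApSq61.exe and mXcV0RTO.exe follow, and entries whose creation time lies after the scan's own "finished at" time (the Guest profile entries dated 2008-08-11 in a scan that finished 2008-07-31, which means either a clock change or an altered timestamp). The sample lines are copied from the log above; the name heuristic, the DSS_LINE layout and the use of the finish time as the reference are assumptions of this example.

```python
import re
from datetime import datetime

# Assumed layout of one "Files created" line in a Deckard's System Scanner report:
#   YYYY-MM-DD HH:MM:SS  <size>  <9-char attrs>  <path>  [<Not Verified; vendor; desc>]
DSS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.+?)"
    r"(?:\s+<(?P<sig>[^>]*)>)?\s*$"
)

# Heuristic (an assumption, not a rule from the tools): 6-10 alphanumerics mixing
# upper case, lower case and at least one digit reads as a generated name.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{6,10}$")

# Lines copied from the DSS log in the post above; the scan's "finished at" time
# is taken from the report footer.
SAMPLE_LOG = r"""
2008-08-11 14:40:59 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities
2008-07-31 15:50:08 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-30 23:15:20 35842 --a------ C:\WINDOWS\system32\xGApSq61.exe
2008-07-30 16:03:17 0 d-------- C:\Program Files\Trend Micro
2008-07-19 01:33:06 29760 --a------ C:\WINDOWS\system32\mXcV0RTO.exe
2008-07-14 18:31:50 4980736 --a------ C:\Documents and Settings\Liamz0r\ntuser.dat
"""
SCAN_FINISHED = datetime(2008, 7, 31, 15, 58, 16)


def parse_dss_line(line):
    """Return a dict for one DSS file line, or None if the line is not one."""
    m = DSS_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ctime": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "size": int(m["size"]),
        "attrs": m["attrs"],
        "path": m["path"],
        "sig": m["sig"],  # None when DSS printed no signature remark
    }


def flag_entry(entry, scan_finished):
    """Return the reasons this entry deserves a look (empty list = nothing)."""
    reasons = []
    directory, _, name = entry["path"].rpartition("\\")
    stem, _, ext = name.rpartition(".")
    is_dir = entry["attrs"].startswith("d")
    if (not is_dir and ext.lower() == "exe"
            and directory.lower().endswith("\\system32")
            and RANDOM_NAME.match(stem)):
        reasons.append("randomly named executable in system32")
    if entry["ctime"] > scan_finished:
        reasons.append("created after the scan finished (clock change or altered timestamp)")
    return reasons


def triage(log_text, scan_finished):
    """Parse every DSS file line and return [(path, reasons)] for flagged ones."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_dss_line(line)
        if entry is None:
            continue
        reasons = flag_entry(entry, scan_finished)
        if reasons:
            findings.append((entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG, SCAN_FINISHED):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The future-dated entries are worth the same attention as the random names: a helper deciding what to delete by creation date will silently skip anything stamped after the scan, so the reference time should always be checked against the report footer rather than the wall clock.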


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 31 July 2008 - 12:38 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\xGApSq61.exe
C:\WINDOWS\system32\xGApSq61.exe.a_a
C:\WINDOWS\system32\mXcV0RTO.exe
C:\WINDOWS\system32\mXcV0RTO.exe.a_a
Dirlook::
C:\$RECYCLE.BIN
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000


Save this as a text file named CFScript

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

[screenshot not reproduced]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Edited by miekiemoes, 31 July 2008 - 12:39 AM.

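
An added example, not part of miekiemoes's post and not ComboFix code: a Python parser that turns the CFScript above into an explicit plan before it is dropped onto ComboFix.exe. Section headers end in `::`; the File:: paths are deleted, the Dirlook:: directories are listed, and the Registry:: block uses .reg syntax, where `[-KEY]` removes a key and `"name"=dword:...` writes a DWORD. Those meanings are read off the post and the ComboFix log LiamNZ posts in reply (the FILE :: and Look sections), not from any ComboFix documentation, so treat them as this example's assumptions. Reading the plan back shows what the script actually touches: four files, one directory listing, one msconfig startup entry removed, and four Security Center values set to 0, which re-enables the antivirus, firewall and update warnings that malware commonly silences.

```python
import re

# Section headers in the script look like "File::", "Dirlook::", "Registry::".
SECTION_HEADER = re.compile(r"^([A-Za-z]+)::\s*$")
# .reg-style key line: "[KEY]" opens a key, "[-KEY]" deletes it.
REG_KEY = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
# .reg-style value line: "name"=dword:XXXXXXXX, "name"="text" or "name"=- (delete value)
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# The CFScript from the post above, copied verbatim.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\xGApSq61.exe
C:\WINDOWS\system32\xGApSq61.exe.a_a
C:\WINDOWS\system32\mXcV0RTO.exe
C:\WINDOWS\system32\mXcV0RTO.exe.a_a
Dirlook::
C:\$RECYCLE.BIN
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
"""


def split_sections(script_text):
    """Group non-empty lines under the 'Name::' header that precedes them."""
    sections, current = {}, None
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("line before any section header: %r" % line)
        sections[current].append(line)
    return sections


def parse_reg_data(data):
    """Decode the .reg-style right-hand side of a value line."""
    if data.startswith("dword:"):
        return ("dword", int(data[len("dword:"):], 16))
    if data.startswith('"') and data.endswith('"'):
        return ("string", data[1:-1])
    if data == "-":
        return ("delete", None)
    raise ValueError("unsupported registry data: %r" % data)


def parse_registry_section(lines):
    """Return (op, key, value_name, (type, value)) tuples in script order."""
    ops, key = [], None
    for line in lines:
        m = REG_KEY.match(line)
        if m:
            key = m["key"]
            if m["delete"]:
                ops.append(("delete_key", key, None, None))
                key = None
            continue
        m = REG_VALUE.match(line)
        if m and key:
            kind, value = parse_reg_data(m["data"])
            if kind == "delete":
                ops.append(("delete_value", key, m["name"], None))
            else:
                ops.append(("set_value", key, m["name"], (kind, value)))
            continue
        raise ValueError("cannot parse registry line: %r" % line)
    return ops


def plan(script_text):
    """Assumed semantics: File:: deletes, Dirlook:: lists, Registry:: applies .reg text."""
    sections = split_sections(script_text)
    return {
        "delete_files": sections.get("File", []),
        "list_dirs": sections.get("Dirlook", []),
        "registry": parse_registry_section(sections.get("Registry", [])),
    }


def describe(p):
    """One human-readable line per action, for review before running the script."""
    out = ["delete file " + f for f in p["delete_files"]]
    out += ["list directory " + d for d in p["list_dirs"]]
    for op, key, name, data in p["registry"]:
        if op == "delete_key":
            out.append("delete key " + key)
        elif op == "delete_value":
            out.append("delete value %s\\%s" % (key, name))
        else:
            out.append("set %s\\%s = %s %r" % (key, name, data[0], data[1]))
    return out


if __name__ == "__main__":
    for line in describe(plan(CFSCRIPT)):
        print(line)
```

Reviewing the plan this way catches the two mistakes that make such scripts dangerous: a path typed into File:: that belongs to a legitimate program, and a Registry:: line that lands under the wrong key because a `[KEY]` header was dropped while pasting (the parser raises on a value with no open key rather than guessing).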

#5 LiamNZ

LiamNZ
  • Topic Starter

  • Members
  • 11 posts

Posted 31 July 2008 - 04:07 AM

Thanks for the help.

ComboFix:

ComboFix 08-07-29.1 - Liamz0r 2008-07-31 21:00:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.775 [GMT 12:00]
Running from: C:\Documents and Settings\Liamz0r\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Liamz0r\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\mXcV0RTO.exe
C:\WINDOWS\system32\mXcV0RTO.exe.a_a
C:\WINDOWS\system32\xGApSq61.exe
C:\WINDOWS\system32\xGApSq61.exe.a_a
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\X03P5Qkh.dll
.
---- Previous Run -------
.
C:\WINDOWS\system32\mXcV0RTO.exe
C:\WINDOWS\system32\mXcV0RTO.exe.a_a
C:\WINDOWS\system32\xGApSq61.exe
C:\WINDOWS\system32\xGApSq61.exe.a_a

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))
.

2008-07-31 19:34 . 2008-07-31 19:34 <DIR> d-------- C:\Graphics
2008-07-30 16:03 . 2008-07-30 16:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 07:30 . 2008-07-30 07:30 <DIR> d-------- C:\Deckard
2008-07-29 07:25 . 2008-07-31 18:45 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-07-29 07:25 . 2008-07-30 07:31 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2008-07-29 07:20 . 2008-07-29 07:20 <DIR> d--hs---- C:\found.000
2008-07-27 16:46 . 2008-07-27 16:46 <DIR> d--hs---- C:\Boot
2008-07-27 16:46 . 2008-01-21 14:22 333,203 -rahs---- C:\bootmgr
2008-07-27 16:46 . 2008-07-27 16:46 8,192 -ra-s---- C:\BOOTSECT.BAK
2008-07-27 01:58 . 2008-07-27 01:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-27 01:58 . 2008-07-27 01:58 <DIR> d-------- C:\Documents and Settings\Liamz0r\Application Data\Malwarebytes
2008-07-27 01:58 . 2008-07-27 01:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-27 01:58 . 2008-07-23 20:20 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-27 01:58 . 2008-07-23 20:20 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-26 21:13 . 2008-07-26 21:13 <DIR> d--hs---- C:\$RECYCLE.BIN
2008-07-26 21:13 . 2008-07-26 21:13 171,136 -rahs---- C:\grldr
2008-07-26 20:04 . 2008-07-26 20:04 <DIR> d-------- C:\Documents and Settings\Liamz0r\Application Data\Nero
2008-07-26 20:03 . 2008-07-26 11:28 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-26 11:30 . 2007-08-13 17:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-07-22 12:42 . 2008-07-22 12:42 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-06-24 16:57 . 2008-06-11 14:48 18,772 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-24 16:56 . 2008-06-24 16:56 <DIR> d-------- C:\NVIDIA
2008-06-22 17:05 . 2008-07-21 07:20 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-22 17:05 . 2008-07-21 07:20 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-13 16:23 . 2008-07-30 17:03 <DIR> d-------- C:\Program Files\Trillian
2008-06-12 16:20 . 2008-06-28 17:23 <DIR> d-------- C:\Program Files\Miranda IM
2008-06-12 16:20 . 2008-06-12 16:21 <DIR> d-------- C:\Documents and Settings\Liamz0r\Application Data\Miranda
2008-06-02 16:57 . 2008-06-02 16:57 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 08:35 137,840 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-31 08:34 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-07-30 04:00 --------- d-----w C:\Documents and Settings\Liamz0r\Application Data\OpenOffice.org2
2008-07-29 09:43 --------- d-----w C:\Documents and Settings\Liamz0r\Application Data\DNA
2008-07-27 19:10 --------- d-----w C:\Program Files\Xfire
2008-07-26 19:58 --------- d-----w C:\Documents and Settings\Liamz0r\Application Data\Xfire
2008-07-25 23:31 --------- d-----w C:\Program Files\Windows Live
2008-07-25 11:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-25 10:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-25 10:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-06 05:57 --------- d-----w C:\Documents and Settings\Liamz0r\Application Data\LimeWire
2008-07-05 22:48 --------- d-----w C:\Program Files\LimeWire
2008-06-28 05:23 --------- d-----w C:\Program Files\Winamp
2008-06-07 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-01 00:32 --------- d-----w C:\Program Files\Steam
2008-05-15 23:48 446,464 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-05-07 04:09 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\$RECYCLE.BIN ----

2008-07-26 21:13 129 --ahs---- C:\$RECYCLE.BIN\S-1-5-21-493512218-2453615080-4230740772-1000\desktop.ini


------- Sigcheck -------

2001-08-24 03:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-03 23:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2004-08-03 23:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe

2001-08-24 03:00 561152 be57a5c3abd240514b98f6bca872fb21 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-03 23:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2007-03-09 03:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\SoftwareDistribution\Download\4d9d678c0d8af22c04a4a7fc7f1ff86c\SP2GDR\user32.dll
2007-03-09 03:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\SoftwareDistribution\Download\4d9d678c0d8af22c04a4a7fc7f1ff86c\SP2QFE\user32.dll
2005-03-03 06:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\user32.dll
2005-03-03 06:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2qfe\user32.dll
2004-08-03 23:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\system32\user32.dll

2001-08-24 03:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-03 23:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2006-05-20 00:15 70656 3748e0fc8c1b6ada49f98c8e69a4228c C:\WINDOWS\SoftwareDistribution\Download\7d6100e060a1f93df520847b1cd9dc71\SP1QFE\ws2_32.dll
2006-08-17 00:14 70656 7b6a08441a4f11320421599d7ecf8d41 C:\WINDOWS\SoftwareDistribution\Download\fde4a5af73d5aee9b5faba71cbff1d6c\SP1QFE\ws2_32.dll
2004-08-03 23:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2007-10-11 11:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2001-08-24 03:00 593920 cf9f1eef71f42ede71b6f4aa05d5ca1a C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-03 23:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ie7\wininet.dll
2004-08-03 23:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2007-10-11 18:13 659456 2005ad86a22aee68e21ee59f9ccb77f2 C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\SP2GDR\wininet.dll
2007-10-11 17:57 666112 80d660a49e0d118144423099b2a9f5da C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\SP2QFE\wininet.dll
2004-08-03 23:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\system32\wininet.dll

2001-08-24 03:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-10-31 05:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2GDR\tcpip.sys
2007-10-31 04:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\SP2QFE\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-24 03:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-03 23:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-03 23:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2001-08-24 03:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-03 22:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-03 22:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 22:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2001-08-24 03:00 1896704 46e2e3dcf54b819cfb2ebfe48a22b5c9 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-03 21:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2005-03-02 12:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntkrnlpa.exe
2005-03-02 12:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2qfe\ntkrnlpa.exe
2004-08-03 21:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\ntkrnlpa.exe

2001-08-24 03:00 1982208 a29222d5281056e497408fcc9062f749 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-03 22:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2005-03-02 12:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntoskrnl.exe
2005-03-02 13:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2qfe\ntoskrnl.exe
2004-08-03 22:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\ntoskrnl.exe

2004-08-03 23:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\explorer.exe
2001-08-24 03:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-03 23:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2007-06-13 22:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\SP2GDR\explorer.exe
2007-06-13 23:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\SP2QFE\explorer.exe

2001-08-24 03:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-03 23:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-03 23:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe

2001-08-24 03:00 11776 8a590ea109b5e0c7629e022f8a6b17c5 C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-03 23:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-03 23:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe

2001-08-24 03:00 13312 85b1054db58d13aa42d7dca778c30f57 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-03 23:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-03 23:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe

2001-08-24 03:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-03 23:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-11 11:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2gdr\spoolsv.exe
2005-06-11 12:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2qfe\spoolsv.exe
2004-08-03 23:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-07 16:09 1177368]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 21:09 77824 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Liamz0r^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Liamz0r\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 18:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-07 16:09]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-07 16:09]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-07 16:09]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-07 16:09]
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-31 21:04:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-31 21:06:03
ComboFix-quarantined-files.txt 2008-07-31 09:05:41
ComboFix2.txt 2008-07-31 03:55:35

Pre-Run: 100,692,709,376 bytes free
Post-Run: 101,282,435,072 bytes free

198


HijackThis:

Deckard's System Scanner v20071014.68
Run by Liamz0r on 2008-07-31 21:07:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Liamz0r.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:45 p.m. - Liam, on 31/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Liamz0r\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Liamz0r.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 2948 bytes

-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-08-11 14:40:59 0 d-------- C:\Documents and Settings\Guest\Application Data\Identities
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\Templates
2008-08-11 14:40:48 0 dr------- C:\Documents and Settings\Guest\Start Menu
2008-08-11 14:40:48 0 dr-h----- C:\Documents and Settings\Guest\SendTo
2008-08-11 14:40:48 0 dr-h----- C:\Documents and Settings\Guest\Recent
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\PrintHood
2008-08-11 14:40:48 786432 --ah----- C:\Documents and Settings\Guest\ntuser.dat
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\NetHood
2008-08-11 14:40:48 0 dr------- C:\Documents and Settings\Guest\My Documents
2008-08-11 14:40:48 0 d--h----- C:\Documents and Settings\Guest\Local Settings
2008-08-11 14:40:48 0 dr------- C:\Documents and Settings\Guest\Favorites
2008-08-11 14:40:48 0 d-------- C:\Documents and Settings\Guest\Desktop
2008-08-11 14:40:48 0 d---s---- C:\Documents and Settings\Guest\Cookies
2008-08-11 14:40:48 0 dr-h----- C:\Documents and Settings\Guest\Application Data
2008-08-11 14:40:48 0 d---s---- C:\Documents and Settings\Guest\Application Data\Microsoft
2008-07-31 19:34:19 0 d-------- C:\Graphics
2008-07-31 15:50:08 68096 --a------ C:\WINDOWS\zip.exe
2008-07-31 15:50:08 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-31 15:50:08 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-31 15:50:08 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-31 15:50:08 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-31 15:50:08 98816 --a------ C:\WINDOWS\sed.exe
2008-07-31 15:50:08 80412 --a------ C:\WINDOWS\grep.exe
2008-07-31 15:50:08 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-30 16:03:17 0 d-------- C:\Program Files\Trend Micro
2008-07-29 07:25:19 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-07-29 07:25:19 0 d-------- C:\WINDOWS\system32\CatRoot
2008-07-29 07:20:08 0 d--hs---- C:\found.000
2008-07-27 16:46:21 333203 -rahs---- C:\bootmgr
2008-07-27 16:46:20 0 d--hs---- C:\Boot
2008-07-27 01:58:58 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Malwarebytes
2008-07-27 01:58:53 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-27 01:58:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 21:13:33 171136 -rahs---- C:\grldr
2008-07-26 21:13:33 0 d--hs---- C:\$RECYCLE.BIN
2008-07-26 20:04:59 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Nero
2008-07-26 20:03:46 0 d-------- C:\Program Files\Common Files\Nero
2008-07-26 12:00:23 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-07-26 11:47:39 0 dr-h----- C:\Documents and Settings\Liamz0r\Recent
2008-07-26 11:30:22 66048 --a------ C:\WINDOWS\ieResetIcons.exe <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-07-23 22:04:57 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-07-23 22:03:48 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-07-14 18:31:50 4980736 --a------ C:\Documents and Settings\Liamz0r\ntuser.dat


-- Find3M Report ---------------------------------------------------------------

2008-07-31 21:03:01 0 d-------- C:\Program Files\Common Files
2008-07-30 17:03:55 0 d-------- C:\Program Files\Trillian
2008-07-30 16:00:39 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\OpenOffice.org2
2008-07-29 21:43:15 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\DNA
2008-07-28 07:10:36 0 d-------- C:\Program Files\Xfire
2008-07-27 07:58:54 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Xfire
2008-07-26 11:31:24 0 d-------- C:\Program Files\Windows Live
2008-07-21 07:20:39 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-21 07:20:39 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-18 00:27:23 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Adobe
2008-07-06 17:57:48 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\LimeWire
2008-07-06 10:48:23 0 d-------- C:\Program Files\LimeWire
2008-06-28 17:23:50 0 d-------- C:\Program Files\Winamp
2008-06-28 17:23:15 0 d-------- C:\Program Files\Miranda IM
2008-06-18 17:14:21 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Mozilla
2008-06-12 16:21:06 0 d-------- C:\Documents and Settings\Liamz0r\Application Data\Miranda
2008-06-01 12:32:21 0 d-------- C:\Program Files\Steam
2008-05-16 14:01:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-16 14:01:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-16 14:01:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-16 14:01:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-16 14:01:00 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2008-05-16 14:01:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-16 14:01:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-16 14:01:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-16 14:01:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [16/05/2008 02:01 p.m. - Liam]
"SoundMan"="SOUNDMAN.EXE" [22/12/2004 09:09 p.m. - Liam C:\WINDOWS\soundman.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/05/2008 04:09 p.m. - Liam]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [16/05/2008 02:01 p.m. - Liam]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Liamz0r^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Liamz0r\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"




-- End of Deckard's System Scanner: finished at 2008-07-31 21:08:11 ------------


Edited by LiamNZ, 31 July 2008 - 04:08 AM.
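The Deckard's System Scanner log above has two parts a responder reads first: the file listings (where a file can carry a `<Not Verified; …>` note, as `C:\WINDOWS\ieResetIcons.exe` does) and the Registry Dump of autostart keys and `policies\system` values. The following Python script is an added example, not part of this thread and not Deckard's own tool: it parses that text format and pulls out unverified files, `Run`-key autostarts, and any lockdown policy that is set. The line formats are inferred from the log above, the sample input is copied from it, and the `DisableTaskMgr` check is an assumption (that value does not appear in this log, `DisableRegistryTools` does).

```python
"""Triage helper for Deckard's System Scanner (DSS) text logs (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# File listing lines: "<date> <time> <size> <attrs> <path> [<note>]"
FILE_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+?)(?: <(?P<note>[^>]*)>)?$"
)
# Registry dump: "[HKEY_...]" headers, then "Name"="string" [meta] or "Name"=N (0xN)
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
STR_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"(?: \[(?P<meta>[^\]]*)\])?$')
DWORD_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>\d+) \(0x[0-9A-Fa-f]+\)$')

# Policy values that, when non-zero, lock the user out of recovery tools.
# DisableRegistryTools is in the posted log; DisableTaskMgr is an assumed extra.
LOCKDOWN_POLICIES = {"disableregistrytools", "disabletaskmgr"}


@dataclass
class FileEntry:
    timestamp: str
    size: int
    attrs: str
    path: str
    note: Optional[str]  # e.g. "Not Verified; Microsoft Corporation; ..."


@dataclass
class RegValue:
    key: str
    name: str
    data: str


def parse_dss(text: str) -> Tuple[List[FileEntry], List[RegValue]]:
    """Split a DSS log into file entries and registry values."""
    files: List[FileEntry] = []
    values: List[RegValue] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            files.append(FileEntry(m["ts"], int(m["size"]), m["attrs"], m["path"], m["note"]))
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m["key"]  # values that follow belong to this key
            continue
        m = STR_VALUE.match(line) or DWORD_VALUE.match(line)
        if m and current_key:
            values.append(RegValue(current_key, m["name"], m["data"]))
    return files, values


def unverified_files(files: List[FileEntry]) -> List[str]:
    """Paths the scanner marked 'Not Verified'."""
    return [f.path for f in files if f.note and f.note.startswith("Not Verified")]


def autorun_entries(values: List[RegValue]) -> List[RegValue]:
    """Values under any ...\\Run key (programs started at logon)."""
    return [v for v in values if v.key.lower().endswith("\\run")]


def active_lockdowns(values: List[RegValue]) -> List[RegValue]:
    """Lockdown policies under policies\\system that are set to non-zero."""
    return [v for v in values
            if v.key.lower().endswith("policies\\system")
            and v.name.lower() in LOCKDOWN_POLICIES and v.data != "0"]


def triage(text: str) -> dict:
    """One-call summary of the three things worth a second look."""
    files, values = parse_dss(text)
    return {
        "unverified": unverified_files(files),
        "autoruns": [f"{v.name} -> {v.data}" for v in autorun_entries(values)],
        "lockdowns": [v.name for v in active_lockdowns(values)],
    }


# Sample input: lines copied from the log posted above.
SAMPLE_LOG = r"""
2008-07-26 11:30:22 66048 --a------ C:\WINDOWS\ieResetIcons.exe <Not Verified; Microsoft Corporation; Windows® Internet Explorer>
2008-07-14 18:31:50 4980736 --a------ C:\Documents and Settings\Liamz0r\ntuser.dat
2008-05-16 14:01:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [16/05/2008 02:01 p.m. - Liam]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/05/2008 04:09 p.m. - Liam]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"{section}: {items if items else 'none'}")
```

On the posted log this reports one unverified file, the four `Run` entries (two in the sample), and no active lockdown policies, which matches the helper's "looks OK" verdict below; a non-zero `DisableRegistryTools` would show up under `lockdowns`.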


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 31 July 2008 - 11:32 AM

Hi,

This looks OK again.
Please change ALL your passwords since they are known.

Then:
* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 LiamNZ

LiamNZ
  • Topic Starter

  • Members
  • 11 posts

Posted 01 August 2008 - 05:35 AM

Thanks for the help. No more annoying pop-ups and I've changed my passwords. Thanks for the service you've got here. :thumbsup:

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 August 2008 - 06:23 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 August 2008 - 11:55 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.