
Personalized settings virus


  • This topic is locked
8 replies to this topic

#1 reeko

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:21 PM

Posted 14 January 2009 - 02:56 PM

Every time I open up explorer.exe I get "personalized settings" for less than a second showing C:\System\(recycler)\system32.exe. Before that I had another file which I deleted and now this is showing up. I think it copies itself but I am not sure. Help please, this is my HJ log:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Reeko at 23:50:04.25 on Wed 01/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1256.971.1033.18.3071.2136 [GMT 4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Super_DVD_Creator_9.8\NMSAccessU.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\Reeko\Local Settings\Temporary Internet Files\Content.IE5\0COZYIXJ\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy1.emirates.net.ae:8080
uInternet Settings,ProxyOverride = *.local
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: GigagetIEHelper Class: {111caa23-6f4f-42ac-8555-b48c1d87bbab} - c:\windows\system32\gigagetbho_v10.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: VirtualNetwork Class: {6c517674-de1c-4493-977c-34a1bfab35ba} - c:\program files\virtualnetwork\VirtualNetwork.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: 304434 helper: {7a2f3a2e-4b59-4932-b2c3-2e7f13b03207} - 304434 Class
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Tunebite_WebRipPlugin Class: {aa102584-3b97-47e7-b9bc-75d54c110a7d} - c:\program files\rapidsolution\tunebite\plugins\ie\TB_WebRipIePlugin.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [SecureClean4Tray] "c:\program files\whitecanyon\secureclean 4\sctray4.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: HideClock = 0 (0x0)
dPolicies-explorer: HideClock = 0 (0x0)
IE: &Download All by Gigaget - c:\program files\giganology\gigaget\getallurl.htm
IE: &Download by Gigaget - c:\program files\giganology\gigaget\geturl.htm
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\reeko\applic~1\mozilla\firefox\profiles\ohnjogag.default\
FF - prefs.js: network.proxy.ftp - proxy1.emirates.net.ae
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy1.emirates.net.ae
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy1.emirates.net.ae
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy1.emirates.net.ae
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy1.emirates.net.ae
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\reeko\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\rapidsolution\tunebite\plugins\geckobased\tunebite-firefox-surf-and-catch-extension@audials.com\components\TB_WebRipFFPlugin.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\rapidsolution\tunebite\plugins\geckobased\tunebite-firefox-surf-and-catch-extension@audials.com\plugins\np_TB_OgloPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-9-28 40840]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-9-28 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-9-28 81288]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-5-16 30720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-8-13 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080813.003\NAVENG.SYS [2008-8-13 89936]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080813.003\NAVEX15.SYS [2008-8-13 856336]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-5-16 1251720]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-10 108648]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-1-10 108648]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-6-29 45848]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-9-28 356920]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-9-28 1079176]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [2008-6-5 508544]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\drivers\DrmRVideo32.sys [2008-6-5 3768]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\c:\documents and settings\reeko\desktop\uce\tc _ rev 1176\tkanat02.sys --> c:\documents and settings\reeko\desktop\uce\tc _ rev 1176\TKanaT02.sys [?]
S3 lredbooo;lredbooo;\??\c:\docume~1\reeko\locals~1\temp\lredbooo.sys --> c:\docume~1\reeko\locals~1\temp\lredbooo.sys [?]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2008-12-12 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2008-12-12 3768]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2007-2-15 26624]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2008-1-30 25216]
S3 XDva207;XDva207;\??\c:\windows\system32\xdva207.sys --> c:\windows\system32\XDva207.sys [?]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-01-14 23:38 <DIR> --d----- c:\program files\Trend Micro
2009-01-14 23:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\sctemp
2009-01-14 23:20 1,044,480 a------- c:\windows\system32\ROBOEX32.DLL
2009-01-14 23:20 335,872 a------- c:\windows\system32\SCshell402.dll
2009-01-14 23:20 278,528 a------- c:\windows\system32\SCService4.dll
2009-01-14 23:20 <DIR> --d----- c:\program files\WhiteCanyon
2009-01-14 16:16 <DIR> --d----- c:\program files\Atari
2009-01-12 18:51 244 a---h--- C:\sqmnoopt14.sqm
2009-01-12 18:51 232 a---h--- C:\sqmdata14.sqm
2009-01-12 18:49 954,726 a------- C:\reint.exe
2009-01-11 18:21 244 a---h--- C:\sqmnoopt13.sqm
2009-01-11 18:21 232 a---h--- C:\sqmdata13.sqm
2009-01-10 23:29 <DIR> --d----- c:\program files\Free Hide Folder
2009-01-10 01:18 <DIR> --d----- c:\documents and settings\reeko\EurekaLog
2009-01-09 21:11 232 a---h--- C:\sqmdata12.sqm
2009-01-09 21:11 244 a---h--- C:\sqmnoopt12.sqm
2009-01-08 14:13 <DIR> --d----- c:\program files\HelpWithMath
2009-01-08 13:56 <DIR> --d----- c:\windows\Downloaded Installations
2009-01-08 11:54 954,721 a------- C:\cauhex.exe
2009-01-07 07:06 90,112 ac------ c:\windows\system32\dllcache\hasc.exe
2009-01-07 07:06 14,588 ac------ c:\windows\system32\dllcache\qi3p5f.msp
2009-01-07 07:06 3,416 ac------ c:\windows\system32\dllcache\jlt3c.zip
2009-01-07 07:06 61,440 ac------ c:\windows\system32\dllcache\ctcr.exe
2009-01-07 07:06 28,964 ac------ c:\windows\system32\dllcache\dic1f7.msp
2009-01-07 07:06 4,280 ac------ c:\windows\system32\dllcache\comdlg32
2009-01-07 07:06 88 ac------ c:\windows\system32\dllcache\a5ip63.msp
2009-01-07 07:06 2 ac------ c:\windows\system32\dllcache\a5ip60.msp
2009-01-07 07:06 954,721 a------- C:\cauhek.exe
2009-01-06 14:05 <DIR> --d----- c:\program files\GetData
2008-12-29 13:31 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-29 13:31 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-29 13:31 <DIR> --d----- c:\program files\iPod
2008-12-29 13:31 <DIR> --d----- c:\program files\iTunes
2008-12-29 13:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-28 14:42 <DIR> --d----- c:\program files\Web Publish
2008-12-28 01:27 0 a------- c:\windows\ativpsrm.bin
2008-12-25 16:30 244 a---h--- C:\sqmnoopt11.sqm
2008-12-25 16:30 232 a---h--- C:\sqmdata11.sqm
2008-12-25 16:16 244 a---h--- C:\sqmnoopt10.sqm
2008-12-25 16:16 232 a---h--- C:\sqmdata10.sqm
2008-12-23 19:48 <DIR> --d----- C:\ATI
2008-12-23 19:36 599,552 -c------ c:\windows\system32\dllcache\crypt32.dll
2008-12-23 19:36 177,664 -c------ c:\windows\system32\dllcache\wintrust.dll
2008-12-23 18:54 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2008-12-23 14:52 206,256 a------- c:\windows\system32\idmmbc.dll
2008-12-22 20:43 <DIR> --d----- c:\windows\system32\scripting
2008-12-22 20:43 <DIR> --d----- c:\windows\l2schemas
2008-12-22 20:43 <DIR> --d----- c:\windows\system32\en
2008-12-22 20:43 <DIR> --d----- c:\windows\system32\bits
2008-12-22 20:38 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-22 19:47 20,992 -------- c:\windows\system32\spupdwxp.exe
2008-12-22 19:46 37,376 -------- c:\windows\system32\l2gpstore.dll
2008-12-22 19:45 43,008 -------- c:\windows\system32\drivers\amdagp.sys
2008-12-22 19:45 42,752 -------- c:\windows\system32\drivers\alim1541.sys
2008-12-22 19:45 44,928 -------- c:\windows\system32\drivers\agpcpq.sys
2008-12-22 19:45 42,368 -------- c:\windows\system32\drivers\agp440.sys
2008-12-22 19:45 4,255 -------- c:\windows\system32\drivers\adv01nt5.dll
2008-12-22 19:45 3,967 -------- c:\windows\system32\drivers\adv02nt5.dll
2008-12-22 19:45 3,775 -------- c:\windows\system32\drivers\adv11nt5.dll
2008-12-22 19:45 3,711 -------- c:\windows\system32\drivers\adv09nt5.dll
2008-12-22 19:45 3,647 -------- c:\windows\system32\drivers\adv07nt5.dll
2008-12-22 19:45 3,615 -------- c:\windows\system32\drivers\adv05nt5.dll
2008-12-22 19:45 3,135 -------- c:\windows\system32\drivers\adv08nt5.dll
2008-12-22 19:45 136,192 -------- c:\windows\system32\aaclient.dll
2008-12-17 19:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Launcher
2008-12-17 18:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Graboid Inc
2008-12-17 18:43 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12
2008-12-17 18:42 <DIR> --d----- c:\program files\Graboid
2008-12-16 15:07 <DIR> --dshr-- C:\SYSTEM

==================== Find3M ====================

2009-01-08 19:18 14,588 a------- c:\windows\inf\yl5vf.zip
2009-01-06 08:11 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 08:11 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-06 08:11 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 08:11 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-04 03:15 28,964 a------- c:\windows\inf\kl1f7.zip
2008-12-22 20:47 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-11 14:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-10 21:41 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-12-10 18:57 3,532 a------- C:\drmHeader.bin
2008-12-02 02:13 3,452,928 a------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-02 00:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-02 00:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-02 00:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-02 00:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-02 00:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-02 00:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-02 00:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-02 00:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-02 00:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-02 00:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-02 00:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-02 00:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-02 00:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 23:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 23:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 23:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 23:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 23:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 23:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 23:51 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2008-12-01 23:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 23:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-01 23:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-12-01 14:35 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-11-22 11:24 3,416 a------- c:\windows\inf\jlt3c.zip
2008-11-13 18:18 599,552 a------- c:\windows\system32\crypt32.dll
2008-11-13 18:18 177,664 a------- c:\windows\system32\wintrust.dll
2008-11-06 16:51 87,608 a------- c:\docume~1\reeko\applic~1\inst.exe
2008-11-06 16:51 47,360 a------- c:\docume~1\reeko\applic~1\pcouffin.sys
2008-11-06 15:50 145,504 a------- c:\windows\system32\bgsvcgen.exe
2008-11-06 15:50 59,488 a------- c:\windows\system32\GenSvcInst.exe
2008-10-30 18:45 180,720 a------- c:\windows\system32\atiicdxx.dat
2008-10-29 02:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-29 02:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-29 02:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-29 02:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-29 02:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-23 16:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-21 22:51 118,784 a------- c:\windows\system32\atibrtmon.exe
2008-10-21 21:40 81,920 a------- c:\windows\system32\ATIODE.exe
2008-10-21 21:40 45,056 a------- c:\windows\system32\ATIODCLI.exe
2008-10-17 00:38 826,368 a------- c:\windows\system32\wininet.dll
2008-06-19 01:10 22,328 a------- c:\docume~1\reeko\applic~1\PnkBstrK.sys
2007-09-05 11:02 90,112 a------- c:\windows\inf\hasc.exe
2007-09-05 11:02 61,440 a------- c:\windows\inf\ctcr.exe

============= FINISH: 23:50:36.78 ===============


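The DDS log above lists two kernel drivers whose image path sits under the user's own profile (IlvMoneyDRIVER53 on the Desktop, lredbooo in a temp folder) and several entries where DDS printed `[?]` instead of a date and size, which is the first thing a malware-removal helper scans for in the SERVICES / DRIVERS section. As an added example, not part of reeko's post and not a DDS or BleepingComputer tool, here is a small Python triage script that parses such lines and flags drivers loading from user-writable locations or lacking a readable file record. The six sample lines are copied from the log above; the list of path prefixes treated as user-writable and the reason wording are my own assumptions about what merits a closer look, not DDS rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: six service/driver lines copied verbatim from the
# "SERVICES / DRIVERS" section of the DDS log posted above.
SAMPLE_LINES = [
    r"R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-9-28 40840]",
    r"S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\c:\documents and settings\reeko\desktop\uce\tc _ rev 1176\tkanat02.sys --> c:\documents and settings\reeko\desktop\uce\tc _ rev 1176\TKanaT02.sys [?]",
    r"S3 lredbooo;lredbooo;\??\c:\docume~1\reeko\locals~1\temp\lredbooo.sys --> c:\docume~1\reeko\locals~1\temp\lredbooo.sys [?]",
    r"S3 XDva207;XDva207;\??\c:\windows\system32\xdva207.sys --> c:\windows\system32\XDva207.sys [?]",
    r"S4 LMIRfsClientNP;LMIRfsClientNP; [x]",
    r"S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2008-1-30 25216]",
]

# Assumption: directories an ordinary user account can write to. A kernel driver
# living here is unusual for legitimate software. Both long and 8.3 short forms
# are listed because DDS prints either.
USER_WRITABLE_PREFIXES = ("c:\\documents and settings\\", "c:\\docume~1\\")

# "<start type> <service name>;<display name>;<rest>"  e.g. "R0 IKFileSec;File Security Driver;c:\...sys [date size]"
LINE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]*);(?P<desc>[^;]*);(?P<rest>.*)$")


@dataclass
class DriverEntry:
    start: str                 # R0..R4 running, S0..S4 stopped (DDS start-type prefix)
    name: str
    path: str                  # resolved image path, empty if DDS recorded none
    info: str                  # text inside the trailing [...] field
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one DDS service/driver line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    # Trailing bracket field is "[date size]", "[?]" or "[x]".
    bm = re.search(r"\[([^\]]*)\]\s*$", rest)
    info = bm.group(1) if bm else ""
    path = rest[:bm.start()].strip() if bm else rest
    # DDS writes "\??\shortpath --> resolved path"; keep only the resolved path.
    if "-->" in path:
        path = path.split("-->", 1)[1].strip()
    path = path.replace("\\??\\", "")
    return DriverEntry(m.group("start"), m.group("name"), path, info)


def triage(entry):
    """Attach human-readable reasons for a closer look; unchanged entry if none apply."""
    p = entry.path.lower()
    if entry.info == "x":
        entry.reasons.append("no image path recorded ([x])")
    elif entry.info == "?":
        entry.reasons.append("no date/size recorded ([?])")
    if p.startswith(USER_WRITABLE_PREFIXES):
        entry.reasons.append("loads from a user profile directory")
    if "\\temp\\" in p:
        entry.reasons.append("loads from a temp directory")
    return entry


def triage_lines(lines):
    """Return only the entries that have at least one reason, in input order."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and triage(entry).reasons:
            flagged.append(entry)
    return flagged


def format_report(flagged):
    return [f"{e.start} {e.name}: {e.path or '(no path)'} -- {'; '.join(e.reasons)}" for e in flagged]


if __name__ == "__main__":
    for row in format_report(triage_lines(SAMPLE_LINES)):
        print(row)
```

Run against the sample, the script reports IlvMoneyDRIVER53, lredbooo, XDva207 and LMIRfsClientNP while leaving the Windows-directory drivers with a proper date/size alone; the first two are exactly the entries a helper would ask about first, and the ComboFix log posted later in the thread shows IlvMoneyDRIVER53 being removed. A flag is a prompt to verify the file (vendor, signature, install history), not a verdict: LMIRfsClientNP, for instance, belongs to LogMeIn per the neighbouring LMI entries in the same log.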

#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:21 AM

Posted 26 January 2009 - 06:19 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

To disable Norton Antivirus.
  • Right click on the Norton icon (Posted Image) beside your clock and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should receive a pop-up warning saying that protection was disabled. The Norton icon should now look like Posted Image.

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 reeko
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:21 PM

Posted 26 January 2009 - 09:36 PM

Hi. Thanks for helping, this is the ComboFix log. (btw: it didn't ask me if I wanted a recovery console or not)

ComboFix 09-01-21.04 - Reeko 01/27/2009 6:10:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1256.1.1033.18.3071.2294 [GMT 4:00]
Running from: c:\documents and settings\Reeko\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Reeko\Application Data\inst.exe
c:\windows\f49f4daa.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\AutoRun.inf

----- BITS: Possible infected sites -----

hxxp://www.graboid.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ILVMONEYDRIVER53
-------\Service_IlvMoneyDRIVER53


((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 02:22 --------- d-----w c:\documents and settings\Reeko\Application Data\DMCache
2009-01-27 02:17 --------- d-----w c:\program files\microsoft frontpage
2009-01-27 02:17 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-27 02:17 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-27 02:11 77,824 ----a-w c:\windows\system32\kdfapi.dll
2009-01-27 02:11 722,472 ----a-w c:\windows\system32\kdfmgr.exe
2009-01-27 02:11 192,512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-01-27 02:07 53,248 ----a-w c:\windows\system32\Kdfhok.dll
2009-01-26 23:45 --------- d-----w c:\documents and settings\All Users\Application Data\Tiancity
2009-01-26 23:41 --------- d-----w c:\program files\TianCity
2009-01-26 20:16 --------- d-----w c:\program files\TimeAdjuster
2009-01-26 20:08 --------- d-----w c:\program files\SubMagic
2009-01-26 20:04 --------- d-----w c:\program files\URUSoft
2009-01-25 16:40 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-01-25 16:31 846,336 ----a-w c:\windows\system32\kdfinj.dll
2009-01-25 16:16 --------- d-----w c:\program files\Trend Micro
2009-01-25 16:10 80,400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-01-25 16:10 50,192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-01-25 16:10 49,680 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-01-25 16:10 36,368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-01-25 16:10 334,352 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-01-25 16:10 205,328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-01-25 16:10 144,912 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-01-25 16:10 1,195,448 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-01-25 16:03 --------- d-----w c:\program files\Symantec
2009-01-25 15:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-25 15:30 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-25 15:28 --------- d-----w c:\program files\Unlocker
2009-01-25 15:28 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-01-25 15:25 26,808 ----a-w c:\windows\system32\drivers\pxark.sys
2009-01-25 15:25 --------- d-----w c:\program files\PrevxCSI
2009-01-25 15:10 --------- d-----w c:\documents and settings\Reeko\Application Data\Eltima Software
2009-01-25 01:31 2,285,056 ----a-w c:\windows\system32\TUKernel.exe
2009-01-25 01:15 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-25 01:04 --------- d-----w c:\program files\Yahoo!
2009-01-25 01:03 --------- d-----w c:\documents and settings\All Users\Application Data\RapidSolution
2009-01-25 00:59 --------- d-----w c:\program files\Common Files\Roxio Shared
2009-01-25 00:59 --------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-01-25 00:54 603,904 ----a-w c:\windows\system32\TUProgSt.exe
2009-01-25 00:54 360,192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-01-25 00:54 --------- d-----w c:\program files\TuneUp Utilities 2009
2009-01-25 00:54 --------- d-----w c:\documents and settings\Reeko\Application Data\TuneUp Software
2009-01-25 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-01-25 00:52 --------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-01-25 00:50 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-25 00:06 --------- d--h--w c:\documents and settings\Reeko\Application Data\ijjigame
2009-01-25 00:05 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-01-25 00:01 47,360 ----a-w c:\documents and settings\Reeko\Application Data\pcouffin.sys
2009-01-25 00:01 --------- d-----w c:\documents and settings\Reeko\Application Data\Vso
2009-01-22 00:47 70,048 ----a-w c:\windows\system32\drivers\TPkd.sys
2009-01-22 00:47 679,936 ----a-w c:\windows\system32\ilinet.dll
2009-01-17 12:45 --------- d-----w c:\documents and settings\Reeko\Application Data\Desktopicon
2009-01-17 01:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-17 01:53 --------- d-----w c:\documents and settings\Reeko\Application Data\Malwarebytes
2009-01-17 01:52 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 23:45 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\PC Suite
2009-01-16 23:36 --------- d-----w c:\program files\VirtualNetwork
2009-01-16 23:33 --------- d-----w c:\program files\Web Publish
2009-01-14 23:07 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 19:20 --------- d-----w c:\documents and settings\All Users\Application Data\sctemp
2009-01-14 18:57 --------- d-----w c:\program files\Free Hide Folder
2009-01-14 12:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 12:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-13 11:34 --------- d-----w c:\documents and settings\Reeko\Application Data\DVD Flick
2009-01-08 15:18 14,588 ----a-w c:\windows\inf\yl5vf.zip
2009-01-08 10:13 --------- d-----w c:\program files\HelpWithMath
2009-01-06 10:05 --------- d-----w c:\program files\GetData
2009-01-03 23:15 28,964 ----a-w c:\windows\inf\kl1f7.zip
2009-01-02 17:01 --------- d-----w c:\program files\Internet Download Manager
2008-12-29 09:32 --------- d-----w c:\documents and settings\Reeko\Application Data\Apple Computer
2008-12-29 09:31 --------- d-----w c:\program files\iTunes
2008-12-29 09:31 --------- d-----w c:\program files\iPod
2008-12-29 09:31 --------- d-----w c:\program files\Common Files\Apple
2008-12-29 09:31 --------- d-----w c:\program files\Bonjour
2008-12-29 09:31 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-29 09:31 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-29 09:30 --------- d-----w c:\program files\QuickTime
2008-12-29 09:06 --------- d-----w c:\program files\Apple Software Update
2008-12-29 09:05 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-28 12:32 --------- d-----w c:\program files\IrfanView
2008-12-25 14:30 --------- d-----w c:\documents and settings\Reeko\Application Data\PC Suite
2008-12-23 15:46 --------- d-----w c:\documents and settings\Reeko\Application Data\Skype
2008-12-23 12:05 --------- d-----w c:\documents and settings\Reeko\Application Data\skypePM
2008-12-17 15:02 --------- d-----w c:\documents and settings\All Users\Application Data\Launcher
2008-12-17 14:50 --------- d-----w c:\documents and settings\Reeko\Application Data\MozillaControl
2008-12-17 14:50 --------- d-----w c:\documents and settings\All Users\Application Data\Graboid Inc
2008-12-17 11:03 206,256 ----a-w c:\windows\system32\idmmbc.dll
2008-12-12 01:54 --------- d-----w c:\program files\Free RM to MP3 Converter
2008-12-12 01:39 --------- d-----w c:\program files\PixiePack Codec Pack
2008-12-12 01:29 --------- d-----w c:\program files\Common Files\Download Manager
2008-12-11 23:35 --------- d-----w c:\documents and settings\Reeko\Application Data\Media Player Classic
2008-12-11 20:57 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-11 20:56 --------- d-----w c:\program files\DirectVobSub
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 09:31 27,904 ----a-w c:\windows\system32\uxtuneup.dll
2008-12-10 17:52 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2008-12-10 17:41 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-12-10 15:13 --------- d-----w c:\program files\Rockstar Games
2008-12-10 15:10 --------- d-----w c:\program files\MSBuild
2008-12-10 15:08 --------- d-----w c:\program files\Reference Assemblies
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [04/14/2008 04:12 AM 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM 5724184]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [01/25/2009 08:10 PM 497008]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [01/02/2009 09:01 PM 2745776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM 583048]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [01/25/2009 08:10 PM 970808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [04/14/2008 04:12 AM 15360]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [01/25/2009 08:10 PM 497008]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
05/28/2008 12:32 PM 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Reeko^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Reeko\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 06/12/2008 02:38 AM 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog303]
--a------ 06/23/2005 11:13 AM 61440 c:\windows\VM303_STI.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 04/14/2008 04:12 AM 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 04/01/2008 01:39 PM 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 11/08/2007 11:56 AM 166424 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 01/02/2009 09:01 PM 2745776 c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 11/08/2007 11:56 AM 141848 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 07/27/2007 04:00 PM 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 06/24/2008 04:06 PM 1840424 c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 09/28/2008 06:58 PM 1168264 c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 11/20/2008 01:20 PM 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a------ 08/31/2007 11:13 PM 988584 c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
--a------ 01/14/2009 04:11 PM 399504 c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 10/18/2007 11:34 AM 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 06/08/2008 09:31 AM 2221352 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 06/19/2008 09:53 AM 570664 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 03/26/2008 06:41 PM 1232896 c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 04/16/2008 12:53 PM 1079808 c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
-ra------ 11/08/2007 11:56 AM 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 07/27/2007 04:00 PM 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 07/27/2007 04:00 PM 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 11/04/2008 10:30 AM 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
--a------ 12/21/2008 10:07 PM 306088 c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 09/25/2008 10:56 AM 25565992 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 11/10/2006 12:35 PM 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 06/10/2008 04:27 AM 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 06/27/2008 08:20 AM 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 05/02/2008 08:15 AM 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 08/30/2007 05:43 PM 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 05/03/2005 02:43 PM 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 10/25/2007 07:57 AM 16855552 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 10/11/2007 07:04 AM 1826816 c:\windows\SkyTel.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Reeko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"IDMan"=c:\program files\Internet Download Manager\IDMan.exe /onboot
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TianCity\\PopKart\\M01\\NMService.exe"=

R0 pxark;pxark;c:\windows\system32\drivers\pxark.sys [2009-01-25 26808]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-05-16 30720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-01-17 15504]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-01-25 334352]
R4 CSIScanner;CSIScanner;c:\program files\PrevxCSI\prevxcsi.exe [2009-01-25 927288]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-06-29 45848]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-01-17 170640]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-01-25 181584]
R4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-25 49680]
R4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-25 492888]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-01-25 36368]
R4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-25 677128]
R4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-01-25 603904]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [2008-06-05 508544]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\drivers\DrmRVideo32.sys [2008-06-05 3768]
S3 lredbooo;lredbooo;\??\c:\docume~1\Reeko\LOCALS~1\Temp\lredbooo.sys --> c:\docume~1\Reeko\LOCALS~1\Temp\lredbooo.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-09-28 356920]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2008-12-12 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2008-12-12 3768]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2007-02-15 26624]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2008-01-30 25216]
S3 XDva207;XDva207;\??\c:\windows\system32\XDva207.sys --> c:\windows\system32\XDva207.sys [?]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de697305-2357-11dd-8b01-001e8cdaf97f}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5c35708-8d98-11dd-8b48-001e8cdaf97f}]
\Shell\AutoRun\command - l:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
\Shell\open\command - l:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebbc0c88-5795-11dd-8b2a-001e8cdaf97f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}]
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [12/11/2008 09:36 PM]

2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [07/30/2008 12:34 PM]

2009-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-813497703-725345543-1003.job
- c:\documents and settings\Reeko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [01/18/2009 06:01 PM]

2009-01-27 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [10/23/2008 06:34 PM]

2009-01-21 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [10/23/2008 06:34 PM]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Acronis Scheduler2 Service - c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
MSConfigStartUp-AcronisTimounterMonitor - c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-osCheck - c:\program files\Norton Internet Security\osCheck.exe
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
MSConfigStartUp-Steam - c:\program files\Steam\Steam.exe
MSConfigStartUp-sysftray2 - c:\windows\bolivar20.exe
MSConfigStartUp-Tester - c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
MSConfigStartUp-TrueImageMonitor - c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
MSConfigStartUp-c0 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy1.emirates.net.ae:8080
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
FF - ProfilePath - c:\documents and settings\Reeko\Application Data\Mozilla\Firefox\Profiles\ohnjogag.default\
FF - component: c:\documents and settings\Reeko\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Reeko\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 06:18:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-813497703-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0e,91,e9,63,b7,fc,c2,2a,3e,6d,fe,cd,0b,88,a3,47,ed,32,05,c1,8f,0c,15,
d0,f9,bb,8f,a0,4c,ab,1e,a3,f6,0b,82,0b,bd,2d,42,f3,7b,81,75,ca,ce,89,27,b7,\
"??"=hex:b6,7a,d0,d9,cf,2f,fb,c2,1d,6b,15,4d,32,4a,57,20

[HKEY_USERS\S-1-5-21-343818398-813497703-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:51,d5,fa,29,e8,1f,46,25,95,5d,7e,7a,9a,b0,9c,e7,3e,74,d5,c3,b2,
17,b0,ff,d0,2c,3e,f8,b0,b3,27,be,d1,94,aa,63,25,18,a1,b1,ff,5c,c9,54,03,b2,\
"rkeysecu"=hex:7d,29,dd,06,70,6e,ef,6f,9c,fc,53,59,d6,9f,b5,94

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):fb,c7,92,a7,c2,5f,ce,e1,da,13,0f,99,09,b0,da,74,19,2b,9a,a9,50,
bc,bb,3f,50,87,75,47,25,98,ec,df,ad,cd,88,e8,30,fa,9c,b4,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):81,b0,52,c5,32,d5,7c,3a,d0,a1,27,74,7c,5e,2a,c3,5d,25,14,e6,62,
4f,95,3a,3b,73,70,6b,05,c0,8f,9d,1d,53,17,ec,7d,87,de,7f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{dc37da62-e0e1-4ad4-83c9-fc50dbb3d08d}]
@Denied: (Full) (Everyone)
"Model"=dword:000000d7
"Therad"=dword:0000002e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{e8a4e929-95a6-4e68-819a-57d3a0aff4ca}]
@Denied: (Full) (Everyone)
"Model"=dword:0000000d
"Therad"=dword:00000008
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b1,65,0f,6c,3c,
45,18,27,04,a3,b7,bd,5b,11,77,40,3f,8b,f1,13,44,83,29,a5,63,85,3c,07,53,11,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
c:\program files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 01/27/2009 6:31:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-27 02:30:09

Pre-Run: 51,277,234,176 bytes free
Post-Run: 51,430,080,512 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
437 --- E O F --- 2009-01-14 23:07:30

Hijackthis LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:13 AM, on 1/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553544400} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 11352 bytes


Startup is a little faster, and so is the computer. Please check if there's anything else. Thanks :thumbsup:.

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:04:21 AM

Posted 27 January 2009 - 08:26 AM

Hello Reeko.

Please make sure your protection is disabled.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\system32\kdfapi.dll
    c:\windows\system32\kdfmgr.exe
    c:\windows\system32\kdfvmgr.exe
    c:\windows\system32\Kdfhok.dll
    c:\windows\system32\kdfinj.dll
    c:\windows\inf\yl5vf.zip
    c:\windows\inf\kl1f7.zip
    c:\docume~1\Reeko\LOCALS~1\Temp\lredbooo.sys
    l:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de697305-2357-11dd-8b01-001e8cdaf97f}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5c35708-8d98-11dd-8b48-001e8cdaf97f}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebbc0c88-5795-11dd-8b2a-001e8cdaf97f}]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}]
    
    Driver::
    lredbooo
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the ComboFix log
-the F-Secure scan log

With Regards,
The Panda

#5 reeko

reeko
  • Topic Starter

  • Members
  • 8 posts
  • Local time:12:21 PM

Posted 27 January 2009 - 11:17 AM

F-Secure LOG

Scanning Report
Tuesday, January 27, 2009 19:00:51 - 20:13:58
Computer name: REEKO-C0E3DA2F4
Scanning type: Scan system for malware, rootkits
Target: C:\ J:\


--------------------------------------------------------------------------------

Result: 15 malware found
Backdoor.Win32.Bifrose (virus)
System
Backdoor.Win32.Bifrose.abov (virus)
C:\DOCUMENTS AND SETTINGS\REEKO\MY DOCUMENTS\SETUP.EXE
C:\CONFIG.MSI\WIN322.EXE (Renamed & Submitted)
C:\CONFIG.MSI\WIN32_2.EXE (Renamed & Submitted)
IM-Worm.Win32.Kelvir (virus)
System
IM-Worm.Win32.Kelvir.fu (virus)
C:\DOCUMENTS AND SETTINGS\REEKO\DESKTOP\GZBOTPRO2.20\GZBOTPRO2.23\GB.EXE
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Adbrite (spyware)
System
TrackingCookie.Doubleclick (spyware)
System
TrackingCookie.Webtrends (spyware)
System
Trojan.Win32.ConnectionServices (virus)
System
Trojan.Win32.ConnectionServices.aa (virus)
C:\PROGRAM FILES\VIRTUALNETWORK\VIRTUALNETWORK.DLL
W32/Kut.gen1 (virus)
C:\DOCUMENTS AND SETTINGS\REEKO\DESKTOP\GZBOTPRO2.20\GZBOTPRO2.23\GZBOTPRO.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\REEKO\DESKTOP\GZBOTPRO2.20\GZBOTPRO2.20\GZBOTPRO.EXE (Submitted)
W32/Packed_PeSpin.A (virus)
C:\DOCUMENTS AND SETTINGS\REEKO\DESKTOP\FIREFOX\STYLE XP 3.19\KEYGEN\KEYGEN [ STYLE XP 3.19 ].EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 40981
System: 4918
Not scanned: 7
Actions:
Disinfected: 0
Renamed: 2
Deleted: 0
None: 13
Submitted: 5
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Blacklight: 0.0.0
F-Secure Hydra: 2.8.8110, 2009-01-27
F-Secure Pegasus: 1.20.0, 1970-00-01
F-Secure AVP: 7.0.171, 2009-01-26
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

ComboFix LOG
ComboFix 09-01-21.04 - Reeko 01/27/2009 18:28:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1256.1.1033.18.3071.2487 [GMT 4:00]
Running from: c:\documents and settings\Reeko\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Reeko\Desktop\CFScript.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\docume~1\Reeko\LOCALS~1\Temp\lredbooo.sys
c:\windows\inf\kl1f7.zip
c:\windows\inf\yl5vf.zip
c:\windows\system32\kdfapi.dll
c:\windows\system32\Kdfhok.dll
c:\windows\system32\kdfinj.dll
c:\windows\system32\kdfmgr.exe
c:\windows\system32\kdfvmgr.exe
l:\system\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\inf\kl1f7.zip
c:\windows\inf\yl5vf.zip
c:\windows\system32\kdfapi.dll
c:\windows\system32\Kdfhok.dll
c:\windows\system32\kdfinj.dll
c:\windows\system32\kdfmgr.exe
c:\windows\system32\kdfvmgr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LREDBOOO
-------\Service_lredbooo


((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 14:36 --------- d-----w c:\documents and settings\Reeko\Application Data\DMCache
2009-01-27 02:17 --------- d-----w c:\program files\microsoft frontpage
2009-01-27 02:17 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-27 02:17 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-26 23:45 --------- d-----w c:\documents and settings\All Users\Application Data\Tiancity
2009-01-26 23:41 --------- d-----w c:\program files\TianCity
2009-01-26 20:16 --------- d-----w c:\program files\TimeAdjuster
2009-01-26 20:08 --------- d-----w c:\program files\SubMagic
2009-01-26 20:04 --------- d-----w c:\program files\URUSoft
2009-01-25 16:40 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-01-25 16:16 --------- d-----w c:\program files\Trend Micro
2009-01-25 16:10 80,400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-01-25 16:10 50,192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-01-25 16:10 49,680 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-01-25 16:10 334,352 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-01-25 16:10 144,912 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-01-25 16:03 --------- d-----w c:\program files\Symantec
2009-01-25 15:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-25 15:30 --------- d-----w c:\program files\Windows Media Connect 2
2009-01-25 15:28 --------- d-----w c:\program files\Unlocker
2009-01-25 15:28 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-01-25 15:25 26,808 ----a-w c:\windows\system32\drivers\pxark.sys
2009-01-25 15:25 --------- d-----w c:\program files\PrevxCSI
2009-01-25 15:10 --------- d-----w c:\documents and settings\Reeko\Application Data\Eltima Software
2009-01-25 01:15 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-25 01:04 --------- d-----w c:\program files\Yahoo!
2009-01-25 01:03 --------- d-----w c:\documents and settings\All Users\Application Data\RapidSolution
2009-01-25 00:59 --------- d-----w c:\program files\Common Files\Roxio Shared
2009-01-25 00:59 --------- d-----w c:\documents and settings\All Users\Application Data\Roxio
2009-01-25 00:54 --------- d-----w c:\program files\TuneUp Utilities 2009
2009-01-25 00:54 --------- d-----w c:\documents and settings\Reeko\Application Data\TuneUp Software
2009-01-25 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-01-25 00:52 --------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-01-25 00:50 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-25 00:06 --------- d--h--w c:\documents and settings\Reeko\Application Data\ijjigame
2009-01-25 00:05 --------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-01-25 00:01 47,360 ----a-w c:\documents and settings\Reeko\Application Data\pcouffin.sys
2009-01-25 00:01 --------- d-----w c:\documents and settings\Reeko\Application Data\Vso
2009-01-22 00:47 70,048 ----a-w c:\windows\system32\drivers\TPkd.sys
2009-01-17 12:45 --------- d-----w c:\documents and settings\Reeko\Application Data\Desktopicon
2009-01-17 01:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-17 01:53 --------- d-----w c:\documents and settings\Reeko\Application Data\Malwarebytes
2009-01-17 01:52 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 23:45 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\PC Suite
2009-01-16 23:36 --------- d-----w c:\program files\VirtualNetwork
2009-01-16 23:33 --------- d-----w c:\program files\Web Publish
2009-01-14 23:07 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 19:20 --------- d-----w c:\documents and settings\All Users\Application Data\sctemp
2009-01-14 18:57 --------- d-----w c:\program files\Free Hide Folder
2009-01-14 12:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 12:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-13 11:34 --------- d-----w c:\documents and settings\Reeko\Application Data\DVD Flick
2009-01-08 10:13 --------- d-----w c:\program files\HelpWithMath
2009-01-06 10:05 --------- d-----w c:\program files\GetData
2009-01-02 17:01 --------- d-----w c:\program files\Internet Download Manager
2008-12-29 09:32 --------- d-----w c:\documents and settings\Reeko\Application Data\Apple Computer
2008-12-29 09:31 --------- d-----w c:\program files\iTunes
2008-12-29 09:31 --------- d-----w c:\program files\iPod
2008-12-29 09:31 --------- d-----w c:\program files\Common Files\Apple
2008-12-29 09:31 --------- d-----w c:\program files\Bonjour
2008-12-29 09:31 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-29 09:31 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-29 09:30 --------- d-----w c:\program files\QuickTime
2008-12-29 09:06 --------- d-----w c:\program files\Apple Software Update
2008-12-29 09:05 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-28 12:32 --------- d-----w c:\program files\IrfanView
2008-12-25 14:30 --------- d-----w c:\documents and settings\Reeko\Application Data\PC Suite
2008-12-23 15:46 --------- d-----w c:\documents and settings\Reeko\Application Data\Skype
2008-12-23 12:05 --------- d-----w c:\documents and settings\Reeko\Application Data\skypePM
2008-12-17 15:02 --------- d-----w c:\documents and settings\All Users\Application Data\Launcher
2008-12-17 14:50 --------- d-----w c:\documents and settings\Reeko\Application Data\MozillaControl
2008-12-17 14:50 --------- d-----w c:\documents and settings\All Users\Application Data\Graboid Inc
2008-12-12 01:54 --------- d-----w c:\program files\Free RM to MP3 Converter
2008-12-12 01:39 --------- d-----w c:\program files\PixiePack Codec Pack
2008-12-12 01:29 --------- d-----w c:\program files\Common Files\Download Manager
2008-12-11 23:35 --------- d-----w c:\documents and settings\Reeko\Application Data\Media Player Classic
2008-12-11 20:57 --------- d-----w c:\program files\K-Lite Codec Pack
2008-12-11 20:56 --------- d-----w c:\program files\DirectVobSub
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-10 17:52 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2008-12-10 15:13 --------- d-----w c:\program files\Rockstar Games
2008-12-10 15:10 --------- d-----w c:\program files\MSBuild
2008-12-10 15:08 --------- d-----w c:\program files\Reference Assemblies
2008-12-10 14:57 3,532 ----a-w C:\drmHeader.bin
2008-12-10 14:51 --------- d-----w c:\program files\DivX
2008-12-09 20:23 --------- d-----w c:\program files\Spyware Doctor
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-11-28 14:25 --------- d-----w c:\program files\JAM Software
2008-11-28 14:25 --------- d-----w c:\documents and settings\Reeko\Application Data\JAM Software
2008-11-27 01:42 36,368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2008-11-27 01:42 205,328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2008-11-27 01:39 1,195,384 ----a-w c:\windows\system32\drivers\vsapint.sys
2008-06-18 21:10 22,328 ----a-w c:\documents and settings\Reeko\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [04/14/2008 04:12 AM 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM 5724184]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [01/25/2009 08:10 PM 497008]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [01/02/2009 09:01 PM 2745776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [01/29/2008 05:38 PM 583048]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [01/25/2009 08:10 PM 970808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [04/14/2008 04:12 AM 15360]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [01/25/2009 08:10 PM 497008]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
05/28/2008 12:32 PM 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Reeko^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Reeko\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 06/12/2008 02:38 AM 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog303]
--a------ 06/23/2005 11:13 AM 61440 c:\windows\VM303_STI.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 04/14/2008 04:12 AM 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 04/01/2008 01:39 PM 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 11/08/2007 11:56 AM 166424 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 01/02/2009 09:01 PM 2745776 c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 11/08/2007 11:56 AM 141848 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 07/27/2007 04:00 PM 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 06/24/2008 04:06 PM 1840424 c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 09/28/2008 06:58 PM 1168264 c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 11/20/2008 01:20 PM 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
--a------ 08/31/2007 11:13 PM 988584 c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
--a------ 01/14/2009 04:11 PM 399504 c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 10/18/2007 11:34 AM 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 06/08/2008 09:31 AM 2221352 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 06/19/2008 09:53 AM 570664 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 03/26/2008 06:41 PM 1232896 c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 04/16/2008 12:53 PM 1079808 c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
-ra------ 11/08/2007 11:56 AM 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 07/27/2007 04:00 PM 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 07/27/2007 04:00 PM 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 11/04/2008 10:30 AM 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC]
--a------ 12/21/2008 10:07 PM 306088 c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 09/25/2008 10:56 AM 25565992 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 11/10/2006 12:35 PM 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 06/10/2008 04:27 AM 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 06/27/2008 08:20 AM 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 05/02/2008 08:15 AM 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 08/30/2007 05:43 PM 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 05/03/2005 02:43 PM 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 10/25/2007 07:57 AM 16855552 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 10/11/2007 07:04 AM 1826816 c:\windows\SkyTel.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Reeko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"IDMan"=c:\program files\Internet Download Manager\IDMan.exe /onboot
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Codemasters\\GRID\\GRID.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TianCity\\PopKart\\M01\\NMService.exe"=

R0 pxark;pxark;c:\windows\system32\drivers\pxark.sys [2009-01-25 26808]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-05-16 30720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-01-17 15504]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-01-25 334352]
R4 CSIScanner;CSIScanner;c:\program files\PrevxCSI\prevxcsi.exe [2009-01-25 927288]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-06-29 45848]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-01-17 170640]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-01-25 181584]
R4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-25 49680]
R4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-25 492888]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-01-25 36368]
R4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-25 677128]
R4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-01-25 603904]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [2008-06-05 508544]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\drivers\DrmRVideo32.sys [2008-06-05 3768]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-09-28 356920]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2008-12-12 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2008-12-12 3768]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2007-02-15 26624]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2008-01-30 25216]
S3 XDva207;XDva207;\??\c:\windows\system32\XDva207.sys --> c:\windows\system32\XDva207.sys [?]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [12/11/2008 09:36 PM]

2009-01-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [07/30/2008 12:34 PM]

2009-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-813497703-725345543-1003.job
- c:\documents and settings\Reeko\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [01/18/2009 06:01 PM]

2009-01-27 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [10/23/2008 06:34 PM]

2009-01-21 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [10/23/2008 06:34 PM]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy1.emirates.net.ae:8080
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
FF - ProfilePath - c:\documents and settings\Reeko\Application Data\Mozilla\Firefox\Profiles\ohnjogag.default\
FF - component: c:\documents and settings\Reeko\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFTMUFEHelper.dll
FF - component: c:\program files\Trend Micro\TrendSecure\TISProToolbar\FirefoxExtension\components\FFToolbarComm.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Reeko\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 18:36:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-813497703-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0e,91,e9,63,b7,fc,c2,2a,3e,6d,fe,cd,0b,88,a3,47,ed,32,05,c1,8f,0c,15,
d0,f9,bb,8f,a0,4c,ab,1e,a3,f6,0b,82,0b,bd,2d,42,f3,7b,81,75,ca,ce,89,27,b7,\
"??"=hex:b6,7a,d0,d9,cf,2f,fb,c2,1d,6b,15,4d,32,4a,57,20

[HKEY_USERS\S-1-5-21-343818398-813497703-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:51,d5,fa,29,e8,1f,46,25,95,5d,7e,7a,9a,b0,9c,e7,3e,74,d5,c3,b2,
17,b0,ff,d0,2c,3e,f8,b0,b3,27,be,d1,94,aa,63,25,18,a1,b1,ff,5c,c9,54,03,b2,\
"rkeysecu"=hex:7d,29,dd,06,70,6e,ef,6f,9c,fc,53,59,d6,9f,b5,94

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):fb,c7,92,a7,c2,5f,ce,e1,da,13,0f,99,09,b0,da,74,19,2b,9a,a9,50,
bc,bb,3f,50,87,75,47,25,98,ec,df,ad,cd,88,e8,30,fa,9c,b4,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):81,b0,52,c5,32,d5,7c,3a,d0,a1,27,74,7c,5e,2a,c3,5d,25,14,e6,62,
4f,95,3a,3b,73,70,6b,05,c0,8f,9d,1d,53,17,ec,7d,87,de,7f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{dc37da62-e0e1-4ad4-83c9-fc50dbb3d08d}]
@Denied: (Full) (Everyone)
"Model"=dword:000000d7
"Therad"=dword:0000002e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{e8a4e929-95a6-4e68-819a-57d3a0aff4ca}]
@Denied: (Full) (Everyone)
"Model"=dword:0000000d
"Therad"=dword:00000008
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b1,65,0f,6c,3c,
45,18,27,04,a3,b7,bd,5b,11,77,40,3f,8b,f1,13,44,83,29,a5,63,85,3c,07,53,11,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(388)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trend Micro\TrendSecure\TSCFCommander.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\platformdependent\ProToolbarComm.exe
c:\program files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
.
**************************************************************************
.
Completion time: 01/27/2009 18:46:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-27 14:45:38
ComboFix2.txt 2009-01-27 02:31:33

Pre-Run: 51,403,554,816 bytes free
Post-Run: 51,384,176,640 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
420 --- E O F --- 2009-01-14 23:07:30


Is it clean? Thanks.

#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 27 January 2009 - 11:51 AM

Hello.

Looks clean except for those keygens you have. Those are bundled with infections more often than not. I would delete them:
C:\DOCUMENTS AND SETTINGS\REEKO\MY DOCUMENTS\SETUP.EXE
C:\CONFIG.MSI\WIN322.EXE
C:\CONFIG.MSI\WIN32_2.EXE
C:\DOCUMENTS AND SETTINGS\REEKO\DESKTOP\GZBOTPRO2.20\GZBOTPRO2.23\GB.EXE
C:\PROGRAM FILES\VIRTUALNETWORK\VIRTUALNETWORK.DLL
C:\DOCUMENTS AND SETTINGS\REEKO\DESKTOP\GZBOTPRO2.20\GZBOTPRO2.23\GZBOTPRO.EXE
C:\DOCUMENTS AND SETTINGS\REEKO\DESKTOP\GZBOTPRO2.20\GZBOTPRO2.20\GZBOTPRO.EXE
C:\DOCUMENTS AND SETTINGS\REEKO\DESKTOP\FIREFOX\STYLE XP 3.19\KEYGEN\KEYGEN [ STYLE XP 3.19 ].EXE

Let's update your Java and you are good to go.

Update Java to Version 6 Update 11
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer for Windows (32-bit) here. Follow the prompts to install and delete the installer after use.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, which give some advice and suggestions for preventing future infections. For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda
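As an added example (not part of the original thread or the responder's instructions), the PowerShell script below verifies the clean-up steps in the post above before the "am I clean?" reply goes back: it reports which of the listed files are still on disk (with size, timestamp and hash, so a leftover can be identified rather than just deleted), lists every Java runtime still registered in Add/Remove Programs, and checks for typical ComboFix leftovers. The ComboFix paths (C:\Qoobox, C:\ComboFix.txt) are assumed typical locations and do not come from the log; Get-FileHash is only used where available (PowerShell 4.0 or later).

```powershell
# Added verification script, not from the original thread. Assumes Windows
# PowerShell 2.0 or later, run from an elevated prompt. It deletes nothing:
# it only reports what is still on the machine so the result can be posted back.

# 1. Files the responder asked to be removed (paths copied from the post above).
$leftovers = @(
    'C:\Documents and Settings\Reeko\My Documents\SETUP.EXE',
    'C:\CONFIG.MSI\WIN322.EXE',
    'C:\CONFIG.MSI\WIN32_2.EXE',
    'C:\Documents and Settings\Reeko\Desktop\GZBOTPRO2.20\GZBOTPRO2.23\GB.EXE',
    'C:\Program Files\VIRTUALNETWORK\VIRTUALNETWORK.DLL',
    'C:\Documents and Settings\Reeko\Desktop\GZBOTPRO2.20\GZBOTPRO2.23\GZBOTPRO.EXE',
    'C:\Documents and Settings\Reeko\Desktop\GZBOTPRO2.20\GZBOTPRO2.20\GZBOTPRO.EXE',
    'C:\Documents and Settings\Reeko\Desktop\FIREFOX\STYLE XP 3.19\KEYGEN\KEYGEN [ STYLE XP 3.19 ].EXE'
)

# Get-FileHash exists from PowerShell 4.0; fall back gracefully on older hosts.
$canHash = [bool](Get-Command Get-FileHash -ErrorAction SilentlyContinue)

foreach ($path in $leftovers) {
    # -LiteralPath so the square brackets in the keygen path are not read as wildcards.
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $hash = if ($canHash) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { 'n/a' }
        Write-Output ('STILL PRESENT  {0}  ({1} bytes, modified {2}, SHA256 {3})' -f $path, $item.Length, $item.LastWriteTime, $hash)
    } else {
        Write-Output ('gone           {0}' -f $path)
    }
}

# 2. Java runtimes still registered in Add/Remove Programs. The post says to remove
#    every 'Java', 'J2SE Runtime' and 'Java Runtime Environment' entry before
#    installing 6 Update 11, so anything listed here is unfinished work.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # absent on 32-bit XP, ignored
)
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|J2SE' } |
    Select-Object DisplayName, DisplayVersion, UninstallString

if ($java) {
    Write-Output 'Java entries still registered:'
    $java | Format-Table -AutoSize | Out-String | Write-Output
} else {
    Write-Output 'No Java runtime registered in Add/Remove Programs.'
}

# 3. ComboFix leftovers after 'combofix /u'. These are assumed typical locations
#    (the quarantine folder and the last report), not paths taken from the log.
foreach ($cf in 'C:\Qoobox', 'C:\ComboFix.txt') {
    if (Test-Path -LiteralPath $cf) { Write-Output ('ComboFix leftover: {0}' -f $cf) }
}
```

Save it as Verify-Cleanup.ps1 and run it with `powershell -ExecutionPolicy Bypass -File Verify-Cleanup.ps1` from an Administrator prompt. Reporting instead of deleting is deliberate: a file that the earlier tools did not remove is worth a hash lookup before it is destroyed, and a Java entry still present in the Uninstall key means the "remove all instances" step was not completed.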

#7 reeko
  • Topic Starter
  • Members
  • 8 posts

Posted 27 January 2009 - 01:20 PM

Thank you so much, my computer runs a lot faster now.
But I can't find
C:\DOCUMENTS AND SETTINGS\REEKO\MY DOCUMENTS\SETUP.EXE
I looked but it wasn't there and I have deleted everything else you told me to delete.

Updated Java already and uninstalled ComboFix.

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 27 January 2009 - 04:56 PM

Hello.

But I can't find
C:\DOCUMENTS AND SETTINGS\REEKO\MY DOCUMENTS\SETUP.EXE
I looked but it wasn't there and I have deleted everything else you told me to delete.

No problem. F-Secure probably removed it already.

Looks like you are good to go.

With Regards,
The Panda

#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 February 2009 - 10:38 AM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
