Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help I'm infected!


  • This topic is locked This topic is locked
9 replies to this topic

#1 .4ngryToasters

.4ngryToasters

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 21 January 2009 - 01:36 PM

The first thing that happened was all my system restore points were deleted, then Spybot S&D started warning me about registry values being added or deleted. Next my windows automatic update was turned off and can't be turned back on. Now when I restart my computer there is a noticeable stall after windows loads, but before my login screen. I ran Hijackthis today and generated the following report. Please help me out bleeping computer!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:05 PM, on 1/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Qliner Hotkeys\HotKeys.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [00Hotkeys] "C:\Program Files\Qliner Hotkeys\HotKeys.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - AppInit_DLLs: murpxh.dll nmofye.dll enbrsd.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10675 bytes


BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:26 AM

Posted 29 January 2009 - 05:52 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable McAfee:
  • Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
    Right-click it -> chose Exit.
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 .4ngryToasters

.4ngryToasters
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 30 January 2009 - 11:13 PM

Hi Panda. Thanks for helping me out with my problem. As far as changes go, I had someone help me get rid of some of the malware, and was able to get windows automatic update back up, but I still haven't gotten rid of the virus.

I'll post the combofix log, followed by the HijackThis log
Here is my combo fix log

[coe]ComboFix 09-01-21.04 - Greg St.James 2009-01-30 23:01:08.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.1950 [GMT -5:00]
Running from: c:\documents and settings\Greg St.James\Desktop\Tool Box\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *disabled*
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-29 00:51 . 2009-01-29 00:51 <DIR> d-------- c:\program files\InCode Solutions
2009-01-28 23:02 . 2009-01-28 23:03 <DIR> d-------- c:\windows\ERUNT
2009-01-28 23:02 . 2009-01-28 23:02 <DIR> d-------- c:\documents and settings\Greg St.James\backupreg
2009-01-28 23:01 . 2009-01-28 23:01 <DIR> d-------- c:\documents and settings\Greg St.James\backups
2009-01-28 23:01 . 2004-08-04 07:00 146,432 --a------ c:\documents and settings\Greg St.James\editreg.exe
2009-01-28 23:01 . 2004-08-04 07:00 27,136 --a------ c:\documents and settings\Greg St.James\rtsdnif.exe
2009-01-28 23:01 . 2004-08-04 07:00 11,264 --a------ c:\documents and settings\Greg St.James\attrib.exe
2009-01-28 23:01 . 2004-08-04 07:00 9,216 --a------ c:\documents and settings\Greg St.James\dnif.exe
2009-01-28 22:51 . 2009-01-29 00:28 <DIR> d-------- C:\SDFix
2009-01-28 22:31 . 2009-01-28 22:31 <DIR> d-------- c:\documents and settings\Administrator
2009-01-27 23:26 . 2009-01-29 01:21 35,317 --ahs---- c:\windows\system32\CLkTEfhk.ini2
2009-01-27 23:24 . 2009-01-27 23:24 91 --a------ c:\windows\wininit.ini
2009-01-27 22:16 . 2009-01-27 22:16 129,024 --a------ c:\windows\system32\jthqmx.dll
2009-01-27 22:16 . 2009-01-27 22:16 129,024 --a------ c:\windows\system32\bgemvmwh.dll
2009-01-25 10:54 . 2009-01-25 10:54 129,024 --a------ c:\windows\system32\pmjvap.dll
2009-01-25 10:54 . 2009-01-25 10:54 129,024 --a------ c:\windows\system32\gbsqfdjg.dll
2009-01-23 20:55 . 2009-01-23 20:55 129,024 --a------ c:\windows\system32\qijjrejw.dll
2009-01-23 20:55 . 2009-01-23 20:55 129,024 --a------ c:\windows\system32\jiueem.dll
2009-01-23 00:34 . 2009-01-23 00:34 242,176 --a------ c:\windows\system32\risky.exe
2009-01-22 22:04 . 2009-01-22 22:04 72,704 --a------ c:\windows\system32\piuupswl.dll
2009-01-22 22:01 . 2009-01-22 22:01 129,024 --a------ c:\windows\system32\zsqfmm.dll
2009-01-22 22:01 . 2009-01-22 22:01 129,024 --a------ c:\windows\system32\netoloje.dll
2009-01-21 13:26 . 2009-01-21 13:26 <DIR> d-------- c:\program files\Trend Micro
2009-01-21 13:19 . 2009-01-21 13:19 129,024 --a------ c:\windows\system32\eynqqdvr.dll
2009-01-21 13:19 . 2009-01-21 13:19 129,024 --a------ c:\windows\system32\enbrsd.dll
2009-01-21 13:18 . 2009-01-21 13:18 72,704 --a------ c:\windows\system32\sebxbnft.dll
2009-01-20 22:10 . 2009-01-20 22:10 129,024 --a------ c:\windows\system32\nmofye.dll
2009-01-20 22:10 . 2009-01-20 22:10 129,024 --a------ c:\windows\system32\bqdcdgiv.dll
2009-01-20 22:07 . 2009-01-20 22:07 72,704 --a------ c:\windows\system32\iahuotql.dll
2009-01-19 11:57 . 2009-01-19 11:57 129,024 --a------ c:\windows\system32\murpxh.dll
2009-01-19 11:57 . 2009-01-19 11:57 129,024 --a------ c:\windows\system32\igeakleb.dll
2009-01-19 11:57 . 2009-01-19 11:58 72,704 --a------ c:\windows\system32\vaxmrvbb.dll
2009-01-18 15:00 . 2009-01-18 15:00 129,024 --a------ c:\windows\system32\sctbjwuh.dll
2009-01-18 15:00 . 2009-01-18 15:00 129,024 --a------ c:\windows\system32\eygvpw.dll
2009-01-17 14:58 . 2009-01-17 14:58 129,024 --a------ c:\windows\system32\yiytsoya.dll
2009-01-17 14:58 . 2009-01-17 14:58 129,024 --a------ c:\windows\system32\keclac.dll
2009-01-17 14:55 . 2009-01-17 14:55 72,704 --a------ c:\windows\system32\ooknoymd.dll
2009-01-17 14:31 . 2009-01-29 01:23 35,317 --ahs---- c:\windows\system32\CLkTEfhk.ini
2008-12-26 22:53 . 2008-12-26 22:53 <DIR> d-------- c:\program files\iPod
2008-12-26 22:52 . 2008-12-26 22:53 <DIR> d-------- c:\program files\iTunes
2008-12-26 22:52 . 2008-12-26 22:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-26 22:51 . 2008-12-26 22:51 <DIR> d-------- c:\program files\QuickTime
2008-12-26 22:50 . 2008-12-26 22:52 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-26 22:50 . 2008-12-26 22:50 <DIR> d-------- c:\program files\Apple Software Update
2008-12-26 22:50 . 2008-12-26 22:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-26 22:50 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-12-24 00:57 . 2008-12-24 00:57 754 --a------ c:\windows\WORDPAD.INI
2008-12-22 01:24 . 2008-12-22 01:24 <DIR> d-------- c:\documents and settings\Greg St.James\Application Data\webex
2008-12-10 02:07 . 2008-12-10 02:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\2DBoy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 06:10 --------- d-----w c:\program files\DNA
2009-01-29 05:55 --------- d-----w c:\documents and settings\Greg St.James\Application Data\DNA
2009-01-28 03:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 00:09 --------- d-----w c:\program files\CCleaner
2009-01-22 13:37 --------- d-----w c:\documents and settings\Greg St.James\Application Data\BitTorrent
2009-01-22 03:04 --------- d-----w c:\program files\Bit Che
2008-12-29 20:12 --------- d-----w c:\documents and settings\Greg St.James\Application Data\Apple Computer
2008-12-27 03:52 --------- d-----w c:\program files\Bonjour
2008-12-27 03:51 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-21 19:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-18 05:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:20 667,648 ----a-w c:\windows\system32\wininet.dll
2008-10-16 10:20 1,499,136 ----a-w c:\windows\system32\shdocvw(2).dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-02-04 22:01 1,297,850 ----a-w c:\program files\bit_che_1_0_59.exe
2008-02-04 21:51 878,192 ----a-w c:\program files\BitTorrent-6.0.exe
2006-11-07 20:06 147 -c--a-w c:\program files\_DEISREG.ISR
1998-08-24 16:09 10,000 ----a-w c:\windows\inf\unregpn.exe
1997-04-23 06:16 40,960 ----a-w c:\program files\_ISREG32.DLL
2008-12-22 06:24 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-12-22 06:24 126,360 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-12-22 06:24 46,408 ----a-w c:\program files\mozilla firefox\plugins\atmccli.dll
2008-12-22 06:24 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-12-19 05:36 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 05:36 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 05:36 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 05:36 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 05:36 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-18_ 0.26.21.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-01-29 04:03:37 15,495,168 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2009-01-29 04:03:37 159,744 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04 163,328 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-01-29 04:03:12 15,495,168 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2009-01-29 04:03:12 159,744 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-12-27 03:53:46 102,400 ----a-r c:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
+ 2008-12-27 03:50:55 27,136 ----a-r c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2008-12-27 03:52:13 86,016 ----a-r c:\windows\Installer\{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}\PrntWzrdIco.exe
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-08-28 10:04:17 333,056 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2006-02-28 16:41:34 61,440 ----a-w c:\windows\system32\dns-sd.exe
+ 2008-08-29 15:18:58 87,336 ----a-w c:\windows\system32\dns-sd.exe
- 2006-02-28 16:41:22 53,248 ----a-w c:\windows\system32\dnssd.dll
+ 2008-08-29 14:53:50 61,440 ----a-w c:\windows\system32\dnssd.dll
- 2004-09-14 19:38:26 13,872 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2008-04-17 18:12:54 15,464 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2008-04-17 18:12:54 107,368 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspi.dll
+ 2008-04-17 18:12:54 15,464 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspiWDM.sys
+ 2008-11-07 19:23:30 32,000 -c--a-w c:\windows\system32\DRVSTORE\usbaapl_246F92BBD6449C86FC3F3F28C40D59AC1F69C558\usbaapl.sys
- 2008-11-11 16:31:14 1,596,992 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-20 04:45:50 1,597,048 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2004-09-14 19:38:26 78,896 ----a-w c:\windows\system32\GEARAspi.dll
+ 2008-04-17 18:12:54 107,368 ----a-w c:\windows\system32\GEARAspi.dll
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-12-18 04:04:18 6,234,656 -c--a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-01-17 18:50:27 9,820 -c--a-w c:\windows\system32\Restore\rstrlog.dat
- 2007-07-27 14:41:40 16,760 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2006-01-09 14:36:06 40,960 ----a-w c:\windows\system32\swsc.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-07 3032576]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-07-25 344064]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe" [2006-12-01 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Greg St.James\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-01-02 184320]
HP Digital Imaging Monitor.lnk.disabled [2006-11-04 1808]
HP Image Zone Fast Start.lnk.disabled [2006-11-04 798]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-12-03 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=G G G G G

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap c:\windows\system32\khfETkLC

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"StrgSync.exe"=c:\program files\StorageSync\StrgSync.exe -w

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\network associates\\common framework\\FrameworkService.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\day of defeat\\hl.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\counter-strike\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\source 2007 dedicated server\\srcds.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8081:TCP"= 8081:TCP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8081 tcp
"8081:UDP"= 8081:UDP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8081 udp
"8082:TCP"= 8082:TCP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8082 tcp
"8082:UDP"= 8082:UDP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8082 udp
"35766:TCP"= 35766:TCP:utorrent

R4 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4E664C73-FBF3-49FD-9372-5CE0321012B5} - (no file)
BHO-{51DCA3F0-6E54-4199-9AEB-90B3C1C5EA37} - (no file)
BHO-{7BDF8AEF-CE67-453B-8600-2C1C6E015A9C} - (no file)
BHO-{8A9B79A7-EB54-4D9E-B5CB-2D5350973CBF} - (no file)
BHO-{D67E82DE-61D1-4963-9210-0EF4C19CDBD9} - (no file)
BHO-{E462A9D9-84D9-431C-8C5A-A100FE27A90E} - (no file)
BHO-{F1186894-1520-437E-AE58-F47326A3132A} - c:\windows\system32\khfETkLC.dll
Notify-hgGwUlkk - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: foone.org
FF - ProfilePath - c:\documents and settings\Greg St.James\Application Data\Mozilla\Firefox\Profiles\6vfnsp7p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 23:01:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?8?3?-??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-73586283-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1204)
c:\windows\system32\murpxh.dll
c:\windows\system32\nmofye.dll
c:\windows\system32\enbrsd.dll
c:\windows\system32\jiueem.dll
c:\windows\system32\jthqmx.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1260)
c:\windows\system32\murpxh.dll
c:\windows\system32\nmofye.dll
c:\windows\system32\enbrsd.dll
c:\windows\system32\jiueem.dll
c:\windows\system32\jthqmx.dll
c:\windows\system32\relog_ap.dll
.
Completion time: 2009-01-30 23:05:08
ComboFix-quarantined-files.txt 2009-01-31 04:04:09
ComboFix2.txt 2009-01-18 01:17:33
ComboFix3.txt 2009-01-18 01:07:14
ComboFix4.txt 2008-12-18 05:26:58
ComboFix5.txt 2009-01-31 04:00:23

Pre-Run: 7,948,111,872 bytes free
Post-Run: 7,935,160,320 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
309 --- E O F --- 2009-01-14 07:57:01[/code]


HijackThis

[code=auto:0]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:10:17, on 1/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Qliner Hotkeys\HotKeys.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [00Hotkeys] "C:\Program Files\Qliner Hotkeys\HotKeys.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - AppInit_DLLs: G G G G G
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11091 bytes[/coe]

Edited by PropagandaPanda, 31 January 2009 - 10:14 AM.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:26 AM

Posted 31 January 2009 - 10:20 AM

Hello.

Let's see what we can do.

Please disable teatimer.

To disable SpyBot's TeaTimer:
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    KILLALL::
    File::
    c:\windows\system32\CLkTEfhk.ini2
    c:\windows\system32\jthqmx.dll
    c:\windows\system32\bgemvmwh.dll
    c:\windows\system32\pmjvap.dll
    c:\windows\system32\gbsqfdjg.dll
    c:\windows\system32\qijjrejw.dll
    c:\windows\system32\jiueem.dll
    c:\windows\system32\risky.exe
    c:\windows\system32\piuupswl.dll
    c:\windows\system32\zsqfmm.dll
    c:\windows\system32\netoloje.dll
    c:\windows\system32\eynqqdvr.dll
    c:\windows\system32\enbrsd.dll
    c:\windows\system32\sebxbnft.dll
    c:\windows\system32\nmofye.dll
    c:\windows\system32\bqdcdgiv.dll
    c:\windows\system32\iahuotql.dll
    c:\windows\system32\murpxh.dll
    c:\windows\system32\igeakleb.dll
    c:\windows\system32\vaxmrvbb.dll
    c:\windows\system32\sctbjwuh.dll
    c:\windows\system32\eygvpw.dll
    c:\windows\system32\yiytsoya.dll
    c:\windows\system32\keclac.dll
    c:\windows\system32\ooknoymd.dll
    c:\windows\system32\CLkTEfhk.ini
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6D,73,76,31,5F,30,20,72,65,6C,6F,67,5F,61,\
      70,00,00
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda

Edited by PropagandaPanda, 31 January 2009 - 10:24 AM.


#5 .4ngryToasters

.4ngryToasters
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 31 January 2009 - 01:12 PM

Sorry about the tea timer, totally forgot I had that running. After running combo fix with the script, the command prompts, that were popping up when my desktop loaded stopped, but now I'm getting errors (see attached screenshot). Also when I minimize programs, they don't show up on my start menu bar. Ok now for the logs. First is combofix, followed by GMER.


Combofix

[coe]ComboFix 09-01-21.04 - Greg St.James 2009-01-31 11:10:14.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.2052 [GMT -5:00]
Running from: c:\documents and settings\Greg St.James\Desktop\Tool Box\ComboFix.exe
Command switches used :: c:\documents and settings\Greg St.James\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
* Resident AV is active

.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\windows\system32\bgemvmwh.dll
c:\windows\system32\bqdcdgiv.dll
c:\windows\system32\CLkTEfhk.ini
c:\windows\system32\CLkTEfhk.ini2
c:\windows\system32\enbrsd.dll
c:\windows\system32\eygvpw.dll
c:\windows\system32\eynqqdvr.dll
c:\windows\system32\gbsqfdjg.dll
c:\windows\system32\iahuotql.dll
c:\windows\system32\igeakleb.dll
c:\windows\system32\jiueem.dll
c:\windows\system32\jthqmx.dll
c:\windows\system32\keclac.dll
c:\windows\system32\murpxh.dll
c:\windows\system32\netoloje.dll
c:\windows\system32\nmofye.dll
c:\windows\system32\ooknoymd.dll
c:\windows\system32\piuupswl.dll
c:\windows\system32\pmjvap.dll
c:\windows\system32\qijjrejw.dll
c:\windows\system32\risky.exe
c:\windows\system32\sctbjwuh.dll
c:\windows\system32\sebxbnft.dll
c:\windows\system32\vaxmrvbb.dll
c:\windows\system32\yiytsoya.dll
c:\windows\system32\zsqfmm.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bgemvmwh.dll
c:\windows\system32\bqdcdgiv.dll
c:\windows\system32\CLkTEfhk.ini
c:\windows\system32\CLkTEfhk.ini2
c:\windows\system32\enbrsd.dll
c:\windows\system32\eygvpw.dll
c:\windows\system32\eynqqdvr.dll
c:\windows\system32\gbsqfdjg.dll
c:\windows\system32\iahuotql.dll
c:\windows\system32\igeakleb.dll
c:\windows\system32\jiueem.dll
c:\windows\system32\jthqmx.dll
c:\windows\system32\keclac.dll
c:\windows\system32\murpxh.dll
c:\windows\system32\netoloje.dll
c:\windows\system32\nmofye.dll
c:\windows\system32\ooknoymd.dll
c:\windows\system32\piuupswl.dll
c:\windows\system32\pmjvap.dll
c:\windows\system32\qijjrejw.dll
c:\windows\system32\risky.exe
c:\windows\system32\sctbjwuh.dll
c:\windows\system32\sebxbnft.dll
c:\windows\system32\vaxmrvbb.dll
c:\windows\system32\yiytsoya.dll
c:\windows\system32\zsqfmm.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
.

2009-01-29 00:51 . 2009-01-29 00:51 <DIR> d-------- c:\program files\InCode Solutions
2009-01-28 23:02 . 2009-01-28 23:03 <DIR> d-------- c:\windows\ERUNT
2009-01-28 23:02 . 2009-01-28 23:02 <DIR> d-------- c:\documents and settings\Greg St.James\backupreg
2009-01-28 23:01 . 2009-01-28 23:01 <DIR> d-------- c:\documents and settings\Greg St.James\backups
2009-01-28 23:01 . 2004-08-04 07:00 146,432 --a------ c:\documents and settings\Greg St.James\editreg.exe
2009-01-28 23:01 . 2004-08-04 07:00 27,136 --a------ c:\documents and settings\Greg St.James\rtsdnif.exe
2009-01-28 23:01 . 2004-08-04 07:00 11,264 --a------ c:\documents and settings\Greg St.James\attrib.exe
2009-01-28 23:01 . 2004-08-04 07:00 9,216 --a------ c:\documents and settings\Greg St.James\dnif.exe
2009-01-28 22:51 . 2009-01-29 00:28 <DIR> d-------- C:\SDFix
2009-01-28 22:31 . 2009-01-28 22:31 <DIR> d-------- c:\documents and settings\Administrator
2009-01-27 23:24 . 2009-01-27 23:24 91 --a------ c:\windows\wininit.ini
2009-01-21 13:26 . 2009-01-21 13:26 <DIR> d-------- c:\program files\Trend Micro
2008-12-26 22:53 . 2008-12-26 22:53 <DIR> d-------- c:\program files\iPod
2008-12-26 22:52 . 2008-12-26 22:53 <DIR> d-------- c:\program files\iTunes
2008-12-26 22:52 . 2008-12-26 22:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-26 22:51 . 2008-12-26 22:51 <DIR> d-------- c:\program files\QuickTime
2008-12-26 22:50 . 2008-12-26 22:52 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-26 22:50 . 2008-12-26 22:50 <DIR> d-------- c:\program files\Apple Software Update
2008-12-26 22:50 . 2008-12-26 22:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-12-26 22:50 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2008-12-24 00:57 . 2008-12-24 00:57 754 --a------ c:\windows\WORDPAD.INI
2008-12-22 01:24 . 2008-12-22 01:24 <DIR> d-------- c:\documents and settings\Greg St.James\Application Data\webex
2008-12-10 02:07 . 2008-12-10 02:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\2DBoy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 06:10 --------- d-----w c:\program files\DNA
2009-01-29 05:55 --------- d-----w c:\documents and settings\Greg St.James\Application Data\DNA
2009-01-28 03:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 00:09 --------- d-----w c:\program files\CCleaner
2009-01-22 13:37 --------- d-----w c:\documents and settings\Greg St.James\Application Data\BitTorrent
2009-01-22 03:04 --------- d-----w c:\program files\Bit Che
2008-12-29 20:12 --------- d-----w c:\documents and settings\Greg St.James\Application Data\Apple Computer
2008-12-27 03:52 --------- d-----w c:\program files\Bonjour
2008-12-27 03:51 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-21 19:28 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-18 05:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-02-04 22:01 1,297,850 ----a-w c:\program files\bit_che_1_0_59.exe
2008-02-04 21:51 878,192 ----a-w c:\program files\BitTorrent-6.0.exe
2006-11-07 20:06 147 -c--a-w c:\program files\_DEISREG.ISR
1998-08-24 16:09 10,000 ----a-w c:\windows\inf\unregpn.exe
1997-04-23 06:16 40,960 ----a-w c:\program files\_ISREG32.DLL
2008-12-22 06:24 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-12-22 06:24 126,360 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-12-22 06:24 46,408 ----a-w c:\program files\mozilla firefox\plugins\atmccli.dll
2008-12-22 06:24 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-12-19 05:36 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 05:36 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 05:36 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 05:36 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 05:36 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe
2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\svchost.exe
2004-08-04 07:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\dllcache\svchost.exe

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 07:00 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 c:\windows\$NtUninstallKB925902$\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 c:\windows\system32\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 c:\windows\system32\dllcache\user32.dll

2008-04-13 19:12 82432 2ccc474eb85ceaa3e1fa1726580a3e5a c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\ws2_32.dll
2004-08-04 07:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\system32\dllcache\ws2_32.dll

2006-06-23 06:25 664576 64ce26db72810b30f7855ea51e1df836 c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
2006-09-14 03:31 664576 d207370287cf769aebebf03837784963 c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
2008-04-21 01:44 666112 2b0c24aa747a93a28987b6d65a4a74bc c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll
2008-04-21 01:24 666624 26f240c250e5b4b395cb4b178ba75437 c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
2008-06-23 10:09 666112 f12fbb673de9cc802c5dc518fe99aa2f c:\windows\$hf_mig$\KB953838\SP3GDR\wininet.dll
2008-06-23 09:54 666624 972299b7241ec325d8c7e5638c884925 c:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll
2008-08-20 00:30 666112 9af5f25124fbdc36e2b510729cba2674 c:\windows\$hf_mig$\KB956390\SP3GDR\wininet.dll
2008-08-19 23:58 666624 94418f53d2612c26dbadc04dafbc197c c:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll
2008-10-15 20:00 666112 1576318bf08d28cc61d1278114ad8d5b c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
2008-10-15 20:04 667136 e8fce58a470999350f64c591557f9e42 c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
2004-08-04 07:00 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\$NtUninstallKB918899$\wininet.dll
2006-06-23 06:02 658944 2b4db890936430c71419037039502752 c:\windows\$NtUninstallKB922760$\wininet.dll
2006-09-14 03:39 658944 621af3f6174a3f60677f5230e28bcc07 c:\windows\$NtUninstallKB925454$\wininet.dll
2006-10-23 10:34 664576 231ef4179acabe486376b5ca893f1076 c:\windows\$NtUninstallKB928090$\wininet.dll
2007-01-04 09:05 665088 3ffa1573fc274e5aa7467d03941c45ee c:\windows\$NtUninstallKB931768$\wininet.dll
2007-02-20 04:52 665600 b258c922d22deec880b60720531d7627 c:\windows\$NtUninstallKB933566$\wininet.dll
2007-04-18 07:46 665600 4261ba03afd659de04f0a17dfbdd454d c:\windows\$NtUninstallKB937143$\wininet.dll
2007-06-26 09:35 665600 e1a3dd68b5380b360a7310a64d9bb188 c:\windows\$NtUninstallKB939653$\wininet.dll
2007-08-22 07:55 665600 a1bc17eb3758d73c3938b2318820f5b4 c:\windows\$NtUninstallKB942615$\wininet.dll
2007-10-11 00:57 666112 80d660a49e0d118144423099b2a9f5da c:\windows\$NtUninstallKB944533$\wininet.dll
2007-12-06 19:44 666112 085a7c37f9c6ede1ba870b7dbec06399 c:\windows\$NtUninstallKB947864$\wininet.dll
2008-02-16 04:32 666112 bb1eacd6ab47e78ebca02eb781550d55 c:\windows\$NtUninstallKB950759$\wininet.dll
2008-04-21 01:56 666624 2e7de1bf9418b071799eb53de8cc22f5 c:\windows\$NtUninstallKB953838$\wininet.dll
2008-06-23 11:12 667136 611ace3f4201e9610af8452f7c268995 c:\windows\$NtUninstallKB956390$\wininet.dll
2008-08-20 00:33 667648 c91e3a6ef094202f6b5ca8960dfcf243 c:\windows\$NtUninstallKB958215$\wininet.dll
2008-04-13 19:12 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\wininet.dll
2008-10-16 05:20 667648 93c9d0a216498ee14eb9b26119bb95ee c:\windows\system32\wininet.dll
2008-10-16 05:20 667648 93c9d0a216498ee14eb9b26119bb95ee c:\windows\system32\dllcache\wininet.dll

2006-04-20 07:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-04 07:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 06:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\system32\drivers\tcpip.sys

2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\winlogon.exe
2004-08-04 07:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\dllcache\winlogon.exe

2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2004-08-04 07:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ip6fw.sys
2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\dllcache\ip6fw.sys
2004-08-04 07:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\system32\drivers\ip6fw.sys

2005-03-01 19:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 11:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 04:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-08-14 04:18 2062976 63ec865dff6ccfc7bef94b5c50297cad c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
2008-08-14 04:33 2066048 4ac58f03eb94a72809949d757fc39d80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
2008-08-14 14:39 2066048 a25e9b86effb2af33bf51e676b68bfb0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2004-08-04 07:00 2015232 fb142b7007ca2eea76966c6c5cc12150 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 19:34 2015232 3cd941e472ddf3534e53038535719771 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 07:55 2015744 bbb2322eb14ad9ad55b1024ffd4d88bf c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 03:38 2015744 a58ac1c6199ef34228abee7fc057ae09 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 04:22 2057728 ba002228743b6824d87f0551dbc86d45 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-13 13:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntkrnlpa.exe
2008-08-14 04:22 2015744 dc097a896a03b8277457d228fd12d4e6 c:\windows\system32\ntkrnlpa.exe
2008-08-14 04:22 2057728 ba002228743b6824d87f0551dbc86d45 c:\windows\system32\dllcache\ntkrnlpa.exe

2005-03-01 20:04 2179456 28187802b7c368c0d3aef7d4c382aabb c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 11:51 2182016 cef243f6defd20be4adde26c7ecacb54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 04:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2008-08-14 04:57 2185984 ce69dbd54221f2d40e49ff6db77c6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
2008-08-14 05:11 2189184 eeaf32f8e15a24f62becb1bd403bb5c5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
2008-08-14 15:11 2189184 31914172342bff330063f343ac6958fe c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2004-08-04 07:00 2148352 626309040459c3915997ef98ec1c8d40 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 19:57 2135552 48b3e89af7074cee0314a3e0c7faffdb c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 09:15 2136064 8318ed54797f3e513fd5817a1d4bbd18 c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 04:08 2136064 1220faf071dea8653ee21de7dcda8bfd c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 05:00 2180352 21c91da9cb53aa8a37041ba9684a8458 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-13 14:27 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntoskrnl.exe
2008-08-14 04:58 2136064 dd31ab4b91c2605601a3c108af57a0c9 c:\windows\system32\ntoskrnl.exe
2008-08-14 05:00 2180352 21c91da9cb53aa8a37041ba9684a8458 c:\windows\system32\dllcache\ntoskrnl.exe

2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 07:00 1032192 a0732187050030ae399b241436565e64 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
2007-06-13 05:23 1033216 97bd6515465659ff8f3b7be375b2ea87 c:\windows\system32\dllcache\explorer.exe

2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\services.exe
2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\services.exe
2004-08-04 07:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\dllcache\services.exe

2008-04-13 19:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\lsass.exe
2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\lsass.exe
2004-08-04 07:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\dllcache\lsass.exe

2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\ctfmon.exe
2004-08-04 07:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\dllcache\ctfmon.exe

2005-06-10 19:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 07:00 57856 7435b108b935e42ea92ca94f59c8e717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 19:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\system32\spoolsv.exe
2005-06-10 18:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\system32\dllcache\spoolsv.exe

2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\userinit.exe
2004-08-04 07:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\system32\dllcache\userinit.exe

2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll
2004-08-04 07:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\termsrv.dll
2004-08-04 07:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\dllcache\termsrv.dll

2006-07-05 05:57 985088 0fdd84928a5dde2510761b7ec76ccec9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
2007-04-16 11:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2004-08-04 07:00 983552 888190e31455fad793312f8d087146eb c:\windows\$NtUninstallKB917422$\kernel32.dll
2006-07-05 05:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$NtUninstallKB935839$\kernel32.dll
2008-04-13 19:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\kernel32.dll
2007-04-16 10:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\system32\kernel32.dll
2007-04-16 10:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\system32\dllcache\kernel32.dll

2008-04-13 19:12 17408 50a166237a0fa771261275a405646cc0 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\powrprof.dll
2004-08-04 07:00 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\powrprof.dll
2004-08-04 07:00 17408 1b5f6923abb450692e9fe0672c897aed c:\windows\system32\dllcache\powrprof.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"StrgSync.exe"="c:\program files\StorageSync\StrgSync.exe" [2005-10-07 3032576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-07-25 344064]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-07-04 184320]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe" [2006-12-01 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGwUlkk]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"StrgSync.exe"=c:\program files\StorageSync\StrgSync.exe -w

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\network associates\\common framework\\FrameworkService.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\day of defeat\\hl.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\counter-strike\\hl.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\gregeroff\\source 2007 dedicated server\\srcds.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8081:TCP"= 8081:TCP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8081 tcp
"8081:UDP"= 8081:UDP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8081 udp
"8082:TCP"= 8082:TCP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8082 tcp
"8082:UDP"= 8082:UDP:158.136.1.0/255.255.255.0:Enabled:PSUADMN-8082 udp
"35766:TCP"= 35766:TCP:utorrent

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - Apple Mobile Device
*Deregistered* - Arp1394
*Deregistered* - Ati HotKey Poller
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - eabfiltr
*Deregistered* - eamon
*Deregistered* - easdrv
*Deregistered* - ekrn
*Deregistered* - epfw
*Deregistered* - Epfwndis
*Deregistered* - epfwtdi
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - FsVga
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - PCIIde
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - seclogon
*Deregistered* - Serial
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - Themes
*Deregistered* - tifsfilter
*Deregistered* - timounter
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - wuauserv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4E664C73-FBF3-49FD-9372-5CE0321012B5} - (no file)
BHO-{51DCA3F0-6E54-4199-9AEB-90B3C1C5EA37} - (no file)
BHO-{7BDF8AEF-CE67-453B-8600-2C1C6E015A9C} - (no file)
BHO-{8A9B79A7-EB54-4D9E-B5CB-2D5350973CBF} - (no file)
BHO-{D67E82DE-61D1-4963-9210-0EF4C19CDBD9} - (no file)
BHO-{E462A9D9-84D9-431C-8C5A-A100FE27A90E} - (no file)
BHO-{F1186894-1520-437E-AE58-F47326A3132A} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: foone.org
FF - ProfilePath - c:\documents and settings\Greg St.James\Application Data\Mozilla\Firefox\Profiles\6vfnsp7p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 11:15:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

c:\windows\explorer.exe [720] 0x82E4F530
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe [824] 0xFA7E3530
scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?8?3?-??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-73586283-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1176)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(720)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\network associates\common framework\Mctray.exe
c:\program files\Logitech\SetPoint\SetPoint.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2009-01-31 11:27:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-31 16:20:07
ComboFix2.txt 2009-01-31 04:05:09
ComboFix3.txt 2009-01-18 01:17:33
ComboFix4.txt 2009-01-18 01:07:14
ComboFix5.txt 2009-01-31 16:09:35

Pre-Run: 7,894,388,736 bytes free
Post-Run: 7,878,438,912 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
470 --- E O F --- 2009-01-14 07:57:01[/code]



Gmer

[code=auto:0]GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-31 12:56:17
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF729D0D0]
SSDT sptd.sys ZwEnumerateKey [0xF72A2FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF72A3340]
SSDT sptd.sys ZwOpenKey [0xF729D0B0]
SSDT sptd.sys ZwQueryKey [0xF72A3418]
SSDT sptd.sys ZwQueryValueKey [0xF72A3298]
SSDT sptd.sys ZwSetValueKey [0xF72A34AA]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F63F562C 5 Bytes JMP 8A8FA3A8

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F729DAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F729DC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F729DB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F729E748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F729E61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72B329A] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8AAE91E8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

Device \Driver\usbuhci \Device\USBPDO-0 8A9095F8
Device \Driver\usbuhci \Device\USBPDO-1 8A9095F8
Device \Driver\usbuhci \Device\USBPDO-2 8A9095F8
Device \Driver\usbuhci \Device\USBPDO-3 8A9095F8
Device \Driver\usbehci \Device\USBPDO-4 8A912790

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8AA791E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\Ftdisk \Device\HarddiskVolume2 8AA791E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\Cdrom \Device\CdRom0 8A8651E8
Device \Driver\atapi \Device\Ide\IdePort0 8AAEA1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 8AAEA1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 8AAEA1E8
Device \Driver\USBSTOR \Device\00000091 8A1641E8
Device \Driver\USBSTOR \Device\00000092 8A1641E8

AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\usbuhci \Device\USBFDO-0 8A9095F8
Device \Driver\usbuhci \Device\USBFDO-1 8A9095F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A262790
Device \Driver\usbuhci \Device\USBFDO-2 8A9095F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A262790
Device \Driver\usbuhci \Device\USBFDO-3 8A9095F8
Device \Driver\usbehci \Device\USBFDO-4 8A912790
Device \Driver\Ftdisk \Device\FtControl 8AA791E8
Device \FileSystem\Cdfs \Cdfs 8A583698

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x66 0x6A 0x06 0x45 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x44 0x3D 0x5A 0x73 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x66 0x6A 0x06 0x45 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x44 0x3D 0x5A 0x73 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x66 0x6A 0x06 0x45 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x44 0x3D 0x5A 0x73 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x66 0x6A 0x06 0x45 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x44 0x3D 0x5A 0x73 ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe 27136 bytes executable
File C:\WINDOWS\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\Installer.ico 2238 bytes

---- EOF - GMER 1.0.14 ----[/ode]

Edited by PropagandaPanda, 31 January 2009 - 01:59 PM.


#6 .4ngryToasters

.4ngryToasters
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 31 January 2009 - 01:15 PM

screenshot didn't go through, so here it is again:
Posted Image

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:26 AM

Posted 31 January 2009 - 02:04 PM

Hello .4ngryToasters.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assasin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able update using the normal method download the update file from here, using another machine if needed. Simple double click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Update Java to Version 6 Update 11
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer for Windows.32, here. Follow the prompts to install and delete the install after use.
Please post back with:
-the MalwareBytes log
-a new HijackThis log

How is your computer running now?

With Regards,
The Panda

#8 .4ngryToasters

.4ngryToasters
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 02 February 2009 - 03:43 PM

Sorry for the delayed response; I tried to remove the older versions of java, but my computer is not allowing me to do so. Instead, I get this error:

The Windows Installer service could not be accessed. This can occur if you are running windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Also I was able to install Malwarebytes, but was not able to run it. I tried running it via a cd, but also got the same error message.

Run-time error '372':

Failed to load control 'vbalGrid' from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application


Also my copy and paste does not work on any programs anymore, and my system clock has gone to 24 hour time. This might have been caused by combofix, as my computer had these problems ever since I ran it.

Lastly, ekrn.exe is using anywhere from 75 - 95% of my cpu usage, making it difficult to use the mouse or any other programs (probably irrelevant, but I thought I would bring it o your attention)

Edited by .4ngryToasters, 02 February 2009 - 03:52 PM.


#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:26 AM

Posted 02 February 2009 - 04:34 PM

Hello .4ngryToasters.

I tried to remove the older versions of java, but my computer is not allowing me to do so. Instead, I get this error:

Click on the Windows Orb, Run, type: services.msc . Double click Windows Installer. Set the startup type to Automatic. Click Apply. Start the service.

Try that again.

Also my copy and paste does not work on any programs anymore, and my system clock has gone to 24 hour time. This might have been caused by combofix, as my computer had these problems ever since I ran it.

The 24 hour clock format is normal. ComboFix needs that to run properly. We will reset that later.

Did the copy/paste start occuring after ComboFix ran?

Lastly, ekrn.exe is using anywhere from 75 - 95% of my cpu usage, making it difficult to use the mouse or any other programs (probably irrelevant, but I thought I would bring it o your attention)

That is part of ESET. I would try uninstalling it. If you do not want to reinstall it, choose a new AV:
After installing, update the database, run a full system scan and remove any items found.
--
Download and Run DDS
DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run DrWebCureIt in Safe Mode
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click OK. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck Heuristic analysis under the Scanning tab, then click OK.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Yes to all if asked to cure or move the file(s) and select Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

With Regards,
The Panda

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:26 AM

Posted 11 February 2009 - 04:04 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users