Help: Error Every Time I Load Programs

This topic is locked. 6 replies to this topic.

#1 Dinked

Posted 27 January 2009 - 10:51 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:33 PM, on 1/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\hix\hix\mirc.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\runonce.exe
C:\WINDOWS\system32\regsvr32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRA~1\E-BOOK~1\FLIPVI~1\fvbho140.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {d39b93a0-dfe7-4c03-8ba1-5026db88b9ff} - C:\WINDOWS\system32\kekasika.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [KPDrv4XP] C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [yolavujitu] Rundll32.exe "C:\WINDOWS\system32\rumikegu.dll",s
O4 - HKLM\..\Run: [0084e325] rundll32.exe "C:\WINDOWS\system32\rolihema.dll",b
O4 - HKLM\..\Run: [CPM03b7d0b9] Rundll32.exe "c:\windows\system32\kewomavo.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [yolavujitu] Rundll32.exe "C:\WINDOWS\system32\rumikegu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yolavujitu] Rundll32.exe "C:\WINDOWS\system32\rumikegu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} (AcceptWM Class) - https://w3s.webmoney.ru/WMAcceptor.dll
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.c...ersion=1,0,0,10
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\binahoka.dll avgrsstx.dll c:\windows\system32\remebeyi.dll c:\windows\system32\vorujamo.dll c:\windows\system32\dobafigi.dll c:\windows\system32\govinapi.dll c:\windows\system32\weturiwo.dll C:\WINDOWS\system32\vawinaso.dll c:\windows\system32\kewomavo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kewomavo.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kewomavo.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12660 bytes


#2 PropagandaPanda
  • Malware Response Team

Posted 06 February 2009 - 03:47 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [Image: ComboFix Recovery Console prompt]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [Image: ComboFix prompt after Recovery Console installation]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

Edited by PropagandaPanda, 06 February 2009 - 03:48 PM.


#3 Dinked
  • Topic Starter

Posted 13 February 2009 - 07:07 PM

ComboFix 09-02-12.03 - Compaq_Owner 2009-02-13 0:26:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.817 [GMT -8:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\ademoral.ini
c:\windows\system32\aguyinah.ini
c:\windows\system32\amehilor.ini
c:\windows\system32\AutoRun.inf
c:\windows\system32\binahoka.dll
c:\windows\system32\ebikoyoh.ini
c:\windows\system32\ebipidoz.ini
c:\windows\system32\egazihum.ini
c:\windows\system32\ehotoyum.ini
c:\windows\system32\emagayim.ini
c:\windows\system32\emazogow.ini
c:\windows\system32\esakafod.ini
c:\windows\system32\ewulanev.ini
c:\windows\system32\eyujupul.ini
c:\windows\system32\ezepelah.ini
c:\windows\system32\fesusipa.dll
c:\windows\system32\ipegahur.ini
c:\windows\system32\iyepukel.ini
c:\windows\system32\obasenuf.ini
c:\windows\system32\obinebas.ini
c:\windows\system32\odahotan.ini
c:\windows\system32\odunopoj.ini
c:\windows\system32\ofukumak.ini
c:\windows\system32\ogikonuv.ini
c:\windows\system32\ogitukul.ini
c:\windows\system32\ozayeken.ini
c:\windows\system32\ozisurew.ini
c:\windows\system32\pubonepo.dll
c:\windows\system32\sozasalu.dll
c:\windows\system32\tawobobu.dll
c:\windows\system32\towozoha.dll
c:\windows\system32\ufumopes.ini
c:\windows\system32\ugibunum.ini
c:\windows\system32\upahanek.ini
c:\windows\system32\uvubiwog.ini
c:\windows\system32\uyihopog.ini
c:\windows\system32\uyurosuj.ini
c:\windows\system32\uyurutig.ini
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ILVMONEYDRIVER53
-------\Legacy_OREANS32
-------\Service_IlvMoneyDRIVER53
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))
.

2009-02-13 00:11 . 2009-02-13 00:11 262,144 --a------ c:\documents and settings\COMPAQ~3
2009-01-31 16:25 . 2009-01-31 16:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\NVIDIA
2009-01-27 21:08 . 2009-01-27 21:08 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\GlobalSCAPE
2009-01-27 21:08 . 2009-01-27 21:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\GlobalSCAPE
2009-01-27 20:57 . 2009-01-27 20:57 <DIR> d-------- c:\program files\GlobalSCAPE
2009-01-27 20:29 . 2009-01-27 20:29 <DIR> d-------- C:\ERDNT
2009-01-27 19:43 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-27 19:41 . 2009-01-27 19:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-27 17:45 . 2009-01-27 17:51 <DIR> d-------- C:\Invision
2009-01-24 15:32 . 2009-01-24 15:32 <DIR> d-------- c:\program files\Ventrilo
2009-01-24 15:31 . 2009-01-24 15:32 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-01-15 14:49 . 2009-01-15 15:05 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\SoundSpectrum

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 08:24 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\uTorrent
2009-02-13 08:20 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2009-02-13 08:12 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-11 07:10 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\FrostWire
2009-02-06 23:07 --------- d-----w c:\program files\Steam
2009-01-28 07:37 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Ventrilo
2009-01-28 04:57 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-28 03:40 --------- d-----w c:\program files\Panda Security
2009-01-24 23:27 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-23 06:40 --------- d-----w c:\program files\Warcraft III
2009-01-15 23:01 --------- d-----w c:\program files\SoundSpectrum
2009-01-15 17:46 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-08 03:37 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\AVGTOOLBAR
2009-01-07 17:51 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-07 17:50 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-06 03:49 --------- d-----w c:\program files\Plustech Inc
2009-01-06 03:47 --------- d-----w c:\program files\IP Changer
2009-01-06 03:46 720,896 ----a-w c:\windows\iun6002.exe
2009-01-04 23:08 --------- d-----w c:\program files\Unity
2008-12-30 11:52 --------- d-----w c:\program files\ACSPMonitor
2008-12-28 00:08 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\EBookSys
2008-12-26 23:28 --------- d-----w c:\program files\AVG
2008-12-26 22:53 --------- d-----w c:\program files\E-Book Systems
2008-12-18 06:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-18 06:09 7,920 ----atw c:\windows\GETBIOS.EXE
2008-12-18 05:45 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2008-12-18 05:45 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-15 04:02 22,328 ----a-w c:\documents and settings\Compaq_Owner\Application Data\PnkBstrK.sys
2008-08-18 03:54 390 ----a-w c:\program files\Shortcut to Program Files.lnk
2008-04-18 03:33 1,584 -c--a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2007-04-29 03:29 582,144 -c--a-w c:\documents and settings\borat\snes9x.exe
2005-11-02 22:32 0 -c--a-w c:\documents and settings\Guest\Application Data\wklnhst.dat
2005-11-02 22:24 134 -c--a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2004-10-18 18:04 161,280 -c--a-w c:\documents and settings\borat\fmod.dll
2009-01-04 23:34 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-04 23:34 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-04 23:34 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-04 23:34 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-04 23:34 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-25 22:18 65,536 --sha-w c:\windows\system32\lodohepo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"KEMailKb"="c:\progra~1\MICROI~1\INTERN~1\KEMailKb.EXE" [2005-08-09 401408]
"KPDrv4XP"="c:\progra~1\MICROI~1\INTERN~1\KPDrv4XP.EXE" [2005-02-21 40960]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1601304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-09 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-05-12 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-07 09:51 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^YourScreen.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\YourScreen.lnk
backup=c:\windows\pss\YourScreen.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^borat^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\borat\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=c:\windows\pss\Compaq Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^LimeWire Turbo Accelerator.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\LimeWire Turbo Accelerator.lnk
backup=c:\windows\pss\LimeWire Turbo Accelerator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 22:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a--c--- 2006-05-09 16:24 50760 c:\program files\Common Files\AOL\Launch\aollaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-11-07 14:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-13 15:09 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlipViewer Library]
--a------ 2007-10-25 17:31 386576 c:\program files\E-Book Systems\FlipViewer\FlipViewerLibrary.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 16:24 50760 c:\program files\Common Files\AOL\1162694959\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2007-03-11 21:34 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a--c--- 2006-02-17 08:59 124520 c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-07-01 13:20 212992 C:\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a--c--- 2005-02-02 15:44 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a--c--- 2004-10-14 20:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-18 17:47 8720384 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 19:43 233472 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-14 16:23 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2008-05-12 07:08 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-28 19:06 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-09 15:08 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 07:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 17:35 3587120 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-10-24 16:10 4662776 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-29 16:06 88363 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a--c--- 2004-09-07 12:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
--a------ 2004-09-24 08:49 49152 c:\windows\system32\SiSPower.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MySQL"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\hix\\hix\\mirc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1162694959\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1162694959\\ee\\aim6.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\My Documents\\Unzipped\\(GAME) Age Of Empires 2\\games\\AOE2AOK\\empires2.EXE"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\chrisx1x\\counter-strike\\hl.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\sandldan\\counter-strike source\\hl2.exe"=
"c:\\BROOD\\StarCraft.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Nexon\\MapleStory\\Patcher.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\sandldan\\source sdk base\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Micro Innovations\\Internet Keyboard Elite\\KPDRV4XP.EXE"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\aAvgApi.exe"=
"c:\\Nexon\\MapleStory\\SydneyMSx.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6900:TCP"= 6900:TCP:login-server
"5121:TCP"= 5121:TCP:map-server
"6121:TCP"= 6121:TCP:char-server

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-26 12552]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-27 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-26 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-26 107272]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-29 298264]
R2 CamthWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CamthWDM.sys [2007-01-10 243584]
R2 HIDKbFlt;HIDKbFlt.SvcDesc%;c:\windows\system32\drivers\HIDKbFlt.sys [2005-07-25 23680]
S3 DADriv1;DADriv1;c:\documents and settings\borat\My Documents\Unzipped\shadowprotectorv1.5\DAK32.sys [2007-08-21 22528]
S3 geebers12;geebers12;\??\c:\documents and settings\borat\My Documents\Unzipped\shadowprotectorv1.5\nvid888.sys --> c:\documents and settings\borat\My Documents\Unzipped\shadowprotectorv1.5\nvid888.sys [?]
S3 Ke386IO;Ke386IO;\??\c:\docume~1\COMPAQ~1\LOCALS~1\Temp\WZS4F.tmp\Ke386IO.sys --> c:\docume~1\COMPAQ~1\LOCALS~1\Temp\WZS4F.tmp\Ke386IO.sys [?]
S3 LxrSG20d;LxrSG20d;c:\windows\system32\drivers\LxrSG20d.sys [2007-06-01 68672]
S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?]
S3 白目國中生1;白目國中生1;\??\c:\temp\DXWnd\DXWnd\nvid999.sys --> c:\temp\DXWnd\DXWnd\nvid999.sys [?]
S3 PageFau1t;PageFau1t;\??\c:\temp\PageFau1t.sys --> c:\temp\PageFau1t.sys [?]
S3 projectx1;projectx1;c:\documents and settings\Compaq_Owner\My Documents\gb\FelipeZe.sys [2007-12-07 31104]
S3 puma1;puma1;\??\c:\documents and settings\borat\My Documents\Unzipped\shadowprotectorv1.5\puma.sys --> c:\documents and settings\borat\My Documents\Unzipped\shadowprotectorv1.5\puma.sys [?]
S3 sys_com001;sys_com001;c:\documents and settings\borat\My Documents\SysComEngine_1059\SysCom.sys [2007-10-08 24576]
S3 XDva068;XDva068;\??\c:\windows\system32\XDva068.sys --> c:\windows\system32\XDva068.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6589359-101e-11dc-8a4e-0011d814fb4e}]
\Shell\AutoRun\command - explorer.exe /n,/e,\
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{d39b93a0-dfe7-4c03-8ba1-5026db88b9ff} - c:\windows\system32\kekasika.dll
HKLM-Run-yolavujitu - c:\windows\system32\rumikegu.dll
HKLM-Run-0084e325 - c:\windows\system32\rolihema.dll
HKLM-Run-CPM03b7d0b9 - c:\windows\system32\kewomavo.dll
Notify-AtiExtEvent - (no file)
MSConfigStartUp-0084e325 - c:\windows\system32\muyotohe.dll
MSConfigStartUp-AIMPro - c:\program files\AIM\AIM Pro\aimpro.exe
MSConfigStartUp-alcohol_ - c:\program files\Alcohol Soft\Alcohol 120\alcohol_.exe
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-CPM03b7d0b9 - c:\windows\system32\jizodetu.dll
MSConfigStartUp-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
MSConfigStartUp-HP Component Manager - c:\program files\HP\hpcoretech\hpcmpmgr.exe
MSConfigStartUp-IncrediMail - c:\program files\IncrediMail\bin\IncMail.exe
MSConfigStartUp-Mediafour XPlay Tray Notification Icon - c:\program files\Mediafour\XPlay\XPTRYICN.EXE
MSConfigStartUp-RegPowerClean - c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
MSConfigStartUp-RoxioAudioCentral - c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
MSConfigStartUp-RoxioDragToDisc - c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
MSConfigStartUp-SandboxieControl - c:\program files\Sandboxie\Control.exe
MSConfigStartUp-Skype - c:\program files\Skype1\Phone\Skype.exe
MSConfigStartUp-TXP - c:\program files\topthemesxp\txp.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-WebcamMaxMoniter - c:\program files\WebcamMax\wcmmon.exe
MSConfigStartUp-yolavujitu - c:\windows\system32\rosotuse.dll
MSConfigStartUp-nwiz - nwiz.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} - hxxp://cafeimg.hanmail.net/activex/dmcc2.cab?Version=1,0,0,10
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\rzl6uxlq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://bulletins.myspace.com/index.cfm?fuseaction=bulletin.read&authorID=3417369&messageID=6245564079&MyToken=ff3c50e7-87a2-48f0-861b-d4e6a4a3a25b
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\rzl6uxlq.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\rzl6uxlq.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Panda Security\NanoScan\Plugins\npnanoscan.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 00:41:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1531689621-1028777617-4167623734-1009\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:47,73,90,9a,94,67,02,ee,b3,68,f1,01,eb,09,bb,d8,6e,b7,fb,15,c1,b9,14,
c4,79,1b,d4,8d,a3,b0,2e,ef,3d,27,05,33,31,03,84,c3,23,fe,74,b6,53,37,46,dc,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\searchprotocolhost.exe
c:\program files\Mozilla Firefox 3 Beta 5\firefox.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-02-13 0:58:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-13 08:56:49

Pre-Run: 2,260,054,016 bytes free
Post-Run: 3,300,184,064 bytes free

426 --- E O F --- 2008-12-11 08:10:21





GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-13 16:06:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 8A349E40 ZwAllocateVirtualMemory
SSDT 8A328940 ZwCreateKey
SSDT 8A352490 ZwCreateProcess
SSDT 8A354238 ZwCreateProcessEx
SSDT 8A360BA0 ZwCreateThread
SSDT 8A2D9190 ZwDeleteKey
SSDT 8A3624F0 ZwDeleteValueKey
SSDT spej.sys ZwEnumerateKey [0xB9EC8CA2]
SSDT spej.sys ZwEnumerateValueKey [0xB9EC9030]
SSDT spej.sys ZwOpenKey [0xB9EAB0C0]
SSDT spej.sys ZwQueryKey [0xB9EC9108]
SSDT spej.sys ZwQueryValueKey [0xB9EC8F88]
SSDT 8A349EB8 ZwQueueApcThread
SSDT 8A349D50 ZwReadVirtualMemory
SSDT 8A2C1140 ZwRenameKey
SSDT 8A349FA8 ZwSetContextThread
SSDT 8A352AF0 ZwSetInformationKey
SSDT 8A34D8C8 ZwSetInformationProcess
SSDT 8A34C190 ZwSetInformationThread
SSDT 8A32A420 ZwSetValueKey
SSDT 8A360C18 ZwSuspendProcess
SSDT 8A349F30 ZwSuspendThread
SSDT 8A2C3328 ZwTerminateProcess
SSDT 8A34C208 ZwTerminateThread
SSDT 8A349DC8 ZwWriteVirtualMemory

INT 0x62 ? 8A2ECBF8
INT 0x82 ? 8A2ECBF8
INT 0x83 ? 8A2ECBF8
INT 0x84 ? 8A10DF00
INT 0x94 ? 8A10DF00
INT 0xA4 ? 8A10DF00
INT 0xB4 ? 8A10DF00

---- Kernel code sections - GMER 1.0.14 ----

? spej.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B89D862C 5 Bytes JMP 8A10D4E0
.text a6xrx8gq.SYS B8825384 1 Byte [ 20 ]
.text a6xrx8gq.SYS B8825386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text a6xrx8gq.SYS B88253AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text a6xrx8gq.SYS B88253C4 3 Bytes [ 00, 00, 00 ]
.text a6xrx8gq.SYS B88253C9 1 Byte [ 00 ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[388] kernel32.dll!WriteFile 7C810D87 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1476] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ F7, FB, C3, 83 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAC040] spej.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EAC13C] spej.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EAC0BE] spej.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EAC7FC] spej.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EAC6D2] spej.sys
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\a6xrx8gq.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 8A349BE0
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8A349CD8
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 8A349CD8
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 8A349BE0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 8A349BE0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 8A349CD8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 8A349CD8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 8A349BE0
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 8A349CD8
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 8A349BE0
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 8A349CD8
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 8A349BE0
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 8A349CD8
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 8A349CD8
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 8A349BE0

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1476] @ C:\WINDOWS\system32\wininet.dll [KERNEL32.dll!QueueUserWorkItem] [004503A4] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (Spy Sweeper Engine/Webroot Software, Inc.)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A3581F8

AttachedDevice \FileSystem\Ntfs \Ntfs SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))

Device \FileSystem\Fastfat \FatCdrom 89BC81F8
Device \Driver\sptd \Device\2867776446 spej.sys
Device \Driver\Tcpip \Device\Ip 89F6FFA8
Device \Driver\Tcpip \Device\Ip 8A01AB38
Device \Driver\Tcpip \Device\Ip 89D27B20
Device \Driver\Tcpip \Device\Ip 8A13A860

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\usbohci \Device\USBPDO-0 8A109500
Device \Driver\usbohci \Device\USBPDO-1 8A109500
Device \Driver\usbohci \Device\USBPDO-2 8A109500
Device \Driver\usbehci \Device\USBPDO-3 8A14D1F8
Device \Driver\Tcpip \Device\Tcp 89F6FFA8
Device \Driver\Tcpip \Device\Tcp 8A01AB38
Device \Driver\Tcpip \Device\Tcp 89D27B20
Device \Driver\Tcpip \Device\Tcp 8A13A860

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A35A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A35A1F8
Device \Driver\Cdrom \Device\CdRom0 8A1181F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A2EC1F8
Device \Driver\atapi \Device\Ide\IdePort0 8A2EC1F8
Device \Driver\atapi \Device\Ide\IdePort1 8A2EC1F8
Device \Driver\atapi \Device\Ide\IdePort2 8A2EC1F8
Device \Driver\atapi \Device\Ide\IdePort3 8A2EC1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 8A2EC1F8
Device \Driver\USBSTOR \Device\00000080 89CC01F8
Device \Driver\USBSTOR \Device\00000081 89CC01F8
Device \Driver\USBSTOR \Device\00000082 89CC01F8
Device \Driver\USBSTOR \Device\00000083 89CC01F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89CF81F8
Device \Driver\NetBT \Device\NetbiosSmb 89CF81F8
Device \Driver\PCI_PNP1446 \Device\0000005b spej.sys
Device \Driver\Tcpip \Device\Udp 89F6FFA8
Device \Driver\Tcpip \Device\Udp 8A01AB38
Device \Driver\Tcpip \Device\Udp 89D27B20
Device \Driver\Tcpip \Device\Udp 8A13A860

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\Tcpip \Device\RawIp 89F6FFA8
Device \Driver\Tcpip \Device\RawIp 8A01AB38
Device \Driver\Tcpip \Device\RawIp 89D27B20
Device \Driver\Tcpip \Device\RawIp 8A13A860

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device \Driver\usbohci \Device\USBFDO-0 8A109500
Device \Driver\usbohci \Device\USBFDO-1 8A109500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89CE0500
Device \Driver\Tcpip \Device\IPMULTICAST 89F6FFA8
Device \Driver\Tcpip \Device\IPMULTICAST 8A01AB38
Device \Driver\Tcpip \Device\IPMULTICAST 89D27B20
Device \Driver\Tcpip \Device\IPMULTICAST 8A13A860
Device \Driver\usbohci \Device\USBFDO-2 8A109500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89CE0500
Device \Driver\usbehci \Device\USBFDO-3 8A14D1F8
Device \Driver\Ftdisk \Device\FtControl 8A35A1F8
Device \Driver\USBSTOR \Device\0000007e 89CC01F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2815B443-8E0C-4D75-94E8-0F2E10633C12} 89CF81F8
Device \Driver\a6xrx8gq \Device\Scsi\a6xrx8gq1 8A0C71F8
Device \FileSystem\Fastfat \Fat 89BC81F8

AttachedDevice \FileSystem\Fastfat \Fat SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8A0AD1F8
Device \FileSystem\Cdfs \Cdfs B4B2FBCE

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1033612804
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 258554787
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6C 0xB3 0x6C 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x59 0x81 0x89 0x6B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x3C 0xF6 0x9E 0xB9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x9C 0x78 0x41 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE2 0xEE 0x40 0x81 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x98 0x66 0x5B 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC5 0x31 0xE1 0xC2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x5E 0xD2 0x64 0xAB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6C 0xB3 0x6C 0xE4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x59 0x81 0x89 0x6B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x3C 0xF6 0x9E 0xB9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x9C 0x78 0x41 0x64 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE2 0xEE 0x40 0x81 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x98 0x66 0x5B 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC5 0x31 0xE1 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x5E 0xD2 0x64 0xAB ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\Temp\6d80a1a7-0684-4df4-8496-0dd3b56389f2.tmp 0 bytes
File C:\WINDOWS\Temp\2729171b-90df-4a63-8849-290ad4636503.tmp 0 bytes
File C:\WINDOWS\Temp\86116f86-1a81-4476-aed8-579905ddf016.tmp 0 bytes
File C:\WINDOWS\Temp\87275412-b623-4f73-af23-7bca8932b913.tmp 0 bytes
File C:\WINDOWS\Temp\8b06e11a-02bf-4f6b-b305-fd0025584c77.tmp 0 bytes

---- EOF - GMER 1.0.14 ----

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:52 AM

Posted 13 February 2009 - 09:01 PM

Hello.

Let's see what we can do. There are many suspicious files. I will have ComboFix upload them to be examined.

The removal process may take several rounds.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\GETBIOS.EXE
    c:\documents and settings\borat\fmod.dll
    c:\windows\system32\lodohepo.dll
    c:\documents and settings\borat\My Documents\SysComEngine_1059\SysCom.sys
    
    Dirlook::
    c:\program files\IP Changer
    c:\program files\Plustech Inc
    
    Suspect::[59]
    c:\windows\iun6002.exe
    c:\windows\system32\drivers\CamthWDM.sys
    c:\documents and settings\borat\My Documents\Unzipped\shadowprotectorv1.5\DAK32.sys
    c:\windows\system32\drivers\LxrSG20d.sys
    c:\documents and settings\Compaq_Owner\My Documents\gb\FelipeZe.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=-
    "UpdatesDisableNotify"=-
    "AntiVirusOverride"=-
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6589359-101e-11dc-8a4e-0011d814fb4e}]
    
    Driver::
    Ke386IO
    PageFau1t
    sys_com001
    
    Rootkit::
    c:\temp\PageFau1t.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

At the end of its run ComboFix will attempt to upload some files. Please make sure you are connected to the Internet before clicking "OK". Kindly remind me in your next reply that samples were uploaded.

With Regards,
The Panda

#5 Dinked

Dinked
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:52 AM

Posted 14 February 2009 - 05:11 PM

ComboFix 09-02-12.03 - Compaq_Owner 2009-02-14 13:48:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.965 [GMT -8:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\borat\fmod.dll
c:\documents and settings\borat\My Documents\SysComEngine_1059\SysCom.sys
c:\windows\GETBIOS.EXE
c:\windows\system32\lodohepo.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\borat\fmod.dll
c:\documents and settings\borat\My Documents\SysComEngine_1059\SysCom.sys
c:\windows\GETBIOS.EXE
c:\windows\system32\lodohepo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KE386IO
-------\Legacy_PAGEFAU1T
-------\Legacy_SYS_COM001
-------\Service_Ke386IO
-------\Service_PageFau1t
-------\Service_sys_com001


((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-14 01:46 . 2009-02-14 01:46 <DIR> d-------- c:\windows\ie8updates
2009-02-13 01:00 . 2009-02-13 14:56 250 --a------ c:\windows\gmer.ini
2009-02-13 00:11 . 2009-02-13 00:11 262,144 --a------ c:\documents and settings\COMPAQ~3
2009-01-31 16:25 . 2009-01-31 16:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\NVIDIA
2009-01-27 21:08 . 2009-01-27 21:08 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\GlobalSCAPE
2009-01-27 21:08 . 2009-01-27 21:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\GlobalSCAPE
2009-01-27 20:57 . 2009-01-27 20:57 <DIR> d-------- c:\program files\GlobalSCAPE
2009-01-27 20:29 . 2009-01-27 20:29 <DIR> d-------- C:\ERDNT
2009-01-27 19:43 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-27 19:41 . 2009-01-27 19:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-27 17:45 . 2009-01-27 17:51 <DIR> d-------- C:\Invision
2009-01-24 15:32 . 2009-01-24 15:32 <DIR> d-------- c:\program files\Ventrilo
2009-01-24 15:31 . 2009-01-24 15:32 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-01-15 14:49 . 2009-01-15 15:05 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\SoundSpectrum

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 21:45 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2009-02-13 08:24 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\uTorrent
2009-02-13 08:12 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-11 07:10 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\FrostWire
2009-02-06 23:07 --------- d-----w c:\program files\Steam
2009-01-28 07:37 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Ventrilo
2009-01-28 04:57 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-28 03:40 --------- d-----w c:\program files\Panda Security
2009-01-24 23:27 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-23 06:40 --------- d-----w c:\program files\Warcraft III
2009-01-15 23:01 --------- d-----w c:\program files\SoundSpectrum
2009-01-15 17:46 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-08 03:37 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\AVGTOOLBAR
2009-01-07 17:51 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-07 17:50 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-06 03:49 --------- d-----w c:\program files\Plustech Inc
2009-01-06 03:47 --------- d-----w c:\program files\IP Changer
2009-01-06 03:46 720,896 ----a-w c:\windows\iun6002.exe
2009-01-04 23:08 --------- d-----w c:\program files\Unity
2008-12-30 11:52 --------- d-----w c:\program files\ACSPMonitor
2008-12-28 00:08 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\EBookSys
2008-12-26 23:28 --------- d-----w c:\program files\AVG
2008-12-26 22:53 --------- d-----w c:\program files\E-Book Systems
2008-12-18 06:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-18 05:45 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2008-12-18 05:45 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-15 04:02 22,328 ----a-w c:\documents and settings\Compaq_Owner\Application Data\PnkBstrK.sys
2008-08-18 03:54 390 ----a-w c:\program files\Shortcut to Program Files.lnk
2008-04-18 03:33 1,584 -c--a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2007-04-29 03:29 582,144 -c--a-w c:\documents and settings\borat\snes9x.exe
2005-11-02 22:32 0 -c--a-w c:\documents and settings\Guest\Application Data\wklnhst.dat
2005-11-02 22:24 134 -c--a-w c:\documents and settings\Administrator\Application Data\wklnhst.dat
2009-01-04 23:34 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-04 23:34 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-04 23:34 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-04 23:34 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-04 23:34 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\IP Changer ----

2007-08-14 18:43 1886641 --a------ c:\program files\IP Changer\setup.exe

---- Directory of c:\program files\Plustech Inc ----

2009-01-05 19:49 5670 --a------ c:\program files\Plustech Inc\IP Changer 2.0\Uninst.isu
2001-10-11 13:41 671744 --a------ c:\program files\Plustech Inc\IP Changer 2.0\IPChanger.exe
2001-08-27 15:16 40960 --a------ c:\program files\Plustech Inc\IP Changer 2.0\IPCFilter.exe
2001-08-01 10:25 229376 --a------ c:\program files\Plustech Inc\IP Changer 2.0\IPInfoGrab.exe
2001-08-01 10:25 176128 --a------ c:\program files\Plustech Inc\IP Changer 2.0\IPCupdate.exe
2001-05-06 01:40 311539 --a------ c:\program files\Plustech Inc\IP Changer 2.0\IPChangerHelp.chm


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"KEMailKb"="c:\progra~1\MICROI~1\INTERN~1\KEMailKb.EXE" [2005-08-09 401408]
"KPDrv4XP"="c:\progra~1\MICROI~1\INTERN~1\KPDrv4XP.EXE" [2005-02-21 40960]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-07 1601304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-09 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-05-12 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-07 09:51 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^YourScreen.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\YourScreen.lnk
backup=c:\windows\pss\YourScreen.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^borat^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\borat\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Compaq Organize.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Compaq Organize.lnk
backup=c:\windows\pss\Compaq Organize.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^LimeWire Turbo Accelerator.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\LimeWire Turbo Accelerator.lnk
backup=c:\windows\pss\LimeWire Turbo Accelerator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a--c--- 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 22:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a--c--- 2006-05-09 16:24 50760 c:\program files\Common Files\AOL\Launch\aollaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-11-07 14:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-02-13 15:09 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlipViewer Library]
--a------ 2007-10-25 17:31 386576 c:\program files\E-Book Systems\FlipViewer\FlipViewerLibrary.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 16:24 50760 c:\program files\Common Files\AOL\1162694959\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2007-03-11 21:34 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a--c--- 2006-02-17 08:59 124520 c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-07-01 13:20 212992 C:\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a--c--- 2005-02-02 15:44 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
--a--c--- 2004-10-14 20:54 253952 c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-12-18 17:47 8720384 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 19:43 233472 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-14 16:23 1410296 c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2008-05-12 07:08 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-28 19:06 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-09 15:08 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a--c--- 2003-08-19 07:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-04-01 17:35 3587120 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-10-24 16:10 4662776 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-29 16:06 88363 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a--c--- 2004-09-07 12:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
--a------ 2004-09-24 08:49 49152 c:\windows\system32\SiSPower.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MySQL"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\hix\\hix\\mirc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1162694959\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1162694959\\ee\\aim6.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\My Documents\\Unzipped\\(GAME) Age Of Empires 2\\games\\AOE2AOK\\empires2.EXE"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\chrisx1x\\counter-strike\\hl.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\sandldan\\counter-strike source\\hl2.exe"=
"c:\\BROOD\\StarCraft.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Nexon\\MapleStory\\Patcher.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\sandldan\\source sdk base\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Micro Innovations\\Internet Keyboard Elite\\KPDRV4XP.EXE"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox 3 Beta 5\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\aAvgApi.exe"=
"c:\\Nexon\\MapleStory\\SydneyMSx.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6900:TCP"= 6900:TCP:login-server
"5121:TCP"= 5121:TCP:map-server
"6121:TCP"= 6121:TCP:char-server

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-26 12552]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-27 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-26 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-26 107272]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-29 298264]
R2 CamthWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CamthWDM.sys [2007-01-10 243584]
R2 HIDKbFlt;HIDKbFlt.SvcDesc%;c:\windows\system32\drivers\HIDKbFlt.sys [2005-07-25 23680]
S3 DADriv1;DADriv1;c:\documents and settings\borat\My Documents\Unzipped\shadowprotectorv1.5\DAK32.sys [2007-08-21 22528]
S3 geebers12;geebers12;\??\c:\documents and settings\borat\My Documents\Unzipped\shadowprotectorv1.5\nvid888.sys --> c:\documents and settings\borat\My Documents\Unzipped\shadowprotectorv1.5\nvid888.sys [?]
S3 LxrSG20d;LxrSG20d;c:\windows\system32\drivers\LxrSG20d.sys [2007-06-01 68672]
S3 LxrSG20s;Lexar SG20;LxrSG20s.exe --> LxrSG20s.exe [?]
S3 白目國中生1;白目國中生1;\??\c:\temp\DXWnd\DXWnd\nvid999.sys --> c:\temp\DXWnd\DXWnd\nvid999.sys [?]
S3 projectx1;projectx1;c:\documents and settings\Compaq_Owner\My Documents\gb\FelipeZe.sys [2007-12-07 31104]
S3 puma1;puma1;\??\c:\documents and settings\borat\My Documents\Unzipped\shadowprotectorv1.5\puma.sys --> c:\documents and settings\borat\My Documents\Unzipped\shadowprotectorv1.5\puma.sys [?]
S3 XDva068;XDva068;\??\c:\windows\system32\XDva068.sys --> c:\windows\system32\XDva068.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-alcohol_ - c:\program files\Alcohol Soft\Alcohol 120\alcohol_.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://myspace.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {463ED66E-431B-11D2-ADB0-0080C83DA4EB} - hxxps://w3s.webmoney.ru/WMAcceptor.dll
DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} - hxxp://cafeimg.hanmail.net/activex/dmcc2.cab?Version=1,0,0,10
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\rzl6uxlq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://bulletins.myspace.com/index.cfm?fuseaction=bulletin.read&authorID=3417369&messageID=6245564079&MyToken=ff3c50e7-87a2-48f0-861b-d4e6a4a3a25b
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\rzl6uxlq.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dll
FF - plugin: c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\rzl6uxlq.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Panda Security\NanoScan\Plugins\npnanoscan.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 13:58:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1531689621-1028777617-4167623734-1009\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:47,73,90,9a,94,67,02,ee,b3,68,f1,01,eb,09,bb,d8,6e,b7,fb,15,c1,b9,14,
c4,79,1b,d4,8d,a3,b0,2e,ef,3d,27,05,33,31,03,84,c3,23,fe,74,b6,53,37,46,dc,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-02-14 14:09:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-14 22:08:19
ComboFix2.txt 2009-02-13 08:58:13

Pre-Run: 5,647,007,744 bytes free
Post-Run: 5,630,251,008 bytes free

372 --- E O F --- 2009-02-14 09:52:38

#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 14 February 2009 - 05:41 PM

Hello.

Looks better.

Do you know what this program is?
c:\program files\Plustech Inc\IP Changer 2.0

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\documents and settings\Compaq_Owner\My Documents\gb\FelipeZe.sys
  • c:\windows\system32\XDva068.sys
  • c:\windows\system32\drivers\LxrSG20d.sys
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

With Regards,
The Panda

#7 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 25 February 2009 - 03:38 PM

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
