dopper/eth, zlob, vundo, and more!


This topic is locked. 16 replies to this topic.

#1 Nizel

  • Members
  • 7 posts

Posted 03 February 2009 - 09:04 AM

Hello,

It appears that a few dormant viruses just became active. My background has been changed to an anti-virus notification, and a red circle with a white x is in my task bar informing me of multiple infections. I know that this is one of the viruses plaguing my system. I have run spywareblaster, sophos anti-rootkit, malwarebytes, and they all find these infections and claim to quarantine them, but on reboot they keep coming back. Even running the programs in safe mode seems to not make any difference.

These infections are also causing my machine to open up random programs, and shut down on its own volition.

ntdll64.dll, and especially the userinit.exe located in my temp folder I think are the biggest problems. sophos anti-rootkit detected them both, but I didn't have any option to get rid of them.

Included is my dds hjt log, I have gone as far as I can go on my own, now I seek the help of experts! Thanks in advance!

-----



DDS (Ver_09-02-01.01) - NTFSx86
Run by Root at 6:09:09.21 on Tue 02/03/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.371 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Widestep Software\Elite Antikeylogger\wseaksrv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe C:\WINDOWS\TEMP\VRT1.tmp
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Widestep Software\Elite Antikeylogger\wseakadm.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\Widestep Software\Elite Antikeylogger\wseakadm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\program files\powerstrip\pstrip.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
"C:\WINDOWS\system32\svchost.exe" 40706
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Root\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\docume~1\root\locals~1\temp\init.exe
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
TB: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: Demonoid Toolbar: {35b675b9-7f34-40df-8f49-5fab6b7e4aef} - c:\program files\demonoid\tbDemo.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [PowerStrip] c:\program files\powerstrip\pstrip.exe
mRun: [LUTManager] "c:\program files\lut manager\lutmanager.exe" /pt "c:\documents and settings\root\my documents\downloads\HP_LP2475_UGRA.icc" 0
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Elite] c:\program files\widestep software\elite antikeylogger\wseakadm.exe
mRun: [Framework Windows] frmwrk32.exe
StartupFolder: c:\docume~1\root\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210633283171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows: {004096ce-d7a2-456a-ae04-eb9abf822fe4} - c:\windows\temp\Down(0)ow.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\root\applic~1\mozilla\firefox\profiles\kcshyire.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\root\application data\mozilla\firefox\profiles\kcshyire.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFAlert.dll
FF - plugin: c:\documents and settings\root\application data\mozilla\firefox\profiles\kcshyire.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\root\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 wseak;wseak;c:\windows\system32\drivers\wseak.sys [2006-11-13 40704]
R2 Elite Antikeylogger monitoring service;Elite Antikeylogger monitoring service;c:\program files\widestep software\elite antikeylogger\wseaksrv.exe [2006-10-24 692224]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-5-31 34064]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-1-30 118784]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
R2 sensorsview32;sensorsview32;c:\windows\system32\drivers\sensorsview32.sys [2009-1-7 14416]
R2 softyinforwow;Remote TCP/IPG;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 31744]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S0 mhmltmt;mhmltmt;c:\windows\system32\drivers\dofpjqbj.sys --> c:\windows\system32\drivers\dofpjqbj.sys [?]
S1 2459eaf6;2459eaf6;c:\windows\system32\drivers\2459eaf6.sys --> c:\windows\system32\drivers\2459eaf6.sys [?]
S2 RPCH;Remote Procedure Call (HPM);c:\program files\netmeeting\Intell.exe [2006-7-11 481792]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3e.tmp --> c:\windows\system32\3E.tmp [?]

=============== Created Last 30 ================

2009-02-03 05:43 1,347 a------- c:\windows\system32\ahtn.htm
2009-02-03 05:43 4,785 a------- c:\windows\system32\warning.gif
2009-02-03 05:42 142,848 a------- c:\windows\system32\ntdll64.exe
2009-02-03 05:42 4 a------- c:\windows\system32\test.ttt
2009-02-03 05:42 1 a------- c:\windows\system32\uniq.tll
2009-02-03 05:42 43,520 a------- c:\windows\system32\frmwrk32.exe
2009-02-03 05:30 <DIR> --d----- c:\program files\XoftSpySE
2009-02-03 05:12 <DIR> --d----- c:\program files\SpywareBlaster
2009-02-03 05:12 <DIR> --d----- c:\program files\SpywareGuard
2009-02-03 05:10 <DIR> --d----- c:\program files\Sophos
2009-02-03 04:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-03 04:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-03 04:43 <DIR> --d----- c:\docume~1\root\applic~1\SUPERAntiSpyware.com
2009-02-03 03:50 <DIR> --d----- c:\program files\Flyos
2009-02-03 03:49 527 a------- c:\windows\system32\win32hlp.cnf
2009-02-03 03:44 <DIR> --d----- c:\program files\Widestep Software
2009-02-03 02:34 <DIR> a-dshr-- C:\cmdcons
2009-02-03 01:33 142,848 ac------ c:\windows\system32\dllcache\userinit.exe
2009-02-03 00:24 <DIR> --d----- c:\docume~1\root\applic~1\Malwarebytes
2009-02-03 00:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-03 00:24 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-03 00:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-03 00:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-03 00:20 <DIR> --d----- c:\program files\Trend Micro
2009-02-02 23:27 5 a------- c:\windows\_id.dat
2009-02-02 23:27 124 a------- c:\windows\adobe.bat
2009-02-02 23:11 0 a------- c:\windows\system32\52.tmp
2009-02-02 13:44 164,100 a------- c:\windows\system32\22.tmp
2009-02-02 11:09 0 a------- c:\windows\system32\21.tmp
2009-02-02 11:00 997,888 ac------ c:\windows\system32\dllcache\kernel32.dll
2009-02-02 11:00 21,504 ac------ c:\windows\system32\dllcache\powrprof.dll
2009-02-02 10:18 23,040 a--sh--- c:\windows\system32\1041w.dll
2009-02-02 10:14 0 a------- c:\windows\mqcd.dbt
2009-02-02 10:13 4,096 a------- c:\windows\d3dx.dat
2009-02-02 10:13 22,016 a------- C:\jlpooc.exe
2009-02-02 10:13 103,424 a------- C:\btuplu.exe
2009-02-02 10:13 32,768 a------- c:\windows\system32\rer.wa
2009-02-02 10:13 28,672 a------- c:\windows\system32\do8d.sr
2009-02-02 10:13 629 a--s---- c:\windows\system32\1816910912.dat
2009-02-02 10:13 32,768 a------- c:\windows\system32\qzhr1.ant
2009-02-02 10:13 77,312 a------- c:\windows\system32\re3d.pf
2009-02-02 10:13 40,448 a------- C:\mlevsfdk.exe
2009-02-02 10:13 28,672 a------- c:\windows\system32\dedwf.lp
2009-02-02 10:12 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-02-02 10:12 2 a------- C:\-598163070
2009-02-02 10:12 132,608 a------- C:\vpausrs.exe
2009-02-02 10:12 <DIR> --d----- c:\program files\OvalOffice
2009-01-30 23:15 <DIR> --d----- c:\program files\PowerStrip
2009-01-30 21:32 16 a------- c:\windows\system32\wpfb.dat
2009-01-30 21:15 614,400 -------- c:\windows\system32\ati2sgag.exe
2009-01-30 21:08 62,009 a------- c:\windows\system32\WPFB.DLL
2009-01-30 21:08 2,304 a------- c:\windows\system32\Machnm32.sys
2009-01-30 21:08 17,465 a------- c:\windows\system32\drivers\pivot.sys
2009-01-30 21:08 11,323 a------- c:\windows\system32\drivers\pivotmou.sys
2009-01-30 21:08 17,064 a------- c:\windows\system32\drivers\PdiPorts.sys
2009-01-30 21:07 <DIR> --d----- c:\program files\Portrait Displays
2009-01-30 21:07 <DIR> --d----- c:\program files\common files\Portrait Displays
2009-01-30 20:36 1,100 a------- c:\windows\system32\d3d8caps.dat
2009-01-30 18:22 <DIR> --d----- c:\docume~1\root\applic~1\DisplayTune
2009-01-30 18:16 62,009 a------- c:\windows\system32\wpfb_ati2dvag.dll
2009-01-30 18:15 1,392,671 a------- c:\windows\msvbvm60.dll
2009-01-30 18:15 487,424 a------- c:\windows\msvcp70.dll
2009-01-30 18:15 344,064 a------- c:\windows\msvcr70.dll
2009-01-30 13:51 <DIR> --d----- C:\Swsetup
2009-01-30 07:16 608,448 a------- c:\windows\system32\comctl32.ocx
2009-01-30 07:16 <DIR> --d----- c:\program files\Total Video Converter
2009-01-30 06:53 <DIR> --d----- c:\program files\Conduit
2009-01-30 06:53 <DIR> --d----- c:\program files\Demonoid
2009-01-29 06:35 <DIR> --d----- c:\program files\Calibrize
2009-01-29 02:58 <DIR> --d----- c:\program files\LUT Manager
2009-01-29 02:17 <DIR> --d----- c:\program files\Pro Imaging Powertoys
2009-01-29 02:17 <DIR> --d----- c:\windows\Downloaded Installations
2009-01-29 00:13 7 a------- c:\windows\INI2=No
2009-01-29 00:13 7 a------- c:\windows\INI1=No
2009-01-29 00:13 <DIR> --d----- c:\program files\Monitor Calibration Wizard
2009-01-27 01:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kalypso
2009-01-27 00:40 <DIR> --d----- c:\docume~1\root\applic~1\Stardock
2009-01-27 00:39 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
2009-01-27 00:39 <DIR> --d----- c:\program files\Stardock
2009-01-27 00:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Stardock
2009-01-27 00:38 <DIR> --d----- c:\program files\Kalypso
2009-01-24 03:04 34 a------- c:\documents and settings\root\jagex_runescape_preferences.dat
2009-01-24 03:04 <DIR> --d----- c:\windows\.jagex_cache_32
2009-01-23 15:22 <DIR> --d----- c:\program files\E-Zsoft
2009-01-23 05:00 719,872 a------- c:\windows\system32\devil.dll
2009-01-23 05:00 351,744 a------- c:\windows\system32\avisynth.dll
2009-01-23 05:00 <DIR> --d----- c:\program files\common files\Common Share
2009-01-23 04:59 <DIR> --d----- c:\program files\OJOsoft
2009-01-21 23:33 <DIR> --d----- c:\program files\iPod
2009-01-21 23:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-21 21:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Graboid Inc
2009-01-21 21:56 <DIR> --d----- c:\docume~1\root\applic~1\MozillaControl
2009-01-21 21:54 <DIR> --d----- c:\program files\Graboid
2009-01-16 19:21 86,016 a------- c:\windows\system32\check909_517.dll
2009-01-16 19:21 20 a------- c:\windows\syscheck
2009-01-16 17:22 221,184 a------- c:\windows\system32\wmpns.dll
2009-01-16 17:21 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-01-16 17:20 <DIR> --d----- C:\37f2b36538c3fa0c4930e0834e5f301d
2009-01-15 22:39 <DIR> --d----- c:\program files\America's Army
2009-01-15 19:23 <DIR> --d----- c:\program files\Bonjour
2009-01-15 17:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\America's Army Deploy Client
2009-01-15 14:44 <DIR> --d----- c:\docume~1\root\applic~1\Red Alert 3
2009-01-15 14:09 <DIR> --d----- C:\games
2009-01-13 22:07 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-01-13 21:46 11,591,680 a------- c:\windows\system32\atioglxx.dll
2009-01-13 20:53 286,720 a------- c:\windows\system32\atiok3x2.dll
2009-01-13 20:49 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2009-01-13 20:36 196,608 a------- c:\windows\system32\atipdlxx.dll
2009-01-13 20:36 151,552 a------- c:\windows\system32\Oemdspif.dll
2009-01-13 20:36 43,520 a------- c:\windows\system32\Ati2mdxx.exe
2009-01-13 20:35 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-01-13 20:35 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-01-13 20:34 618,496 a------- c:\windows\system32\ati2evxx.exe
2009-01-13 20:32 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-01-13 20:05 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2009-01-13 20:05 3,107,788 a------- c:\windows\system32\ativva5x.dat
2009-01-13 20:05 887,724 a------- c:\windows\system32\ativva6x.dat
2009-01-13 20:05 79,008 a------- c:\windows\system32\ativvaxx.cap
2009-01-13 19:50 48,640 a------- c:\windows\system32\amdpcom32.dll
2009-01-13 19:45 401,408 a------- c:\windows\system32\atikvmag.dll
2009-01-13 19:44 110,592 a------- c:\windows\system32\atiadlxx.dll
2009-01-13 19:44 17,408 a------- c:\windows\system32\atitvo32.dll
2009-01-13 19:43 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-01-13 19:37 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-01-09 07:06 25,088 a------- C:\MaximizedWindow.exe
2009-01-07 15:59 <DIR> --d----- c:\docume~1\root\applic~1\FreshDiagnose
2009-01-07 15:04 <DIR> --d----- c:\docume~1\root\applic~1\Auslogics
2009-01-07 15:04 <DIR> --d----- c:\program files\Auslogics
2009-01-07 08:27 14,416 a------- c:\windows\system32\drivers\sensorsview32.sys
2009-01-07 08:27 <DIR> --d----- c:\program files\SensorsViewPro32
2009-01-07 08:26 <DIR> --d----- c:\program files\FreshDevices
2009-01-07 08:11 45 a------- c:\windows\system32\initdebug.nfo
2009-01-07 08:11 <DIR> --d----- c:\program files\SpeedFan
2009-01-05 16:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-01-05 16:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-02-03 01:33 142,848 a------- c:\windows\system32\userinit.exe
2009-02-02 10:12 578,560 a------- c:\windows\system32\user32.DLL
2009-02-02 09:15 138,624 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-02-02 09:15 222,832 a------- c:\windows\system32\PnkBstrB.exe
2009-01-13 23:14 3,455,488 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-01-13 20:47 323,584 a------- c:\windows\system32\ati2dvag.dll
2009-01-13 20:22 4,009,152 a------- c:\windows\system32\ati3duag.dll
2009-01-13 20:05 2,500,224 a------- c:\windows\system32\ativvaxx.dll
2009-01-13 19:37 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-12-12 23:28 70,144 a------- c:\windows\ipuninst.exe
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-02 18:12 410,984 a------- c:\windows\system32\deploytk.dll
2008-07-25 14:48 12,408,864 a------- c:\documents and settings\root\WoW-2.4.2.8278-to-0.4.3.8478-enUS-patch.exe
2008-07-18 03:06 0 ---sh--- c:\program files\desktoq.ini
2008-05-27 15:56 22,328 a------- c:\docume~1\root\applic~1\PnkBstrK.sys
2003-09-16 00:19 116,952 a------- c:\windows\inf\virprn.exe
2003-09-16 00:19 18,950 a------- c:\windows\inf\virpntd.dll
2003-09-16 00:19 10,240 a------- c:\windows\inf\virport.dll
2003-09-16 00:19 90,624 a------- c:\windows\inf\prtproc.dll

============= FINISH: 6:09:42.60 ===============

Edited by Nizel, 03 February 2009 - 09:13 AM.
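A small triage script, added here as an example and not part of this thread or of any of the tools named in it. It applies the checks a helper makes when reading the DDS lines above: every entry in the Winlogon Userinit value, restrictive Explorer/system policies, autostart hooks loading from a temp directory, and services whose file is missing or which run inside svchost. The sample lines are copied from the log posted above; the rule thresholds and the `Finding` type are this example's own.

```python
"""Triage the 'Pseudo HJT Report' and 'SERVICES / DRIVERS' sections of a DDS log."""
import re
from dataclasses import dataclass

# Sample input: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\docume~1\root\locals~1\temp\init.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Framework Windows] frmwrk32.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
SEH: Windows: {004096ce-d7a2-456a-ae04-eb9abf822fe4} - c:\windows\temp\Down(0)ow.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
R2 softyinforwow;Remote TCP/IPG;c:\windows\system32\svchost.exe -k netsvcs [2002-8-29 31744]
S0 mhmltmt;mhmltmt;c:\windows\system32\drivers\dofpjqbj.sys --> c:\windows\system32\drivers\dofpjqbj.sys [?]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-5-31 34064]
"""

# The only value Userinit should carry on a default XP install.
STD_USERINIT = r"c:\windows\system32\userinit.exe"
# Any autostart/hook path that passes through a temp directory.
TEMP_PATH = re.compile(r"\\temp\\", re.I)
# Policies that lock the user out of the tools used to investigate or clean.
RESTRICTIVE_POLICIES = {
    "DisableTaskMgr", "DisableRegistryTools",
    "NoSetActiveDesktop", "NoActiveDesktopChanges",
}
POLICY_LINE = re.compile(r"Policies-\w+:\s*(\w+)\s*=\s*1\b")
# DDS service line: "<R|S><n> name;display name;image path [date size]".
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def triage(dds_text: str) -> list[Finding]:
    """Return one Finding per suspicious DDS line; clean lines produce nothing."""
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        # 1. Userinit is a comma-separated list; every entry runs at each logon,
        #    so anything besides the standard userinit.exe is persistence.
        if "winlogon: userinit=" in low:
            value = line.split("=", 1)[1]
            for entry in (e.strip() for e in value.split(",") if e.strip()):
                if entry.lower() != STD_USERINIT:
                    findings.append(Finding(line, f"extra Userinit entry runs at every logon: {entry}"))
            continue

        # 2. Policies that disable Task Manager / Active Desktop changes.
        m = POLICY_LINE.search(line)
        if m and m.group(1) in RESTRICTIVE_POLICIES:
            findings.append(Finding(line, f"restrictive policy {m.group(1)} is set"))
            continue

        # 3. Services: file missing ("--> ... [?]") or hosted inside svchost,
        #    where the real code is the ServiceDll that DDS does not print.
        m = SERVICE_LINE.match(line)
        if m:
            name, _display, image = m.groups()
            if "-->" in image or "[?]" in image:
                findings.append(Finding(line, f"service {name} points to a missing file"))
            elif "svchost.exe -k" in image.lower():
                findings.append(Finding(line, f"service {name} runs inside svchost; verify its ServiceDll"))
            continue

        # 4. Any remaining Run/BHO/SEH/Notify entry loading from a temp directory.
        if TEMP_PATH.search(line):
            findings.append(Finding(line, "autostart or hook loads from a temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```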



#2 Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 03 February 2009 - 11:24 AM

Hello, Nizel

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I need some time to look over your log, I will post back soon.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 Nizel
  • Topic Starter

  • Members
  • 7 posts

Posted 04 February 2009 - 01:08 PM

Hi Jat,

Any news?

#4 Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 04 February 2009 - 03:29 PM

Hello,

As I'm in training I have to prepare what I think is an appropriate "fix" for your machine. This fix has to be supervised by other staff here. Once my fix has been approved, I will post it here. It's never normally long. :thumbup2:
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 05 February 2009 - 11:39 AM

Hello, sorry for the delay.

ATF Cleaner

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

ComboFix

Please download ComboFix from one of these locations (if you already have ComboFix, then delete it and download again) :

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See this topic to find out how to disable your antivirus and firewall (post #1 and #2).
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

NOTE**ComboFix was intended to be used under the supervision of a helper, not for general use. This is a powerful tool which can permanently damage your computer.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Install Antivirus

You are missing one important program on that computer: An antivirus.
I am not surprised you are infected. This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer: install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

However, I must warn you that with subsequent CF runs (which is likely) you must disable your antivirus before running CF; many antivirus products interfere greatly with the cleaning process.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#6 Nizel
  • Topic Starter

  • Members
  • 7 posts

Posted 05 February 2009 - 08:58 PM

Hi Jat,

I ran ATF cleaner and Combofix.
I also installed Kaspersky anti-virus.

Here is the log for combofix.

--

ComboFix 09-02-02.04 - Root 2009-02-05 17:30:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.633 [GMT -8:00]
Running from: c:\documents and settings\Root\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\OYHgPqss.ini
c:\windows\system32\OYHgPqss.ini2
c:\windows\system32\ssqPgHYO.dll

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\lsass.exe . . . is infected!!

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\system32\services.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Passthru


((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-05 16:58 . 2003-04-10 17:18 466,944 --a------ c:\windows\system32\SLLights.dll
2009-02-05 16:58 . 2003-04-15 12:41 401,408 --a------ c:\windows\system32\slcpappl.cpl
2009-02-05 16:58 . 2003-04-15 12:35 397,312 --a------ c:\windows\system32\slmh.exe
2009-02-05 16:58 . 2003-04-10 11:29 188,416 --a------ c:\windows\system32\minirec.exe
2009-02-05 16:58 . 2003-04-10 11:30 155,648 --a------ c:\windows\system32\amr_cpl.dll
2009-02-05 16:58 . 2003-04-10 11:54 81,920 --a------ c:\windows\SmCfg.exe
2009-02-05 16:58 . 2001-08-17 13:57 16,128 --a------ c:\windows\system32\drivers\MODEMCSA.sys
2009-02-05 16:58 . 2001-08-17 13:57 16,128 --a--c--- c:\windows\system32\dllcache\modemcsa.sys
2009-02-05 16:58 . 2003-04-10 12:35 14,976 --a------ c:\windows\system32\drivers\winddx.sys
2009-02-05 16:45 . 2009-02-05 16:59 4,904 --a------ c:\windows\system32\PerfStringBackup.TMP
2009-02-05 16:43 . 2009-02-05 16:58 <DIR> d-------- c:\windows\Modio
2009-02-05 16:43 . 2003-04-15 12:35 351,388 --a------ c:\windows\system32\slmh.cab
2009-02-05 16:43 . 2003-02-05 17:16 138,560 --a------ c:\windows\system32\slcpappl.chm
2009-02-05 16:43 . 2003-04-15 12:56 130,188 --a------ c:\windows\sl.lng
2009-02-05 16:43 . 2003-04-09 19:53 65,536 --a------ c:\windows\system32\OLD30.tmp
2009-02-05 16:43 . 2003-04-09 19:38 45,056 --a------ c:\windows\OLD2D.tmp
2009-02-05 16:43 . 2003-04-10 11:15 11,544 --a------ c:\windows\system32\drivers\OLD34.tmp
2009-02-05 16:37 . 2003-04-09 20:00 49,152 --a------ c:\windows\system32\coinst.dll
2009-02-05 15:20 . 2009-02-05 16:49 <DIR> d-------- C:\RECYCLER(2)
2009-02-05 14:02 . 2009-02-05 16:49 <DIR> d-------- c:\program files\RegCure
2009-02-05 13:06 . 2009-02-05 16:49 <DIR> d-------- c:\program files\ShellExView
2009-02-05 11:41 . 2009-02-05 11:41 <DIR> d-------- c:\windows\ERUNT
2009-02-05 11:39 . 2009-02-05 17:24 <DIR> d-------- C:\SDFix
2009-02-05 09:09 . 2009-02-05 09:09 33,920 --a------ c:\windows\system32\drivers\dzcdtqox.sys
2009-02-05 09:09 . 2009-02-05 09:09 11,776 --ah----- c:\documents and settings\Root\sbhv.exe
2009-02-05 09:08 . 2009-02-05 09:08 64,512 --a------ c:\windows\system32\undname.exe
2009-02-05 09:07 . 2009-02-05 09:09 66,560 ---h----- c:\windows\system32\secupdat.dat
2009-02-05 09:07 . 2009-02-05 09:07 64,512 --a------ c:\windows\system32\deviceemulator.exe
2009-02-05 09:07 . 2009-02-05 09:09 53,248 --a------ c:\windows\system32\drivers\ndisio.sys
2009-02-05 09:07 . 2009-02-05 09:07 32,768 --ah----- c:\documents and settings\Root\yjkjx.exe
2009-02-05 07:32 . 2009-02-05 07:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-05 07:31 . 2009-02-05 07:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-04 22:27 . 2002-08-28 19:41 39,424 --a------ c:\windows\system32\userinit.exe
2009-02-04 13:14 . 2009-02-04 13:15 <DIR> d-------- c:\program files\ATI Technologies
2009-02-04 13:14 . 2008-12-01 14:35 614,400 --a------ c:\windows\system32\ati2sgag.exe
2009-02-03 19:21 . 2009-02-03 19:21 8,388,608 --a------ C:\software.new
2009-02-03 17:50 . 2009-02-03 19:02 <DIR> d-------- c:\documents and settings\Administrator.ANGST-LT.000
2009-02-03 17:46 . 2009-02-03 17:47 <DIR> d-------- c:\documents and settings\Root.ANGST-LT.000
2009-02-03 17:46 . 2009-02-03 17:46 <DIR> d--hs---- c:\documents and settings\NetworkService.NT AUTHORITY.000
2009-02-03 17:46 . 2009-02-03 17:46 <DIR> d--hs---- c:\documents and settings\LocalService.NT AUTHORITY.000
2009-02-03 12:08 . 2009-02-03 12:08 4,444 --a------ c:\windows\system32\pid.PNF
2009-02-03 11:54 . 2009-02-03 11:54 <DIR> d--hs---- c:\documents and settings\LocalService.NT AUTHORITY
2009-02-03 11:50 . 2009-02-03 11:55 <DIR> d-------- c:\documents and settings\Root.ANGST-LT
2009-02-03 11:50 . 2009-02-03 11:50 <DIR> d--hs---- c:\documents and settings\NetworkService.NT AUTHORITY
2009-02-03 11:50 . 2009-02-03 20:53 <DIR> d-------- c:\documents and settings\Administrator.ANGST-LT
2009-02-03 10:55 . 2009-02-03 11:05 <DIR> d-------- C:\d2ed89c7d062634f3dbe50
2009-02-03 10:45 . 2002-08-28 20:00 22,016 --a------ c:\windows\system32\userinit.ex_
2009-02-03 09:26 . 2009-02-03 09:26 <DIR> d--h----- c:\windows\PIF
2009-02-03 09:22 . 2009-02-03 09:24 <DIR> d-------- c:\program files\Unlocker
2009-02-03 09:15 . 2009-02-03 09:15 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-03 06:36 . 2009-02-05 04:30 96,976 --a------ c:\windows\system32\drivers\klin.dat
2009-02-03 06:36 . 2009-02-05 04:30 87,855 --a------ c:\windows\system32\drivers\klick.dat
2009-02-03 06:35 . 2009-02-05 17:35 2,472,992 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-02-03 06:35 . 2009-02-05 17:35 483,360 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-02-03 06:35 . 2009-02-05 17:35 20,400 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-02-03 06:35 . 2009-02-05 17:35 2,732 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-02-03 06:29 . 2009-02-03 06:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-02-03 05:13 . 2009-02-03 05:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 05:12 . 2009-02-03 06:47 <DIR> d-------- c:\program files\SpywareGuard
2009-02-03 05:10 . 2009-02-03 05:10 <DIR> d-------- c:\program files\Sophos
2009-02-03 04:43 . 2009-02-03 19:36 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-03 04:43 . 2009-02-03 04:43 <DIR> d-------- c:\documents and settings\Root\Application Data\SUPERAntiSpyware.com
2009-02-03 04:43 . 2009-02-03 04:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-03 03:03 . 2009-02-03 03:03 <DIR> d-------- C:\rsit
2009-02-03 00:24 . 2009-02-03 06:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-03 00:24 . 2009-02-03 00:24 <DIR> d-------- c:\documents and settings\Root\Application Data\Malwarebytes
2009-02-03 00:24 . 2009-02-03 00:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-03 00:24 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-03 00:24 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-03 00:20 . 2009-02-03 00:20 <DIR> d-------- c:\program files\Trend Micro
2009-02-02 23:27 . 2009-02-03 01:29 124 --a------ c:\windows\adobe.bat
2009-02-02 23:27 . 2009-02-02 23:29 5 --a------ c:\windows\_id.dat
2009-02-02 23:11 . 2009-02-02 23:11 0 --a------ c:\windows\system32\52.tmp
2009-02-02 11:00 . 2009-02-02 11:00 997,888 --a--c--- c:\windows\system32\dllcache\kernel32.dll
2009-02-02 11:00 . 2009-02-02 11:00 21,504 --a--c--- c:\windows\system32\dllcache\powrprof.dll
2009-02-02 10:18 . 2009-02-02 10:18 23,040 --ahs---- c:\windows\system32\1041w.dll
2009-02-02 10:14 . 2009-02-02 10:14 0 --a------ c:\windows\mqcd.dbt
2009-02-02 10:13 . 2009-02-02 10:13 77,312 --a------ c:\windows\system32\re3d.pf
2009-02-02 10:13 . 2009-02-02 10:13 40,448 --a------ C:\mlevsfdk.exe
2009-02-02 10:13 . 2009-02-02 10:13 32,768 --a------ c:\windows\system32\rer.wa
2009-02-02 10:13 . 2009-02-02 10:13 32,768 --a------ c:\windows\system32\qzhr1.ant
2009-02-02 10:13 . 2009-02-02 10:13 28,672 --a------ c:\windows\system32\do8d.sr
2009-02-02 10:13 . 2009-02-02 10:13 28,672 --a------ c:\windows\system32\dedwf.lp
2009-02-02 10:13 . 2009-02-02 10:13 22,016 --a------ C:\jlpooc.exe
2009-02-02 10:13 . 2009-02-02 10:13 4,096 --a------ c:\windows\d3dx.dat
2009-02-02 10:13 . 2009-02-02 23:35 629 --a-s---- c:\windows\system32\1816910912.dat
2009-02-02 10:12 . 2009-02-02 10:12 <DIR> d-------- c:\program files\OvalOffice
2009-02-02 10:12 . 2009-02-02 10:12 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-30 23:15 . 2009-01-30 23:43 <DIR> d-------- c:\program files\PowerStrip
2009-01-30 21:32 . 2009-02-03 02:19 16 --a------ c:\windows\system32\wpfb.dat
2009-01-30 21:08 . 2007-02-09 12:17 62,009 --a------ c:\windows\system32\WPFB.DLL
2009-01-30 21:08 . 2007-02-09 12:17 17,465 --a------ c:\windows\system32\drivers\pivot.sys
2009-01-30 21:08 . 2008-07-31 11:13 17,064 --a------ c:\windows\system32\drivers\PdiPorts.sys
2009-01-30 21:08 . 2007-02-09 12:17 11,323 --a------ c:\windows\system32\drivers\pivotmou.sys
2009-01-30 21:08 . 2004-11-22 12:07 2,304 --a------ c:\windows\system32\Machnm32.sys
2009-01-30 21:07 . 2009-01-30 21:08 <DIR> d-------- c:\program files\Portrait Displays
2009-01-30 21:07 . 2009-01-30 21:08 <DIR> d-------- c:\program files\Common Files\Portrait Displays
2009-01-30 20:36 . 2009-01-30 21:18 1,100 --a------ c:\windows\system32\d3d8caps.dat
2009-01-30 18:59 . 2009-01-30 18:59 <DIR> d-------- c:\program files\Hewlett-Packard
2009-01-30 18:22 . 2009-01-30 21:10 <DIR> d-------- c:\documents and settings\Root\Application Data\DisplayTune
2009-01-30 18:16 . 2009-01-30 21:27 62,009 --a------ c:\windows\system32\wpfb_ati2dvag.dll
2009-01-30 18:15 . 2004-08-04 01:56 1,392,671 --a------ c:\windows\msvbvm60.dll
2009-01-30 18:15 . 2002-01-05 04:40 487,424 --a------ c:\windows\msvcp70.dll
2009-01-30 18:15 . 2002-01-05 04:37 344,064 --a------ c:\windows\msvcr70.dll
2009-01-30 13:51 . 2009-01-30 13:51 <DIR> d-------- C:\Swsetup
2009-01-30 07:16 . 2009-01-30 07:16 <DIR> d-------- c:\program files\Total Video Converter
2009-01-30 07:16 . 2000-05-22 22:58 608,448 --a------ c:\windows\system32\comctl32.ocx
2009-01-30 06:53 . 2009-02-03 04:47 <DIR> d-------- c:\program files\Demonoid
2009-01-30 06:53 . 2009-01-30 06:53 <DIR> d-------- c:\program files\Conduit
2009-01-30 06:52 . 2009-01-30 06:52 <DIR> d-------- c:\documents and settings\Root\Application Data\Yahoo!
2009-01-29 06:35 . 2009-01-29 06:35 <DIR> d-------- c:\program files\Calibrize
2009-01-29 02:58 . 2009-02-03 06:48 <DIR> d-------- c:\program files\LUT Manager
2009-01-29 02:17 . 2009-01-29 02:17 <DIR> d-------- c:\windows\Downloaded Installations
2009-01-29 02:17 . 2009-01-29 02:17 <DIR> d-------- c:\program files\Pro Imaging Powertoys
2009-01-29 00:13 . 2009-02-05 07:21 <DIR> d-------- c:\program files\Monitor Calibration Wizard
2009-01-29 00:13 . 2009-01-29 00:13 7 --a------ c:\windows\INI2=No
2009-01-29 00:13 . 2009-01-29 00:13 7 --a------ c:\windows\INI1=No
2009-01-27 01:03 . 2009-01-27 01:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kalypso
2009-01-27 00:40 . 2009-01-27 00:40 <DIR> d-------- c:\documents and settings\Root\Application Data\Stardock
2009-01-27 00:39 . 2009-01-27 00:39 <DIR> d-------- c:\program files\Stardock
2009-01-27 00:39 . 2009-01-27 00:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Stardock
2009-01-27 00:39 . 2009-01-27 00:39 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
2009-01-27 00:38 . 2009-01-27 00:38 <DIR> d-------- c:\program files\Kalypso
2009-01-24 03:04 . 2009-01-24 03:04 <DIR> d-------- c:\windows\.jagex_cache_32
2009-01-24 03:04 . 2009-01-24 03:17 34 --a------ c:\documents and settings\Root\jagex_runescape_preferences.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-02-05 12:44 --------- d-----w c:\program files\Steam
2009-02-04 21:07 --------- d-----w c:\documents and settings\Root\Application Data\ATI
2009-02-03 14:47 --------- d-----w c:\program files\Apoint2K
2009-02-03 14:45 86,528 ----a-w c:\windows\notepad.exe
2009-02-03 14:45 301,056 ----a-w c:\windows\winhlp32.exe
2009-02-03 14:45 28,160 ----a-w c:\windows\hh.exe
2009-02-03 14:45 163,840 ----a-w c:\windows\regedit.exe
2009-02-03 14:45 --------- d-----w c:\program files\FlashGet
2009-02-03 14:35 --------- d-----w c:\program files\Kaspersky Lab
2009-02-03 14:30 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-03 14:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-03 12:42 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-03 07:53 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 23:27 --------- d-----w c:\program files\PeerGuardian2
2009-02-02 23:27 --------- d-----w c:\documents and settings\Root\Application Data\uTorrent
2009-02-02 17:15 138,624 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-31 04:31 --------- d-----w c:\program files\Yahoo!
2009-01-22 07:33 --------- d-----w c:\program files\iTunes
2009-01-22 07:33 --------- d-----w c:\program files\Common Files\Apple
2009-01-19 20:09 --------- d-----w c:\program files\Common Files\Adobe
2009-01-17 01:14 --------- d-----w c:\program files\MobMapUpdater
2009-01-15 22:12 --------- d-----w c:\program files\CCleaner
2009-01-14 17:47 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 06:11 --------- d-----w c:\documents and settings\Root\Application Data\GetRightToGo
2008-12-13 07:31 --------- d-----w c:\program files\14 Degrees East
2008-12-13 07:28 70,144 ----a-w c:\windows\ipuninst.exe
2008-12-12 20:08 --------- d-----w c:\program files\Warcraft II BNE
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 09:26 --------- d-----w c:\documents and settings\Root\Application Data\Media Player Classic
2008-12-11 02:30 --------- d-----w c:\program files\GSP
2008-12-11 00:44 --------- d-----w c:\documents and settings\Root\Application Data\Megaupload
2008-12-11 00:36 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-10 23:55 --------- d-----w c:\documents and settings\Root\Application Data\EmailNotifier
2008-12-10 23:55 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2008-12-10 23:55 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2008-07-18 11:06 0 --sh--w c:\program files\desktoq.ini
2008-05-27 23:56 22,328 ----a-w c:\documents and settings\Root\Application Data\PnkBstrK.sys
.

------- Sigcheck -------

2004-08-03 23:56 31744 152a6f3088df30b982ba1232d8117a19 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 16:12 31744 09b23caf028135c68e9738dec2c4f3af c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 16:12 31744 06f2afe5c38c3486bc53dbf82c6c9a84 c:\windows\system32\svchost.exe

2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 11:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2007-10-30 09:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
2007-10-30 08:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
2008-10-01 10:52 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\TCPIP.SYS
2008-10-01 10:52 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\TCPIP.SYS

2004-08-03 23:56 519680 ad2af4b4d5077d111069eb941d91d616 c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 16:12 525312 1a2358a22723f9451374d84b020562c5 c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-13 16:12 525312 04c9e7ae5c53494cc2692765c4660f37 c:\windows\system32\winlogon.exe

2008-04-13 16:12 1051136 27c02de19aefb0b617f387ed0db8da3a c:\windows\explorer.exe
2004-08-03 23:56 1049600 9a273ec764affd44fa658c53c379f284 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 16:12 1051136 dd3791759055a2e6a4077c69a4473217 c:\windows\ServicePackFiles\i386\explorer.exe
2007-06-13 02:23 1050624 85f0e0ab64bceafdaff9a2854031a1be c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2007-06-13 03:26 1050624 f05c641acbb03b4e5d09ab56900623ea c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe

2004-08-03 23:56 125440 6ead1f84f95781efe059c4c96a3cc0a8 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-13 16:12 125952 ec71002f22bb5afc3749b69bc34be3da c:\windows\ServicePackFiles\i386\services.exe
2008-04-13 16:12 125952 ffde1714398c39f870c82880531de903 c:\windows\system32\services.exe

2004-08-03 23:56 30720 f8c645d4681d2cddbd9848d6a6590063 c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-13 16:12 30720 01159a6389cd8a7c7038f025d6d8d733 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-13 16:12 30720 a6e2b8555f0db60a15af3d0c103ea709 c:\windows\system32\lsass.exe

2004-08-03 23:56 32768 37031deb481bbcf21ad17eb2048751b5 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 16:12 32768 80b13af56c329e18a1850cad60955a73 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 16:12 32768 3ea686b8ca7c54c7514104a82fd6ebd0 c:\windows\system32\ctfmon.exe

2004-08-03 23:56 75264 8be44ba5156b58da667cd45b0c3241d4 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 16:12 75264 436e471a09bd91415f1ed7283725313c c:\windows\ServicePackFiles\i386\spoolsv.exe
2005-06-10 15:53 75264 3dafe576476fed3c707eab461f5754df c:\windows\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2gdr\spoolsv.exe
2005-06-10 16:17 75264 8d243c0cd20ddaba546c11f929c0409c c:\windows\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2qfe\spoolsv.exe
2008-04-13 16:12 75264 5aa14b277cf4ce6d3ac92d74ddd99d60 c:\windows\system32\spoolsv.exe

2004-08-03 23:56 41984 a4faa106d2e07d01a45b2b4614723adc c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 16:12 43520 df22096b8ae1ae59bf0490af32313826 c:\windows\ServicePackFiles\i386\userinit.exe
2002-08-28 19:41 39424 25c028fdaa3deb9c37c8c2704b32242a c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( snapshot_2009-02-05_ 9.10.12.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 23:27:04 184,320 ----a-w c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-02-06 01:04:37 3,436,544 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2009-02-06 01:04:37 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 23:27:04 184,320 ----a-w c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-02-05 19:41:12 3,436,544 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2009-02-05 19:41:12 8,192 ----a-w c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2003-04-15 20:50:38 372,736 ----a-w c:\windows\Modio\SLAMR2KV\Setup.exe
+ 2004-08-04 05:41:39 13,776 ----a-w c:\windows\Modio\SLAMR2KV\SLExtBU\RecAgent.sys
- 2008-04-14 00:12:35 53,346 ------w c:\windows\slrundll.exe
+ 2008-04-14 01:12:36 53,346 ----a-w c:\windows\slrundll.exe
- 2009-02-05 17:05:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-06 01:37:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-05 17:05:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-06 01:37:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-05 17:05:10 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-06 01:37:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-05 20:41:43 3,235,840 ----a-w c:\windows\system32\config\systemprofile\ntuser.dat
+ 2003-04-10 09:05:24 210,048 -c--a-w c:\windows\system32\dllcache\mtlmnt5.sys
+ 2003-04-10 09:07:24 1,295,272 -c--a-w c:\windows\system32\dllcache\mtlstrm.sys
+ 2003-04-10 08:51:18 162,136 -c--a-w c:\windows\system32\dllcache\ntmtlfax.sys
+ 2004-08-04 06:41:40 13,776 -c--a-w c:\windows\system32\dllcache\recagent.sys
+ 2003-04-10 04:00:58 188,416 -c--a-w c:\windows\system32\dllcache\slextspk.dll
+ 2003-04-10 03:51:42 159,744 -c--a-w c:\windows\system32\dllcache\slgen.dll
+ 2003-04-10 03:19:04 521,808 -c--a-w c:\windows\system32\dllcache\slntamr.sys
+ 2003-04-15 03:34:04 85,968 -c--a-w c:\windows\system32\dllcache\slnthal.sys
+ 2003-04-10 09:03:42 39,348 -c--a-w c:\windows\system32\dllcache\slwdmsup.sys
- 2004-08-04 05:41:38 126,686 ------w c:\windows\system32\drivers\mtlmnt5.sys
+ 2003-04-10 09:05:24 210,048 ----a-w c:\windows\system32\drivers\mtlmnt5.sys
- 2004-08-04 05:41:37 1,309,184 ------w c:\windows\system32\drivers\mtlstrm.sys
+ 2003-04-10 09:07:24 1,295,272 ----a-w c:\windows\system32\drivers\mtlstrm.sys
- 2004-08-04 05:41:39 180,360 ------w c:\windows\system32\drivers\ntmtlfax.sys
+ 2003-04-10 08:51:18 162,136 ----a-w c:\windows\system32\drivers\ntmtlfax.sys
- 2004-08-04 05:41:39 13,776 ------w c:\windows\system32\drivers\recagent.sys
+ 2004-08-04 06:41:40 13,776 ----a-w c:\windows\system32\drivers\recagent.sys
- 2004-08-04 05:41:42 404,990 ------w c:\windows\system32\drivers\slntamr.sys
+ 2003-04-10 03:19:04 521,808 ----a-w c:\windows\system32\drivers\slntamr.sys
- 2004-08-04 05:41:44 95,424 ------w c:\windows\system32\drivers\slnthal.sys
+ 2003-04-15 03:34:04 85,968 ----a-w c:\windows\system32\drivers\slnthal.sys
- 2004-08-04 05:41:45 13,240 ------w c:\windows\system32\drivers\slwdmsup.sys
+ 2003-04-10 09:03:42 39,348 ----a-w c:\windows\system32\drivers\slwdmsup.sys
+ 2008-04-14 00:12:24 30,720 ----a-w c:\windows\system32\lsass(2).exe
- 2009-02-04 18:10:12 72,986 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-06 00:59:50 73,614 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-04 18:10:12 445,464 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-06 00:59:50 446,556 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-06 00:50:42 517,928 ----a-w c:\windows\system32\Restore\rstrlog.dat
- 2008-04-14 00:12:06 286,792 ------w c:\windows\system32\slextspk.dll
+ 2003-04-10 04:00:58 188,416 ----a-w c:\windows\system32\slextspk.dll
- 2008-04-14 00:12:06 188,508 ------w c:\windows\system32\slgen.dll
+ 2003-04-10 03:51:42 159,744 ----a-w c:\windows\system32\SLGen.dll
- 2008-04-14 00:12:35 94,276 ------w c:\windows\system32\slserv.exe
+ 2008-04-14 01:12:36 94,276 ----a-w c:\windows\system32\slserv.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{35B675B9-7F34-40DF-8F49-5FAB6B7E4AEF}"= "c:\program files\Demonoid\tbDemo.dll" [2009-01-20 1881112]

[HKEY_CLASSES_ROOT\clsid\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [2008-11-19 737312]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 81920]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-11-11 206088]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dzcdtqox.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Root^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Root\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\c:^documents and settings^root^start menu^programs^startup^shortcut to wincolor.lnk]
path=c:\documents and settings\Root\Start Menu\Programs\Startup\Shortcut to WinColor.lnk
backup=c:\windows\pss\Shortcut to WinColor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2009-02-03 06:47 180224 c:\program files\Apoint2K\apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-11-07 14:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CalibrizeResume]
--a------ 2007-11-26 16:40 434176 c:\program files\Calibrize\CalibrizeResume.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CGFLoader]
--a------ 2007-11-26 16:39 1982464 c:\program files\Calibrize\CalibrizeLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 32768 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 04:11 511432 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dt hwp]
--a------ 2008-09-04 16:55 102400 c:\program files\Common Files\Portrait Displays\Shared\DT_Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\google update]
--a----t- 2008-12-02 17:42 133104 c:\documents and settings\Root\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iphonevideoconverter_upgrade]
--a------ 2009-02-04 12:59 514560 c:\program files\E-Zsoft\iPhoneVideoConverter\iPhoneVideoConverter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
--a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NotebookHardwareControl]
--a------ 2007-05-03 16:33 2650112 c:\program files\Notebook Hardware Control\nhc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PivotSoftware]
--a------ 2007-02-09 12:17 694008 c:\program files\Portrait Displays\Pivot Software\wpCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 434176 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-08-29 17:11 81920 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-04 17:46 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-02 18:13 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-01-15 16:17 1850608 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2008-05-01 20:15 33280 c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2001-12-26 13:12 491520 c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-12-11 09:50 38400 c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run StartupMonitor]
--a------ 2000-05-20 16:23 106496 c:\windows\StartupMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 15:28 598016 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"PdiService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AVP"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Asset Management Daemon"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\kav\\kis\\setup.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\iPhone Tunnel Suite 2.6 BETA\\iTunnel\\iTunnel.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Root\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\angst138\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\angst138\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\AV-CLS\\WGET.EXE"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1080:TCP"= 1080:TCP:Netshare
"49152:TCP"= 49152:TCP:utorrent
"62078:TCP"= 62078:TCP:UT

R0 dzcdtqox;dzcdtqox;c:\windows\system32\drivers\dzcdtqox.sys [2009-02-05 33920]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-05-31 34064]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-14 27992]
R2 sensorsview32;sensorsview32;c:\windows\system32\drivers\sensorsview32.sys [2009-01-07 14416]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S0 mhmltmt;mhmltmt;c:\windows\system32\drivers\dofpjqbj.sys --> c:\windows\system32\drivers\dofpjqbj.sys [?]
S1 2459eaf6;2459eaf6;c:\windows\system32\drivers\2459eaf6.sys --> c:\windows\system32\drivers\2459eaf6.sys [?]
S2 softyinforwow;Remote TCP/IPG;c:\windows\System32\svchost.exe -k netsvcs [2002-08-29 31744]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3E.tmp --> c:\windows\system32\3E.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S4 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2009-01-30 118784]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
softyinforwow
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-746137067-682003330-1003.job
- c:\documents and settings\Root\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 17:42]

2009-02-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-05 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{0F6D8D3B-1CAF-437D-B355-0FA4644A477D} - c:\windows\system32\ssqPgHYO.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Root\Application Data\Mozilla\Firefox\Profiles\kcshyire.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\Root\Application Data\Mozilla\Firefox\Profiles\kcshyire.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFAlert.dll
FF - plugin: c:\documents and settings\Root\Application Data\Mozilla\Firefox\Profiles\kcshyire.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\Root\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 17:37:38
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D71A8318-1BB3-E684-A72E-3359BEA016F9}\InProcServer32*]
"jaelemliamkdeonaipan"=hex:69,61,6e,62,62,6e,65,66,62,6e,6d,6f,6d,6e,6a,61,6e,
69,00,00
"iaelkljpihejiaefoj"=hex:69,61,6e,62,62,6e,65,66,62,6e,6d,6f,6d,6e,6a,61,6e,69,
00,00

[HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\ACPI\PNP0F13\4&369939d9&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\HID\Vid_046d&Pid_c051\6&20b7525a&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\program files\Bonjour\mdnsNSP.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-05 17:42:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-06 01:41:34
ComboFix2.txt 2009-02-05 21:45:05
ComboFix3.txt 2009-02-05 17:12:48
ComboFix4.txt 2009-02-03 10:47:43
ComboFix5.txt 2009-02-06 01:28:14

Pre-Run: 7,107,710,976 bytes free
Post-Run: 7,039,479,808 bytes free

499 --- E O F --- 2009-02-03 11:59:17

#7 Jat90

Posted 06 February 2009 - 05:05 PM

Hello,

I'm afraid some legitimate Windows files have been infected. I must warn you that there may be damage done to your computer by malware that may be irreversible. Please do the following:

System File Checker

Protected system files may have been overwritten or modified. I would like you to run the System File Checker. However, it may require the Windows installation CD to correct some files.

To run the File Checker:
  • Go to Start
  • Click Run
  • In the box type sfc /scannow
  • Hit enter and let it check for modified files.
CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
dzcdtqox
mhmltmt
2459eaf6
MEMSWEEP2

File::
c:\windows\sl.lng
c:\windows\system32\OLD30.tmp
c:\windows\system32\drivers\OLD34.tmp
c:\documents and settings\Root\sbhv.exe
c:\windows\system32\secupdat.dat
c:\documents and settings\Root\yjkjx.exe
c:\windows\system32\userinit.ex_
c:\windows\_id.dat
c:\windows\system32\52.tmp
c:\windows\mqcd.dbt
c:\windows\system32\re3d.pf
C:\mlevsfdk.exe
c:\windows\system32\rer.wa
c:\windows\system32\qzhr1.ant
c:\windows\system32\do8d.sr
c:\windows\system32\dedwf.lp
C:\jlpooc.exe
c:\windows\system32\1816910912.dat
c:\windows\system32\drivers\dzcdtqox.sys
c:\windows\system32\drivers\dofpjqbj.sys
c:\windows\system32\drivers\2459eaf6.sys
c:\windows\system32\3E.tmp

Folder::
c:\program files\SpywareGuard
C:\d2ed89c7d062634f3dbe50

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dzcdtqox.sys]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]

Regnull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D71A8318-1BB3-E684-A72E-3359BEA016F9}\InProcServer32*]


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

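Jat90's warning that legitimate Windows files have been infected is worth confirming by hand before trusting any repair, and ComboFix gives you the raw material for that: its Sigcheck block lists date, size and MD5 for each protected binary next to Windows' own backup copies in ServicePackFiles\i386 and dllcache. The Python below is an added example, not code from ComboFix, BleepingComputer or anyone in this thread. It parses Sigcheck-style lines and flags every live copy whose hash matches none of the reference copies. The sample lines are excerpted from the ComboFix log posted later in this thread; which directories count as "reference", "archive" (older rollback copies) and "live" is my own classification.

```python
"""Flag protected Windows binaries whose live copy no longer matches a
known-good backup copy, from ComboFix-style Sigcheck lines
("YYYY-MM-DD HH:MM size md5 path").

Added example for this thread; not code from ComboFix, BleepingComputer
or the posters. The directory classification below is an assumption.
"""
import hashlib
import re
from collections import defaultdict

SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$", re.I
)

# Windows' own backup copies of protected files (what SFC restores from).
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\dllcache\\")
# Rollback/update-cache copies of *older* builds: real files, but not what
# the current system should be running, so neither live nor reference.
ARCHIVE_MARKERS = ("$", "\\softwaredistribution\\")


def classify(path):
    """Return 'reference', 'archive' or 'live' for one Sigcheck path."""
    p = path.lower()
    if any(d in p for d in REFERENCE_DIRS):
        return "reference"
    if any(m in p for m in ARCHIVE_MARKERS):
        return "archive"
    return "live"


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        date, time, size, md5, path = m.groups()
        entries.append({
            "date": date, "size": int(size), "md5": md5.lower(), "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(), "role": classify(path),
        })
    return entries


def find_mismatches(entries):
    """Return (path, reason) for every live copy that matches no reference."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    findings = []
    for name in sorted(by_name):
        group = by_name[name]
        refs = [e for e in group if e["role"] == "reference"]
        ref_md5 = {r["md5"] for r in refs}
        for e in group:
            if e["role"] != "live":
                continue
            if not refs:
                findings.append((e["path"], "no reference copy to compare against"))
            elif e["md5"] not in ref_md5:
                findings.append((e["path"], "md5 %s matches no reference copy (size %d vs %s)"
                                 % (e["md5"], e["size"], sorted({r["size"] for r in refs}))))
    return findings


def md5_of(path):
    """Hash a file on a live box so you can extend the table by hand."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample input: lines excerpted from the ComboFix Sigcheck block in this thread.
SAMPLE_SIGCHECK = r"""
2004-08-03 23:56 31744 152a6f3088df30b982ba1232d8117a19 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 16:12 31744 09b23caf028135c68e9738dec2c4f3af c:\windows\ServicePackFiles\i386\svchost.exe
2001-08-17 14:36 30208 f4f6ad82adbbbc976deaa41442e6d576 c:\windows\system32\svchost.exe

2008-10-01 10:52 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\TCPIP.SYS
2008-10-01 10:52 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\TCPIP.SYS

2008-04-13 16:12 525312 1a2358a22723f9451374d84b020562c5 c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-13 16:12 525312 04c9e7ae5c53494cc2692765c4660f37 c:\windows\system32\winlogon.exe

2009-02-08 12:09 1033728 56696acc95844099698faaa7a8dc5689 c:\windows\explorer.exe
2008-04-13 16:12 1051136 dd3791759055a2e6a4077c69a4473217 c:\windows\ServicePackFiles\i386\explorer.exe
2007-06-13 02:23 1050624 85f0e0ab64bceafdaff9a2854031a1be c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe

2008-04-13 16:12 32768 80b13af56c329e18a1850cad60955a73 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-02-08 12:02 15360 e385c2260a2a3f605f4f621d9f179544 c:\windows\system32\ctfmon.exe

2008-04-13 16:12 43520 df22096b8ae1ae59bf0490af32313826 c:\windows\ServicePackFiles\i386\userinit.exe
2002-08-28 19:41 39424 09af82fe772985320c8f34a4ccaaf590 c:\windows\system32\userinit.exe
"""


def report(text=SAMPLE_SIGCHECK):
    """One human-readable line per suspicious live binary."""
    return ["%s: %s" % f for f in find_mismatches(parse_sigcheck(text))]


if __name__ == "__main__":
    print("\n".join(report()))
```

On the sample, svchost.exe, winlogon.exe, explorer.exe, ctfmon.exe and userinit.exe are flagged and TCPIP.SYS is not, which matches ComboFix's own "is infected!!" verdicts. Two caveats: a hash mismatch only tells you the file differs from the backup, not what it now contains, and dllcache is writable by anything running as SYSTEM, so a match there is weaker evidence than a match against ServicePackFiles or the install media. That is also why sfc /scannow may ask for the CD, which matters on a machine whose CD-ROM drive has stopped reading discs.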

#8 Nizel (Topic Starter)

Posted 08 February 2009 - 09:06 PM

Jat,

I am unable to run the scan because my CD-ROM drive is apparently refusing to read any discs currently. Could this be because of the viruses on the system?

Here is the ComboFix.txt

--

ComboFix 09-02-05.01 - Root 2009-02-08 11:51:03.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.633 [GMT -8:00]
Running from: C:\Documents and Settings\Root\Desktop\123.exe
Command switches used :: C:\Documents and Settings\Root\Desktop\cfscript.txt

FILE ::
c:\documents and settings\Root\sbhv.exe
c:\documents and settings\Root\yjkjx.exe
C:\jlpooc.exe
C:\mlevsfdk.exe
c:\windows\_id.dat
c:\windows\mqcd.dbt
c:\windows\sl.lng
c:\windows\system32\1816910912.dat
c:\windows\system32\3E.tmp
c:\windows\system32\52.tmp
c:\windows\system32\dedwf.lp
c:\windows\system32\do8d.sr
c:\windows\system32\drivers\2459eaf6.sys
c:\windows\system32\drivers\dofpjqbj.sys
c:\windows\system32\drivers\dzcdtqox.sys
c:\windows\system32\drivers\OLD34.tmp
c:\windows\system32\OLD30.tmp
c:\windows\system32\qzhr1.ant
c:\windows\system32\re3d.pf
c:\windows\system32\rer.wa
c:\windows\system32\secupdat.dat
c:\windows\system32\userinit.ex_
.

Thanks for your help.

#9 Jat90

Posted 09 February 2009 - 10:38 AM

Hello,

This log looks incomplete. Could you find the latest log in the ComboFix folder and paste the entire contents, please? Thanks.
- Jat90 -

#10 Nizel (Topic Starter)

Posted 09 February 2009 - 01:01 PM

ComboFix 09-02-05.01 - Root 2009-02-09 8:55:23.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.748 [GMT -8:00]
Running from: c:\documents and settings\Root\Desktop\123.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\userinit.exe
c:\documents and settings\Administrator\svchost.exe
c:\documents and settings\LocalService\svchost.exe
c:\documents and settings\Root\Start Menu\Programs\Startup\userinit.exe
c:\documents and settings\Root\svchost.exe
c:\program files\system\smss.exe
c:\program files\system\smss.exe.assembly
C:\userinit.exe
c:\windows\services.exe
c:\windows\system32\_hsfd83jfdg.dll
c:\windows\system32\5.tmp
c:\windows\system32\7.tmp
c:\windows\system32\9.tmp
c:\windows\system32\A.tmp
c:\windows\system32\D.tmp
c:\windows\system32\drivers\nfr.sys
c:\windows\system32\drivers\protect.sys
c:\windows\system32\drivers\services.exe
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\UACoxjxfumq.sys
c:\windows\system32\E.tmp
c:\windows\system32\F.tmp
c:\windows\system32\idaw64.exe
c:\windows\system32\ndetect.exe
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twext.exe
c:\windows\system32\UACabwwuhfm.dat
c:\windows\system32\UACbakydvpd.log
c:\windows\system32\UACllkmxyqr.dll
c:\windows\system32\UACqrqbonon.log
c:\windows\system32\UACsipxetlw.dll
c:\windows\system32\UACttmxmtxn.dll
c:\windows\system32\UACtvetljkd.log
c:\windows\system32\UACyvybvmlq.dll
.
---- Previous Run -------
.
C:\d2ed89c7d062634f3dbe50
c:\d2ed89c7d062634f3dbe50\baseline.dat
c:\d2ed89c7d062634f3dbe50\deffactory.dat
c:\d2ed89c7d062634f3dbe50\DeleteTemp.exe
c:\d2ed89c7d062634f3dbe50\dlmgr.dll
c:\d2ed89c7d062634f3dbe50\DW20.EXE
c:\d2ed89c7d062634f3dbe50\DWINTL20.DLL
c:\d2ed89c7d062634f3dbe50\eula.1025.rtf
c:\d2ed89c7d062634f3dbe50\eula.1028.rtf
c:\d2ed89c7d062634f3dbe50\eula.1029.rtf
c:\d2ed89c7d062634f3dbe50\eula.1030.rtf
c:\d2ed89c7d062634f3dbe50\eula.1031.rtf
c:\d2ed89c7d062634f3dbe50\eula.1032.rtf
c:\d2ed89c7d062634f3dbe50\eula.1033.rtf
c:\d2ed89c7d062634f3dbe50\eula.1035.rtf
c:\d2ed89c7d062634f3dbe50\eula.1036.rtf
c:\d2ed89c7d062634f3dbe50\eula.1037.rtf
c:\d2ed89c7d062634f3dbe50\eula.1038.rtf
c:\d2ed89c7d062634f3dbe50\eula.1040.rtf
c:\d2ed89c7d062634f3dbe50\eula.1041.rtf
c:\d2ed89c7d062634f3dbe50\eula.1042.rtf
c:\d2ed89c7d062634f3dbe50\eula.1043.rtf
c:\d2ed89c7d062634f3dbe50\eula.1044.rtf
c:\d2ed89c7d062634f3dbe50\eula.1045.rtf
c:\d2ed89c7d062634f3dbe50\eula.1046.rtf
c:\d2ed89c7d062634f3dbe50\eula.1049.rtf
c:\d2ed89c7d062634f3dbe50\eula.1053.rtf
c:\d2ed89c7d062634f3dbe50\eula.1055.rtf
c:\d2ed89c7d062634f3dbe50\eula.2052.rtf
c:\d2ed89c7d062634f3dbe50\eula.2070.rtf
c:\d2ed89c7d062634f3dbe50\eula.3082.rtf
c:\d2ed89c7d062634f3dbe50\gencomp.dll
c:\d2ed89c7d062634f3dbe50\HtmlLite.dll
c:\d2ed89c7d062634f3dbe50\locdata.1025.ini
c:\d2ed89c7d062634f3dbe50\locdata.1028.ini
c:\d2ed89c7d062634f3dbe50\locdata.1029.ini
c:\d2ed89c7d062634f3dbe50\locdata.1030.ini
c:\d2ed89c7d062634f3dbe50\locdata.1031.ini
c:\d2ed89c7d062634f3dbe50\locdata.1032.ini
c:\d2ed89c7d062634f3dbe50\locdata.1035.ini
c:\d2ed89c7d062634f3dbe50\locdata.1036.ini
c:\d2ed89c7d062634f3dbe50\locdata.1037.ini
c:\d2ed89c7d062634f3dbe50\locdata.1038.ini
c:\d2ed89c7d062634f3dbe50\locdata.1040.ini
c:\d2ed89c7d062634f3dbe50\locdata.1041.ini
c:\d2ed89c7d062634f3dbe50\locdata.1042.ini
c:\d2ed89c7d062634f3dbe50\locdata.1043.ini
c:\d2ed89c7d062634f3dbe50\locdata.1044.ini
c:\d2ed89c7d062634f3dbe50\locdata.1045.ini
c:\d2ed89c7d062634f3dbe50\locdata.1046.ini
c:\d2ed89c7d062634f3dbe50\locdata.1049.ini
c:\d2ed89c7d062634f3dbe50\locdata.1053.ini
c:\d2ed89c7d062634f3dbe50\locdata.1055.ini
c:\d2ed89c7d062634f3dbe50\locdata.2052.ini
c:\d2ed89c7d062634f3dbe50\locdata.2070.ini
c:\d2ed89c7d062634f3dbe50\locdata.3082.ini
c:\d2ed89c7d062634f3dbe50\locdata.ini
c:\d2ed89c7d062634f3dbe50\logo.bmp
c:\d2ed89c7d062634f3dbe50\setup.exe
c:\d2ed89c7d062634f3dbe50\setup.sdb
c:\d2ed89c7d062634f3dbe50\setupres.1025.dll
c:\d2ed89c7d062634f3dbe50\setupres.1028.dll
c:\d2ed89c7d062634f3dbe50\setupres.1029.dll
c:\d2ed89c7d062634f3dbe50\setupres.1030.dll
c:\d2ed89c7d062634f3dbe50\setupres.1031.dll
c:\d2ed89c7d062634f3dbe50\setupres.1032.dll
c:\d2ed89c7d062634f3dbe50\setupres.1035.dll
c:\d2ed89c7d062634f3dbe50\setupres.1036.dll
c:\d2ed89c7d062634f3dbe50\setupres.1037.dll
c:\d2ed89c7d062634f3dbe50\setupres.1038.dll
c:\d2ed89c7d062634f3dbe50\setupres.1040.dll
c:\d2ed89c7d062634f3dbe50\setupres.1041.dll
c:\d2ed89c7d062634f3dbe50\setupres.1042.dll
c:\d2ed89c7d062634f3dbe50\setupres.1043.dll
c:\d2ed89c7d062634f3dbe50\setupres.1044.dll
c:\d2ed89c7d062634f3dbe50\setupres.1045.dll
c:\d2ed89c7d062634f3dbe50\setupres.1046.dll
c:\d2ed89c7d062634f3dbe50\setupres.1049.dll
c:\d2ed89c7d062634f3dbe50\setupres.1053.dll
c:\d2ed89c7d062634f3dbe50\setupres.1055.dll
c:\d2ed89c7d062634f3dbe50\setupres.2052.dll
c:\d2ed89c7d062634f3dbe50\setupres.2070.dll
c:\d2ed89c7d062634f3dbe50\setupres.3082.dll
c:\d2ed89c7d062634f3dbe50\setupres.dll
c:\d2ed89c7d062634f3dbe50\SITSetup.dll
c:\d2ed89c7d062634f3dbe50\vs_setup.dll
c:\d2ed89c7d062634f3dbe50\vs_setup.MS_
c:\d2ed89c7d062634f3dbe50\vs_setup.pdi
c:\d2ed89c7d062634f3dbe50\vs70uimgr.dll
c:\d2ed89c7d062634f3dbe50\vsbasereqs.dll
c:\d2ed89c7d062634f3dbe50\vsscenario.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1025.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1028.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1029.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1030.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1031.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1032.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1035.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1036.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1037.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1038.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1040.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1041.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1042.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1043.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1044.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1045.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1046.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1049.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1053.dll
c:\d2ed89c7d062634f3dbe50\WapRes.1055.dll
c:\d2ed89c7d062634f3dbe50\WapRes.2052.dll
c:\d2ed89c7d062634f3dbe50\WapRes.2070.dll
c:\d2ed89c7d062634f3dbe50\WapRes.3082.dll
c:\d2ed89c7d062634f3dbe50\WapRes.dll
c:\d2ed89c7d062634f3dbe50\WapUI.dll
C:\jlpooc.exe
C:\mlevsfdk.exe
c:\program files\SpywareGuard
c:\program files\SpywareGuard\dlbdata1backup.dtb
c:\program files\SpywareGuard\dlbdata2backup.dtb
c:\program files\SpywareGuard\dlprotect.dll
c:\program files\SpywareGuard\sglog.txt
c:\program files\SpywareGuard\spywareguard.dll
c:\windows\_id.dat
c:\windows\mqcd.dbt
c:\windows\sl.lng
c:\windows\system32\1816910912.dat
c:\windows\system32\3.tmp
c:\windows\system32\5.tmp
c:\windows\system32\52.tmp
c:\windows\system32\7.tmp
c:\windows\system32\8.tmp
c:\windows\system32\c++.exe
c:\windows\system32\dedwf.lp
c:\windows\system32\do8d.sr
c:\windows\system32\drivers\OLD34.tmp
c:\windows\system32\drivers\protect.sys
c:\windows\system32\OLD30.tmp
c:\windows\system32\qzhr1.ant
c:\windows\system32\re3d.pf
c:\windows\system32\rer.wa
c:\windows\system32\secupdat.dat
L:\explorer.exe

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\lsass.exe . . . is infected!!

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\system32\services.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\lsass.exe . . . is infected!!

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\system32\services.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DZCDTQOX
-------\Legacy_MEMSWEEP2
-------\Legacy_PROTECT
-------\Service_2459eaf6
-------\Service_MEMSWEEP2
-------\Service_mhmltmt
-------\Service_Passthru
-------\Service_protect
-------\Legacy_LOGICAL_DISK_MANAGER_(NDIS)
-------\Legacy_NFR.SYS
-------\Legacy_PROTECT
-------\Legacy_SYNSEND
-------\Service_Logical Disk Manager (NDIS)
-------\Service_nfr.sys
-------\Service_Passthru
-------\Service_protect
-------\Service_synsend


((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-09 08:35 . 2009-02-09 08:35 0 --a------ c:\windows\system32\61.tmp
2009-02-09 08:27 . 2009-02-09 08:27 25,601 --a------ c:\windows\system32\5F.tmp
2009-02-09 08:27 . 2009-02-09 08:35 23,133 --a------ c:\windows\system32\60.tmp
2009-02-09 08:27 . 2009-02-09 08:27 168 --a------ c:\windows\system32\59.tmp
2009-02-09 08:21 . 2009-02-09 08:21 0 --a------ c:\windows\system32\5E.tmp
2009-02-09 08:20 . 2009-02-09 08:21 67,585 --a------ c:\windows\system32\5B.tmp
2009-02-09 08:14 . 2009-02-09 08:20 163,780 --a------ c:\windows\system32\5A.tmp
2009-02-09 08:14 . 2009-02-09 08:14 168 --a------ c:\windows\system32\58.tmp
2009-02-09 08:14 . 2009-02-09 08:14 0 --a------ c:\windows\_id.dat
2009-02-09 08:12 . 2009-02-09 08:12 67,585 --a------ c:\windows\system32\5C.tmp
2009-02-09 08:12 . 2009-02-09 08:12 3,584 --a------ c:\windows\phkvkxca.exe
2009-02-09 08:12 . 2009-02-09 08:12 0 --a------ c:\windows\system32\5D.tmp
2009-02-09 08:04 . 2009-02-09 08:12 163,780 --a------ c:\windows\system32\57.tmp
2009-02-09 08:04 . 2009-02-09 08:04 24,577 --a------ c:\windows\system32\56.tmp
2009-02-09 08:04 . 2009-02-09 08:04 168 --a------ c:\windows\system32\55.tmp
2009-02-09 08:02 . 2009-02-09 08:02 24,577 --a------ c:\windows\system32\53.tmp
2009-02-09 08:02 . 2009-02-09 08:02 14,373 --a------ c:\windows\system32\54.tmp
2009-02-09 08:02 . 2009-02-09 08:02 168 --a------ c:\windows\system32\52.tmp
2009-02-09 07:44 . 2009-02-09 07:44 162,756 --a------ c:\windows\system32\50.tmp
2009-02-09 07:44 . 2009-02-09 07:44 67,585 --a------ c:\windows\system32\51.tmp
2009-02-09 07:44 . 2009-02-09 07:44 32,768 --ah----- c:\documents and settings\Root\ibxe.exe
2009-02-09 07:44 . 2009-02-09 07:44 24,577 --a------ c:\windows\system32\4F.tmp
2009-02-09 07:44 . 2009-02-09 07:44 168 --a------ c:\windows\system32\4C.tmp
2009-02-09 07:42 . 2009-02-09 07:42 27,209 ---h----- c:\documents and settings\LocalService\.exe
2009-02-09 07:40 . 2009-02-09 07:40 3,584 --a------ c:\windows\bnsctmsk.exe
2009-02-09 07:40 . 2009-02-09 07:40 0 --a------ c:\windows\system32\7E.tmp
2009-02-09 07:40 . 2009-02-09 07:40 0 --a------ c:\windows\system32\7D.tmp
2009-02-09 07:32 . 2009-02-09 08:56 <DIR> d-------- c:\program files\system
2009-02-09 07:32 . 2009-02-09 08:07 62,976 --a------ C:\xtnln.exe
2009-02-09 07:32 . 2009-02-09 08:07 62,976 --a------ c:\windows\Xcecohugewuxi.dll
2009-02-09 07:32 . 2009-02-09 08:07 44,032 --a------ C:\yvnlp.exe
2009-02-09 07:32 . 2009-02-09 08:07 40,448 --a------ C:\oxrdoksm.exe
2009-02-09 07:32 . 2009-02-09 08:07 22,016 --a------ C:\knrnnku.exe
2009-02-09 07:32 . 2009-02-09 08:07 2 --a------ C:\-598163070
2009-02-09 07:28 . 2009-02-09 07:40 162,756 --a------ c:\windows\system32\45.tmp
2009-02-09 07:28 . 2009-02-09 07:28 24,577 --a------ c:\windows\system32\44.tmp
2009-02-09 07:28 . 2009-02-09 07:28 168 --a------ c:\windows\system32\41.tmp
2009-02-09 05:34 . 2009-02-09 05:34 67,585 --a------ c:\windows\system32\4D.tmp
2009-02-09 05:34 . 2009-02-09 05:34 39,150 --a------ c:\windows\system32\4E.tmp
2009-02-09 05:34 . 2009-02-09 05:34 3,584 --a------ c:\windows\phgaunrh.exe
2009-02-09 05:31 . 2009-02-09 05:34 163,364 --a------ c:\windows\system32\4B.tmp
2009-02-09 05:31 . 2009-02-09 05:31 168 --a------ c:\windows\system32\46.tmp
2009-02-09 05:26 . 2009-02-09 05:26 67,585 --a------ c:\windows\system32\42.tmp
2009-02-09 05:26 . 2009-02-09 05:26 168 --a------ c:\windows\system32\40.tmp
2009-02-09 05:26 . 2009-02-09 05:26 0 --a------ c:\windows\system32\43.tmp
2009-02-09 01:52 . 2009-02-09 01:52 36,230 --a------ c:\windows\system32\3F.tmp
2009-02-09 01:52 . 2009-02-09 01:52 3,584 --a------ c:\windows\xlmjesbv.exe
2009-02-09 01:50 . 2009-02-09 01:52 163,652 --a------ c:\windows\system32\3D.tmp
2009-02-09 01:50 . 2009-02-09 01:50 67,585 --a------ c:\windows\system32\3C.tmp
2009-02-09 01:50 . 2009-02-09 07:44 64,512 --a------ c:\windows\system32\pdbcopy.exe
2009-02-09 01:50 . 2009-02-09 01:50 23,553 --a------ c:\windows\system32\3B.tmp
2009-02-09 01:50 . 2009-02-09 01:50 168 --a------ c:\windows\system32\3A.tmp
2009-02-08 22:20 . 2009-02-08 22:20 23,553 --a------ c:\windows\system32\36.tmp
2009-02-08 22:20 . 2009-02-08 22:20 3,584 --a------ c:\windows\rvhffjyo.exe
2009-02-08 22:17 . 2009-02-08 22:20 162,756 --a------ c:\windows\system32\35.tmp
2009-02-08 22:17 . 2009-02-08 22:17 67,585 --a------ c:\windows\system32\34.tmp
2009-02-08 22:17 . 2009-02-08 22:17 168 --a------ c:\windows\system32\33.tmp
2009-02-08 20:46 . 2009-02-08 20:46 23,553 --a------ c:\windows\system32\3E.tmp
2009-02-08 20:43 . 2009-02-08 20:46 162,980 --a------ c:\windows\system32\39.tmp
2009-02-08 20:43 . 2009-02-08 20:43 67,585 --a------ c:\windows\system32\38.tmp
2009-02-08 20:43 . 2009-02-08 20:43 168 --a------ c:\windows\system32\37.tmp
2009-02-08 20:30 . 2009-02-08 20:30 162,980 --a------ c:\windows\system32\31.tmp
2009-02-08 20:30 . 2009-02-08 20:30 67,585 --a------ c:\windows\system32\30.tmp
2009-02-08 20:30 . 2009-02-08 20:30 64,512 --a------ c:\windows\system32\vmware-ufad.exe
2009-02-08 20:30 . 2009-02-08 20:30 23,553 --a------ c:\windows\system32\32.tmp
2009-02-08 20:30 . 2009-02-08 20:30 168 --a------ c:\windows\system32\2A.tmp
2009-02-08 20:27 . 2009-02-08 20:27 68,350 --a------ c:\windows\system32\2F.tmp
2009-02-08 20:26 . 2009-02-08 20:27 23,553 --a------ c:\windows\system32\2E.tmp
2009-02-08 20:26 . 2009-02-08 20:26 3,584 --a------ c:\windows\tjbqyuvw.exe
2009-02-08 20:24 . 2009-02-08 20:26 162,980 --a------ c:\windows\system32\29.tmp
2009-02-08 20:24 . 2009-02-08 20:24 138,473 --a------ c:\windows\system32\2D.tmp
2009-02-08 20:24 . 2009-02-08 20:24 67,585 --a------ c:\windows\system32\2C.tmp
2009-02-08 20:24 . 2009-02-08 20:24 67,585 --a------ c:\windows\system32\28.tmp
2009-02-08 20:24 . 2009-02-08 22:17 64,512 --a------ c:\windows\system32\7z.exe
2009-02-08 20:24 . 2009-02-08 20:24 168 --a------ c:\windows\system32\2B.tmp
2009-02-08 20:24 . 2009-02-08 20:24 168 --a------ c:\windows\system32\27.tmp
2009-02-08 19:56 . 2009-02-08 19:56 23,553 --a------ c:\windows\system32\26.tmp
2009-02-08 19:53 . 2009-02-08 19:56 163,364 --a------ c:\windows\system32\25.tmp
2009-02-08 19:53 . 2009-02-08 19:53 67,585 --a------ c:\windows\system32\18.tmp
2009-02-08 19:53 . 2009-02-08 19:53 168 --a------ c:\windows\system32\17.tmp
2009-02-08 19:51 . 2009-02-08 19:51 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2009-02-08 19:49 . 2009-02-08 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-08 19:49 . 2009-02-08 19:49 <DIR> dr-h----- C:\AHCache
2009-02-08 19:41 . 2009-02-08 19:50 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-02-08 19:38 . 2009-02-08 19:39 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}
2009-02-08 19:35 . 2009-02-08 19:49 <DIR> d-------- c:\program files\Uniblue
2009-02-08 19:35 . 2009-02-08 19:35 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-02-08 19:17 . 2009-02-08 19:17 163,364 --a------ c:\windows\system32\22.tmp
2009-02-08 19:17 . 2009-02-08 19:17 67,585 --a------ c:\windows\system32\1E.tmp
2009-02-08 19:17 . 2009-02-08 19:17 23,553 --a------ c:\windows\system32\24.tmp
2009-02-08 19:17 . 2009-02-08 19:17 168 --a------ c:\windows\system32\1D.tmp
2009-02-08 19:15 . 2009-02-09 08:21 64,512 --a------ c:\windows\system32\deviceemulator.exe
2009-02-08 19:15 . 2009-02-08 19:15 23,553 --a------ c:\windows\system32\12.tmp
2009-02-08 19:15 . 2009-02-08 19:15 168 --a------ c:\windows\system32\B.tmp
2009-02-08 19:13 . 2009-02-08 19:13 23,553 --a------ c:\windows\system32\23.tmp
2009-02-08 19:13 . 2009-02-08 19:13 3,584 --a------ c:\windows\ntmbtqvz.exe
2009-02-08 19:10 . 2009-02-08 19:13 163,364 --a------ c:\windows\system32\21.tmp
2009-02-08 19:10 . 2009-02-08 19:10 67,585 --a------ c:\windows\system32\20.tmp
2009-02-08 19:10 . 2009-02-08 19:53 64,512 --a------ c:\windows\system32\regwiz.exe
2009-02-08 19:10 . 2009-02-08 19:10 168 --a------ c:\windows\system32\1F.tmp
2009-02-08 19:04 . 2009-02-08 19:49 <DIR> d-------- c:\documents and settings\Root\Application Data\Uniblue
2009-02-08 18:56 . 2009-02-08 18:56 64,512 --a------ c:\windows\system32\hhupd.exe
2009-02-08 18:56 . 2009-02-08 18:56 168 --a------ c:\windows\system32\8.tmp
2009-02-08 18:50 . 2009-02-08 18:50 3,584 --a------ c:\windows\rvjtmbrx.exe
2009-02-08 18:47 . 2009-02-08 18:50 163,716 --a------ c:\windows\system32\11.tmp
2009-02-08 18:47 . 2009-02-08 18:47 168 --a------ c:\windows\system32\C.tmp
2009-02-08 17:36 . 2009-02-08 17:37 <DIR> d-------- C:\multiboot
2009-02-08 17:07 . 2009-02-08 17:07 23,553 --a------ c:\windows\system32\4A.tmp
2009-02-08 17:07 . 2009-02-08 17:07 3,584 --a------ c:\windows\vxyadfgp.exe
2009-02-08 17:04 . 2009-02-08 17:07 163,364 --a------ c:\windows\system32\49.tmp
2009-02-08 17:04 . 2009-02-08 17:04 67,585 --a------ c:\windows\system32\48.tmp
2009-02-08 17:04 . 2009-02-08 20:43 64,512 --a------ c:\windows\system32\gcc.exe
2009-02-08 17:04 . 2009-02-08 17:04 168 --a------ c:\windows\system32\47.tmp
2009-02-08 16:19 . 2009-02-08 16:19 164,708 --a------ c:\windows\system32\1B.tmp
2009-02-08 16:19 . 2009-02-08 16:19 67,585 --a------ c:\windows\system32\1A.tmp
2009-02-08 16:19 . 2009-02-08 16:19 32,768 --ah----- c:\documents and settings\Administrator\gosj.exe
2009-02-08 16:19 . 2009-02-08 16:19 23,553 --a------ c:\windows\system32\1C.tmp
2009-02-08 16:19 . 2009-02-08 16:19 168 --a------ c:\windows\system32\19.tmp
2009-02-08 16:15 . 2009-02-08 16:15 23,553 --a------ c:\windows\system32\16.tmp
2009-02-08 16:15 . 2009-02-08 16:15 11,776 --ah----- c:\documents and settings\Administrator\lgwfg.exe
2009-02-08 16:14 . 2009-02-08 16:15 164,708 --a------ c:\windows\system32\15.tmp
2009-02-08 16:14 . 2009-02-08 16:14 67,585 --a------ c:\windows\system32\14.tmp
2009-02-08 16:14 . 2009-02-09 07:44 66,560 ---h----- c:\windows\system32\secupdat.dat
2009-02-08 16:14 . 2009-02-08 19:17 64,512 --a------ c:\windows\system32\makehm.exe
2009-02-08 16:14 . 2009-02-08 16:14 32,768 --ah----- c:\documents and settings\Administrator\hfx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 15:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-09 15:31 --------- d-----w c:\program files\PeerGuardian2
2009-02-09 15:31 --------- d-----w c:\documents and settings\Root\Application Data\uTorrent
2009-02-09 03:12 --------- d-----w c:\program files\Steam
2009-02-08 23:14 146,432 ----a-w c:\windows\regedit.exe
2009-02-08 20:19 283,648 ----a-w c:\windows\winhlp32.exe
2009-02-08 20:05 769,024 ----a-w c:\windows\PCHealth\HelpCtr\Binaries\helpctr.exe
2009-02-08 20:03 69,120 ----a-w c:\windows\notepad.exe
2009-02-08 20:03 306,688 ----a-w c:\windows\IsUninst.exe
2009-02-08 20:01 577,536 ----a-w c:\windows\soundman.exe
2009-02-08 20:00 10,752 ----a-w c:\windows\hh.exe
2009-02-08 19:03 --------- d-----w c:\program files\DAEMON Tools Toolbar
2009-02-08 16:10 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-02-06 06:47 --------- d-----w c:\program files\MSBuild
2009-02-06 06:04 --------- d-----w c:\program files\Java
2009-02-04 21:07 --------- d-----w c:\documents and settings\Root\Application Data\ATI
2009-02-03 14:47 --------- d-----w c:\program files\Apoint2K
2009-02-03 14:46 187,392 ----a-w c:\windows\PCHealth\HelpCtr\Binaries\msconfig.exe
2009-02-03 14:45 --------- d-----w c:\program files\FlashGet
2009-02-03 14:35 --------- d-----w c:\program files\Kaspersky Lab
2009-02-03 14:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-03 07:53 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 17:15 138,624 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-31 04:31 --------- d-----w c:\program files\Yahoo!
2009-01-22 07:33 --------- d-----w c:\program files\iTunes
2009-01-22 07:33 --------- d-----w c:\program files\Common Files\Apple
2009-01-19 20:09 --------- d-----w c:\program files\Common Files\Adobe
2009-01-17 01:14 --------- d-----w c:\program files\MobMapUpdater
2009-01-15 22:12 --------- d-----w c:\program files\CCleaner
2009-01-14 17:47 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 07:14 3,455,488 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-01-14 06:11 --------- d-----w c:\documents and settings\Root\Application Data\GetRightToGo
2009-01-08 00:09 --------- d-----w c:\documents and settings\Root\Application Data\FreshDiagnose
2009-01-07 23:04 --------- d-----w c:\program files\Auslogics
2009-01-07 23:04 --------- d-----w c:\documents and settings\Root\Application Data\Auslogics
2009-01-07 22:33 --------- d-----w c:\program files\SpeedFan
2009-01-07 16:27 --------- d-----w c:\program files\SensorsViewPro32
2009-01-07 16:26 --------- d-----w c:\program files\FreshDevices
2008-12-13 07:31 --------- d-----w c:\program files\14 Degrees East
2008-12-13 07:28 70,144 ----a-w c:\windows\ipuninst.exe
2008-12-12 20:08 --------- d-----w c:\program files\Warcraft II BNE
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 09:26 --------- d-----w c:\documents and settings\Root\Application Data\Media Player Classic
2008-12-11 02:30 --------- d-----w c:\program files\GSP
2008-12-11 00:44 --------- d-----w c:\documents and settings\Root\Application Data\Megaupload
2008-12-11 00:36 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-10 23:55 --------- d-----w c:\documents and settings\Root\Application Data\EmailNotifier
2008-12-10 23:55 --------- d-----w c:\documents and settings\All Users\Application Data\Megaupload
2008-12-10 23:55 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier
2008-07-18 11:06 0 --sh--w c:\program files\desktoq.ini
2008-05-27 23:56 22,328 ----a-w c:\documents and settings\Root\Application Data\PnkBstrK.sys
2003-09-16 08:19 90,624 ----a-w c:\windows\inf\prtproc.dll
2003-09-16 08:19 18,950 ----a-w c:\windows\inf\virpntd.dll
2003-09-16 08:19 10,240 ----a-w c:\windows\inf\virport.dll
.

------- Sigcheck -------

2004-08-03 23:56 31744 152a6f3088df30b982ba1232d8117a19 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 16:12 31744 09b23caf028135c68e9738dec2c4f3af c:\windows\ServicePackFiles\i386\svchost.exe
2001-08-17 14:36 30208 f4f6ad82adbbbc976deaa41442e6d576 c:\windows\system32\svchost.exe

2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 11:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2007-10-30 09:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
2007-10-30 08:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
2008-10-01 10:52 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\TCPIP.SYS
2008-10-01 10:52 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\TCPIP.SYS

2004-08-03 23:56 519680 ad2af4b4d5077d111069eb941d91d616 c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 16:12 525312 1a2358a22723f9451374d84b020562c5 c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-13 16:12 525312 04c9e7ae5c53494cc2692765c4660f37 c:\windows\system32\winlogon.exe

2009-02-08 12:09 1033728 56696acc95844099698faaa7a8dc5689 c:\windows\explorer.exe
2004-08-03 23:56 1049600 9a273ec764affd44fa658c53c379f284 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 16:12 1051136 dd3791759055a2e6a4077c69a4473217 c:\windows\ServicePackFiles\i386\explorer.exe
2007-06-13 02:23 1050624 85f0e0ab64bceafdaff9a2854031a1be c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2007-06-13 03:26 1050624 f05c641acbb03b4e5d09ab56900623ea c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe

2004-08-03 23:56 125440 6ead1f84f95781efe059c4c96a3cc0a8 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-13 16:12 125952 ec71002f22bb5afc3749b69bc34be3da c:\windows\ServicePackFiles\i386\services.exe
2008-04-13 16:12 125952 ffde1714398c39f870c82880531de903 c:\windows\system32\services.exe

2004-08-03 23:56 30720 f8c645d4681d2cddbd9848d6a6590063 c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-13 16:12 30720 01159a6389cd8a7c7038f025d6d8d733 c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-13 16:12 30720 a6e2b8555f0db60a15af3d0c103ea709 c:\windows\system32\lsass.exe

2004-08-03 23:56 32768 37031deb481bbcf21ad17eb2048751b5 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 16:12 32768 80b13af56c329e18a1850cad60955a73 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-02-08 12:02 15360 e385c2260a2a3f605f4f621d9f179544 c:\windows\system32\ctfmon.exe

2004-08-03 23:56 75264 8be44ba5156b58da667cd45b0c3241d4 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 16:12 75264 436e471a09bd91415f1ed7283725313c c:\windows\ServicePackFiles\i386\spoolsv.exe
2005-06-10 15:53 75264 3dafe576476fed3c707eab461f5754df c:\windows\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2gdr\spoolsv.exe
2005-06-10 16:17 75264 8d243c0cd20ddaba546c11f929c0409c c:\windows\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2qfe\spoolsv.exe
2008-04-13 16:12 75264 5aa14b277cf4ce6d3ac92d74ddd99d60 c:\windows\system32\spoolsv.exe

2004-08-03 23:56 41984 a4faa106d2e07d01a45b2b4614723adc c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 16:12 43520 df22096b8ae1ae59bf0490af32313826 c:\windows\ServicePackFiles\i386\userinit.exe
2002-08-28 19:41 39424 09af82fe772985320c8f34a4ccaaf590 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{35B675B9-7F34-40DF-8F49-5FAB6B7E4AEF}"= "c:\program files\Demonoid\tbDemo.dll" [2009-01-20 1881112]

[HKEY_CLASSES_ROOT\clsid\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-02-08 15360]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [2008-11-19 737312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"Jqipuv"="c:\windows\Xcecohugewuxi.dll" [2009-02-09 62976]
"SoundMan"="SOUNDMAN.EXE" [2009-02-08 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"jrcrwptr.exe"="c:\windows\jrcrwptr.exe" [2009-02-08 3584]
"vxyadfgp.exe"="c:\windows\vxyadfgp.exe" [2009-02-08 3584]
"rvjtmbrx.exe"="c:\windows\rvjtmbrx.exe" [2009-02-08 3584]
"ntmbtqvz.exe"="c:\windows\ntmbtqvz.exe" [2009-02-08 3584]
"tjbqyuvw.exe"="c:\windows\tjbqyuvw.exe" [2009-02-08 3584]
"rvhffjyo.exe"="c:\windows\rvhffjyo.exe" [2009-02-08 3584]
"xlmjesbv.exe"="c:\windows\xlmjesbv.exe" [2009-02-09 3584]
"phgaunrh.exe"="c:\windows\phgaunrh.exe" [2009-02-09 3584]
"bnsctmsk.exe"="c:\windows\bnsctmsk.exe" [2009-02-09 3584]
"phkvkxca.exe"="c:\windows\phkvkxca.exe" [2009-02-09 3584]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\laqeuvdu.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Root^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\c:^documents and settings^root^start menu^programs^startup^shortcut to wincolor.lnk]
backup=c:\windows\pss\Shortcut to WinColor.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iphonevideoconverter_upgrade
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2009-02-08 14:41 159744 c:\program files\Apoint2K\apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CalibrizeResume]
--a------ 2009-02-08 14:41 434176 c:\program files\Calibrize\CalibrizeResume.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CGFLoader]
--a------ 2009-02-08 14:41 1982464 c:\program files\Calibrize\CalibrizeLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dt hwp]
--a------ 2008-09-04 16:55 102400 c:\program files\Common Files\Portrait Displays\Shared\DT_Startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-12-02 17:42 133104 c:\documents and settings\Root\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
--a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NotebookHardwareControl]
--a------ 2009-02-08 12:03 2629632 c:\program files\Notebook Hardware Control\nhc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PivotSoftware]
--a------ 2007-02-09 12:17 694008 c:\program files\Portrait Displays\Pivot Software\wpCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 434176 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-04 17:46 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-05 22:02 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
--a------ 2008-08-26 08:48 2019624 c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2009-02-08 12:03 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2001-12-26 13:12 491520 c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-12-11 09:50 38400 c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run StartupMonitor]
--a------ 2000-05-20 16:23 106496 c:\windows\StartupMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"PdiService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AVP"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Asset Management Daemon"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\kav\\kis\\setup.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\iPhone Tunnel Suite 2.6 BETA\\iTunnel\\iTunnel.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Root\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\angst138\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\angst138\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\AV-CLS\\WGET.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1080:TCP"= 1080:TCP:Netshare
"49152:TCP"= 49152:TCP:utorrent
"62078:TCP"= 62078:TCP:UT

R0 laqeuvdu;laqeuvdu;c:\windows\system32\drivers\laqeuvdu.sys [2009-02-06 33920]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-02-05 28544]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-05-31 34064]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-14 27992]
R2 sensorsview32;sensorsview32;c:\windows\system32\drivers\sensorsview32.sys [2009-01-07 14416]
R2 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [2008-09-10 229648]
S1 ethazxon;ethazxon;c:\windows\system32\drivers\ethazxon.sys [2009-02-05 137408]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 softyinforwow;Remote TCP/IPG;c:\windows\System32\svchost.exe -k netsvcs [2009-02-06 30208]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S4 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe --> c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
softyinforwow
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-746137067-682003330-1003.job
- c:\documents and settings\Root\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 17:42]

2009-02-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-05 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-02-09 c:\windows\Tasks\Uniblue DiskRescue 2009.job
- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe [2008-09-10 07:22]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-McAfeeUpdaterUI - c:\program files\McAfee\Common Framework\UdaterUI.exe
HKU-Default-Run-[system] - c:\windows\system32\drivers\services.exe
HKU-Default-Run-winlogon - c:\documents and settings\LocalService\svchost.exe
HKU-Default-Run-services - c:\windows\services.exe
HKLM-Explorer_Run-services - c:\windows\services.exe
HKU-Default-Explorer_Run-services - c:\windows\services.exe
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyServer = http=localhost:7070
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Root\Application Data\Mozilla\Firefox\Profiles\kcshyire.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7070
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\Root\Application Data\Mozilla\Firefox\Profiles\kcshyire.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFAlert.dll
FF - plugin: c:\documents and settings\Root\Application Data\Mozilla\Firefox\Profiles\kcshyire.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\Root\Local Settings\Application Data\Google\Update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 09:06:03
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\str.sys 0 bytes
c:\windows\system32\drivers\nrbcxhejlp.sys 30848 bytes executable


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\xghbvtmhicsjzs]
"ImagePath"="\??\c:\windows\system32\drivers\nrbcxhejlp.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\ACPI\PNP0F13\4&369939d9&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\HID\Vid_046d&Pid_c051\6&20b7525a&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\imapi.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-09 9:12:18 - machine was rebooted [Root]
ComboFix-quarantined-files.txt 2009-02-09 17:11:00
ComboFix2.txt 2009-02-06 01:42:54
ComboFix3.txt 2009-02-05 21:45:05
ComboFix4.txt 2009-02-05 17:12:48
ComboFix5.txt 2009-02-08 19:50:23

Pre-Run: 4,579,495,936 bytes free
Post-Run: 5,176,020,992 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
670 --- E O F --- 2009-02-03 11:59:17

#11 Jat90

Posted 09 February 2009 - 11:11 PM

Backdoor Threat

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#12 Nizel

  • Topic Starter

Posted 10 February 2009 - 02:17 AM

Jat,

I changed my passwords using a secure machine when I found out that I was infected.
The main problem I am having seems to be with win32/virut.

It continually reinstalls a random eight-character file that replicates as a .sys driver file, and can also be found in the system root folder and the registry.
I have repeatedly tried to remove the driver using several methods such as killbox.exe, but it doesn't want to go peacefully. I am hoping to be able to locate the dropper and kill it.

I was able to remove protect.sys from the non plug and play drivers successfully.
The virus is spreading to all of my .exe files, I have attempted to replace winlogon.exe, explorer.exe, userinit.exe, svchost.exe and spoolsv.exe with clean files from a non infected machine using the recovery console and a usb stick but they continue to be reinfected almost immediately.

I have run AVG's Win32/virut removal tool but it doesn't see all of the infected .exe files. It does point to a file in c:\system volume info but I am unable to locate the folder, I suspect that this might be the original file that is allowing the virus to continually inject registry entries on boot.

I have resigned myself to the fact that without a working cd rom drive, and a bios that doesn't support USB boot, a format would leave me with a paper weight for a machine, and that might be inevitable, however I still need to write documents until I can complete my desktop build next month. Any help on containing or ideally eliminating the threats is greatly appreciated.

#13 Jat90

Posted 10 February 2009 - 03:24 PM

Hello,

Your PC is severely infected. We cannot promise that we can reverse all damage done by malware, but we shall try our best. Please do the following:

CFScript

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
laqeuvdu
ethazxon
nrbcxhejlp
str

File::
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\nrbcxhejlp.sys
c:\windows\system32\drivers\laqeuvdu.sys
c:\windows\system32\drivers\ethazxon.sys
c:\windows\system32\61.tmp
c:\windows\system32\5F.tmp
c:\windows\system32\60.tmp
c:\windows\system32\59.tmp
c:\windows\system32\5E.tmp
c:\windows\system32\5B.tmp
c:\windows\system32\5A.tmp
c:\windows\system32\58.tmp
c:\windows\_id.dat
c:\windows\system32\5C.tmp
c:\windows\phkvkxca.exe
c:\windows\system32\5D.tmp
c:\windows\system32\57.tmp
c:\windows\system32\56.tmp
c:\windows\system32\55.tmp
c:\windows\system32\53.tmp
c:\windows\system32\54.tmp
c:\windows\system32\52.tmp
c:\windows\system32\50.tmp
c:\windows\system32\51.tmp
c:\documents and settings\Root\ibxe.exe
c:\windows\system32\4F.tmp
c:\windows\system32\4C.tmp
c:\documents and settings\LocalService\.exe
c:\windows\bnsctmsk.exe
c:\windows\system32\7E.tmp
c:\windows\system32\7D.tmp
C:\xtnln.exe
c:\windows\Xcecohugewuxi.dll
C:\yvnlp.exe
C:\oxrdoksm.exe
C:\knrnnku.exe
c:\windows\system32\45.tmp
c:\windows\system32\44.tmp
c:\windows\system32\41.tmp
c:\windows\system32\4D.tmp
c:\windows\system32\4E.tmp
c:\windows\phgaunrh.exe
c:\windows\system32\4B.tmp
c:\windows\system32\46.tmp
c:\windows\system32\42.tmp
c:\windows\system32\40.tmp
c:\windows\system32\43.tmp
c:\windows\system32\3F.tmp
c:\windows\xlmjesbv.exe
c:\windows\system32\3D.tmp
c:\windows\system32\3C.tmp
c:\windows\system32\pdbcopy.exe
c:\windows\system32\3B.tmp
c:\windows\system32\3A.tmp
c:\windows\system32\36.tmp
c:\windows\rvhffjyo.exe
c:\windows\system32\35.tmp
c:\windows\system32\34.tmp
c:\windows\system32\33.tmp
c:\windows\system32\3E.tmp
c:\windows\system32\39.tmp
c:\windows\system32\38.tmp
c:\windows\system32\37.tmp
c:\windows\system32\31.tmp
c:\windows\system32\30.tmp
c:\windows\system32\32.tmp
c:\windows\system32\2A.tmp
c:\windows\system32\2F.tmp
c:\windows\system32\2E.tmp
c:\windows\tjbqyuvw.exe
c:\windows\system32\29.tmp
c:\windows\system32\2D.tmp
c:\windows\system32\2C.tmp
c:\windows\system32\28.tmp
c:\windows\system32\7z.exe
c:\windows\system32\2B.tmp
c:\windows\system32\27.tmp
c:\windows\system32\26.tmp
c:\windows\system32\25.tmp
c:\windows\system32\18.tmp
c:\windows\system32\17.tmp
c:\windows\system32\22.tmp
c:\windows\system32\1E.tmp
c:\windows\system32\24.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\12.tmp
c:\windows\system32\B.tmp
c:\windows\system32\23.tmp
c:\windows\ntmbtqvz.exe
c:\windows\system32\21.tmp
c:\windows\system32\20.tmp
c:\windows\system32\1F.tmp
c:\windows\system32\hhupd.exe
c:\windows\system32\8.tmp
c:\windows\rvjtmbrx.exe
c:\windows\system32\11.tmp
c:\windows\system32\C.tmp
c:\windows\system32\4A.tmp
c:\windows\vxyadfgp.exe
c:\windows\system32\49.tmp
c:\windows\system32\48.tmp
c:\windows\system32\gcc.exe
c:\windows\system32\47.tmp
c:\windows\system32\1B.tmp
c:\windows\system32\1A.tmp
c:\documents and settings\Administrator\gosj.exe
c:\windows\system32\1C.tmp
c:\windows\system32\19.tmp
c:\windows\system32\16.tmp
c:\documents and settings\Administrator\lgwfg.exe
c:\windows\system32\15.tmp
c:\windows\system32\14.tmp
c:\windows\system32\secupdat.dat
c:\windows\system32\makehm.exe
c:\documents and settings\Administrator\hfx.exe
c:\program files\desktoq.ini

Folder::
c:\program files\system
c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
c:\documents and settings\All Users\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}
c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
C:\-598163070

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"jrcrwptr.exe"=-
"vxyadfgp.exe"=-
"rvjtmbrx.exe"=-
"ntmbtqvz.exe"=-
"tjbqyuvw.exe"=-
"rvhffjyo.exe"=-
"xlmjesbv.exe"=-
"phgaunrh.exe"=-
"bnsctmsk.exe"=-
"phkvkxca.exe"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\xghbvtmhicsjzs]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

ATF Cleaner

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


In your next reply, please post:
  • ComboFix log
  • MBAM log

Edited by Jat90, 10 February 2009 - 03:25 PM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.
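Jat90 built the CFScript above by reading the ComboFix log and picking out the entries to remove by hand. The following Python script is an added example, not part of this thread and not a ComboFix or BleepingComputer tool: it runs a few of the same triage heuristics (random-looking file names sitting directly in c:\windows, tiny executables in a Run key, a Winlogon Userinit value that does not launch userinit.exe, a browser proxy pointed at the local machine) over lines copied from that log, and prints a Registry:: section in the same "name"=- deletion syntax the CFScript above uses. The allowlist of known Windows files, the 16 KB size threshold and the file-name pattern are assumptions chosen for this sample, not settings of any tool.

```python
"""Triage heuristics for autostart entries in a ComboFix-style log.

Added example for this thread, not a ComboFix or BleepingComputer tool.  The
allowlist, regexes and size threshold are assumptions chosen for the sample.
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the ComboFix log posted earlier in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-02-08 15360]
"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [2008-11-19 737312]
"Jqipuv"="c:\windows\Xcecohugewuxi.dll" [2009-02-09 62976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"jrcrwptr.exe"="c:\windows\jrcrwptr.exe" [2009-02-08 3584]
"vxyadfgp.exe"="c:\windows\vxyadfgp.exe" [2009-02-08 3584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

uInternet Settings,ProxyServer = http=localhost:7070
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"(?:\s+\[(?P<date>\S+)\s+(?P<size>\d+)\])?$')
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<data>.+)$")
LOCAL_PROXY_RE = re.compile(r"(?:^|[=;])(?:localhost|127\.0\.0\.1):\d+", re.IGNORECASE)
# Every dropped file in this log is a run of letters sitting directly in c:\windows
# (no subfolder).  Legitimate files that live there are allowlisted by name; in real
# triage you would confirm with hashes, as the log's own MD5 listing does.
RANDOM_WINDIR_RE = re.compile(r"^c:\\windows\\[a-z]{6,14}\.(?:exe|dll)$", re.IGNORECASE)
KNOWN_WINDIR_FILES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}
TINY_FILE_BYTES = 16384  # assumed threshold; the droppers in this log are 3584 bytes


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reason: str


def triage(log_text):
    """Return a Finding for each autostart entry a reviewer would question."""
    findings, current_key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = PROXY_RE.search(line)
        if m:
            if LOCAL_PROXY_RE.search(m.group("data")):
                findings.append(Finding("Internet Settings", "ProxyServer", m.group("data"),
                                        "browser traffic routed through a proxy on this machine"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        size = int(m.group("size")) if m.group("size") else None
        key = current_key.lower()
        if key.endswith("\\winlogon") and name.lower() == "userinit":
            # XP expects "c:\windows\system32\userinit.exe," here; anything else hijacks logon.
            first = data.split(",")[0].strip().lower()
            if not first.endswith("\\userinit.exe"):
                findings.append(Finding(current_key, name, data, "Userinit does not launch userinit.exe"))
        elif key.endswith("\\run") and RANDOM_WINDIR_RE.match(data):
            if data.rsplit("\\", 1)[-1].lower() not in KNOWN_WINDIR_FILES:
                reason = "random-looking file name directly in the Windows directory"
                if size is not None and size < TINY_FILE_BYTES:
                    reason += f", only {size} bytes"
                findings.append(Finding(current_key, name, data, reason))
    return findings


def build_cfscript_registry(findings):
    """Emit a Registry:: section deleting the flagged Run values with the "name"=- syntax.

    Userinit and proxy findings are reported but not scripted: they must be set back
    to a correct value rather than deleted, so a reviewer decides how to fix them.
    """
    by_key = {}
    for f in findings:
        if f.key.lower().endswith("\\run"):
            by_key.setdefault(f.key, []).append(f.name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.key}\n    {f.name} = {f.data}\n    -> {f.reason}")
    print()
    print(build_cfscript_registry(found))
```

Run against the sample it flags the HKLM and HKU\.DEFAULT Run entries, the Userinit hijack and the localhost proxy, and emits deletions only for the Run values. The Userinit and proxy findings are deliberately left out of the generated section: removing those values outright would break logon or browsing, so they need a correct value written back by a reviewer, which the script only reports.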


#14 Nizel

  • Topic Starter

Posted 10 February 2009 - 07:06 PM

Jat,

Here are the log files for combofix and mbam. Thanks again, seems to be running faster now.

combofix -

ComboFix 09-02-10.01 - Root 2009-02-10 13:16:50.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.591 [GMT -8:00]
Running from: c:\documents and settings\Root\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Root\Desktop\cfscript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Administrator\gosj.exe
c:\documents and settings\Administrator\hfx.exe
c:\documents and settings\Administrator\lgwfg.exe
c:\documents and settings\LocalService\.exe
c:\documents and settings\Root\ibxe.exe
C:\knrnnku.exe
C:\oxrdoksm.exe
c:\program files\desktoq.ini
c:\windows\_id.dat
c:\windows\bnsctmsk.exe
c:\windows\ntmbtqvz.exe
c:\windows\phgaunrh.exe
c:\windows\phkvkxca.exe
c:\windows\rvhffjyo.exe
c:\windows\rvjtmbrx.exe
c:\windows\system32\11.tmp
c:\windows\system32\12.tmp
c:\windows\system32\14.tmp
c:\windows\system32\15.tmp
c:\windows\system32\16.tmp
c:\windows\system32\16A.tmp
c:\windows\system32\17.tmp
c:\windows\system32\18.tmp
c:\windows\system32\19.tmp
c:\windows\system32\1A.tmp
c:\windows\system32\1B.tmp
c:\windows\system32\1C.tmp
c:\windows\system32\1D.tmp
c:\windows\system32\1E.tmp
c:\windows\system32\1F.tmp
c:\windows\system32\20.tmp
c:\windows\system32\21.tmp
c:\windows\system32\22.tmp
c:\windows\system32\23.tmp
c:\windows\system32\236.tmp
c:\windows\system32\24.tmp
c:\windows\system32\25.tmp
c:\windows\system32\26.tmp
c:\windows\system32\27.tmp
c:\windows\system32\28.tmp
c:\windows\system32\29.tmp
c:\windows\system32\2A.tmp
c:\windows\system32\2B.tmp
c:\windows\system32\2C.tmp
c:\windows\system32\2D.tmp
c:\windows\system32\2E.tmp
c:\windows\system32\2F.tmp
c:\windows\system32\30.tmp
c:\windows\system32\31.tmp
c:\windows\system32\32.tmp
c:\windows\system32\33.tmp
c:\windows\system32\34.tmp
c:\windows\system32\35.tmp
c:\windows\system32\36.tmp
c:\windows\system32\37.tmp
c:\windows\system32\38.tmp
c:\windows\system32\39.tmp
c:\windows\system32\3A.tmp
c:\windows\system32\3B.tmp
c:\windows\system32\3C.tmp
c:\windows\system32\3D.tmp
c:\windows\system32\3E.tmp
c:\windows\system32\3F.tmp
c:\windows\system32\40.tmp
c:\windows\system32\41.tmp
c:\windows\system32\42.tmp
c:\windows\system32\43.tmp
c:\windows\system32\44.tmp
c:\windows\system32\45.tmp
c:\windows\system32\46.tmp
c:\windows\system32\47.tmp
c:\windows\system32\48.tmp
c:\windows\system32\49.tmp
c:\windows\system32\4A.tmp
c:\windows\system32\4B.tmp
c:\windows\system32\4C.tmp
c:\windows\system32\4D.tmp
c:\windows\system32\4E.tmp
c:\windows\system32\4F.tmp
c:\windows\system32\50.tmp
c:\windows\system32\51.tmp
c:\windows\system32\52.tmp
c:\windows\system32\53.tmp
c:\windows\system32\54.tmp
c:\windows\system32\55.tmp
c:\windows\system32\56.tmp
c:\windows\system32\57.tmp
c:\windows\system32\58.tmp
c:\windows\system32\59.tmp
c:\windows\system32\5A.tmp
c:\windows\system32\5B.tmp
c:\windows\system32\5C.tmp
c:\windows\system32\5D.tmp
c:\windows\system32\5E.tmp
c:\windows\system32\5F.tmp
c:\windows\system32\60.tmp
c:\windows\system32\61.tmp
c:\windows\system32\7D.tmp
c:\windows\system32\7E.tmp
c:\windows\system32\7z.exe
c:\windows\system32\8.tmp
c:\windows\system32\B.tmp
c:\windows\system32\C.tmp
c:\windows\system32\drivers\ethazxon.sys
c:\windows\system32\drivers\laqeuvdu.sys
c:\windows\system32\drivers\nrbcxhejlp.sys
c:\windows\system32\drivers\sdhbwzm.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\UACdpxwqlmh.sys
c:\windows\system32\drivers\yoqzcgrv.sys
c:\windows\system32\gcc.exe
c:\windows\system32\hhupd.exe
c:\windows\system32\makehm.exe
c:\windows\system32\pdbcopy.exe
c:\windows\system32\secupdat.dat
c:\windows\tjbqyuvw.exe
c:\windows\vxyadfgp.exe
c:\windows\Xcecohugewuxi.dll
c:\windows\xlmjesbv.exe
C:\xtnln.exe
C:\yvnlp.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\-598163070\
c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LAQEUVDU
-------\Legacy_PROTECT
-------\Legacy_YOQZCGRV
-------\Service_ethazxon
-------\Service_laqeuvdu
-------\Service_Passthru


((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 11:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2007-10-30 09:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2gdr\tcpip.sys
2007-10-30 08:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\sp2qfe\tcpip.sys
2008-10-01 10:52 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\TCPIP.SYS
2008-10-01 10:52 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\TCPIP.SYS

2007-06-12 18:23 1050624 3960d41552cff450c683463ff7dddc30 c:\windows\explorer.exe
2004-08-03 23:56 1049600 9a273ec764affd44fa658c53c379f284 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 16:12 1051136 dd3791759055a2e6a4077c69a4473217 c:\windows\ServicePackFiles\i386\explorer.exe
2007-06-13 02:23 1050624 85f0e0ab64bceafdaff9a2854031a1be c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
2007-06-13 03:26 1050624 f05c641acbb03b4e5d09ab56900623ea c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe

2004-08-03 23:56 32768 37031deb481bbcf21ad17eb2048751b5 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 16:12 32768 80b13af56c329e18a1850cad60955a73 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-02-08 12:02 15360 e385c2260a2a3f605f4f621d9f179544 c:\windows\system32\ctfmon.exe

2004-08-03 23:56 75264 8be44ba5156b58da667cd45b0c3241d4 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 16:12 75264 436e471a09bd91415f1ed7283725313c c:\windows\ServicePackFiles\i386\spoolsv.exe
2005-06-10 15:53 75264 3dafe576476fed3c707eab461f5754df c:\windows\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2gdr\spoolsv.exe
2005-06-10 16:17 75264 8d243c0cd20ddaba546c11f929c0409c c:\windows\SoftwareDistribution\Download\0fd33c77398fa2b50df56456525ef5c3\sp2qfe\spoolsv.exe
2005-06-10 07:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\system32\spoolsv.exe

2004-08-03 23:56 41984 a4faa106d2e07d01a45b2b4614723adc c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 16:12 43520 df22096b8ae1ae59bf0490af32313826 c:\windows\ServicePackFiles\i386\userinit.exe
2002-08-28 19:41 39424 259d2f3e02b9fee9374a782f32de9839 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{35B675B9-7F34-40DF-8F49-5FAB6B7E4AEF}"= "c:\program files\Demonoid\tbDemo.dll" [2009-01-20 1881112]

[HKEY_CLASSES_ROOT\clsid\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerStrip"="c:\program files\powerstrip\pstrip.exe" [2008-11-19 737312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-09 1601304]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-02-10 33280]
"SoundMan"="SOUNDMAN.EXE" [2009-02-08 c:\windows\soundman.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-09 12:34 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ rmvirut.nt

[HKLM\~\startupfolder\C:^Documents and Settings^Root^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\c:^documents and settings^root^start menu^programs^startup^shortcut to wincolor.lnk]
backup=c:\windows\pss\Shortcut to WinColor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2009-02-08 14:41 159744 c:\program files\Apoint2K\apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CalibrizeResume]
--a------ 2009-02-08 14:41 434176 c:\program files\Calibrize\CalibrizeResume.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CGFLoader]
--a------ 2009-02-08 14:41 1982464 c:\program files\Calibrize\CalibrizeLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-12-02 17:42 133104 c:\documents and settings\Root\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
--a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NotebookHardwareControl]
--a------ 2009-02-08 12:03 2629632 c:\program files\Notebook Hardware Control\nhc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PivotSoftware]
--a------ 2007-02-09 12:17 694008 c:\program files\Portrait Displays\Pivot Software\wpCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-02-10 09:40 434176 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-04 17:46 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-05 22:02 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
--a------ 2008-08-26 08:48 2019624 c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2009-02-10 09:41 33280 c:\program files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2009-02-09 20:05 491520 c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--a------ 2009-02-09 20:05 38400 c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run StartupMonitor]
--a------ 2009-02-09 20:05 106496 c:\windows\StartupMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"PdiService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AVP"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Asset Management Daemon"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iPhone Tunnel Suite 2.6 BETA\\iTunnel\\iTunnel.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Root\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\angst138\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\angst138\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\AV-CLS\\WGET.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1080:TCP"= 1080:TCP:Netshare
"49152:TCP"= 49152:TCP:utorrent
"62078:TCP"= 62078:TCP:UT

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-02-09 12552]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-02-05 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-09 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-09 107272]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-09 298264]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-05-31 34064]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-07-14 27992]
R2 sensorsview32;sensorsview32;c:\windows\system32\drivers\sensorsview32.sys [2009-01-07 14416]
R2 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [2008-09-10 229648]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 softyinforwow;Remote TCP/IPG;c:\windows\System32\svchost.exe -k netsvcs [2009-02-10 14336]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S4 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe --> c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
softyinforwow
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-10 c:\windows\Tasks\At1.job
- c:\docume~1\Root\MYDOCU~1\Look2Me-Destroyer.exe [2009-02-09 19:13]

2009-02-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-746137067-682003330-1003.job
- c:\documents and settings\Root\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 17:42]

2009-02-10 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-02-05 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-02-09 c:\windows\Tasks\Uniblue DiskRescue 2009.job
- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe [2008-09-10 07:22]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmjjsexy.sys
SafeBoot-laqeuvdu.sys
SafeBoot-mblqqvyn.sys
SafeBoot-sdqhbwzm.sys
SafeBoot-yoqzcgrv.sys
MSConfigStartUp-AVP - c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
MSConfigStartUp-dt hwp - c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Root\Application Data\Mozilla\Firefox\Profiles\kcshyire.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\Root\Application Data\Mozilla\Firefox\Profiles\kcshyire.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\Root\Application Data\Mozilla\Firefox\Profiles\kcshyire.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\Root\Local Settings\Application Data\Google\Update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 13:22:31
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\ACPI\PNP0F13\4&369939d9&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\HID\Vid_046d&Pid_c051\6&20b7525a&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(468)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\imapi.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\locator.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-02-10 13:27:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-10 21:26:04
ComboFix2.txt 2009-02-09 17:12:20

Pre-Run: 7,457,501,184 bytes free
Post-Run: 7,394,263,040 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
696 --- E O F --- 2009-02-03 11:59:17




mbam -

Malwarebytes' Anti-Malware 1.33
Database version: 1744
Windows 5.1.2600 Service Pack 3

2/10/2009 4:03:54 PM
mbam-log-2009-02-10 (16-03-54).txt

Scan type: Quick Scan
Objects scanned: 64979
Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sdqhbwzm (Rootkit.Pakes) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sdqhbwzm (Rootkit.Pakes) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sdqhbwzm (Rootkit.Pakes) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\sdqhbwzm.sys (Rootkit.Pakes) -> Quarantined and deleted successfully.

#15 Jat90

Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 12 February 2009 - 07:29 PM

Hello,

Your version of Kaspersky is outdated; please perform an update to ensure you are protected against the latest threats, which will dramatically reduce the chances of reinfection. Also, I see uTorrent installed with full internet access. P2P programs are a prime source of infection. I would recommend you uninstall it.

CFScript

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\sdqhbwzm.sys
c:\windows\system32\drivers\nrbcxhejlp.sys.rmv
c:\windows\system32\epoPGPsdk.dll
c:\windows\system32\epoPGPsdk.dll.sig
c:\windows\Tasks\At1.job

Folder::
C:\-598163070


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Gmer

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

Kaspersky Scan

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


In your next reply, please post:
  • ComboFix log
  • Gmer log
  • Kaspersky log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.
