Google search brings up links to ad sites


  • This topic is locked
17 replies to this topic

#1 Shinigami.

  • Members
  • 14 posts

Posted 04 February 2009 - 03:18 PM

After doing an online survey, my Google searches started showing links to only ad sites, even though it says the link is to a non-ad site. Example: If I search wiki, the link would say "Wiki - Wikipedia, the free encyclopedia" while the link is direct to a site "www.centraldesktop.com - 92k -". Ad-Aware and SpyBot S&D have not been able to fix this problem.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Thuy at 15:08:44.87 on 04/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.2.1033.18.511.162 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MI1933~1\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Thuy\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sympatico.msn.ca/?lang=en-CA
uSearch Page = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
uSearch Bar = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
mDefault_Search_URL = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
mSearch Page = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://sympatico.ca/
uInternet Settings,ProxyOverride = local;*.local
uInternet Settings,ProxyServer = 127.0.0.1:8081
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: DAPHelper Class: {0000cc75-acf3-4cac-a0a9-dd3868e06852} - c:\program files\dap\dapbho.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\docume~1\thuy\locals~1\temp\autorunpro0\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ATI Scheduler] c:\program files\ati multimedia\main\ATISched.EXE
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\ypager.exe" -quiet
uRun: [IDMan] c:\docume~1\thuy\locals~1\temp\autorunpro0\IDMan.exe /onboot
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [cryptoexpert] "c:\program files\cryptoexpert 2007 pro\cexpert.exe" /T
uRun: [SmartRAM] "c:\program files\iobit\advanced windowscare 3 beta\Sup_SmartRAM.exe" /m
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [system32SADU Agent] c:\windows\system32SADU.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WheelMouse] c:\stinger mouse driver\wh_exec.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobe reader speed launch.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Download All Links with IDM - c:\docume~1\thuy\locals~1\temp\autorunpro0\IEGetAll.htm
IE: Download with IDM - c:\docume~1\thuy\locals~1\temp\autorunpro0\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-ca\msntabres.dll.mui/229?497b1459c0a4423a953385239b0045ec
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-ca\msntabres.dll.mui/230?497b1459c0a4423a953385239b0045ec
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thuy\applic~1\mozilla\firefox\profiles\12fyllqp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/?lang=en-CA
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

============= SERVICES / DRIVERS ===============

R1 AtipSrv;AtipSrv;c:\windows\system32\drivers\cd2ompen.sys []
S3 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2007-8-7 9344]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2005-8-18 36960]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2007-7-25 16269]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-2-3 513152]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-2-3 3768]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\silkroad\bot\ntprocdrv.sys --> c:\program files\silkroad\bot\NtProcDrv.sys [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2005-10-2 91830]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2007-7-25 104320]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [2007-1-25 6784]
S3 XDva136;XDva136;\??\c:\windows\system32\xdva136.sys --> c:\windows\system32\XDva136.sys [?]

=============== Created Last 30 ================

2009-02-03 23:49 <DIR> --d----- c:\program files\Trend Micro
2009-02-03 23:16 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-03 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-03 23:07 <DIR> --d----- c:\documents and settings\thuy\.SunDownloadManager
2009-01-07 20:12 <DIR> --d----- c:\program files\common files\xing shared
2009-01-07 20:12 <DIR> --d----- c:\program files\common files\Real

==================== Find3M ====================

2009-02-03 19:02 56,066 a------- c:\windows\Sysvxd.exe
2008-12-30 11:58 1,510 a------- c:\windows\Sketchpad Preferences.dat
2008-12-11 15:37 42,320 ac------ c:\windows\system32\xfcodec.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-04-28 17:23 22,328 ac------ c:\docume~1\thuy\applic~1\PnkBstrK.sys
2008-02-27 20:26 2,354 ac------ c:\docume~1\thuy\applic~1\SAS7_000.DAT
2006-06-25 14:13 66,624 ac------ c:\docume~1\thuy\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 15:10:09.12 ===============
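A first triage pass over a DDS-style report like the one above, as an added example (not part of this thread, and not code from the DDS or ComboFix tools): it flags the entries a helper reads first, such as an IE proxy pointed at the local machine, auto-loaded components living in a temp directory, auto-load entries whose file is gone, and a disabled Security Center antivirus notification. The sample lines are copied from the log in post #1; the rule names and heuristics are this example's own choices, not a verdict on any entry.

```python
"""Triage heuristics for DDS 'Pseudo HJT Report' and REGEDIT4-style log lines.

Added example for the thread above; the rules are this example's own
heuristics, not DDS or ComboFix logic. Sample lines are copied from post #1.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule id
    line: str      # the report line that triggered the rule
    reason: str    # what the reviewer should look at


# Prefixes DDS uses for things that load or run automatically
# (browser helpers, toolbars, Run keys, startup folder, winlogon notify,
# shell hooks, and R*/S* driver/service lines).
PERSISTENCE_PREFIX = re.compile(
    r"^(?:BHO|TB|EB|uRun|mRun|dRun|StartupFolder|Notify|SSODL|SEH|[RS]\d)\b", re.I
)
# Per-user temp directory on Windows XP, in 8.3 and long-name form.
TEMP_DIR = re.compile(r"\\locals~1\\temp\\|\\local settings\\temp\\", re.I)
# DDS marks unresolved entries "No File"; drivers with a missing image get "[?]".
MISSING_FILE = re.compile(r"-\s*No File$|\[\?\]$")
# IE proxy pointed at the local machine (any port).
LOCAL_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:127\.0\.0\.1|localhost)(?::\d+)?\s*$", re.I
)
# Security Center told not to warn about antivirus state (REGEDIT4 dump form).
AV_NOTIFY_OFF = re.compile(r'^"AntiVirusDisableNotify"\s*=\s*dword:0*1$', re.I)

# (rule id, predicate, reviewer-facing reason). Predicates return a Match or None.
RULES = [
    ("local-proxy",
     lambda s: LOCAL_PROXY.search(s),
     "IE proxy points at the local host; a local proxy can rewrite pages and search results"),
    ("persist-from-temp",
     lambda s: PERSISTENCE_PREFIX.match(s) and TEMP_DIR.search(s),
     "auto-loaded component lives in a temp directory rather than an install location"),
    ("persist-missing-file",
     lambda s: PERSISTENCE_PREFIX.match(s) and MISSING_FILE.search(s),
     "auto-load entry points at a file that is gone; leftover or removed component"),
    ("av-notify-disabled",
     lambda s: AV_NOTIFY_OFF.search(s),
     "Security Center antivirus notifications are turned off"),
]


def triage(lines):
    """Return one Finding per (line, rule) match, in report order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for rule, pred, reason in RULES:
            if pred(line):
                findings.append(Finding(rule, line, reason))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule id: number of lines flagged}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Sample input: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_REPORT = [
    r"uInternet Settings,ProxyOverride = local;*.local",
    r"uInternet Settings,ProxyServer = 127.0.0.1:8081",
    r"BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\docume~1\thuy\locals~1\temp\autorunpro0\IDMIECC.dll",
    r"BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File",
    r"uRun: [IDMan] c:\docume~1\thuy\locals~1\temp\autorunpro0\IDMan.exe /onboot",
    r'mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"',
    r"S3 XDva136;XDva136;\??\c:\windows\system32\xdva136.sys --> c:\windows\system32\XDva136.sys [?]",
    r'"AntiVirusDisableNotify"=dword:00000001',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.rule}] {f.line}\n    {f.reason}")
```

Flagged lines are a reading order for the helper, not a removal list; the GrooveMonitor line, for instance, is a normal Office component and is left alone.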

#2 PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 11 February 2009 - 04:33 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 Shinigami.
  • Topic Starter

  • Members
  • 14 posts

Posted 12 February 2009 - 03:36 PM

Hey, thanks so much for the help. To start off, since posting this, I somehow turned on my automatic updates, so some updates were installed; I believe it was just 2 of them, which both pertained to security issues. There was also an update for Service Pack 3 which I attempted to install, but it failed. I also installed a game, Golden Eye Source for Valve. Other than that, nothing changed, except yesterday (the day you posted in this thread) my PC started having random failures, where a few mins after turning it on it would stop processing and just idle... then my screen would go into standby mode. I didn't touch it overnight and it seems to be working again. I will attach my GMER log.

Here is my ComboFix Log:

ComboFix 09-02-12.02 - Thuy 2009-02-12 14:47:17.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.209 [GMT -5:00]
Running from: c:\documents and settings\Thuy\My Documents\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Other_2\Application Data\rhcjmoj0egbn
c:\documents and settings\Thuy\Application Data\rhcjmoj0egbn
c:\documents and settings\Thuy\Local Settings\Temporary Internet Files\search.html
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Downloaded Program Files\ysbActivex.dll
c:\windows\IE4 Error Log.txt
c:\windows\iexplorer.exe
c:\windows\msauc.exe
c:\windows\system32\_006936_.tmp.dll
c:\windows\system32\_006937_.tmp.dll
c:\windows\system32\_006938_.tmp.dll
c:\windows\system32\_006939_.tmp.dll
c:\windows\system32\_006946_.tmp.dll
c:\windows\system32\_006947_.tmp.dll
c:\windows\system32\_006948_.tmp.dll
c:\windows\system32\_006949_.tmp.dll
c:\windows\system32\_006951_.tmp.dll
c:\windows\system32\_006952_.tmp.dll
c:\windows\system32\_006955_.tmp.dll
c:\windows\system32\_006956_.tmp.dll
c:\windows\system32\_006958_.tmp.dll
c:\windows\system32\_006959_.tmp.dll
c:\windows\system32\_006960_.tmp.dll
c:\windows\system32\_006962_.tmp.dll
c:\windows\system32\_006965_.tmp.dll
c:\windows\system32\_006966_.tmp.dll
c:\windows\system32\_006970_.tmp.dll
c:\windows\system32\_006971_.tmp.dll
c:\windows\system32\_006973_.tmp.dll
c:\windows\system32\_006976_.tmp.dll
c:\windows\system32\_006978_.tmp.dll
c:\windows\system32\_006979_.tmp.dll
c:\windows\system32\_006981_.tmp.dll
c:\windows\system32\_006982_.tmp.dll
c:\windows\system32\_006985_.tmp.dll
c:\windows\system32\_006986_.tmp.dll
c:\windows\system32\_006987_.tmp.dll
c:\windows\system32\_006988_.tmp.dll
c:\windows\system32\_006989_.tmp.dll
c:\windows\system32\_006994_.tmp.dll
c:\windows\system32\_006996_.tmp.dll
c:\windows\system32\aVOf6XMh.exe.a_a
c:\windows\system32\E.tmp
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\wdmaud.sys
c:\windows\system32\wpx11.cpx
c:\windows\system32\wpx12.cpx
c:\windows\system32\wpx20.cpx
c:\windows\wiaservb.log

.
((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-10 11:13 . 2009-02-10 11:14 <DIR> d-------- c:\program files\CDisplayEx
2009-02-06 19:06 . 2009-02-06 19:10 <DIR> d-------- c:\windows\system32\scripting
2009-02-06 19:06 . 2009-02-06 19:10 <DIR> d-------- c:\windows\system32\en
2009-02-06 19:06 . 2009-02-06 19:10 <DIR> d-------- c:\windows\l2schemas
2009-02-06 18:52 . 2007-10-25 22:34 8,460,288 --a------ c:\windows\system32\dllcache\shell32.dll
2009-02-06 17:36 . 2009-02-06 17:36 197 --a------ c:\windows\system32\MRT.INI
2009-02-04 15:41 . 2008-04-13 19:12 8,461,312 --a------ c:\windows\system32\SET1CF.tmp
2009-02-04 15:40 . 2008-04-13 19:11 3,066,880 --a------ c:\windows\system32\SET2B4.tmp
2009-02-04 15:39 . 2008-04-13 19:11 1,267,200 --a------ c:\windows\system32\SET3E8.tmp
2009-02-04 15:23 . 2009-02-08 20:29 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-02-03 23:49 . 2009-02-03 23:49 <DIR> d-------- c:\program files\Trend Micro
2009-02-03 23:16 . 2009-02-03 23:17 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-03 23:16 . 2009-02-04 07:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-03 23:07 . 2009-02-03 23:15 <DIR> d-------- c:\documents and settings\Thuy\.SunDownloadManager
2009-02-01 11:04 . 2009-02-01 11:56 <DIR> d-------- c:\documents and settings\Guest\Application Data\IMVUClient
2009-02-01 11:04 . 2009-02-10 20:55 <DIR> d-------- c:\documents and settings\Guest\Application Data\IMVU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 03:29 --------- d-----w c:\documents and settings\Thuy\Application Data\Azureus
2009-02-10 22:08 --------- d-----w c:\program files\Warcraft III
2009-02-10 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-10 18:02 --------- d-----w c:\program files\Sony
2009-02-08 17:12 --------- d-----w c:\program files\AV Vcs 6.0 DIAMOND
2009-02-04 05:10 --------- d-----w c:\documents and settings\Thuy\Application Data\dvdcss
2009-02-04 00:02 56,066 ----a-w c:\windows\Sysvxd.exe
2009-01-29 04:44 --------- d-----w c:\program files\mIRC
2009-01-27 20:19 --------- d-----w c:\program files\Azureus
2009-01-19 14:37 --------- d-----w c:\program files\eMule
2009-01-18 05:53 --------- d-s---w c:\program files\Xfire
2009-01-12 22:55 --------- d-----w c:\documents and settings\Guest\Application Data\Xfire
2009-01-11 21:15 --------- d-----w c:\documents and settings\Thuy\Application Data\Xfire
2009-01-09 22:16 --------- d-----w c:\documents and settings\Guest\Application Data\teamspeak2
2009-01-09 22:06 --------- d-----w c:\documents and settings\Guest\Application Data\Creative
2009-01-08 01:12 --------- d-----w c:\program files\Common Files\xing shared
2009-01-08 01:12 --------- d-----w c:\program files\Common Files\Real
2009-01-07 22:06 --------- d-----w c:\program files\Fraps
2009-01-07 22:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-04 18:35 --------- d-----w c:\program files\WC3Banlist
2008-12-30 02:59 --------- d-----w c:\program files\Windows Live Safety Center
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 20:37 42,320 -c--a-w c:\windows\system32\xfcodec.dll
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\dllcache\srv.sys
2008-04-28 22:23 22,328 -c--a-w c:\documents and settings\Thuy\Application Data\PnkBstrK.sys
2008-02-28 01:26 2,354 -c--a-w c:\documents and settings\Thuy\Application Data\SAS7_000.DAT
2006-06-25 19:13 66,624 -c--a-w c:\documents and settings\Thuy\Application Data\GDIPFONTCACHEV1.DAT
2006-06-24 17:40 66,624 -c--a-w c:\documents and settings\Other\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"ATI Scheduler"="c:\program files\ATI Multimedia\MAIN\ATISched.EXE" [2003-05-14 36942]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-09-14 3084288]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"WheelMouse"="c:\stinger mouse driver\wh_exec.exe" [2007-11-10 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Other_2\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YU12"= ATIYUV12.DLL
"vidc.ffds"= ffdshow.ax
"VIDC.XFR1"= xfcodec.dll
"aux2"= wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a--c--- 2003-04-25 12:34 167936 c:\program files\ATI Multimedia\RemCtrl\ATIRW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2005-08-05 23:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliType]
--a--c--- 2002-03-22 07:41 94208 c:\program files\Microsoft Hardware\Keyboard\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
--a--c--- 2002-10-14 15:09 57344 c:\program files\Lexmark X74-X75\lxbbbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-06-03 05:52 36975 c:\program files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-01-07 20:12 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2005-09-14 11:26 3084288 c:\program files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2003-04-24 18:53 54784 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Fraps\\fraps.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\vietboi1333\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\the_shankster_\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\the_shankster_\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Thuy\\My Documents\\List checker\\pickup.listchecker.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Warcraft III\\pickup.listchecker.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Documents and Settings\\Thuy\\My Documents\\Package1.6.2.no_map\\nuConnector6.exe"=
"c:\\Documents and Settings\\Thuy\\My Documents\\Rune\\rune\\rune\\System\\Rune.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\insurgency\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\source sdk base 2007\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"6112:TCP"= 6112:TCP:Warcraft3
"6113:TCP"= 6113:TCP:warcraft 3-1
"6114:TCP"= 6114:TCP:warcraft 3-2
"6115:TCP"= 6115:TCP:warcraft 3-3
"6116:TCP"= 6116:TCP:warcraft 3-4
"6117:TCP"= 6117:TCP:warcraft 3-5
"6118:TCP"= 6118:TCP:warcraft 3-6
"6119:TCP"= 6119:TCP:warcraft 3-7
"116:TCP"= 116:TCP:warcraft 3 116
"118:TCP"= 118:TCP:warcraft 3 118
"4672:UDP"= 4672:UDP:Emule
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2005-08-18 36960]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2007-07-25 16269]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-02-03 513152]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-02-03 3768]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\Silkroad\bot\NtProcDrv.sys --> c:\program files\Silkroad\bot\NtProcDrv.sys [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2005-10-02 91830]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2007-07-25 104320]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [2007-01-25 6784]
S3 XDva136;XDva136;\??\c:\windows\system32\XDva136.sys --> c:\windows\system32\XDva136.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-11 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 14:54]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKCU-Run-cryptoexpert - c:\program files\CryptoExpert 2007 Pro\cexpert.exe
HKCU-Run-SmartRAM - c:\program files\IObit\Advanced WindowsCare 3 Beta\Sup_SmartRAM.exe
HKLM-Run-system32SADU Agent - c:\windows\system32SADU.exe
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
Notify-dimsntfy - (no file)
MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\cli.exe
MSConfigStartUp-Motive SmartBridge - c:\progra~1\NETASS~1\SMARTB~1\MotiveSB.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-OemReset - c:\windows\OPTIONS\OEMRESET.EXE
MSConfigStartUp-SpeedTouch USB Diagnostics - c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://sympatico.msn.ca/?lang=en-CA
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://sympatico.ca/
uInternet Settings,ProxyOverride = local;*.local
uInternet Settings,ProxyServer = 127.0.0.1:8081
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Download All Links with IDM - c:\docume~1\Thuy\LOCALS~1\Temp\AutoRunPro0\IEGetAll.htm
IE: Download with IDM - c:\docume~1\Thuy\LOCALS~1\Temp\AutoRunPro0\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?497b1459c0a4423a953385239b0045ec
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?497b1459c0a4423a953385239b0045ec
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Thuy\Application Data\Mozilla\Firefox\Profiles\12fyllqp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/?lang=en-CA
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 14:51:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
cryptoexpert = "c:\program files\CryptoExpert 2007 Pro\cexpert.exe" /T??%?|t)?????????|????-9?w???wt)?????????w????-9?w???w?????6?w?^?wX??w?R?w????????f^?w}^?wP???????????????i?z?????UV?w????UV?w?^?w????}^?wd??????????????????? ???????????????????????????????????!???????

scanning hidden files ...


c:\windows\system32\drivers\cd2ompen.sys 12288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\AtipSrv]
"ImagePath"="\??\c:\windows\system32\drivers\cd2ompen.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-12 14:55:02
ComboFix-quarantined-files.txt 2009-02-12 19:54:59

Pre-Run: 25,838,972,928 bytes free
Post-Run: 26,676,428,800 bytes free

Current=5 Default=5 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
332 --- E O F --- 2009-02-12 19:44:46


Edited by Shinigami., 12 February 2009 - 03:37 PM.


#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 February 2009 - 03:53 PM

Hello Shinigami.

Let's see what we can do.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/200643/google-search-brings-up-links-to-ad-sites/
    
    File::
    c:\windows\Sysvxd.exe
    
    Suspect::
    c:\windows\system32\XDva136.sys
    c:\windows\system32\drivers\alcan5ln.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux2"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=-
    
    Driver::
    AtipSrv
    
    Rootkit::
    C:\WINDOWS\system32\drivers\cd2ompen.sys
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

At the end of its run ComboFix will attempt to upload some files. Please make sure you are connected to the Internet before clicking "OK". Kindly remind me in your next reply that samples were uploaded.

With Regards,
The Panda
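As an added example (not part of this thread, and not ComboFix's or GMER's own code), the Python script below applies the same triage the helper does by eye when turning the posted log into a CFScript: it flags services or drivers whose image file ComboFix could not find (the trailing `[?]`), a user ProxyServer setting that points back at the local machine, and a non-zero catchme hidden-file count. The line formats are taken from the logs posted in this thread; the sample input is a handful of lines copied from them, and the finding categories (`service-missing-file`, `loopback-proxy`, `hidden-files`) are my own labels.

```python
import re

# Constructed sample input: a few lines copied from the ComboFix and catchme
# output posted earlier in this thread (not a complete log).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = 127.0.0.1:8081
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 XDva136;XDva136;\??\c:\windows\system32\XDva136.sys --> c:\windows\system32\XDva136.sys [?]
S1 AtipSrv;AtipSrv;\??\c:\windows\system32\drivers\cd2ompen.sys --> c:\windows\system32\drivers\cd2ompen.sys [?]
scanning hidden files ...
c:\windows\system32\drivers\cd2ompen.sys 12288 bytes executable
scan completed successfully
hidden files: 1
"""

# ComboFix service/driver line: "<start type> <name>;<display name>;<image path> [<date size>]"
# ComboFix prints "[?]" in place of date and size when it cannot find the image file.
SERVICE_RE = re.compile(r"^[SR][0-4]\s+([^;]+);[^;]*;(.*?)\s+\[(.*?)\]\s*$")
# Per-user (u) or machine-wide (m) Internet Explorer proxy setting.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(\S+)")
# catchme summary line at the end of the rootkit scan section.
HIDDEN_RE = re.compile(r"^hidden files:\s*(\d+)")
# Prefixes that mean "this machine": a proxy here sits between the browser and the network.
LOOPBACK = ("127.", "localhost", "[::1]")


def triage(log_text):
    """Return a list of findings, each a dict with kind, name and detail."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = SERVICE_RE.match(line)
        if m:
            name, image, meta = m.groups()
            if meta == "?":
                findings.append({"kind": "service-missing-file",
                                 "name": name, "detail": image})
            continue

        m = PROXY_RE.match(line)
        if m:
            proxy = m.group(1)
            if proxy.startswith(LOOPBACK):
                findings.append({"kind": "loopback-proxy",
                                 "name": "ProxyServer", "detail": proxy})
            continue

        m = HIDDEN_RE.match(line)
        if m and int(m.group(1)) > 0:
            findings.append({"kind": "hidden-files",
                             "name": "catchme", "detail": m.group(1)})
    return findings


def summarize(findings):
    """Count findings per kind, for a quick read of how much there is to review."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:22} {f['name']:12} {f['detail']}")
    print(summarize(triage(SAMPLE_LOG)))
```

The hits are triage hints, not verdicts: a `[?]` only says the file was not on disk at scan time, and the NTProcDrv entry in the log above carries the same marker, so each flagged line still needs a human look before it goes into a CFScript.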

#5 Shinigami.

  • Topic Starter

  • Members
  • 14 posts

Posted 12 February 2009 - 04:26 PM

Hey, I don't know anything about this uploading process... I just put the text file into ComboFix like you said, and ComboFix just started running and doing what it does. I went to get something to eat; when I came back my computer was restarting. It loaded back up and ComboFix was preparing the log file, then when it was done, the log file came up. It didn't prompt me to upload anything.
Here's the Updated ComboFix Log:

ComboFix 09-02-12.03 - Thuy 2009-02-12 16:05:34.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.230 [GMT -5:00]
Running from: c:\documents and settings\Thuy\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Thuy\My Documents\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Sysvxd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\cd2ompen.sys
c:\windows\Sysvxd.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-12 16:14 . 54,156 c:\windows\QTFont.qfn
2009-02-12 16:14 . 1,409 c:\windows\QTFont.for
2009-02-12 15:02 . 2009-02-12 15:07 250 --a------ c:\windows\gmer.ini
2009-02-10 11:13 . 2009-02-10 11:14 <DIR> d-------- c:\program files\CDisplayEx
2009-02-06 19:06 . 2009-02-06 19:10 <DIR> d-------- c:\windows\system32\scripting
2009-02-06 19:06 . 2009-02-06 19:10 <DIR> d-------- c:\windows\system32\en
2009-02-06 19:06 . 2009-02-06 19:10 <DIR> d-------- c:\windows\l2schemas
2009-02-06 18:52 . 2007-10-25 22:34 8,460,288 --a------ c:\windows\system32\dllcache\shell32.dll
2009-02-06 17:36 . 2009-02-06 17:36 197 --a------ c:\windows\system32\MRT.INI
2009-02-04 15:41 . 2008-04-13 19:12 8,461,312 --a------ c:\windows\system32\SET1CF.tmp
2009-02-04 15:40 . 2008-04-13 19:11 3,066,880 --a------ c:\windows\system32\SET2B4.tmp
2009-02-04 15:39 . 2008-04-13 19:11 1,267,200 --a------ c:\windows\system32\SET3E8.tmp
2009-02-04 15:23 . 2009-02-08 20:29 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-02-03 23:49 . 2009-02-03 23:49 <DIR> d-------- c:\program files\Trend Micro
2009-02-03 23:16 . 2009-02-03 23:17 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-03 23:16 . 2009-02-04 07:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-03 23:07 . 2009-02-03 23:15 <DIR> d-------- c:\documents and settings\Thuy\.SunDownloadManager
2009-02-01 11:04 . 2009-02-01 11:56 <DIR> d-------- c:\documents and settings\Guest\Application Data\IMVUClient
2009-02-01 11:04 . 2009-02-10 20:55 <DIR> d-------- c:\documents and settings\Guest\Application Data\IMVU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 03:29 --------- d-----w c:\documents and settings\Thuy\Application Data\Azureus
2009-02-10 22:08 --------- d-----w c:\program files\Warcraft III
2009-02-10 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-10 18:02 --------- d-----w c:\program files\Sony
2009-02-08 17:12 --------- d-----w c:\program files\AV Vcs 6.0 DIAMOND
2009-02-04 05:10 --------- d-----w c:\documents and settings\Thuy\Application Data\dvdcss
2009-01-29 04:44 --------- d-----w c:\program files\mIRC
2009-01-27 20:19 --------- d-----w c:\program files\Azureus
2009-01-19 14:37 --------- d-----w c:\program files\eMule
2009-01-18 05:53 --------- d-s---w c:\program files\Xfire
2009-01-12 22:55 --------- d-----w c:\documents and settings\Guest\Application Data\Xfire
2009-01-11 21:15 --------- d-----w c:\documents and settings\Thuy\Application Data\Xfire
2009-01-09 22:16 --------- d-----w c:\documents and settings\Guest\Application Data\teamspeak2
2009-01-09 22:06 --------- d-----w c:\documents and settings\Guest\Application Data\Creative
2009-01-08 01:12 --------- d-----w c:\program files\Common Files\xing shared
2009-01-08 01:12 --------- d-----w c:\program files\Common Files\Real
2009-01-07 22:06 --------- d-----w c:\program files\Fraps
2009-01-07 22:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-04 18:35 --------- d-----w c:\program files\WC3Banlist
2008-12-30 02:59 --------- d-----w c:\program files\Windows Live Safety Center
2008-04-28 22:23 22,328 -c--a-w c:\documents and settings\Thuy\Application Data\PnkBstrK.sys
2008-02-28 01:26 2,354 -c--a-w c:\documents and settings\Thuy\Application Data\SAS7_000.DAT
2006-06-25 19:13 66,624 -c--a-w c:\documents and settings\Thuy\Application Data\GDIPFONTCACHEV1.DAT
2006-06-24 17:40 66,624 -c--a-w c:\documents and settings\Other\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-02-12_14.53.44.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-12 20:02:10 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2009-02-12 20:02:10 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-02-12 21:13:37 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"ATI Scheduler"="c:\program files\ATI Multimedia\MAIN\ATISched.EXE" [2003-05-14 36942]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-09-14 3084288]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"WheelMouse"="c:\stinger mouse driver\wh_exec.exe" [2007-11-10 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Other_2\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YU12"= ATIYUV12.DLL
"vidc.ffds"= ffdshow.ax
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a--c--- 2003-04-25 12:34 167936 c:\program files\ATI Multimedia\RemCtrl\ATIRW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2005-08-05 23:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliType]
--a--c--- 2002-03-22 07:41 94208 c:\program files\Microsoft Hardware\Keyboard\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
--a--c--- 2002-10-14 15:09 57344 c:\program files\Lexmark X74-X75\lxbbbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-06-03 05:52 36975 c:\program files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-01-07 20:12 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2005-09-14 11:26 3084288 c:\program files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2003-04-24 18:53 54784 c:\windows\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Fraps\\fraps.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\vietboi1333\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\the_shankster_\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\the_shankster_\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Thuy\\My Documents\\List checker\\pickup.listchecker.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Warcraft III\\pickup.listchecker.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Documents and Settings\\Thuy\\My Documents\\Package1.6.2.no_map\\nuConnector6.exe"=
"c:\\Documents and Settings\\Thuy\\My Documents\\Rune\\rune\\rune\\System\\Rune.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\insurgency\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\source sdk base 2007\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"6112:TCP"= 6112:TCP:Warcraft3
"6113:TCP"= 6113:TCP:warcraft 3-1
"6114:TCP"= 6114:TCP:warcraft 3-2
"6115:TCP"= 6115:TCP:warcraft 3-3
"6116:TCP"= 6116:TCP:warcraft 3-4
"6117:TCP"= 6117:TCP:warcraft 3-5
"6118:TCP"= 6118:TCP:warcraft 3-6
"6119:TCP"= 6119:TCP:warcraft 3-7
"116:TCP"= 116:TCP:warcraft 3 116
"118:TCP"= 118:TCP:warcraft 3 118
"4672:UDP"= 4672:UDP:Emule
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

S1 AtipSrv;AtipSrv;\??\c:\windows\system32\drivers\cd2ompen.sys --> c:\windows\system32\drivers\cd2ompen.sys [?]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2005-08-18 36960]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2007-07-25 16269]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-02-03 513152]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-02-03 3768]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\Silkroad\bot\NtProcDrv.sys --> c:\program files\Silkroad\bot\NtProcDrv.sys [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2005-10-02 91830]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2007-07-25 104320]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [2007-01-25 6784]
S3 XDva136;XDva136;\??\c:\windows\system32\XDva136.sys --> c:\windows\system32\XDva136.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 14:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sympatico.msn.ca/?lang=en-CA
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://sympatico.ca/
uInternet Settings,ProxyOverride = local;*.local
uInternet Settings,ProxyServer = 127.0.0.1:8081
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Download All Links with IDM - c:\docume~1\Thuy\LOCALS~1\Temp\AutoRunPro0\IEGetAll.htm
IE: Download with IDM - c:\docume~1\Thuy\LOCALS~1\Temp\AutoRunPro0\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?497b1459c0a4423a953385239b0045ec
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?497b1459c0a4423a953385239b0045ec
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Thuy\Application Data\Mozilla\Firefox\Profiles\12fyllqp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/?lang=en-CA
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 16:13:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lexmark X74-X75\lxbbbmon.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-02-12 16:21:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-12 21:21:51
ComboFix2.txt 2009-02-12 19:55:04

Pre-Run: 26,654,240,768 bytes free
Post-Run: 26,630,844,416 bytes free

Current=5 Default=5 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
288 --- E O F --- 2009-02-12 19:44:46

#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 February 2009 - 04:29 PM

Hello.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable SpyBot's TeaTimer:
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
Please run this script with ComboFix like last time:
    driver::
    AtipSrv
    
    rootkit::
    c:\windows\system32\drivers\cd2ompen.sys
Post back the ComboFix log.

Take a new scan with GMER too.

With Regards,
The Panda

#7 Shinigami.

  • Topic Starter

  • Members
  • 14 posts

Posted 12 February 2009 - 05:16 PM

Ok, I finished the two scans. I believe the problem is fixed; my Google works fine now. I uploaded the GMER log like last time.

Here's ComboFix Log:

ComboFix 09-02-12.03 - Thuy 2009-02-12 16:36:59.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.212 [GMT -5:00]
Running from: c:\documents and settings\Thuy\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Thuy\My Documents\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATIPSRV
-------\Service_AtipSrv


((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-12 15:02 . 2009-02-12 15:07 250 --a------ c:\windows\gmer.ini
2009-02-10 11:13 . 2009-02-10 11:14 <DIR> d-------- c:\program files\CDisplayEx
2009-02-06 19:06 . 2009-02-06 19:10 <DIR> d-------- c:\windows\system32\scripting
2009-02-06 19:06 . 2009-02-06 19:10 <DIR> d-------- c:\windows\system32\en
2009-02-06 19:06 . 2009-02-06 19:10 <DIR> d-------- c:\windows\l2schemas
2009-02-06 18:52 . 2007-10-25 22:34 8,460,288 --a------ c:\windows\system32\dllcache\shell32.dll
2009-02-06 17:36 . 2009-02-06 17:36 197 --a------ c:\windows\system32\MRT.INI
2009-02-04 15:41 . 2008-04-13 19:12 8,461,312 --a------ c:\windows\system32\SET1CF.tmp
2009-02-04 15:40 . 2008-04-13 19:11 3,066,880 --a------ c:\windows\system32\SET2B4.tmp
2009-02-04 15:39 . 2008-04-13 19:11 1,267,200 --a------ c:\windows\system32\SET3E8.tmp
2009-02-04 15:23 . 2009-02-08 20:29 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-02-03 23:49 . 2009-02-03 23:49 <DIR> d-------- c:\program files\Trend Micro
2009-02-03 23:16 . 2009-02-03 23:17 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-03 23:16 . 2009-02-04 07:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-03 23:07 . 2009-02-03 23:15 <DIR> d-------- c:\documents and settings\Thuy\.SunDownloadManager
2009-02-01 11:04 . 2009-02-01 11:56 <DIR> d-------- c:\documents and settings\Guest\Application Data\IMVUClient
2009-02-01 11:04 . 2009-02-10 20:55 <DIR> d-------- c:\documents and settings\Guest\Application Data\IMVU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 03:29 --------- d-----w c:\documents and settings\Thuy\Application Data\Azureus
2009-02-10 22:08 --------- d-----w c:\program files\Warcraft III
2009-02-10 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-10 18:02 --------- d-----w c:\program files\Sony
2009-02-08 17:12 --------- d-----w c:\program files\AV Vcs 6.0 DIAMOND
2009-02-04 05:10 --------- d-----w c:\documents and settings\Thuy\Application Data\dvdcss
2009-01-29 04:44 --------- d-----w c:\program files\mIRC
2009-01-27 20:19 --------- d-----w c:\program files\Azureus
2009-01-19 14:37 --------- d-----w c:\program files\eMule
2009-01-18 05:53 --------- d-s---w c:\program files\Xfire
2009-01-12 22:55 --------- d-----w c:\documents and settings\Guest\Application Data\Xfire
2009-01-11 21:15 --------- d-----w c:\documents and settings\Thuy\Application Data\Xfire
2009-01-09 22:16 --------- d-----w c:\documents and settings\Guest\Application Data\teamspeak2
2009-01-09 22:06 --------- d-----w c:\documents and settings\Guest\Application Data\Creative
2009-01-08 01:12 --------- d-----w c:\program files\Common Files\xing shared
2009-01-08 01:12 --------- d-----w c:\program files\Common Files\Real
2009-01-07 22:06 --------- d-----w c:\program files\Fraps
2009-01-07 22:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-04 18:35 --------- d-----w c:\program files\WC3Banlist
2008-12-30 02:59 --------- d-----w c:\program files\Windows Live Safety Center
2008-04-28 22:23 22,328 -c--a-w c:\documents and settings\Thuy\Application Data\PnkBstrK.sys
2008-02-28 01:26 2,354 -c--a-w c:\documents and settings\Thuy\Application Data\SAS7_000.DAT
2006-06-25 19:13 66,624 -c--a-w c:\documents and settings\Thuy\Application Data\GDIPFONTCACHEV1.DAT
2006-06-24 17:40 66,624 -c--a-w c:\documents and settings\Other\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-02-12_14.53.44.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-02-12 20:02:10 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2009-02-12 20:02:10 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-02-12 21:43:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_134.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"ATI Scheduler"="c:\program files\ATI Multimedia\MAIN\ATISched.EXE" [2003-05-14 36942]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-09-14 3084288]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"WheelMouse"="c:\stinger mouse driver\wh_exec.exe" [2007-11-10 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Other_2\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YU12"= ATIYUV12.DLL
"vidc.ffds"= ffdshow.ax
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
--a--c--- 2003-04-25 12:34 167936 c:\program files\ATI Multimedia\RemCtrl\ATIRW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2005-08-05 23:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliType]
--a--c--- 2002-03-22 07:41 94208 c:\program files\Microsoft Hardware\Keyboard\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
--a--c--- 2002-10-14 15:09 57344 c:\program files\Lexmark X74-X75\lxbbbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-06-03 05:52 36975 c:\program files\Java\jre1.5.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2009-01-07 20:12 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2005-09-14 11:26 3084288 c:\program files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2003-04-24 18:53 54784 c:\windows\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Fraps\\fraps.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\vietboi1333\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\the_shankster_\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\the_shankster_\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Thuy\\My Documents\\List checker\\pickup.listchecker.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Warcraft III\\pickup.listchecker.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Documents and Settings\\Thuy\\My Documents\\Package1.6.2.no_map\\nuConnector6.exe"=
"c:\\Documents and Settings\\Thuy\\My Documents\\Rune\\rune\\rune\\System\\Rune.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\insurgency\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\rip_thejacker\\source sdk base 2007\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"6112:TCP"= 6112:TCP:Warcraft3
"6113:TCP"= 6113:TCP:warcraft 3-1
"6114:TCP"= 6114:TCP:warcraft 3-2
"6115:TCP"= 6115:TCP:warcraft 3-3
"6116:TCP"= 6116:TCP:warcraft 3-4
"6117:TCP"= 6117:TCP:warcraft 3-5
"6118:TCP"= 6118:TCP:warcraft 3-6
"6119:TCP"= 6119:TCP:warcraft 3-7
"116:TCP"= 116:TCP:warcraft 3 116
"118:TCP"= 118:TCP:warcraft 3 118
"4672:UDP"= 4672:UDP:Emule
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2005-08-18 36960]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2007-07-25 16269]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-02-03 513152]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-02-03 3768]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\Silkroad\bot\NtProcDrv.sys --> c:\program files\Silkroad\bot\NtProcDrv.sys [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2005-10-02 91830]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2007-07-25 104320]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [2007-01-25 6784]
S3 XDva136;XDva136;\??\c:\windows\system32\XDva136.sys --> c:\windows\system32\XDva136.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 14:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sympatico.msn.ca/?lang=en-CA
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://sympatico.ca/
uInternet Settings,ProxyOverride = local;*.local
uInternet Settings,ProxyServer = 127.0.0.1:8081
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Download All Links with IDM - c:\docume~1\Thuy\LOCALS~1\Temp\AutoRunPro0\IEGetAll.htm
IE: Download with IDM - c:\docume~1\Thuy\LOCALS~1\Temp\AutoRunPro0\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?497b1459c0a4423a953385239b0045ec
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?497b1459c0a4423a953385239b0045ec
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Thuy\Application Data\Mozilla\Firefox\Profiles\12fyllqp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/?lang=en-CA
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 16:43:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Lexmark X74-X75\lxbbbmon.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-02-12 16:49:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-12 21:49:08
ComboFix2.txt 2009-02-12 21:21:57
ComboFix3.txt 2009-02-12 19:55:04

Pre-Run: 26,576,928,768 bytes free
Post-Run: 26,437,160,960 bytes free

Current=5 Default=5 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
287 --- E O F --- 2009-02-12 19:44:46

Attached Files

  • Attached File  gmer.log   64.76KB   22 downloads


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:06:00 PM

Posted 12 February 2009 - 05:59 PM

Hello.

Looks better.

Submit File to Online Scanner
There are a couple of files that I would like you to check out for me using VirusTotal/VirSCAN.
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\windows\system32\drivers\alcan5ln.sys
  • c:\windows\system32\XDva136.sys
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Take a new DDS.txt log after.

With Regards,
The Panda

Edited by PropagandaPanda, 12 February 2009 - 05:59 PM.

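The file-identification step requested above can be reproduced locally: an online scanner prints the file size, MD5 and SHA1 of whatever is uploaded, and those values are worth cross-checking against what is actually on disk. The script below is an added example, not code from this thread or from VirusTotal/VirSCAN, and it assumes a Python interpreter is available on the machine (nothing in the thread says one is). It uses only the standard library, computes the three identifiers for each listed path, and reports paths that do not exist, which is what happens when a driver entry points at a file that is no longer there.

```python
# Added example (not from the thread): compute the size, MD5 and SHA1 that an
# online scanner such as VirSCAN reports for a file, so the values can be
# cross-checked, and report paths that do not exist on disk.
import hashlib
import os

# The two paths named in the request above; the ComboFix log already marks
# XDva136.sys with "[?]", i.e. the service entry exists but the file may not.
SUSPECT_PATHS = [
    r"c:\windows\system32\drivers\alcan5ln.sys",
    r"c:\windows\system32\XDva136.sys",
]


def hash_bytes(data):
    """Return size, MD5 and SHA1 for an in-memory byte string."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def file_report(path):
    """Return the identifiers for `path`, or None if no regular file is there.

    Hashes are computed in chunks so a large file never has to fit in memory.
    """
    if not os.path.isfile(path):
        return None
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return {"path": path, "size": size,
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def report_files(paths):
    """Split a list of paths into (reports for files found, paths not found)."""
    found, missing = [], []
    for path in paths:
        report = file_report(path)
        if report is None:
            missing.append(path)
        else:
            found.append(report)
    return found, missing


def matches_scanner(report, md5=None, sha1=None):
    """True when locally computed hashes agree with the ones a scanner printed.

    Comparison is case-insensitive because scanners differ in hex-digit case.
    """
    if md5 is not None and report["md5"].lower() != md5.lower():
        return False
    if sha1 is not None and report["sha1"].lower() != sha1.lower():
        return False
    return True


if __name__ == "__main__":
    found, missing = report_files(SUSPECT_PATHS)
    for r in found:
        print("%s  size=%d  md5=%s  sha1=%s"
              % (r["path"], r["size"], r["md5"], r["sha1"]))
    for p in missing:
        print("%s  NOT FOUND (nothing to submit; the service will report it as absent)" % p)
```

A path that the script reports as not found but that still appears as a service or driver entry in the log is itself worth noting in the reply, since the entry is then a leftover registration rather than a file that can be scanned.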

#9 Shinigami.

Shinigami.
  • Topic Starter

  • Members
  • 14 posts
  • Local time:06:00 PM

Posted 12 February 2009 - 09:15 PM

Hey. When scanning for c:\windows\system32\XDva136.sys, both sites say that the file didn't exist at that location. I did get the scan for c:\windows\system32\drivers\alcan5ln.sys. And I did the updates, but updating to Service Pack 3 failed halfway through; a pop-up came up that said "Access Denied", and I'm on an administrator account.

Below is my Scan, and DDS Log right after.

VirSCAN.org Scanned Report :
Scanned time : 2009/02/12 19:01:03 (CST)
Scanner results: All Scanners reported not find malware!
File Name : alcan5ln.sys
File Size : 36960 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 7bc75b59e1e8a9cc3c5afb608c152743
SHA1 : 50ee59d18270539889fcb55b12d6d0aed9a9202d
Online report : http://virscan.org/report/9b22efef71225b4d...a338735996.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20090209183317 2009-02-09 2.16 -
AhnLab V3 2009.02.12.02 2009.02.12 2009-02-12 1.07 -
AntiVir 7.9.0.76 7.1.2.19 2009-02-12 1.83 -
Antiy 2.0.18 20090212.2181828 2009-02-12 0.12 -
Authentium 5.1.1 200902112225 2009-02-11 1.14 -
AVAST! 3.0.1 090212-0 2009-02-12 0.01 -
AVG 7.5.52.442 270.10.23/1950 2009-02-12 1.90 -
BitDefender 7.81008.2640612 7.23636 2009-02-13 2.47 -
CA (VET) 9.0.0.143 31.6.6353 2009-02-12 3.81 -
ClamAV 0.94.2 8985 2009-02-13 0.01 -
Comodo 3.0 975 2009-02-12 0.93 -
CP Secure 1.1.0.715 2009.02.13 2009-02-13 6.87 -
Dr.Web 4.44.0.9170 2009.02.12 2009-02-12 4.01 -
F-Prot 4.4.4.56 20090211 2009-02-11 1.09 -
F-Secure 5.51.6100 2009.02.12.06 2009-02-12 0.20 -
Fortinet 2.81-3.117 10.31 2009-02-12 0.17 -
GData 19.3040/19.222 20090212 2009-02-12 3.18 -
ViRobot 20090212 2009.02.12 2009-02-12 0.41 -
Ikarus T3.1.01.45 2009.02.12.72293 2009-02-12 3.70 -
JiangMin 11.0.706 2009.02.12 2009-02-12 1.81 -
Kaspersky 5.5.10 2009.02.12 2009-02-12 0.04 -
KingSoft 2008.9.8.18 2009.2.12.23 2009-02-12 1.90 -
McAfee 5.3.00 5524 2009-02-12 3.22 -
Microsoft 1.4306 2009.02.13 2009-02-13 5.52 -
mks_vir 2.01 2009.02.12 2009-02-12 2.71 -
Norman 6.00.02 6.00.00 2009-02-12 6.01 -
Panda 9.05.01 2009.02.12 2009-02-12 1.58 -
Trend Micro 8.700-1004 5.838.06 2009-02-12 0.04 -
Quick Heal 10.00 2009.02.11 2009-02-11 0.90 -
Rising 20.0 21.16.32.00 2009-02-12 1.63 -
Sophos 2.83.3 4.38 2009-02-13 2.42 -
Sunbelt 4809 4809 2009-02-11 0.49 -
Symantec 1.3.0.24 20090212.003 2009-02-12 0.20 -
nProtect 20090212.04 3122511 2009-02-12 7.22 -
The Hacker 6.3.1.85 v00252 2009-02-11 0.57 -
VBA32 3.12.8.12 20090211.1008 2009-02-11 1.65 -
VirusBuster 4.5.11.10 10.101.11/903814 2009-02-12 1.12 -

DDS Log:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Thuy at 21:09:27.51 on 12/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.2.1033.18.511.101 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Thuy\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sympatico.msn.ca/?lang=en-CA
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://sympatico.ca/
uInternet Settings,ProxyOverride = local;*.local
uInternet Settings,ProxyServer = 127.0.0.1:8081
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: DAPHelper Class: {0000cc75-acf3-4cac-a0a9-dd3868e06852} - c:\program files\dap\dapbho.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\docume~1\thuy\locals~1\temp\autorunpro0\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [ATI Scheduler] c:\program files\ati multimedia\main\ATISched.EXE
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\ypager.exe" -quiet
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WheelMouse] c:\stinger mouse driver\wh_exec.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobe reader speed launch.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Download All Links with IDM - c:\docume~1\thuy\locals~1\temp\autorunpro0\IEGetAll.htm
IE: Download with IDM - c:\docume~1\thuy\locals~1\temp\autorunpro0\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-ca\msntabres.dll.mui/229?497b1459c0a4423a953385239b0045ec
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-ca\msntabres.dll.mui/230?497b1459c0a4423a953385239b0045ec
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thuy\applic~1\mozilla\firefox\profiles\12fyllqp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/?lang=en-CA
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

============= SERVICES / DRIVERS ===============

S3 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2007-8-7 9344]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2005-8-18 36960]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2007-7-25 16269]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-2-3 513152]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-2-3 3768]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\silkroad\bot\ntprocdrv.sys --> c:\program files\silkroad\bot\NtProcDrv.sys [?]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2005-10-2 91830]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2007-7-25 104320]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [2007-1-25 6784]
S3 XDva136;XDva136;\??\c:\windows\system32\xdva136.sys --> c:\windows\system32\XDva136.sys [?]

=============== Created Last 30 ================

2009-02-12 20:36 <DIR> --d----- c:\program files\Messenger
2009-02-12 20:26 3,555,328 a------- c:\windows\system32\dllcache\moviemk.exe
2009-02-12 20:25 185,344 a------- c:\windows\system32\dllcache\upnphost.dll
2009-02-12 15:02 250 a------- c:\windows\gmer.ini
2009-02-11 17:53 <DIR> --d----- C:\cmdcons
2009-02-11 17:52 161,792 a------- c:\windows\SWREG.exe
2009-02-11 17:52 98,816 a------- c:\windows\sed.exe
2009-02-10 11:13 <DIR> --d----- c:\program files\CDisplayEx
2009-02-06 19:06 <DIR> --d----- c:\windows\system32\scripting
2009-02-06 19:06 <DIR> --d----- c:\windows\system32\en
2009-02-06 19:06 <DIR> --d----- c:\windows\l2schemas
2009-02-06 18:53 382,464 -------- c:\windows\system32\_004751_.tmp.dll
2009-02-06 18:53 2,897,920 -------- c:\windows\system32\_004750_.tmp.dll
2009-02-06 17:36 197 a------- c:\windows\system32\MRT.INI
2009-02-04 15:41 333,824 a------- c:\windows\system32\SET190.tmp
2009-02-04 15:40 413,696 a------- c:\windows\system32\SET360.tmp
2009-02-04 15:39 824,320 a------- c:\windows\system32\SET3D4.tmp
2009-02-04 15:23 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-02-03 23:49 <DIR> --d----- c:\program files\Trend Micro
2009-02-03 23:16 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-03 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-03 23:07 <DIR> --d----- c:\documents and settings\thuy\.SunDownloadManager

==================== Find3M ====================

2008-12-30 11:58 1,510 a------- c:\windows\Sketchpad Preferences.dat
2008-12-12 12:27 3,067,392 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 15:37 42,320 ac------ c:\windows\system32\xfcodec.dll
2008-12-11 06:57 333,184 a------- c:\windows\system32\dllcache\srv.sys
2008-04-28 17:23 22,328 ac------ c:\docume~1\thuy\applic~1\PnkBstrK.sys
2008-02-27 20:26 2,354 ac------ c:\docume~1\thuy\applic~1\SAS7_000.DAT
2006-06-25 14:13 66,624 ac------ c:\docume~1\thuy\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 21:10:57.82 ===============

#10 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 13 February 2009 - 09:18 AM

Hello.

Let's get one last scan off.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

With regards,
The Panda

#11 Shinigami.

  • Topic Starter
  • Members
  • 14 posts

Posted 16 February 2009 - 11:47 AM

I've done the scan many times, even left it overnight twice. The scan never gets past 6%, which is about 50 mins into the scan. It finds 19 infected, but when I wake up and realize it's stopped, I press View scan log and nothing pops up.

#12 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 16 February 2009 - 02:17 PM

Hello.

Let's try F-Secure. If it does not work, that's not a problem.


This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda

#13 Shinigami.

  • Topic Starter
  • Members
  • 14 posts

Posted 17 February 2009 - 08:03 AM

Here are the results of the report

Scanning Report
Monday, February 16, 2009 22:29:13 - 07:57:00

Computer name: OWNER-K0N3ZT9M2
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 32 malware found
Client-IRC.Win32.mIRC (spyware)

* System

Monitor.Win32.Ardamax (spyware)

* System

Packed.Win32.NSAnti (virus)

* System

Packed.Win32.NSAnti.r (virus)

* C:\WINDOWS\SYSTEM32\FWCICWMI.EXE

TrackingCookie.2o7 (spyware)

* System

TrackingCookie.Adbrite (spyware)

* System

TrackingCookie.Adform (spyware)

* System

TrackingCookie.Adinterax (spyware)

* System

TrackingCookie.Adrevolver (spyware)

* System

TrackingCookie.Adtech (spyware)

* System

TrackingCookie.Advertising (spyware)

* System

TrackingCookie.Atdmt (spyware)

* System

TrackingCookie.Atwola (spyware)

* System

TrackingCookie.Clickbank (spyware)

* System

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Imrworldwide (spyware)

* System

TrackingCookie.Instadia (spyware)

* System

TrackingCookie.Mediaplex (spyware)

* System

TrackingCookie.Questionmarket (spyware)

* System

TrackingCookie.Revsci (spyware)

* System

TrackingCookie.Specificclick (spyware)

* System

TrackingCookie.Statcounter (spyware)

* System

TrackingCookie.Tradedoubler (spyware)

* System

TrackingCookie.Webtrends (spyware)

* System

TrackingCookie.Xiti (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

TrackingCookie.Zanox (spyware)

* System

TrackingCookie.sitestat (spyware)

* System

Trojan-Downloader.Win32.Firu (virus)

* System

Trojan-Downloader.Win32.Firu.bbn (virus)

* C:\WINDOWS\SYSTEM32\AVOF6XMH.EXE

W32/Packed_Expressor.C (virus)

* C:\DOCUMENTS AND SETTINGS\THUY\MY DOCUMENTS\WORKSPACE_MACRO_PRO_V6.5.2\WORKSPACE MACRO PRO.EXE (Submitted)

W32/Packed_PeSpin.A (virus)

* C:\DOCUMENTS AND SETTINGS\THUY\MY DOCUMENTS\HACKS\HACKS\SA-MP PLACE MANAGER\SAMP_MANAGER.EXE (Submitted)

Statistics
Scanned:

* Files: 56546
* System: 5238
* Not scanned: 9

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 32
* Submitted: 2

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\THUY\LOCAL SETTINGS\TEMP\ETILQS_HFRL9REQHK7DDCXWFJRO

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Blacklight: 0.0.0
* F-Secure Hydra: 3.6.8511, 2009-02-16
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure AVP: 7.0.171, 2009-02-16

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

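The report above is the kind of output a helper has to read through quickly: 32 hits, of which 24 are tracking cookies and most of the rest name only "System". As an added example (not part of this thread, and not F-Secure's own tooling), here is a small Python triage of that report format. The sample text is a constructed, abridged excerpt of the report above (two cookie entries kept instead of 24), and the "8-character .EXE in SYSTEM32" heuristic is my own rule of thumb, not something the scanner reports.

```python
import re

# Constructed, abridged excerpt modelled on the F-Secure Online Scanner
# report posted above: each hit is a "Name (category)" line followed by one
# or more "* location" lines. Only two of the tracking-cookie entries are
# kept so the sample stays short.
SAMPLE_REPORT = """\
Scanning Report
Monday, February 16, 2009 22:29:13 - 07:57:00

Computer name: OWNER-K0N3ZT9M2
Scanning type: Scan system for malware, rootkits
Target: C:\\
Result: 7 malware found
Client-IRC.Win32.mIRC (spyware)

* System

Monitor.Win32.Ardamax (spyware)

* System

Packed.Win32.NSAnti.r (virus)

* C:\\WINDOWS\\SYSTEM32\\FWCICWMI.EXE

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Atdmt (spyware)

* System

Trojan-Downloader.Win32.Firu.bbn (virus)

* C:\\WINDOWS\\SYSTEM32\\AVOF6XMH.EXE

W32/Packed_PeSpin.A (virus)

* C:\\DOCUMENTS AND SETTINGS\\THUY\\MY DOCUMENTS\\HACKS\\HACKS\\SA-MP PLACE MANAGER\\SAMP_MANAGER.EXE (Submitted)

Statistics
Scanned:

* Files: 56546
"""

DETECTION_RE = re.compile(r"^(?P<name>\S+) \((?P<category>\w+)\)$")
LOCATION_RE = re.compile(r"^\* (?P<loc>.+?)(?: \((?P<action>\w+)\))?$")


def parse_report(text):
    """Return [{name, category, locations: [(path_or_System, action)]}]
    for everything between the 'Result:' line and the 'Statistics' block."""
    detections, current, in_results = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Result:"):
            in_results = True
            continue
        if line == "Statistics":
            break
        if not in_results or not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            current = {"name": m["name"], "category": m["category"], "locations": []}
            detections.append(current)
            continue
        m = LOCATION_RE.match(line)
        if m and current is not None:
            current["locations"].append((m["loc"], m["action"]))
    return detections


def claimed_count(text):
    """The scanner's own 'N malware found' total, to cross-check the parse."""
    m = re.search(r"^Result: (\d+) malware found", text, re.M)
    return int(m.group(1)) if m else None


def triage(detections):
    """Tracking cookies are noise; 'System'-only hits name no file to act on;
    file-backed hits are the ones a cleanup post can actually list."""
    buckets = {"cookies": [], "system_only": [], "file_backed": []}
    for d in detections:
        if d["name"].startswith("TrackingCookie."):
            buckets["cookies"].append(d["name"])
        elif all(loc == "System" for loc, _ in d["locations"]):
            buckets["system_only"].append(d["name"])
        else:
            buckets["file_backed"].append(d)
    return buckets


# Heuristic (my assumption, not scanner output): an 8-character,
# generated-looking .EXE dropped directly into SYSTEM32 is a common dropper
# pattern; both file-backed SYSTEM32 hits in the report fit it.
RANDOM_NAME_RE = re.compile(r"\\SYSTEM32\\[A-Z0-9]{8}\.EXE$", re.I)


def suspicious_paths(detections):
    return [loc for d in detections for loc, _ in d["locations"]
            if RANDOM_NAME_RE.search(loc)]


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    assert len(dets) == claimed_count(SAMPLE_REPORT)
    for bucket, items in triage(dets).items():
        print(bucket, [i["name"] if isinstance(i, dict) else i for i in items])
    print("look first at:", suspicious_paths(dets))
```

The `claimed_count` cross-check is there for a reason: the previous Kaspersky run reported 19 infected but produced no log, so a parse that disagrees with the scanner's own total is the first sign a report was cut short.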

#14 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 17 February 2009 - 08:19 AM

Hello Shinigami.

I see you have downloaded some hacks and cracks for certain programs. Know that many illegal files will contain malware. Your AV can't protect you if you intentionally run malware.

Please delete:
C:\WINDOWS\SYSTEM32\AVOF6XMH.EXE
C:\DOCUMENTS AND SETTINGS\THUY\MY DOCUMENTS\WORKSPACE_MACRO_PRO_V6.5.2\WORKSPACE MACRO PRO.EXE
C:\DOCUMENTS AND SETTINGS\THUY\MY DOCUMENTS\HACKS\

Any issues at the moment? Let's have a final DDS.txt log.

With Regards,
The Panda

#15 Shinigami.

  • Topic Starter
  • Members
  • 14 posts

Posted 19 February 2009 - 05:32 PM

Hey, my PC is running fine now; Google and all my other search engines work great. I can't find "C:\WINDOWS\SYSTEM32\AVOF6XMH.EXE". I browsed through the system32 folder and couldn't find it. What does the program do?

Here's the DDS:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Thuy at 17:28:30.37 on 19/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.2.1033.18.511.148 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Ventrilo\Ventrilo.exe
svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WC3Banlist\WC3Banlist.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Thuy\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://sympatico.msn.ca/?lang=en-CA
mSearch Bar = hxxp://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://sympatico.ca/
uInternet Settings,ProxyOverride = local;*.local
uInternet Settings,ProxyServer = 127.0.0.1:8081
uSearchURL,(Default) = hxxp://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: DAPHelper Class: {0000cc75-acf3-4cac-a0a9-dd3868e06852} - c:\program files\dap\dapbho.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\docume~1\thuy\locals~1\temp\autorunpro0\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [ATI Scheduler] c:\program files\ati multimedia\main\ATISched.EXE
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WheelMouse] c:\stinger mouse driver\wh_exec.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobe reader speed launch.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Download All Links with IDM - c:\docume~1\thuy\locals~1\temp\autorunpro0\IEGetAll.htm
IE: Download with IDM - c:\docume~1\thuy\locals~1\temp\autorunpro0\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-ca\msntabres.dll.mui/229?497b1459c0a4423a953385239b0045ec
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-ca\msntabres.dll.mui/230?497b1459c0a4423a953385239b0045ec
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thuy\applic~1\mozilla\firefox\profiles\12fyllqp.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/?lang=en-CA
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

============= SERVICES / DRIVERS ===============

R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
R3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2005-10-2 91830]
S3 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2007-8-7 9344]
S3 alcan5ln;Alcatel SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2005-8-18 36960]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2007-7-25 16269]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\thuy\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2009-2-16 70144]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-2-3 513152]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-2-3 3768]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\program files\silkroad\bot\ntprocdrv.sys --> c:\program files\silkroad\bot\NtProcDrv.sys [?]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2007-7-25 104320]
S3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [2007-1-25 6784]
S3 XDva136;XDva136;\??\c:\windows\system32\xdva136.sys --> c:\windows\system32\XDva136.sys [?]

=============== Created Last 30 ================

2009-02-16 22:25 <DIR> --d----- C:\fsaua.data
2009-02-15 10:49 <DIR> --d----- c:\program files\Photosynth
2009-02-13 18:56 27,136 a------- c:\windows\system32\PCWizard.cpl
2009-02-13 18:56 <DIR> --d----- c:\program files\PC Wizard 2008
2009-02-12 20:36 <DIR> --d----- c:\program files\Messenger
2009-02-12 20:26 3,555,328 a------- c:\windows\system32\dllcache\moviemk.exe
2009-02-12 20:25 185,344 a------- c:\windows\system32\dllcache\upnphost.dll
2009-02-12 15:02 250 a------- c:\windows\gmer.ini
2009-02-11 17:53 <DIR> --d----- C:\cmdcons
2009-02-11 17:52 161,792 a------- c:\windows\SWREG.exe
2009-02-11 17:52 98,816 a------- c:\windows\sed.exe
2009-02-10 11:13 <DIR> --d----- c:\program files\CDisplayEx
2009-02-06 19:06 <DIR> --d----- c:\windows\system32\scripting
2009-02-06 19:06 <DIR> --d----- c:\windows\system32\en
2009-02-06 19:06 <DIR> --d----- c:\windows\l2schemas
2009-02-06 18:53 382,464 -------- c:\windows\system32\_004751_.tmp.dll
2009-02-06 18:53 2,897,920 -------- c:\windows\system32\_004750_.tmp.dll
2009-02-06 17:36 197 a------- c:\windows\system32\MRT.INI
2009-02-04 15:41 333,824 a------- c:\windows\system32\SET190.tmp
2009-02-04 15:40 413,696 a------- c:\windows\system32\SET360.tmp
2009-02-04 15:39 824,320 a------- c:\windows\system32\SET3D4.tmp
2009-02-04 15:23 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-02-03 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-03 23:07 <DIR> --d----- c:\documents and settings\thuy\.SunDownloadManager

==================== Find3M ====================

2008-12-30 11:58 1,510 a------- c:\windows\Sketchpad Preferences.dat
2008-12-12 12:27 3,067,392 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 15:37 42,320 ac------ c:\windows\system32\xfcodec.dll
2008-12-11 06:57 333,184 a------- c:\windows\system32\dllcache\srv.sys
2008-04-28 17:23 22,328 ac------ c:\docume~1\thuy\applic~1\PnkBstrK.sys
2008-02-27 20:26 2,354 ac------ c:\docume~1\thuy\applic~1\SAS7_000.DAT
2006-06-25 14:13 66,624 ac------ c:\docume~1\thuy\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 17:29:21.66 ===============
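A DDS "Pseudo HJT Report" is read the same way every time: look for a loopback proxy (a line like `uInternet Settings,ProxyServer = 127.0.0.1:8081` means every IE request is routed through a local process, which is exactly the position from which search results can be rewritten), browser helper objects loading from a Temp directory, orphaned `No File` entries, and drivers DDS marks `[?]` because the file is missing on disk. As an added example (not part of this thread, and not DDS's own code), here is that checklist as Python rules run over a constructed, abridged excerpt of the log above. The rule names, severities and explanations are my choices, and flagging the mywebsearch context-menu URL as a third-party toolbar remnant is an assumption, not a DDS verdict.

```python
import re

# Constructed, abridged excerpt of the "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections posted above: one clean line of each kind
# sits beside the lines the rules should fire on.
SAMPLE_DDS = """\
uStart Page = hxxp://sympatico.msn.ca/?lang=en-CA
uInternet Settings,ProxyOverride = local;*.local
uInternet Settings,ProxyServer = 127.0.0.1:8081
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\\docume~1\\thuy\\locals~1\\temp\\autorunpro0\\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
R3 NPF;NetGroup Packet Filter Driver;c:\\windows\\system32\\drivers\\npf.sys [2007-11-6 34064]
S3 NTProcDrv;Process creation detector for NT.;\\??\\c:\\program files\\silkroad\\bot\\ntprocdrv.sys --> c:\\program files\\silkroad\\bot\\NtProcDrv.sys [?]
S3 XDva136;XDva136;\\??\\c:\\windows\\system32\\xdva136.sys --> c:\\windows\\system32\\XDva136.sys [?]
"""

# (rule name, severity, pattern, why it matters); severities are my own.
RULES = [
    ("local-proxy", "high",
     re.compile(r"^[umd]Internet Settings,ProxyServer = (?:127\.\d+\.\d+\.\d+|localhost):\d+", re.I),
     "IE proxy points at a loopback port: every request goes through a local process, "
     "which is the position from which search results can be rewritten"),
    ("temp-loaded-bho", "high",
     re.compile(r"^BHO: .* - .*\\(temp|tmp)\\", re.I),
     "browser helper object loads its DLL from a Temp directory"),
    ("orphan-entry", "low",
     re.compile(r"^(BHO|TB|EB): .* - No File$"),
     "registry entry whose DLL is gone; harmless, but worth cleaning up"),
    ("missing-driver", "medium",
     re.compile(r"^[RS]\d .* \[\?\]$"),
     "service or driver is registered but DDS could not find its file on disk"),
    ("search-hook-url", "medium",
     re.compile(r"^IE: .* - https?://bar\.mywebsearch\.com/", re.I),
     "IE context-menu search still points at a third-party toolbar host (assumed unwanted)"),
]


def triage_dds(text):
    """Run every rule over each line; return a list of (severity, rule, line)."""
    hits = []
    for line in text.splitlines():
        for name, severity, pattern, _why in RULES:
            if pattern.search(line):
                hits.append((severity, name, line))
    return hits


def explain(rule_name):
    """Human-readable reason for a rule, for the write-up."""
    return next(why for name, _, _, why in RULES if name == rule_name)


def proxy_port(text):
    """Port of the loopback proxy, if any. On the affected machine that is the
    number to feed to `netstat -ano | findstr :<port>` to find the owning PID."""
    m = re.search(r"ProxyServer = (?:127\.\d+\.\d+\.\d+|localhost):(\d+)", text, re.I)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for severity, name, line in sorted(triage_dds(SAMPLE_DDS), key=lambda h: order[h[0]]):
        print(f"[{severity}] {name}: {line}\n    {explain(name)}")
    print("loopback proxy port:", proxy_port(SAMPLE_DDS))
```

On the real log the proxy line is still present in this final DDS even though the redirects have stopped, so the matching follow-up is to clear it (Internet Options > Connections > LAN settings) and confirm nothing is listening on that port any more; a rule engine like this only points at the line, it does not judge whether the process behind it is gone.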



