Infected with windows32 trojan wrm


  • This topic is locked
27 replies to this topic

#1 funky_beats06

  • Members
  • 51 posts

Posted 13 February 2009 - 10:33 AM

Hi, for the last few days I've been getting avast antivirus warnings about some virus in the c:\windows\system\x\[UPX] folder. Also once, actually twice, when I started my PC it just hung up and I had to shut it down manually by pressing the button on the CPU. And after booting up, when I click on the My Computer icon, I don't see my local drives; instead I see a torch moving left to right, then I have to wait a while for the icons to show up. My antivirus avast is up to date.

Here's the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:30 PM, on 2/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
c:\program files\mozilla firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [avast! service GUI component] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all links with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Faiz\Desktop\Exe Files\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186238036171
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O17 - HKLM\System\CS2\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: WMI Servicer (WMISRV) - Unknown owner - C:\WINDOWS\system\wmisvr.exe
O24 - Desktop Component 0: (no name) - http://www.allpspgames.com/img/listado.jpg

--
End of file - 9694 bytes
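As an added triage example (this is not code from the thread, nor from HijackThis or DDS), the script below parses HijackThis-style entries like those in the log above and flags the ones a responder would check first: orphaned BHOs (O2), unrecognised Winsock LSP modules (O10), DNS resolvers outside private ranges (O17), services with no recorded vendor or sitting in the legacy %windir%\system directory (O23), and Active Desktop components loaded from the web (O24). The sample lines are copied from the posted log; the LSP allowlist and the directory heuristic are assumptions for illustration, and every finding is something to verify, not a verdict.

```python
"""Triage of HijackThis-style log entries (added example, not code from the thread)."""
import ipaddress
import re

# One HJT entry per line: "O10 - Unknown file in Winsock LSP: ..." or "R0 - HKCU\..."
HJT_ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Assumption: LSP modules a responder would normally not flag (illustrative, not complete).
KNOWN_LSP = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{24DCF250-8DD5-406B-AAC0-497FB10EA533}: NameServer = 25.1.1.1 203.115.71.66
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: WMI Servicer (WMISRV) - Unknown owner - C:\WINDOWS\system\wmisvr.exe
O24 - Desktop Component 0: (no name) - http://www.allpspgames.com/img/listado.jpg
"""


def parse_entries(text):
    """Return (kind, body) pairs for every 'Oxx - ...' / 'Rx - ...' line."""
    out = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            out.append((m.group("kind"), m.group("body")))
    return out


def lsp_module(body):
    """O10 body is 'Unknown file in Winsock LSP: <dll or full path>'; return the bare DLL name."""
    target = body.partition("LSP:")[2].strip()
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_nameserver(body):
    """O17: return resolvers that are neither private nor loopback, for comparison with the ISP's."""
    flagged = []
    for ip in IPV4.findall(body):
        addr = ipaddress.ip_address(ip)
        if not (addr.is_private or addr.is_loopback):
            flagged.append(ip)
    return flagged


def check_service(body):
    """O23 body is 'Service: <name> - <owner> - <path>'; names may contain ' - ' themselves,
    so split from the right.  Returns (name, [reasons]) or None if the line is malformed."""
    parts = body.partition("Service: ")[2].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = (p.strip() for p in parts)
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("no vendor recorded")
    # Assumption: legitimate services live in system32 or Program Files, not the legacy
    # %windir%\system directory; a binary there deserves a look.
    if path.lower().startswith("c:\\windows\\system\\"):
        reasons.append("binary in legacy %windir%\\system")
    return name, reasons


def triage(text):
    """Return a list of (entry kind, reason) findings for the responder to verify."""
    findings = []
    for kind, body in parse_entries(text):
        if kind == "O2" and "(no file)" in body.lower():
            findings.append((kind, "orphaned BHO registration: " + body))
        elif kind == "O10":
            mod = lsp_module(body)
            if mod not in KNOWN_LSP:
                findings.append((kind, "unrecognised Winsock LSP module " + mod))
        elif kind == "O17":
            for ip in check_nameserver(body):
                findings.append((kind, "non-private DNS resolver %s; confirm it is the ISP's" % ip))
        elif kind == "O23":
            res = check_service(body)
            if res and res[1]:
                findings.append((kind, "service '%s': %s" % (res[0], "; ".join(res[1]))))
        elif kind == "O24":
            url = re.search(r"https?://\S+", body)
            if url:
                findings.append((kind, "Active Desktop component loads " + url.group(0)))
    return findings


if __name__ == "__main__":
    for kind, reason in triage(SAMPLE_LOG):
        print("%-4s %s" % (kind, reason))
```

Run on the sample it reports eight items; the avast service line passes because it has a vendor and a normal path, while the two "Unknown owner" services are reported with different reason counts, which is how the script ranks them.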


#2 KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 25 February 2009 - 06:23 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 funky_beats06

  • Topic Starter

  • Members
  • 51 posts

Posted 28 February 2009 - 12:09 PM

Hi, thanks for your reply. I do understand that you all have lots of other people like me asking for help, so it's cool.
I did a full system scan in the meantime with avast, SUPERAntiSpyware and Malwarebytes. They found a lot of those baddies and removed them.
But I still have those pop-ups regarding win32 malware, trojans, horses, donkeys, etc!!

Here's the DDS report:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Faiz at 22:38:10.17 on Sat 02/28/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.95 [GMT 5.5:30]

AV: avast! antivirus 4.8.1335 [VPS 090227-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Broadband Pacenet\Pacenet Dialer\PaceDial.exe
C:\Documents and Settings\Faiz\Desktop\Exe Files\IDMan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Faiz\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: IE7Pro BHO: {00011268-e188-40df-a514-835fcd78b1bf} - c:\program files\iepro\iepro.dll
BHO: {0055c089-8582-441b-a0bf-17b458c2a3a8} - IDMIEHlprObj Class
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [avast! service GUI component] c:\program files\alwil software\avast4\ashDisp.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
IE: Download all links with IDM - c:\documents and settings\faiz\desktop\exe files\IEGetAll.htm
IE: Download FLV video content with IDM - c:\documents and settings\faiz\desktop\exe files\IEGetVL.htm
IE: Download with IDM - c:\documents and settings\faiz\desktop\exe files\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\iepro\iepro.dll
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\iepro.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: PrxerDrv.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186238036171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {24DCF250-8DD5-406B-AAC0-497FB10EA533} = 25.1.1.1 203.115.71.66
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: WB - c:\program files\stardock\object desktop\thememanager\fastload.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\faiz\applic~1\mozilla\firefox\profiles\97mxx2t5.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\documents and settings\faiz\application data\mozilla\firefox\profiles\97mxx2t5.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: f:\soft\divx\divx content uploader\npUpload.dll
FF - plugin: f:\soft\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: f:\soft\divx\divx web player\npdivx32.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-8 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-8 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-11-8 138680]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-10 65536]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-11-8 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-11-8 352920]
R3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2007-5-11 29184]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2002-10-3 31504]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2008-11-21 25773]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\g:\ntglm7x.sys --> g:\NTGLM7X.sys [?]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);c:\windows\system32\drivers\z530bus.sys [2007-10-30 58288]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;c:\windows\system32\drivers\z530mdfl.sys [2007-10-30 8336]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;c:\windows\system32\drivers\z530mdm.sys [2007-10-30 94064]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\z530mgmt.sys [2007-10-30 85408]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;c:\windows\system32\drivers\z530obex.sys [2007-10-30 83344]

=============== Created Last 30 ================

2009-02-28 22:34 157,951 a------- c:\windows\system32\x
2009-02-23 19:38 11,656 a------- c:\windows\system32\drivers\sysdrv32.sys
2009-02-19 22:52 26,624 a------- c:\windows\system32\44.scr
2009-02-16 16:43 588,288 a------- c:\windows\system32\qs.exe
2009-02-13 20:38 <DIR> --d----- c:\windows\fix
2009-02-07 12:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-30 14:31 <DIR> --d----- c:\program files\KigoVideoConverter

==================== Find3M ====================

2009-02-22 13:51 32,936 a------- c:\docume~1\faiz\applic~1\GDIPFONTCACHEV1.DAT
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-30 16:01 409,600 a------- c:\windows\system32\wrap_oal.dll
2009-01-30 16:01 114,688 a------- c:\windows\system32\OpenAL32.dll
2009-01-15 12:01 165,681 a------- c:\windows\hpoins28.dat
2008-11-06 21:05 18,071 a------- c:\docume~1\faiz\applic~1\cugesyfuhy.vbs
2008-11-06 21:05 17,910 a------- c:\program files\common files\hyfuby.com
2008-11-06 21:05 13,441 a------- c:\program files\common files\igolup.inf
2007-10-17 11:20 3,346,944 a------- c:\program files\VersionTrackerProWindows40cn0074.msi
1994-11-19 11:56 988 a------- c:\documents and settings\faiz\INSTALL.BAT
1993-04-01 02:55 35,762 a------- c:\documents and settings\faiz\LHA.EXE
2008-11-20 22:11 2 a--shrot c:\windows\winstart.bat

============= FINISH: 22:38:38.09 ===============


#4 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 28 February 2009 - 03:00 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Disable Avast!'s realtime protection by right clicking on the tray icon beside your clock [icon screenshot] and selecting Stop On-Access Protection.

In the settings:
[screenshot]

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [screenshots]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [screenshot]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 March 2009 - 04:38 PM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#6 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 09 March 2009 - 02:16 PM

Reopened.

#7 funky_beats06

  • Topic Starter

  • Members
  • 51 posts

Posted 10 March 2009 - 02:00 PM

Hi Panda, thanks for reopening the topic.
Here are the results:

1) ComboFix.txt:

ComboFix 09-03-06.02 - Faiz 2009-03-11 0:18:13.16 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.192 [GMT 5.5:30]
Running from: c:\documents and settings\Faiz\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090309-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\sysdrv32.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.

2009-03-09 16:13 . 2009-03-09 16:14 704,000 --a------ c:\windows\system32\mm.exe
2009-03-09 16:11 . 2009-03-09 16:11 704,000 --a------ c:\windows\system32\xj.exe
2009-03-08 21:16 . 2009-03-08 21:16 33,440 --a------ c:\windows\system32\drivers\yrfurtgx.sys
2009-03-07 22:18 . 2009-03-07 22:18 16 --a------ c:\windows\QH32.INI
2009-03-07 22:17 . 2009-03-07 22:17 67,584 ---h----- c:\windows\system32\secupdat.dat
2009-03-07 22:17 . 2009-03-07 22:17 12,800 --ah----- c:\documents and settings\LocalService\cxuoum.exe
2009-03-07 21:30 . 2009-03-07 22:51 <DIR> d-------- c:\documents and settings\Faiz\Application Data\Hamachi
2009-03-07 20:57 . 2009-03-07 21:30 <DIR> d-------- c:\program files\Hamachi
2009-03-06 20:04 . 2009-03-06 20:04 694,272 --a------ c:\windows\system32\ku.exe
2009-03-02 15:36 . 2009-03-02 15:36 <DIR> d-------- c:\documents and settings\Faiz\Application Data\ImTOO Software Studio
2009-03-02 15:28 . 2009-03-02 15:29 544,768 --a------ c:\windows\system32\xk.exe
2009-02-19 22:52 . 2009-02-19 22:52 26,624 --a------ c:\windows\system32\44.scr
2009-02-19 12:10 . 2009-02-19 12:10 421,888 --a------ c:\windows\system32\RealMediaSplitter.ax
2009-02-16 16:43 . 2009-02-16 16:44 588,288 --a------ c:\windows\system32\qs.exe
2009-02-13 20:38 . 2009-02-16 21:02 <DIR> d-------- c:\windows\fix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 18:43 --------- d-----w c:\documents and settings\Faiz\Application Data\DMCache
2009-03-09 14:18 --------- d-----w c:\documents and settings\Faiz\Application Data\dvdcss
2009-03-09 09:39 --------- d-----w c:\documents and settings\Faiz\Application Data\uTorrent
2009-03-08 15:51 --------- d-----w c:\documents and settings\Faiz\Application Data\HPAppData
2009-03-08 15:46 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-08 15:46 --------- d-----w c:\program files\IEPro
2009-03-07 16:00 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-02-22 08:21 32,936 ----a-w c:\documents and settings\Faiz\Application Data\GDIPFONTCACHEV1.DAT
2009-02-22 08:19 --------- d-----w c:\program files\UltraISO
2009-02-17 16:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-17 14:44 --------- d-----w c:\program files\SpywareBlaster
2009-02-17 14:30 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 11:10 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-07 07:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-05 10:59 --------- d-----w c:\program files\IrfanView
2009-01-30 10:31 409,600 ----a-w c:\windows\system32\wrap_oal.dll
2009-01-30 10:31 114,688 ----a-w c:\windows\system32\OpenAL32.dll
2009-01-30 09:10 --------- d-----w c:\program files\KigoVideoConverter
2009-01-27 08:51 --------- d-----w c:\program files\Leawo
2009-01-27 08:51 --------- d-----w c:\documents and settings\Faiz\Application Data\Leawo
2009-01-27 08:46 --------- d-----w c:\documents and settings\Faiz\Application Data\GSplit
2009-01-27 08:43 --------- d-----w c:\program files\GSplit
2009-01-26 14:51 --------- d-----w c:\program files\Rockstar Games
2009-01-26 12:41 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-24 06:57 --------- d-----w c:\documents and settings\Faiz\Application Data\HP
2009-01-24 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-01-23 18:41 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-23 18:03 --------- d-----w c:\program files\Common Files\Autodesk Shared
2009-01-22 09:13 --------- d-----w c:\documents and settings\Faiz\Application Data\Broadband
2009-01-21 14:54 --------- d-----w c:\program files\Google
2009-01-16 15:27 --------- d-----w c:\program files\Yahoo!
2009-01-16 15:26 --------- d-----w c:\program files\XMotorRacingDemo
2009-01-16 15:25 --------- d-----w c:\program files\Telltale Games
2009-01-16 14:26 --------- d-----w c:\documents and settings\Faiz\Application Data\Capcom
2009-01-16 13:50 --------- d-----w c:\program files\GameBoost
2009-01-15 08:35 --------- d-----w c:\program files\HP
2009-01-15 06:54 --------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-01-15 06:35 --------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-01-15 06:30 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-15 06:19 --------- d-----w c:\program files\Common Files\HP
2009-01-15 06:19 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-01-15 06:19 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-11 17:43 --------- d-----w c:\program files\Autodesk
2009-01-11 16:02 --------- d-----w c:\program files\MSBuild
2009-01-11 15:57 --------- d-----w c:\program files\Reference Assemblies
2008-11-06 15:35 18,071 ----a-w c:\documents and settings\Faiz\Application Data\cugesyfuhy.vbs
2008-11-06 15:35 17,910 ----a-w c:\program files\Common Files\hyfuby.com
2008-11-06 15:35 13,441 ----a-w c:\program files\Common Files\igolup.inf
2007-10-17 05:50 3,346,944 ----a-w c:\program files\VersionTrackerProWindows40cn0074.msi
1994-11-19 06:26 988 ----a-w c:\documents and settings\Faiz\INSTALL.BAT
1993-03-31 21:25 35,762 ----a-w c:\documents and settings\Faiz\LHA.EXE
2008-11-20 16:41 2 --shatr c:\windows\winstart.bat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-02_20.36.06.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-22 16:30:51 884,736 ----a-w c:\windows\gmer.dll
+ 2009-03-02 15:09:02 565,311 ----a-w c:\windows\gmer.dll
- 2008-04-17 15:43:02 811,008 ----a-w c:\windows\gmer.exe
+ 2006-11-28 09:53:32 573,440 ----a-w c:\windows\gmer.exe
- 2008-11-22 16:30:51 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-03-02 15:09:02 68,961 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-03-10 18:51:40 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6f0.dat
+ 2009-03-10 18:52:45 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_718.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast! service GUI component"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-02-06 81000]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-14 185896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-29 13:09 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.NUB2"= NuB2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yrfurtgx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2009-02-06 02:38 81000 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 09:47 131072 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 c:\program files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-11-21 00:22 1805552 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 23:11 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-11-14 13:00 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 14:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 17:07 61952 c:\windows\system32\HdAShCut.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Persistence"=c:\windows\system32\igfxpers.exe
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"High Definition Audio Property Page Shortcut"=HDAShCut.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"Updater"=c:\windows\system32\updater\explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\onceuponatime\\DC++\\DCPlusPlus.exe"=
"d:\\onceuponatime\\Network Assistant\\Nassi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Documents and Settings\\Faiz\\Desktop\\exe files\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_16\\jre\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"d:\\limewirehere\\LimeWire\\LimeWire.exe"=
"f:\\games\\MIDTOWN MADNESS\\midtown.exe"=
"d:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\WINDOWS\\System32\\ku.exe"=
"e:\\Counter Strike\\czero.exe"=
"e:\\Counter Strike\\hlds.exe"=
"e:\\Counter Strike\\hltv.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=

R0 yrfurtgx;yrfurtgx;c:\windows\system32\drivers\yrfurtgx.sys [2009-03-08 33440]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-08 20560]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]
R3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2007-05-11 29184]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2002-10-03 31504]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2008-11-21 25773]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\g:\ntglm7x.sys --> g:\NTGLM7X.sys [?]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);c:\windows\system32\drivers\z530bus.sys [2007-10-30 58288]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;c:\windows\system32\drivers\z530mdfl.sys [2007-10-30 8336]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;c:\windows\system32\drivers\z530mdm.sys [2007-10-30 94064]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\z530mgmt.sys [2007-10-30 85408]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;c:\windows\system32\drivers\z530obex.sys [2007-10-30 83344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a444539-b7ac-11dd-a227-00804840618b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - system.exe
\Shell\Open\command - system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa8bf502-c144-11dd-a257-00804840618b}]
\Shell\AutoRun\command - abk.bat
\Shell\explore\Command - abk.bat
\Shell\open\Command - abk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd8ff266-07c5-11de-a355-00804840618b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
\Shell\Open\command - regsvr.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]

2009-01-23 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-01-22 23:47]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-msile


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: Download all links with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEGetAll.htm
IE: Download FLV video content with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEGetVL.htm
IE: Download with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll
LSP: PrxerDrv.dll
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\Faiz\Application Data\Mozilla\Firefox\Profiles\97mxx2t5.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\documents and settings\Faiz\Application Data\Mozilla\Firefox\Profiles\97mxx2t5.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: f:\soft\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: f:\soft\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: f:\soft\DivX\DivX Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 00:24:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{97DDDEE0-D344-627D-B413-AD212C9E32EA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E926004A-D040-0207-2B3B-F738CA62248C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:fe,25,12,d3,ce,54,19,af,bd,f6,80,0d,61,a2,49,74,d4,cc,b4,2e,e3,10,94,
6d,8f,2b,59,31,8c,35,93,4c,e8,6d,2d,03,5e,b1,24,41,4a,f6,fb,32,9d,8b,e0,82,\
"??"=hex:0f,96,5a,b6,9c,27,42,72,4b,ae,2d,69,7c,1d,1c,2a

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:30,85,82,e4,23,b7,fa,ca,4b,f6,47,3c,3d,05,e7,c6,9b,bb,7e,8e,a5,
8d,cb,2d,e4,66,e6,54,f5,c8,a8,75,26,a4,27,bd,b6,77,4a,4a,9c,17,3f,f1,e2,34,\
"rkeysecu"=hex:73,dd,9e,53,78,ac,dc,d8,6c,85,70,fa,a6,34,88,84

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c3,a4,f7,b1,89,cf,ad,a2,9b,7d,d9,9a,d8,4c,7e,d6,0b,5b,5a,ec,92,
df,31,f9,bb,04,72,a5,7a,0d,92,d2,dc,83,74,ae,8c,bf,ba,1f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):54,37,7c,dd,77,93,ad,54,19,2a,6e,31,24,ea,f1,2a,80,7e,b5,75,c3,
6b,cf,38,38,f4,78,2a,bc,e3,41,20,c0,a9,d8,fa,3d,1b,3a,46,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ae2345f2-230c-4bb8-bdc8-5aef1cb41404}]
@Denied: (Full) (Everyone)
"Model"=dword:00000064
"Therad"=dword:00000013
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,84,cf,46,0a,21,fa,ec,c6,c8,e5,61,a3,cf,fa,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{b90d530c-906e-4baa-9fd4-7adc0fc63088}]
@Denied: (Full) (Everyone)
"Model"=dword:00000143
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\oodag.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-03-11 0:26:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-10 18:56:47
ComboFix2.txt 2009-03-02 15:07:26

Pre-Run: 2,610,618,368 bytes free
Post-Run: 2,596,057,088 bytes free

352

2) GMER scan log:
Attached

Attached Files

  • Attached File  GMER.zip   247.51KB

Edited by funky_beats06, 10 March 2009 - 02:04 PM.


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 March 2009 - 02:59 PM

Hello.

Let's finish that off.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    KILLALL::
    
    File::
    c:\windows\system32\mm.exe
    c:\windows\system32\xj.exe
    c:\windows\system32\drivers\yrfurtgx.sys
    c:\windows\system32\secupdat.dat
    c:\documents and settings\LocalService\cxuoum.exe
    c:\windows\system32\ku.exe
    c:\windows\system32\xk.exe
    c:\windows\system32\44.scr
    c:\windows\system32\qs.exe
    c:\documents and settings\Faiz\Application Data\cugesyfuhy.vbs
    c:\program files\Common Files\hyfuby.com
    c:\program files\Common Files\igolup.inf
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yrfurtgx.sys]
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Updater"=c:\windows\system32\updater\explorer.exe
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\dxdiag.exe"=-
    "c:\\WINDOWS\\System32\\ku.exe"=-
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a444539-b7ac-11dd-a227-00804840618b}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa8bf502-c144-11dd-a257-00804840618b}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd8ff266-07c5-11de-a355-00804840618b}]
    
    FOLDER::
    c:\windows\system32\updater
    
    Driver::
    yrfurtgx
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and Run FlashDisinfector
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Download and run Malwarebytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing Malwarebytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
With Regards,
The Panda
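An added example (not part of this thread, ComboFix or the tools named above): a Python triage script that reads the "Reg Loading Points" format ComboFix prints, flags the persistence points the CFScript above targets (mountpoints2 autorun hijacks, a non-default SafeBoot driver, silenced Security Center alerts, firewall exceptions for system32 binaries), and drafts the Registry:: lines for the two key types that are deleted outright. The rule categories and function names are my own, and the sample input is constructed from the log earlier in the thread.

```python
"""Triage a ComboFix 'Reg Loading Points' dump and draft the CFScript Registry:: fix.

Added example for this thread; not part of ComboFix or the helper's instructions.
"""
import re

# Constructed sample: trimmed from the 'Reg Loading Points' section of the log above.
SAMPLE_REPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yrfurtgx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\System32\\ku.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a444539-b7ac-11dd-a227-00804840618b}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - system.exe
\Shell\Open\command - system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa8bf502-c144-11dd-a257-00804840618b}]
\Shell\AutoRun\command - abk.bat
\Shell\explore\Command - abk.bat
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix renders drive-letter shell verbs as "\Shell\<verb>\command - <what runs>".
SHELL_RE = re.compile(r"^\\Shell\\\w+\\command - (?P<cmd>.+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_sections(report):
    """Group the value lines under each [key] header; returns {key: [lines]}."""
    sections, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(report):
    """Return (findings, fix_lines).

    findings: (category, key, detail) tuples for a human to review.
    fix_lines: Registry:: lines in the CFScript syntax used above ([-key] deletes
    the key), drafted only for the two categories judged from the dump alone.
    """
    findings, fix = [], []
    for key, lines in parse_sections(report).items():
        low = key.lower()
        if "\\mountpoints2\\" in low:
            # Shell verbs of a drive redirected to a file on that drive: the removable-drive
            # autorun worm pattern that Flash_Disinfector's autorun.inf folder guards against.
            cmds = sorted({m.group("cmd") for m in map(SHELL_RE.match, lines) if m})
            if cmds:
                findings.append(("autorun-hijack", key, "; ".join(cmds)))
                fix.append("[-%s]" % key)
        elif "\\safeboot\\minimal\\" in low and low.endswith(".sys"):
            # ComboFix omits default SafeBoot entries, so any listed driver was added later
            # and is made to load even in Safe Mode; a random-looking name warrants removal.
            findings.append(("safeboot-driver", key, key.rsplit("\\", 1)[1]))
            fix.append("[-%s]" % key)
        elif low.endswith("\\security center"):
            # dword 1 silences the Security Center's antivirus / update warnings.
            for m in filter(None, map(VALUE_RE.match, lines)):
                if m.group("name").endswith("DisableNotify") and m.group("data").endswith("1"):
                    findings.append(("alerts-silenced", key, m.group("name")))
        elif low.endswith("\\authorizedapplications\\list"):
            # Firewall exceptions for binaries under system32 are unusual for user software;
            # reported for review, since Windows' own tools can appear here too.
            for m in filter(None, map(VALUE_RE.match, lines)):
                path = m.group("name").replace("\\\\", "\\")
                if "\\windows\\system32\\" in path.lower():
                    findings.append(("firewall-exception", key, path))
    return findings, fix


if __name__ == "__main__":
    found, fix_lines = triage(SAMPLE_REPORT)
    for category, key, detail in found:
        print("%-19s %s\n%-19s -> %s" % (category, key, "", detail))
    print("\nRegistry::")
    print("\n".join(fix_lines))
```

The Security Center and firewall findings are only reported, since deciding them needs a person, as the helper did above with the dxdiag.exe and ku.exe exceptions.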

#9 funky_beats06

funky_beats06
  • Topic Starter

  • Members
  • 51 posts

Posted 14 March 2009 - 08:42 AM

Hi Panda,
That seems to take care of it! I haven't got any popups till now. Thanks.

Note: the Malwarebytes scan says "no action taken" because I saved the log before removing the detected items :)
Here are the results:

1) ComboFix.txt:

ComboFix 09-03-06.02 - Faiz 2009-03-11 21:10:17.17 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.186 [GMT 5.5:30]
Running from: c:\documents and settings\Faiz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Faiz\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090310-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Faiz\Application Data\cugesyfuhy.vbs
c:\documents and settings\LocalService\cxuoum.exe
c:\program files\Common Files\hyfuby.com
c:\program files\Common Files\igolup.inf
c:\windows\system32\44.scr
c:\windows\system32\drivers\yrfurtgx.sys
c:\windows\system32\ku.exe
c:\windows\system32\mm.exe
c:\windows\system32\qs.exe
c:\windows\system32\secupdat.dat
c:\windows\system32\xj.exe
c:\windows\system32\xk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Faiz\Application Data\cugesyfuhy.vbs
c:\documents and settings\LocalService\cxuoum.exe
c:\program files\Common Files\hyfuby.com
c:\program files\Common Files\igolup.inf
c:\windows\system32\44.scr
c:\windows\system32\drivers\yrfurtgx.sys
c:\windows\system32\ku.exe
c:\windows\system32\mm.exe
c:\windows\system32\qs.exe
c:\windows\system32\secupdat.dat
c:\windows\system32\updater
c:\windows\system32\updater\explorer.exe
c:\windows\system32\xj.exe
c:\windows\system32\xk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YRFURTGX
-------\Service_yrfurtgx


((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-11 00:33 . 2009-03-11 00:34 253,452 --a------ C:\GMER.zip
2009-03-11 00:32 . 2009-03-11 00:32 202,323 --a------ C:\GMER.rar
2009-03-07 22:18 . 2009-03-07 22:18 16 --a------ c:\windows\QH32.INI
2009-03-07 21:30 . 2009-03-07 22:51 <DIR> d-------- c:\documents and settings\Faiz\Application Data\Hamachi
2009-03-07 20:57 . 2009-03-07 21:30 <DIR> d-------- c:\program files\Hamachi
2009-03-02 15:36 . 2009-03-02 15:36 <DIR> d-------- c:\documents and settings\Faiz\Application Data\ImTOO Software Studio
2009-02-19 12:10 . 2009-02-19 12:10 421,888 --a------ c:\windows\system32\RealMediaSplitter.ax
2009-02-13 20:38 . 2009-02-16 21:02 <DIR> d-------- c:\windows\fix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 19:35 --------- d-----w c:\documents and settings\Faiz\Application Data\DMCache
2009-03-09 14:18 --------- d-----w c:\documents and settings\Faiz\Application Data\dvdcss
2009-03-09 09:39 --------- d-----w c:\documents and settings\Faiz\Application Data\uTorrent
2009-03-08 15:51 --------- d-----w c:\documents and settings\Faiz\Application Data\HPAppData
2009-03-08 15:46 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-08 15:46 --------- d-----w c:\program files\IEPro
2009-03-07 16:00 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-02-22 08:21 32,936 ----a-w c:\documents and settings\Faiz\Application Data\GDIPFONTCACHEV1.DAT
2009-02-22 08:19 --------- d-----w c:\program files\UltraISO
2009-02-17 16:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-17 14:44 --------- d-----w c:\program files\SpywareBlaster
2009-02-17 14:30 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 11:10 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-07 07:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-05 10:59 --------- d-----w c:\program files\IrfanView
2009-01-30 10:31 409,600 ----a-w c:\windows\system32\wrap_oal.dll
2009-01-30 10:31 114,688 ----a-w c:\windows\system32\OpenAL32.dll
2009-01-30 09:10 --------- d-----w c:\program files\KigoVideoConverter
2009-01-27 08:51 --------- d-----w c:\program files\Leawo
2009-01-27 08:51 --------- d-----w c:\documents and settings\Faiz\Application Data\Leawo
2009-01-27 08:46 --------- d-----w c:\documents and settings\Faiz\Application Data\GSplit
2009-01-27 08:43 --------- d-----w c:\program files\GSplit
2009-01-26 14:51 --------- d-----w c:\program files\Rockstar Games
2009-01-26 12:41 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-24 06:57 --------- d-----w c:\documents and settings\Faiz\Application Data\HP
2009-01-24 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-01-23 18:41 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-23 18:03 --------- d-----w c:\program files\Common Files\Autodesk Shared
2009-01-22 09:13 --------- d-----w c:\documents and settings\Faiz\Application Data\Broadband
2009-01-21 14:54 --------- d-----w c:\program files\Google
2009-01-16 15:27 --------- d-----w c:\program files\Yahoo!
2009-01-16 15:26 --------- d-----w c:\program files\XMotorRacingDemo
2009-01-16 15:25 --------- d-----w c:\program files\Telltale Games
2009-01-16 14:26 --------- d-----w c:\documents and settings\Faiz\Application Data\Capcom
2009-01-16 13:50 --------- d-----w c:\program files\GameBoost
2009-01-15 08:35 --------- d-----w c:\program files\HP
2009-01-15 06:54 --------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-01-15 06:35 --------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-01-15 06:30 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-15 06:19 --------- d-----w c:\program files\Common Files\HP
2009-01-15 06:19 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-01-15 06:19 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-11 17:43 --------- d-----w c:\program files\Autodesk
2009-01-11 16:02 --------- d-----w c:\program files\MSBuild
2009-01-11 15:57 --------- d-----w c:\program files\Reference Assemblies
2007-10-17 05:50 3,346,944 ----a-w c:\program files\VersionTrackerProWindows40cn0074.msi
1994-11-19 06:26 988 ----a-w c:\documents and settings\Faiz\INSTALL.BAT
1993-03-31 21:25 35,762 ----a-w c:\documents and settings\Faiz\LHA.EXE
2008-11-20 16:41 2 --shatr c:\windows\winstart.bat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-02_20.36.06.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-22 16:30:51 884,736 ----a-w c:\windows\gmer.dll
+ 2009-03-02 15:09:02 565,311 ----a-w c:\windows\gmer.dll
- 2008-04-17 15:43:02 811,008 ----a-w c:\windows\gmer.exe
+ 2006-11-28 09:53:32 573,440 ----a-w c:\windows\gmer.exe
- 2008-11-22 16:30:51 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-03-02 15:09:02 68,961 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-03-11 15:44:48 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2d8.dat
+ 2009-03-11 15:43:42 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast! service GUI component"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-02-06 81000]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-14 185896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-29 13:09 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.NUB2"= NuB2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2009-02-06 02:38 81000 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 09:47 131072 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 c:\program files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-11-21 00:22 1805552 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 23:11 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-11-14 13:00 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 14:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 17:07 61952 c:\windows\system32\HdAShCut.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Persistence"=c:\windows\system32\igfxpers.exe
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"High Definition Audio Property Page Shortcut"=HDAShCut.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"Updater"=c:\windows\system32\updater\explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\onceuponatime\\DC++\\DCPlusPlus.exe"=
"d:\\onceuponatime\\Network Assistant\\Nassi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Documents and Settings\\Faiz\\Desktop\\exe files\\uTorrent.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_16\\jre\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"d:\\limewirehere\\LimeWire\\LimeWire.exe"=
"f:\\games\\MIDTOWN MADNESS\\midtown.exe"=
"d:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"e:\\Counter Strike\\czero.exe"=
"e:\\Counter Strike\\hlds.exe"=
"e:\\Counter Strike\\hltv.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-08 20560]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]
R3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2007-05-11 29184]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2002-10-03 31504]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2008-11-21 25773]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\g:\ntglm7x.sys --> g:\NTGLM7X.sys [?]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);c:\windows\system32\drivers\z530bus.sys [2007-10-30 58288]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;c:\windows\system32\drivers\z530mdfl.sys [2007-10-30 8336]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;c:\windows\system32\drivers\z530mdm.sys [2007-10-30 94064]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\z530mgmt.sys [2007-10-30 85408]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;c:\windows\system32\drivers\z530obex.sys [2007-10-30 83344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]

2009-01-23 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-01-22 23:47]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: Download all links with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEGetAll.htm
IE: Download FLV video content with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEGetVL.htm
IE: Download with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} - c:\program files\IEPro\iepro.dll
LSP: PrxerDrv.dll
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\Faiz\Application Data\Mozilla\Firefox\Profiles\97mxx2t5.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\documents and settings\Faiz\Application Data\Mozilla\Firefox\Profiles\97mxx2t5.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: f:\soft\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: f:\soft\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: f:\soft\DivX\DivX Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 21:16:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{97DDDEE0-D344-627D-B413-AD212C9E32EA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E926004A-D040-0207-2B3B-F738CA62248C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:fe,25,12,d3,ce,54,19,af,bd,f6,80,0d,61,a2,49,74,d4,cc,b4,2e,e3,10,94,
6d,8f,2b,59,31,8c,35,93,4c,e8,6d,2d,03,5e,b1,24,41,4a,f6,fb,32,9d,8b,e0,82,\
"??"=hex:0f,96,5a,b6,9c,27,42,72,4b,ae,2d,69,7c,1d,1c,2a

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:30,85,82,e4,23,b7,fa,ca,4b,f6,47,3c,3d,05,e7,c6,9b,bb,7e,8e,a5,
8d,cb,2d,e4,66,e6,54,f5,c8,a8,75,26,a4,27,bd,b6,77,4a,4a,9c,17,3f,f1,e2,34,\
"rkeysecu"=hex:73,dd,9e,53,78,ac,dc,d8,6c,85,70,fa,a6,34,88,84

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c3,a4,f7,b1,89,cf,ad,a2,9b,7d,d9,9a,d8,4c,7e,d6,0b,5b,5a,ec,92,
df,31,f9,bb,04,72,a5,7a,0d,92,d2,dc,83,74,ae,8c,bf,ba,1f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):54,37,7c,dd,77,93,ad,54,19,2a,6e,31,24,ea,f1,2a,80,7e,b5,75,c3,
6b,cf,38,38,f4,78,2a,bc,e3,41,20,c0,a9,d8,fa,3d,1b,3a,46,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ae2345f2-230c-4bb8-bdc8-5aef1cb41404}]
@Denied: (Full) (Everyone)
"Model"=dword:00000064
"Therad"=dword:00000013
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,84,cf,46,0a,21,fa,ec,c6,c8,e5,61,a3,cf,fa,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{b90d530c-906e-4baa-9fd4-7adc0fc63088}]
@Denied: (Full) (Everyone)
"Model"=dword:00000143
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\oodag.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-03-11 21:18:40 - machine was rebooted [Faiz]
ComboFix-quarantined-files.txt 2009-03-11 15:48:36
ComboFix2.txt 2009-03-10 18:56:53
ComboFix3.txt 2009-03-02 15:07:26

Pre-Run: 2,527,326,208 bytes free
Post-Run: 2,520,535,040 bytes free

350

2) Malwarebytes' log
Malwarebytes' Anti-Malware 1.34
Database version: 1836
Windows 5.1.2600 Service Pack 2

3/13/2009 11:11:42 AM
mbam-log-2009-03-13 (11-11-33).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 176267
Time elapsed: 20 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\sysdrv32.sys.vir (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP41\A0037932.sys (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP44\A0044780.sys (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP44\A0047186.sys (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP44\A0047234.sys (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP44\A0046246.sys (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP45\A0048369.sys (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP45\A0049350.sys (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP45\A0050347.sys (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP45\A0050353.sys (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{CD37CBAF-F4A1-40DF-8124-BDC43B0A9A6D}\RP47\A0051573.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> No action taken.

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:29 AM

Posted 14 March 2009 - 09:07 AM

Hello.

Please remove all the items that Malwarebytes found.

Then, scan again with MalwareBytes. Also run ComboFix again by clicking it.

Post back both logs please.

I want to make sure infections aren't returning.

With Regards,
The Panda

#11 funky_beats06

funky_beats06
  • Topic Starter

  • Members
  • 51 posts
  • Local time:02:29 AM

Posted 16 March 2009 - 11:54 AM

Hi,
I scanned with Malwarebytes and ComboFix.

The logs:

1) MBAM log:

Malwarebytes' Anti-Malware 1.34
Database version: 1855
Windows 5.1.2600 Service Pack 2

3/16/2009 10:16:22 PM
mbam-log-2009-03-16 (22-16-22).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 177223
Time elapsed: 17 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


2) ComboFix.txt:


ComboFix 09-03-15.01 - Faiz 2009-03-16 21:46:26.19 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.67 [GMT 5.5:30]
Running from: c:\documents and settings\Faiz\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090316-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-13 12:19 . 2009-03-13 12:19 <DIR> d-------- c:\documents and settings\Faiz\Application Data\FDRLab
2009-03-13 11:24 . 2009-03-15 22:04 1,024 --a------ C:\.rnd
2009-03-12 16:52 . 2009-03-12 16:52 701,440 --a------ c:\windows\system32\yj.exe
2009-03-11 00:33 . 2009-03-11 00:34 253,452 --a------ C:\GMER.zip
2009-03-07 22:18 . 2009-03-07 22:18 16 --a------ c:\windows\QH32.INI
2009-03-07 21:30 . 2009-03-13 11:33 <DIR> d-------- c:\documents and settings\Faiz\Application Data\Hamachi
2009-03-07 20:57 . 2009-03-07 21:30 <DIR> d-------- c:\program files\Hamachi
2009-03-02 15:36 . 2009-03-02 15:36 <DIR> d-------- c:\documents and settings\Faiz\Application Data\ImTOO Software Studio
2009-02-19 12:10 . 2009-02-19 12:10 421,888 --a------ c:\windows\system32\RealMediaSplitter.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 06:49 --------- d-----w c:\program files\FDRLab
2009-03-13 06:02 --------- d-----w c:\program files\Crayon Physics Deluxe
2009-03-10 19:35 --------- d-----w c:\documents and settings\Faiz\Application Data\DMCache
2009-03-09 14:18 --------- d-----w c:\documents and settings\Faiz\Application Data\dvdcss
2009-03-09 09:39 --------- d-----w c:\documents and settings\Faiz\Application Data\uTorrent
2009-03-08 15:51 --------- d-----w c:\documents and settings\Faiz\Application Data\HPAppData
2009-03-08 15:46 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-08 15:46 --------- d-----w c:\program files\IEPro
2009-03-07 16:00 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-02-22 08:21 32,936 ----a-w c:\documents and settings\Faiz\Application Data\GDIPFONTCACHEV1.DAT
2009-02-22 08:19 --------- d-----w c:\program files\UltraISO
2009-02-17 16:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-17 14:44 --------- d-----w c:\program files\SpywareBlaster
2009-02-17 14:30 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 11:10 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-07 07:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-05 10:59 --------- d-----w c:\program files\IrfanView
2009-01-30 10:31 409,600 ----a-w c:\windows\system32\wrap_oal.dll
2009-01-30 10:31 114,688 ----a-w c:\windows\system32\OpenAL32.dll
2009-01-30 09:10 --------- d-----w c:\program files\KigoVideoConverter
2009-01-27 08:51 --------- d-----w c:\program files\Leawo
2009-01-27 08:51 --------- d-----w c:\documents and settings\Faiz\Application Data\Leawo
2009-01-27 08:46 --------- d-----w c:\documents and settings\Faiz\Application Data\GSplit
2009-01-27 08:43 --------- d-----w c:\program files\GSplit
2009-01-26 14:51 --------- d-----w c:\program files\Rockstar Games
2009-01-26 12:41 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-24 06:57 --------- d-----w c:\documents and settings\Faiz\Application Data\HP
2009-01-24 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-01-23 18:41 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-23 18:03 --------- d-----w c:\program files\Common Files\Autodesk Shared
2009-01-22 09:13 --------- d-----w c:\documents and settings\Faiz\Application Data\Broadband
2009-01-21 14:54 --------- d-----w c:\program files\Google
2009-01-16 15:27 --------- d-----w c:\program files\Yahoo!
2009-01-16 15:26 --------- d-----w c:\program files\XMotorRacingDemo
2009-01-16 15:25 --------- d-----w c:\program files\Telltale Games
2009-01-16 14:26 --------- d-----w c:\documents and settings\Faiz\Application Data\Capcom
2009-01-16 13:50 --------- d-----w c:\program files\GameBoost
2007-10-17 05:50 3,346,944 ----a-w c:\program files\VersionTrackerProWindows40cn0074.msi
1994-11-19 06:26 988 ----a-w c:\documents and settings\Faiz\INSTALL.BAT
1993-03-31 21:25 35,762 ----a-w c:\documents and settings\Faiz\LHA.EXE
2008-11-20 16:41 2 --shatr c:\windows\winstart.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast! service GUI component"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-02-06 81000]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 4670968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-14 185896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-29 13:09 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.NUB2"= NuB2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2009-02-06 02:38 81000 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 09:47 131072 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 c:\program files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-11-21 00:22 1805552 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 23:11 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-11-14 13:00 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 14:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 17:07 61952 c:\windows\system32\HdAShCut.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Persistence"=c:\windows\system32\igfxpers.exe
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"High Definition Audio Property Page Shortcut"=HDAShCut.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\onceuponatime\\DC++\\DCPlusPlus.exe"=
"d:\\onceuponatime\\Network Assistant\\Nassi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Documents and Settings\\Faiz\\Desktop\\exe files\\uTorrent.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_16\\jre\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"d:\\limewirehere\\LimeWire\\LimeWire.exe"=
"f:\\games\\MIDTOWN MADNESS\\midtown.exe"=
"d:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"e:\\Counter Strike\\czero.exe"=
"e:\\Counter Strike\\hlds.exe"=
"e:\\Counter Strike\\hltv.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\WINDOWS\\System32\\yj.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-08 20560]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]
R3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2007-05-11 29184]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2002-10-03 31504]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2008-11-21 25773]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\g:\ntglm7x.sys --> g:\NTGLM7X.sys [?]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);c:\windows\system32\drivers\z530bus.sys [2007-10-30 58288]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;c:\windows\system32\drivers\z530mdfl.sys [2007-10-30 8336]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;c:\windows\system32\drivers\z530mdm.sys [2007-10-30 94064]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\z530mgmt.sys [2007-10-30 85408]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;c:\windows\system32\drivers\z530obex.sys [2007-10-30 83344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]

2009-01-23 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-01-22 23:47]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: Download all links with IDM
IE: Download FLV video content with IDM
IE: Download with IDM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} -
LSP: PrxerDrv.dll
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\Faiz\Application Data\Mozilla\Firefox\Profiles\97mxx2t5.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\documents and settings\Faiz\Application Data\Mozilla\Firefox\Profiles\97mxx2t5.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: f:\soft\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: f:\soft\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: f:\soft\DivX\DivX Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 21:48:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{97DDDEE0-D344-627D-B413-AD212C9E32EA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E926004A-D040-0207-2B3B-F738CA62248C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:fe,25,12,d3,ce,54,19,af,bd,f6,80,0d,61,a2,49,74,d4,cc,b4,2e,e3,10,94,
6d,8f,2b,59,31,8c,35,93,4c,e8,6d,2d,03,5e,b1,24,41,4a,f6,fb,32,9d,8b,e0,82,\
"??"=hex:0f,96,5a,b6,9c,27,42,72,4b,ae,2d,69,7c,1d,1c,2a

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:30,85,82,e4,23,b7,fa,ca,4b,f6,47,3c,3d,05,e7,c6,9b,bb,7e,8e,a5,
8d,cb,2d,e4,66,e6,54,f5,c8,a8,75,26,a4,27,bd,b6,77,4a,4a,9c,17,3f,f1,e2,34,\
"rkeysecu"=hex:73,dd,9e,53,78,ac,dc,d8,6c,85,70,fa,a6,34,88,84

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c3,a4,f7,b1,89,cf,ad,a2,9b,7d,d9,9a,d8,4c,7e,d6,0b,5b,5a,ec,92,
df,31,f9,bb,04,72,a5,7a,0d,92,d2,dc,83,74,ae,8c,bf,ba,1f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):54,37,7c,dd,77,93,ad,54,19,2a,6e,31,24,ea,f1,2a,80,7e,b5,75,c3,
6b,cf,38,38,f4,78,2a,bc,e3,41,20,c0,a9,d8,fa,3d,1b,3a,46,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ae2345f2-230c-4bb8-bdc8-5aef1cb41404}]
@Denied: (Full) (Everyone)
"Model"=dword:00000064
"Therad"=dword:00000013
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,84,cf,46,0a,21,fa,ec,c6,c8,e5,61,a3,cf,fa,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{b90d530c-906e-4baa-9fd4-7adc0fc63088}]
@Denied: (Full) (Everyone)
"Model"=dword:00000143
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll
.
Completion time: 2009-03-16 21:49:44
ComboFix-quarantined-files.txt 2009-03-16 16:19:42
ComboFix2.txt 2009-03-11 15:48:42
ComboFix3.txt 2009-03-10 18:56:53
ComboFix4.txt 2009-03-02 15:07:26

Pre-Run: 2,501,976,064 bytes free
Post-Run: 2,487,185,408 bytes free


#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:29 AM

Posted 17 March 2009 - 08:27 AM

Hello.

Please run this script with ComboFix.
KILLALL::

File::
c:\windows\system32\yj.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Java\\jdk1.5.0_16\\jre\\bin\\java.exe"=-
"c:\\WINDOWS\\System32\\yj.exe"=-

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

With Regards,
The Panda
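A small triage helper for the log entries the script above acts on, added here as an example and not part of the thread or of ComboFix itself. It reads the REGEDIT4-style registry section of a ComboFix log, flags firewall exceptions for unknown executables sitting in the Windows directory (as yj.exe does) and any Security Center *DisableNotify value that silences the "antivirus off" warning, and renders the findings as the `Registry::` / `=-` stanza ComboFix's CFScript uses; the key names come from the script above, while the sample log excerpt and the allowlist of Windows binaries are constructed.

```python
import re
from dataclasses import dataclass

# Registry keys as they appear in the CFScript above.
FIREWALL_KEY = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                r"\standardprofile\AuthorizedApplications\List]")
SECURITY_CENTER_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"

# Constructed allowlist: Windows components that legitimately hold firewall exceptions.
KNOWN_WINDOWS_EXES = {"dpnsvr.exe", "dpvsetup.exe", "sessmgr.exe"}

# Constructed excerpt in ComboFix's log format (paths are shown with doubled backslashes).
SAMPLE_LOG = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\WINDOWS\\System32\\yj.exe"=
'''


@dataclass
class Finding:
    key: str      # registry key, cased as ComboFix expects it in a CFScript
    value: str    # value name exactly as printed in the log
    reason: str


_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
_DWORD_RE = re.compile(r'^dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_sections(log_text):
    """Split the registry part of a ComboFix log into {lowercased key: [value lines]}."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line.lower()
            sections.setdefault(current, [])
        elif current is not None and line.startswith('"'):
            sections[current].append(line)
    return sections


def triage(log_text):
    """Return the entries a malware-removal helper would look at first."""
    sections = parse_sections(log_text)
    findings = []
    for line in sections.get(FIREWALL_KEY.lower(), []):
        m = _VALUE_RE.match(line)
        if not m:
            continue
        raw_path = m.group("name")
        parts = raw_path.replace("\\\\", "\\").lower().split("\\")
        name, parent = parts[-1], "\\".join(parts[:-1])
        in_windows_dir = parent.endswith(("\\windows", "\\windows\\system32"))
        if in_windows_dir and name not in KNOWN_WINDOWS_EXES:
            findings.append(Finding(FIREWALL_KEY, raw_path,
                                    "unknown executable in the Windows directory has a firewall exception"))
    for line in sections.get(SECURITY_CENTER_KEY.lower(), []):
        m = _VALUE_RE.match(line)
        d = _DWORD_RE.match(m.group("data")) if m else None
        if d and m.group("name").lower().endswith("disablenotify") and int(d.group("hex"), 16) != 0:
            findings.append(Finding(SECURITY_CENTER_KEY, m.group("name"),
                                    "Security Center notification suppressed"))
    return findings


def to_cfscript(findings):
    """Render findings as a CFScript Registry:: stanza; "=-" tells ComboFix to delete the value."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f.value)
    lines = ["Registry::"]
    for key, values in by_key.items():
        lines.append(key)
        lines.extend('"%s"=-' % v for v in values)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-60s %s" % (f.value, f.reason))
    print(to_cfscript(triage(SAMPLE_LOG)))
```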

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:29 AM

Posted 24 March 2009 - 04:34 PM

Note to keep topic open.

#14 funky_beats06

funky_beats06
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:02:29 AM

Posted 26 March 2009 - 02:18 PM

Hi Panda, I tried doing as you said but I could not scan with Kaspersky Online Scanner. I've already updated the database. Don't know why it gets stuck and the "Accept" button seems disabled.

Here's the ComboFix log:

ComboFix 09-03-23.01 - Faiz 2009-03-25 21:48:53.21 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.166 [GMT 5.5:30]
Running from: c:\documents and settings\Faiz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Faiz\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090324-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\yj.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WMISYS


((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-24 00:05 . 2009-03-24 00:05 <DIR> d-------- c:\program files\Your Freedom
2009-03-13 12:19 . 2009-03-13 12:19 <DIR> d-------- c:\documents and settings\Faiz\Application Data\FDRLab
2009-03-13 11:24 . 2009-03-15 22:04 1,024 --a------ C:\.rnd
2009-03-11 00:33 . 2009-03-11 00:34 253,452 --a------ C:\GMER.zip
2009-03-07 22:18 . 2009-03-07 22:18 16 --a------ c:\windows\QH32.INI
2009-03-07 21:30 . 2009-03-25 21:38 <DIR> d-------- c:\documents and settings\Faiz\Application Data\Hamachi
2009-03-07 20:57 . 2009-03-07 21:30 <DIR> d-------- c:\program files\Hamachi
2009-03-02 15:36 . 2009-03-02 15:36 <DIR> d-------- c:\documents and settings\Faiz\Application Data\ImTOO Software Studio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 19:09 --------- d-----w c:\documents and settings\Faiz\Application Data\DMCache
2009-03-23 13:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-13 06:49 --------- d-----w c:\program files\FDRLab
2009-03-13 06:02 --------- d-----w c:\program files\Crayon Physics Deluxe
2009-03-09 14:18 --------- d-----w c:\documents and settings\Faiz\Application Data\dvdcss
2009-03-09 09:39 --------- d-----w c:\documents and settings\Faiz\Application Data\uTorrent
2009-03-08 15:51 --------- d-----w c:\documents and settings\Faiz\Application Data\HPAppData
2009-03-08 15:46 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-08 15:46 --------- d-----w c:\program files\IEPro
2009-03-07 16:00 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-02-22 08:21 32,936 ----a-w c:\documents and settings\Faiz\Application Data\GDIPFONTCACHEV1.DAT
2009-02-22 08:19 --------- d-----w c:\program files\UltraISO
2009-02-17 14:44 --------- d-----w c:\program files\SpywareBlaster
2009-02-17 14:30 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 11:10 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-07 07:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-05 10:59 --------- d-----w c:\program files\IrfanView
2009-01-30 09:10 --------- d-----w c:\program files\KigoVideoConverter
2009-01-27 08:51 --------- d-----w c:\program files\Leawo
2009-01-27 08:51 --------- d-----w c:\documents and settings\Faiz\Application Data\Leawo
2009-01-27 08:46 --------- d-----w c:\documents and settings\Faiz\Application Data\GSplit
2009-01-27 08:43 --------- d-----w c:\program files\GSplit
2009-01-26 12:41 --------- d--h--w c:\program files\InstallShield Installation Information
2007-10-17 05:50 3,346,944 ----a-w c:\program files\VersionTrackerProWindows40cn0074.msi
1994-11-19 06:26 988 ----a-w c:\documents and settings\Faiz\INSTALL.BAT
1993-03-31 21:25 35,762 ----a-w c:\documents and settings\Faiz\LHA.EXE
2008-11-20 16:41 2 --shatr c:\windows\winstart.bat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-16_21.48.29.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-13 09:14:57 10,698 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
+ 2009-03-13 09:14:57 10,698 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat.bak
+ 2009-03-25 16:23:40 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_210.dat
+ 2009-03-25 16:22:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast! service GUI component"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-02-06 81000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-14 185896]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-06-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-29 13:09 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 22:34 24576 c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.NUB2"= NuB2.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2009-02-06 02:38 81000 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-01-13 09:47 163840 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-01-13 09:47 131072 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 c:\program files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-11-21 00:22 1805552 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 23:11 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-11-14 13:00 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 14:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 17:07 61952 c:\windows\system32\HdAShCut.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Persistence"=c:\windows\system32\igfxpers.exe
"googletalk"=c:\program files\Google\Google Talk\googletalk.exe /autostart
"High Definition Audio Property Page Shortcut"=HDAShCut.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\onceuponatime\\DC++\\DCPlusPlus.exe"=
"d:\\onceuponatime\\Network Assistant\\Nassi.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Documents and Settings\\Faiz\\Desktop\\exe files\\uTorrent.exe"=
"c:\\Program Files\\IEPro\\MiniDM.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"d:\\limewirehere\\LimeWire\\LimeWire.exe"=
"f:\\games\\MIDTOWN MADNESS\\midtown.exe"=
"d:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"e:\\Counter Strike\\czero.exe"=
"e:\\Counter Strike\\hlds.exe"=
"e:\\Counter Strike\\hltv.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-08 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-08 20560]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]
R3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2007-05-11 29184]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2002-10-03 31504]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2008-11-21 25773]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\g:\ntglm7x.sys --> g:\NTGLM7X.sys [?]
S3 z530bus;Sony Ericsson Z530 Driver driver (WDM);c:\windows\system32\drivers\z530bus.sys [2007-10-30 58288]
S3 z530mdfl;Sony Ericsson Z530 USB WMC Modem Filter;c:\windows\system32\drivers\z530mdfl.sys [2007-10-30 8336]
S3 z530mdm;Sony Ericsson Z530 USB WMC Modem Driver;c:\windows\system32\drivers\z530mdm.sys [2007-10-30 94064]
S3 z530mgmt;Sony Ericsson Z530 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\z530mgmt.sys [2007-10-30 85408]
S3 z530obex;Sony Ericsson Z530 USB WMC OBEX Interface;c:\windows\system32\drivers\z530obex.sys [2007-10-30 83344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 15:17]

2009-01-23 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-01-22 23:47]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: Download all links with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEGetAll.htm
IE: Download FLV video content with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEGetVL.htm
IE: Download with IDM - c:\documents and settings\Faiz\Desktop\Exe Files\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{000002a3-84fe-43f1-b958-f2c3ca804f1a} - {CD275D4E-791A-4993-9D4D-6A071EDD2709} -
LSP: PrxerDrv.dll
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\Faiz\Application Data\Mozilla\Firefox\Profiles\97mxx2t5.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\documents and settings\Faiz\Application Data\Mozilla\Firefox\Profiles\97mxx2t5.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: f:\soft\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: f:\soft\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: f:\soft\DivX\DivX Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 21:55:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk23]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk23.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{97DDDEE0-D344-627D-B413-AD212C9E32EA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E926004A-D040-0207-2B3B-F738CA62248C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:fe,25,12,d3,ce,54,19,af,bd,f6,80,0d,61,a2,49,74,d4,cc,b4,2e,e3,10,94,
6d,8f,2b,59,31,8c,35,93,4c,e8,6d,2d,03,5e,b1,24,41,4a,f6,fb,32,9d,8b,e0,82,\
"??"=hex:0f,96,5a,b6,9c,27,42,72,4b,ae,2d,69,7c,1d,1c,2a

[HKEY_USERS\S-1-5-21-1275210071-1450960922-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:30,85,82,e4,23,b7,fa,ca,4b,f6,47,3c,3d,05,e7,c6,9b,bb,7e,8e,a5,
8d,cb,2d,e4,66,e6,54,f5,c8,a8,75,26,a4,27,bd,b6,77,4a,4a,9c,17,3f,f1,e2,34,\
"rkeysecu"=hex:73,dd,9e,53,78,ac,dc,d8,6c,85,70,fa,a6,34,88,84

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c3,a4,f7,b1,89,cf,ad,a2,9b,7d,d9,9a,d8,4c,7e,d6,0b,5b,5a,ec,92,
df,31,f9,bb,04,72,a5,7a,0d,92,d2,dc,83,74,ae,8c,bf,ba,1f,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):54,37,7c,dd,77,93,ad,54,19,2a,6e,31,24,ea,f1,2a,80,7e,b5,75,c3,
6b,cf,38,38,f4,78,2a,bc,e3,41,20,c0,a9,d8,fa,3d,1b,3a,46,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ae2345f2-230c-4bb8-bdc8-5aef1cb41404}]
@Denied: (Full) (Everyone)
"Model"=dword:00000064
"Therad"=dword:00000013
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,84,cf,46,0a,21,fa,ec,c6,c8,e5,61,a3,cf,fa,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{b90d530c-906e-4baa-9fd4-7adc0fc63088}]
@Denied: (Full) (Everyone)
"Model"=dword:00000143
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\oodag.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-03-25 21:57:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-25 16:27:31
ComboFix2.txt 2009-03-18 15:29:53
ComboFix3.txt 2009-03-16 16:19:45
ComboFix4.txt 2009-03-11 15:48:42
ComboFix5.txt 2009-03-25 16:18:10

Pre-Run: 1,751,437,312 bytes free
Post-Run: 1,799,585,792 bytes free


#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:29 AM

Posted 26 March 2009 - 02:26 PM

Hello.

Looks better.

Let's update Windows first.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Take a new DDS log after please.

With Regards,
The Panda



