
Spyware Protector 2009


  • This topic is locked
16 replies to this topic

#1 Source2007

Source2007

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 20 February 2009 - 04:25 PM

I was infected so I ran the Windows Malicious Software Removal Tool. Now Spyware Protector doesn't pop up but I cannot access the internet (I am accessing the internet from my laptop and can transfer downloaded files through a USB drive), many applications won't open, and I can only boot my PC through safe mode. Here is the DDS log:


DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by Administrator at 13:10:37.76 on Fri 02/20/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.751 [GMT -8:00]

FW: ZoneAlarm Pro Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Shell=Explorer.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BHO: {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [viwc] c:\windows\system32\viwc.exe
uRun: [LClock] c:\program files\lclock\LClock.exe
uRun: [Vista Sidebar] c:\program files\vista sidebar\sidebar.exe
uRun: [ViStart] c:\program files\vistart\ViStart.exe
uRun: [ViOrb] c:\program files\viorb\ViOrb.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "c:\program files\norton ghost\agent\GhostTray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {27527D31-447B-11D5-A46E-0001023B4289} - hxxp://gamingzone.ubisoft.com/dev/packages/GSManager.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/livetv.ocx
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: c00BF0A - c00BF0A.mat
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: vwhazz.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-7 353680]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 CEDRIVER52;CEDRIVER52;\??\c:\program files\cheat engine\dbk32.sys --> c:\program files\cheat engine\dbk32.sys [?]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\abhinandan\games\maplestory\new folder\uce\disk_1024.sys --> c:\abhinandan\games\maplestory\new folder\uce\disk_1024.sys [?]
S3 Dua1;Dua1;\??\c:\abhinandan\games\maplestory\rev838\dualengi.sys --> c:\abhinandan\games\maplestory\rev838\DualEngi.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-12 33752]
S3 GGK;GGK;\??\c:\abhinandan\games\maplestory\ggk.sys --> c:\abhinandan\games\maplestory\ggk.sys [?]
S3 kaspersky1;kaspersky1;\??\c:\ms\kaspersky.sys --> c:\ms\kaspersky.sys [?]
S3 KIKIDRIVER;KIKIDRIVER;\??\c:\documents and settings\me\my documents\trickster\trickster hack\uce\kiki.sys --> c:\documents and settings\me\my documents\trickster\trickster hack\uce\kiki.sys [?]
S3 Networktemple01;Networktemple01;\??\c:\abhinandan\games\maplestory\uce\networktemple.sys --> c:\abhinandan\games\maplestory\uce\Networktemple.sys [?]
S3 NUBBER;NUBBER;\??\c:\abhinandan\games\maplestory\uce2\nubbk32.sys --> c:\abhinandan\games\maplestory\uce2\nubbk32.sys [?]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-5 822424]
S3 zenx1;zenx1;\??\c:\abhinandan\games\maplestory\zenx.sys --> c:\abhinandan\games\maplestory\zenx.sys [?]

=============== Created Last 30 ================

2009-02-19 22:00 10,240 a------- c:\windows\system32\iehelper.dll
2009-02-19 21:59 <DIR> --dsh--- c:\windows\system32\twain32
2009-02-19 21:59 364,044 a------- c:\windows\system32\wpv791235086889.cpx
2009-02-19 21:59 21,505 a---h--- c:\windows\system32\digeste.dll
2009-02-19 20:18 172,032 a------- c:\windows\system32\igfxres.dll
2009-02-19 17:39 <DIR> --d----- C:\rs_manager
2009-02-10 19:21 57,344 a------- c:\windows\system32\ff_vfw.dll
2009-02-10 19:21 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-02-10 19:21 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-02-08 19:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-02-08 19:00 <DIR> --d----- c:\program files\Bonjour
2009-02-07 19:38 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-02-07 10:41 <DIR> --d----- c:\program files\Codemasters
2009-01-31 22:07 <DIR> --d----- c:\program files\Apophysis 2.0
2009-01-25 10:27 <DIR> --d----- C:\divx
2009-01-24 21:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-01-24 20:37 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-01-24 20:37 <DIR> --d----- c:\program files\VSO
2009-01-24 15:55 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-02-20 13:08 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-16 23:46 2,855 a------- c:\windows\pif\Setup.PIF
2009-01-04 15:36 163,815 a------- c:\windows\Video Cleaner Pro Uninstaller.exe
2009-01-04 15:30 162,893 a------- c:\windows\Animated GIF Converter and Booster Pack Uninstaller.exe
2008-12-28 14:48 2,330,643 a------- c:\windows\system32\x264vfw.dll
2008-12-27 17:31 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 09:27 3,067,392 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 03:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-12-10 16:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 16:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 19:00 81,984 a------- c:\windows\system32\bdod.bin
2008-12-08 18:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 18:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 18:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 18:28 57,344 a------- c:\windows\system32\dpv11.dll
2004-08-04 02:00 94,784 ---sh--- c:\windows\twain.dll
2004-08-04 02:00 50,688 ---sh--- c:\windows\twain_32.dll
2007-06-24 12:15 88 -c-shr-- c:\windows\system32\B5030D566D.sys
2007-06-24 12:15 3,350 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2004-08-04 02:00 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2004-08-04 02:00 54,784 ---sh--- c:\windows\system32\msvcirt.dll
2004-08-04 02:00 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2004-08-04 02:00 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2007-12-04 10:38 550,912 ---sh--- c:\windows\system32\oleaut32.dll
2004-08-04 02:00 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 13:11:52.89 ===============

Thanks in advance to whoever helps.


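The DDS report above shows the four classic Windows XP logon persistence points carrying injected entries (an extra Userinit executable, a non-empty AppInit_DLLs, a Winlogon Notify package that is not a DLL, and a fifth SecurityProviders entry). The following triage script is an added example, not part of the thread or of the DDS tool: it parses those report lines and flags what deviates from a clean XP install. The sample lines are copied from the report; the clean-install defaults (a single userinit.exe, an empty AppInit_DLLs, the four Microsoft SecurityProviders) are assumptions encoded in the constants.

```python
import re
from typing import Callable, List, Tuple

# Assumed clean Windows XP defaults for the keys checked below.
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: a subset of the 'Pseudo HJT Report' lines from the post above.
SAMPLE_REPORT = r"""
mWinlogon: Shell=Explorer.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
Notify: c00BF0A - c00BF0A.mat
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: vwhazz.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
"""

Finding = Tuple[str, str]  # (registry location, offending value)


def _split_list(value: str) -> List[str]:
    """Split a comma-separated registry value, dropping the trailing empty item."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def check_userinit(value: str) -> List[Finding]:
    # Everything listed in Userinit runs at every logon; only userinit.exe belongs there.
    return [("Userinit", item) for item in _split_list(value) if item != DEFAULT_USERINIT]


def check_appinit(value: str) -> List[Finding]:
    # AppInit_DLLs is empty on a clean box; any DLL here is loaded into every user32 process.
    return [("AppInit_DLLs", item) for item in _split_list(value)]


def check_notify(name: str, module: str) -> List[Finding]:
    # Winlogon Notify packages are DLLs; another extension (.mat here) hides a DLL under a false name.
    if not module.lower().endswith(".dll"):
        return [("Notify", f"{name} -> {module}")]
    return []


def check_security_providers(value: str) -> List[Finding]:
    # Extra providers are loaded by every process that initialises security packages.
    extra = [p for p in _split_list(value) if p not in DEFAULT_SECURITY_PROVIDERS]
    return [("SecurityProviders", p) for p in extra]


# Each DDS line shape is mapped to the check that knows its clean value.
LINE_CHECKS: List[Tuple[re.Pattern, Callable[[re.Match], List[Finding]]]] = [
    (re.compile(r"^mWinlogon: Userinit=(.*)$", re.I), lambda m: check_userinit(m.group(1))),
    (re.compile(r"^AppInit_DLLs: (.*)$", re.I), lambda m: check_appinit(m.group(1))),
    (re.compile(r"^Notify: (\S+) - (\S+)$", re.I), lambda m: check_notify(m.group(1), m.group(2))),
    (re.compile(r"^SecurityProviders: (.*)$", re.I), lambda m: check_security_providers(m.group(1))),
]


def triage(report: str) -> List[Finding]:
    """Return the persistence entries in a DDS report that deviate from the defaults."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        for pattern, handler in LINE_CHECKS:
            match = pattern.match(line)
            if match:
                findings.extend(handler(match))
                break  # one line belongs to exactly one check
    return findings


if __name__ == "__main__":
    for location, value in triage(SAMPLE_REPORT):
        print(f"{location}: {value}")
```

Run against the sample, the script lists twex.exe, c00BF0A.mat, vwhazz.dll and digeste.dll, which are exactly the items ComboFix later removes in the log posted below.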


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:58 AM

Posted 20 February 2009 - 04:40 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 Source2007

Source2007
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 20 February 2009 - 04:47 PM

I downloaded combofix but when I run it, nothing happens. I don't see any prompts and no windows pop up.

Btw I am running it in safe mode, because Windows doesn't show up in normal mode (just a black screen).

Edited by Source2007, 20 February 2009 - 04:48 PM.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:58 AM

Posted 20 February 2009 - 04:48 PM

Hello.

Please rename ComboFix.exe to ComboFix123.exe and try again.

EDIT: If ComboFix runs, and reboots the machine, make sure you allow it to boot into Normal Mode, even if it will crash.

With Regards,
The Panda

Edited by PropagandaPanda, 20 February 2009 - 04:49 PM.


#5 Source2007

Source2007
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 20 February 2009 - 04:58 PM

It seemed ComboFix found some rootkits and rebooted. Unfortunately I didn't see your edit in time and got to the user screen in safe mode. I rebooted again though in normal mode and now I can access my account in normal mode. The ComboFix blue command prompt opened but it doesn't say anything in it. What should I do?

EDIT: sorry about that, I guess I didn't wait long enough. ComboFix is running now.

Edited by Source2007, 20 February 2009 - 05:00 PM.


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:58 AM

Posted 20 February 2009 - 05:13 PM

Hello.

Please let ComboFix finish. When it does, a logfile should open. Include that in your next reply.

The logfile should be located at
C:\ComboFix.txt

Follow up by running GMER.

With Regards,
The Panda

Edited by PropagandaPanda, 20 February 2009 - 05:15 PM.


#7 Source2007

Source2007
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 20 February 2009 - 05:37 PM

Okay, sorry for the delay; GMER took a while to run. Here is the ComboFix log:

ComboFix 09-02-19.01 - Me 2009-02-20 13:59:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.668 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix123.exe
FW: ZoneAlarm Pro Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\PRE45
c:\temp\PRE45\pG8.log
c:\windows\dat.txt
c:\windows\IE4 Error Log.txt
c:\windows\search_res.txt
c:\windows\system32\AX5
c:\windows\system32\db
c:\windows\system32\digeste.dll
c:\windows\system32\drivers\UACdksrridw.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\inst.dat
c:\windows\system32\svm
c:\windows\system32\sX3i19
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\twex.exe
c:\windows\system32\u2
c:\windows\system32\UACatrpyvjo.dll
c:\windows\system32\UACavxbwxux.log
c:\windows\system32\UACkmuyyviq.log
c:\windows\system32\UACllotfuml.dll
c:\windows\system32\UACwbkwbarg.dat
c:\windows\system32\UACwcekdvjt.log
c:\windows\system32\UACwiqvmyxo.dll
c:\windows\system32\UACxspwsftl.dll
c:\windows\system32\wpv791235086889.cpx
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.

2009-02-20 13:08 . 2009-02-20 13:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2009-02-19 22:00 . 2009-02-20 11:07 5,541 --a------ c:\windows\system32\uacinit.dll
2009-02-19 20:18 . 2007-01-13 09:45 172,032 --a------ c:\windows\system32\igfxres.dll
2009-02-19 17:39 . 2008-01-21 18:33 <DIR> d-------- C:\rs_manager
2009-02-12 18:42 . 2009-02-12 18:42 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-12 18:38 . 2009-02-12 18:38 <DIR> d-------- c:\program files\NOS
2009-02-12 18:38 . 2009-02-12 18:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-10 19:21 . 2009-02-10 19:22 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-02-10 19:21 . 2008-12-08 03:53 57,344 --a------ c:\windows\system32\ff_vfw.dll
2009-02-10 19:21 . 2007-07-10 08:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-02-08 19:32 . 2009-02-08 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-02-08 19:00 . 2009-02-08 19:00 <DIR> d-------- c:\program files\Bonjour
2009-02-07 21:19 . 2009-02-08 19:24 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-07 19:56 . 2009-02-07 20:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-07 19:38 . 2009-02-07 19:38 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-02-07 10:41 . 2009-02-07 10:41 <DIR> d-------- c:\program files\Codemasters
2009-01-31 22:07 . 2009-02-10 17:18 <DIR> d-------- c:\program files\Apophysis 2.0
2009-01-25 10:27 . 2009-01-25 10:27 <DIR> d-------- C:\divx
2009-01-24 21:27 . 2009-01-24 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2009-01-24 20:37 . 2009-01-25 19:26 <DIR> d-------- c:\program files\VSO
2009-01-24 20:37 . 2009-01-24 20:37 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-01-24 15:55 . 2009-01-24 15:55 <DIR> d-------- c:\program files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 19:09 3,470,336 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-02-13 02:51 --------- d-----w c:\program files\Common Files\Adobe
2009-02-08 23:54 --------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 1
2009-01-31 21:48 --------- d-----w c:\program files\Vuze
2009-01-26 23:19 2,741,284 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-01-25 18:01 --------- d-----w c:\program files\DivX
2009-01-22 03:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-22 03:49 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-16 01:57 --------- d-----w c:\program files\Lavasoft
2009-01-16 01:50 133,109 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_50_05_small.dmp.zip
2009-01-16 01:49 126,438 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_38_43_small.dmp.zip
2009-01-16 01:38 20,228,963 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_37_28_full.dmp.zip
2009-01-16 01:36 132,285 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_36_17_small.dmp.zip
2009-01-16 01:35 133,323 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_35_00_small.dmp.zip
2009-01-16 01:33 131,686 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_33_47_small.dmp.zip
2009-01-16 01:32 138,790 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_32_31_small.dmp.zip
2009-01-16 01:31 132,964 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_31_22_small.dmp.zip
2009-01-16 01:30 133,907 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_30_05_small.dmp.zip
2009-01-16 01:29 131,553 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_28_57_small.dmp.zip
2009-01-16 01:19 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-01-05 23:20 --------- d-----w c:\program files\Common Files\River Past
2009-01-04 23:50 --------- d-----w c:\program files\Common Files\Download Manager
2009-01-04 23:36 163,815 ----a-w c:\windows\Video Cleaner Pro Uninstaller.exe
2009-01-04 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\River Past G5
2009-01-04 23:30 162,893 ----a-w c:\windows\Animated GIF Converter and Booster Pack Uninstaller.exe
2009-01-02 18:37 --------- d-----w c:\program files\Google
2009-01-01 19:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 19:53 --------- d-----w c:\program files\Dell
2008-12-27 20:38 --------- d-----w c:\program files\Intel
2008-12-27 19:59 --------- d-----w c:\program files\SystemRequirementsLab
2007-12-04 03:04 103 ----a-w c:\documents and settings\Abhishek\Application Data\scvhost.exe.bat
2004-08-04 10:00 94,784 --sh--w c:\windows\twain.dll
2004-08-04 10:00 50,688 --sh--w c:\windows\twain_32.dll
2007-06-24 20:15 88 -csh--r c:\windows\system32\B5030D566D.sys
2007-06-24 20:15 3,350 -csha-w c:\windows\system32\KGyGaAvL.sys
2004-08-04 10:00 1,028,096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 10:00 54,784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 10:00 413,696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-04 10:00 343,040 --sh--w c:\windows\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 10:00 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2008-08-10 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vwhazz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 01:39 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 00:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-08 15:21 133104 c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-07-05 15:21 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:localhost

S3 CEDRIVER52;CEDRIVER52;\??\c:\program files\Cheat Engine\dbk32.sys --> c:\program files\Cheat Engine\dbk32.sys [?]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\abhinandan\Games\maplestory\New Folder\UCE\disk_1024.sys --> c:\abhinandan\Games\maplestory\New Folder\UCE\disk_1024.sys [?]
S3 Dua1;Dua1;\??\c:\abhinandan\Games\maplestory\rev838\DualEngi.sys --> c:\abhinandan\Games\maplestory\rev838\DualEngi.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-12 33752]
S3 GGK;GGK;\??\c:\abhinandan\Games\maplestory\ggk.sys --> c:\abhinandan\Games\maplestory\ggk.sys [?]
S3 kaspersky1;kaspersky1;\??\c:\ms\kaspersky.sys --> c:\ms\kaspersky.sys [?]
S3 KIKIDRIVER;KIKIDRIVER;\??\c:\documents and settings\Me\My Documents\Trickster\Trickster Hack\UCE\kiki.sys --> c:\documents and settings\Me\My Documents\Trickster\Trickster Hack\UCE\kiki.sys [?]
S3 Networktemple01;Networktemple01;\??\c:\abhinandan\Games\maplestory\UCE\Networktemple.sys --> c:\abhinandan\Games\maplestory\UCE\Networktemple.sys [?]
S3 NUBBER;NUBBER;\??\c:\abhinandan\Games\maplestory\UCE2\nubbk32.sys --> c:\abhinandan\Games\maplestory\UCE2\nubbk32.sys [?]
S3 zenx1;zenx1;\??\c:\abhinandan\Games\maplestory\zenx.sys --> c:\abhinandan\Games\maplestory\zenx.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7f911a5-cef5-11dd-89c5-00038a000015}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2515548537-2599581172-2936092582-1006.job
- c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 15:21]

2006-12-03 c:\windows\Tasks\HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1156293579.job
- c:\program files\Hewlett-Packard\AiO\Shared\bin\hpqfrucl.exe [2003-06-25 00:10]

2009-02-20 c:\windows\Tasks\xavhahba.job
- c:\windows\system32\wvUlmlKB.dll []
.
- - - - ORPHANS REMOVED - - - -

BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll
WebBrowser-{5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
Notify-c00BF0A - c00BF0A.mat
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-LClock - c:\program files\LClock\LClock.exe
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
MSConfigStartUp-ViOrb - c:\program files\ViOrb\ViOrb.exe
MSConfigStartUp-Vista Sidebar - c:\program files\Vista Sidebar\sidebar.exe
MSConfigStartUp-ViStart - c:\program files\ViStart\ViStart.exe
MSConfigStartUp-WatchDog - c:\program files\mobile PhoneTools\WatchDog.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: imageshack.us\toolbar
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 14:08:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2515548537-2599581172-2936092582-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9ED3003E-2B33-CF5E-8A28-561C452C796C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaigmbgnpjjacdbifa"=hex:6a,61,6a,6e,68,6b,6a,70,6d,64,6c,62,68,61,66,6a,6f,68,
6a,63,00,f2
"haogcoogpihljlhp"=hex:6a,61,6a,6e,68,6b,6a,70,6d,64,6c,62,68,61,66,6a,6f,68,
6a,63,00,f2
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\gearsec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\Microsoft Office\Office\FINDFAST.EXE
c:\program files\Microsoft Office\Office\OSA.EXE
.
**************************************************************************
.
Completion time: 2009-02-20 14:13:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-20 22:13:38

Pre-Run: 10,786,353,152 bytes free
Post-Run: 10,785,779,712 bytes free

283 --- E O F --- 2009-01-14 07:21:25


and the GMER log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-20 14:34:22
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xAA5798D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xAA5766E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xAA583490]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xAA579E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xAA580C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xAA580E90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xAA584D50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xAA579F80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xAA576C70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xAA583D10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xAA583AC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xAA580600]
SSDT spna.sys ZwEnumerateKey [0xF73DCCA2]
SSDT spna.sys ZwEnumerateValueKey [0xF73DD030]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xAA584230]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xAA5842B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xAA584FD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xAA576AD0]
SSDT spna.sys ZwOpenKey [0xF73BE0C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xAA5824F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xAA5822B0]
SSDT spna.sys ZwQueryKey [0xF73DD108]
SSDT spna.sys ZwQueryValueKey [0xF73DCF88]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xAA584970]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xAA5843D0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xAA5794F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xAA5847C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xAA579AA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xAA576EA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xAA583800]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xAA581580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xAA581400]

INT 0x62 ? 86566BF8
INT 0x63 ? 86566BF8
INT 0x63 ? 86566BF8
INT 0x63 ? 86566BF8
INT 0x84 ? 863E6E58
INT 0x94 ? 863E6E58
INT 0xA4 ? 863E6E58
INT 0xB4 ? 863E6E58

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C50 805044BC 2 Bytes [ E0, 66 ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C74 805044E0 12 Bytes [ 90, 9E, 57, AA, 80, 0C, 58, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2CB4 80504520 2 Bytes [ 70, 6C ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2CB7 80504523 5 Bytes [ AA, 10, 3D, 58, AA ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D46 805045B2 6 Bytes [ 58, AA, B0, 42, 58, AA ]
.text ...
? spna.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
? srescan.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F63D868E 5 Bytes JMP 863E6438
.text ax341bny.SYS F6312384 1 Byte [ 20 ]
.text ax341bny.SYS F6312386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text ax341bny.SYS F63123AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text ax341bny.SYS F63123C4 3 Bytes [ 00, 00, 00 ]
.text ax341bny.SYS F63123C9 1 Byte [ 00 ]
.text ...
? C:\ComboFix123\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73BF040] spna.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73BF13C] spna.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73BF0BE] spna.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73BF7FC] spna.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73BF6D2] spna.sys
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\ax341bny.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [AA57E410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [AA57E220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [AA57EB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [AA57C780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [AA57C780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [AA57E410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [AA57E220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [AA57EB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [AA57E410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [AA57EB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [AA57E220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [AA57C780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [AA57EB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AA57E220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [AA57E410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [AA57C780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [AA57E410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AA57E220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [AA57EB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [AA57E410] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [AA57C780] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [AA57EB50] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AA57E220] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 865651F8

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\sptd \Device\1452221204 spna.sys
Device \Driver\usbehci \Device\USBPDO-0 863E3500
Device \Driver\usbuhci \Device\USBPDO-1 863E4500
Device \Driver\usbuhci \Device\USBPDO-2 863E4500
Device \Driver\PCI_PNP1204 \Device\00000053 spna.sys
Device \Driver\PCI_PNP1204 \Device\00000053 spna.sys
Device \Driver\usbuhci \Device\USBPDO-3 863E4500
Device \Driver\usbuhci \Device\USBPDO-4 863E4500
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Ftdisk \Device\HarddiskVolume1 865D71F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Ftdisk \Device\HarddiskVolume2 865D71F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Cdrom \Device\CdRom0 863AB1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 865D71F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Cdrom \Device\CdRom1 863AB1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 865661F8
Device \Driver\atapi \Device\Ide\IdePort0 865661F8
Device \Driver\atapi \Device\Ide\IdePort1 865661F8
Device \Driver\atapi \Device\Ide\IdePort2 865661F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 865661F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 865D71F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\NetBT \Device\NetBt_Wins_Export 8624E500
Device \Driver\NetBT \Device\NetbiosSmb 8624E500
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\NetBT \Device\NetBT_Tcpip_{463B50B9-3FFC-4F24-9A18-0C60D1D87490} 8624E500
Device \Driver\usbuhci \Device\USBFDO-0 863E4500
Device \Driver\usbuhci \Device\USBFDO-1 863E4500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85D4A1F8
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-2 863E4500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85D4A1F8
Device \Driver\usbuhci \Device\USBFDO-3 863E4500
Device \Driver\usbehci \Device\USBFDO-4 863E3500
Device \Driver\Ftdisk \Device\FtControl 865D71F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{68E7EA14-21D5-4090-B4ED-AC14717921A0} 8624E500
Device \Driver\ax341bny \Device\Scsi\ax341bny1Port3Path0Target0Lun0 8639B1F8
Device \Driver\ax341bny \Device\Scsi\ax341bny1 8639B1F8
Device \FileSystem\Fastfat \Fat 85B7A1F8
Device \FileSystem\Fastfat \Fat A8D971F9

AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Cdfs \Cdfs 86259500
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8C 0x18 0xA6 0x9E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC0 0xE1 0x55 0x8B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0xED 0x3B 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xED 0xA8 0x25 0xB8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xED 0xA8 0x25 0xB8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xED 0xA8 0x25 0xB8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8C 0x18 0xA6 0x9E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC0 0xE1 0x55 0x8B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x47 0xED 0x3B 0xCB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xED 0xA8 0x25 0xB8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xED 0xA8 0x25 0xB8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xED 0xA8 0x25 0xB8 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9ED3003E-2B33-CF5E-8A28-561C452C796C}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9ED3003E-2B33-CF5E-8A28-561C452C796C}@iaigmbgnpjjacdbifa 0x6A 0x61 0x6A 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9ED3003E-2B33-CF5E-8A28-561C452C796C}@haogcoogpihljlhp 0x6A 0x61 0x6A 0x6E ...

---- EOF - GMER 1.0.14 ----

Thanks for taking the time to help me.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:58 AM

Posted 20 February 2009 - 05:58 PM

Hello Source2007.

I notice that you have some game cheats or "hacks" installed on your machine. These are more often than not bundled with infections.

Are any of these games installed at the moment?

Let's finish that off.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/205100/syware-protector-2009/
    
    Suspect::[59]
    c:\windows\System32\Drivers\ax341bny.SYS
    
    File::
    c:\windows\system32\uacinit.dll
    c:\windows\Tasks\xavhahba.job
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=-
    "FirewallOverride"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

At the end of its run ComboFix will attempt to upload some files. Please make sure you are connected to the Internet before clicking "OK". Kindly remind me in your next reply that samples were uploaded.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

With Regards,
The Panda
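The Registry:: section of the CFScript above deletes Security Center override values, and the logs earlier in the thread also show the Windows Firewall profile disabled, a scheduled task whose target ComboFix could not read, services whose driver file is missing, and an AutoRun command on a removable-drive mount point. As an added example (not code from this thread, from the helper or from ComboFix), here is a small Python triage routine that flags those indicators in ComboFix/DDS-style log text; the override-name set is extended to the other standard Security Center notification and override values, and SAMPLE_LOG (including its mount-point GUID) is constructed, modelled on the log posted above.

```python
"""Triage ComboFix/DDS-style log text for weakened-security indicators.
Added example; SAMPLE_LOG below is constructed, modelled on this thread's log."""
import re
from dataclasses import dataclass
from typing import List

# Security Center values that suppress alerts or override monitoring when
# set to 1. The CFScript in this thread deletes three of them ("=-").
SECURITY_CENTER_OVERRIDES = {
    "UpdatesDisableNotify", "FirewallDisableNotify", "AntiVirusDisableNotify",
    "FirewallOverride", "AntiVirusOverride", "DisableMonitoring",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})\s*$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
# "- <target> [<timestamp>]" under a scheduled task; empty brackets mean
# ComboFix could not read the target file.
TASK_RE = re.compile(r"^- (?P<path>.+?) \[(?P<ver>[^\]]*)\]\s*$")
# "S3 name;display;path --> path [?]": "[?]" means the driver file was not found.
SERVICE_RE = re.compile(r"^S\d (?P<name>[^;]+);[^;]+;(?P<path>.+?) --> .+ \[\?\]\s*$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line, tracking the registry key currently open."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = DWORD_RE.match(line)
        if m and "security center" in current_key:
            if m.group("name") in SECURITY_CENTER_OVERRIDES and int(m.group("val"), 16) == 1:
                findings.append(Finding("security-center-override", m.group("name")))
            continue
        m = FIREWALL_RE.match(line)
        if m and "firewallpolicy" in current_key and m.group("val") == "0":
            findings.append(Finding("windows-firewall-disabled", current_key))
            continue
        m = TASK_RE.match(line)
        if m and m.group("ver") == "":
            findings.append(Finding("task-target-unreadable", m.group("path")))
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.append(Finding("service-driver-missing", m.group("path")))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            # AutoRun command registered for a (removable) drive mount point.
            findings.append(Finding("mountpoint-autorun", m.group("cmd")))
    return findings


# Constructed sample, modelled on the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S3 kaspersky1;kaspersky1;\??\c:\ms\kaspersky.sys --> c:\ms\kaspersky.sys [?]
S3 getPlus Helper;getPlus Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-12 33752]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{PLACEHOLDER-GUID}]
\Shell\AutoRun\command - F:\setupSNK.exe
2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2009-02-20 c:\windows\Tasks\xavhahba.job
- c:\windows\system32\wvUlmlKB.dll []
"""


def triage_sample() -> List[Finding]:
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.kind:28} {f.detail}")
```

Each finding maps to a line the helper would act on: the override values get reset, the unreadable task target and missing drivers get removed or investigated, and the AutoRun entry is checked against the removable media it came from.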

#9 Source2007

Source2007
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 20 February 2009 - 06:21 PM

Here's the ComboFix log:

ComboFix 09-02-19.01 - Me 2009-02-20 15:07:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.552 [GMT -8:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Me\Desktop\CFScript.txt
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\uacinit.dll
c:\windows\Tasks\xavhahba.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\uacinit.dll
c:\windows\Tasks\xavhahba.job

.
((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.

2009-02-20 14:16 . 2009-02-20 14:16 250 --a------ c:\windows\gmer.ini
2009-02-20 13:08 . 2009-02-20 13:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2009-02-19 20:18 . 2007-01-13 09:45 172,032 --a------ c:\windows\system32\igfxres.dll
2009-02-19 17:39 . 2008-01-21 18:33 <DIR> d-------- C:\rs_manager
2009-02-12 18:42 . 2009-02-12 18:42 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-12 18:38 . 2009-02-12 18:38 <DIR> d-------- c:\program files\NOS
2009-02-12 18:38 . 2009-02-12 18:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-10 19:21 . 2009-02-10 19:22 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-02-10 19:21 . 2008-12-08 03:53 57,344 --a------ c:\windows\system32\ff_vfw.dll
2009-02-10 19:21 . 2007-07-10 08:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-02-08 19:32 . 2009-02-08 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-02-08 19:00 . 2009-02-08 19:00 <DIR> d-------- c:\program files\Bonjour
2009-02-07 21:19 . 2009-02-08 19:24 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-07 19:56 . 2009-02-07 20:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-07 19:38 . 2009-02-07 19:38 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-02-07 10:41 . 2009-02-07 10:41 <DIR> d-------- c:\program files\Codemasters
2009-01-31 22:07 . 2009-02-10 17:18 <DIR> d-------- c:\program files\Apophysis 2.0
2009-01-25 10:27 . 2009-01-25 10:27 <DIR> d-------- C:\divx
2009-01-24 21:27 . 2009-01-24 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2009-01-24 20:37 . 2009-01-25 19:26 <DIR> d-------- c:\program files\VSO
2009-01-24 20:37 . 2009-01-24 20:37 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-01-24 15:55 . 2009-01-24 15:55 <DIR> d-------- c:\program files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 19:09 3,470,336 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-02-13 02:51 --------- d-----w c:\program files\Common Files\Adobe
2009-02-08 23:54 --------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 1
2009-01-31 21:48 --------- d-----w c:\program files\Vuze
2009-01-26 23:19 2,741,284 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-01-25 18:01 --------- d-----w c:\program files\DivX
2009-01-22 03:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-22 03:49 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-17 07:46 2,855 ----a-w c:\windows\PIF\Setup.PIF
2009-01-16 01:57 --------- d-----w c:\program files\Lavasoft
2009-01-16 01:50 133,109 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_50_05_small.dmp.zip
2009-01-16 01:49 126,438 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_38_43_small.dmp.zip
2009-01-16 01:38 20,228,963 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_37_28_full.dmp.zip
2009-01-16 01:36 132,285 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_36_17_small.dmp.zip
2009-01-16 01:35 133,323 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_35_00_small.dmp.zip
2009-01-16 01:33 131,686 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_33_47_small.dmp.zip
2009-01-16 01:32 138,790 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_32_31_small.dmp.zip
2009-01-16 01:31 132,964 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_31_22_small.dmp.zip
2009-01-16 01:30 133,907 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_30_05_small.dmp.zip
2009-01-16 01:29 131,553 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_01_15_17_28_57_small.dmp.zip
2009-01-16 01:19 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-01-05 23:20 --------- d-----w c:\program files\Common Files\River Past
2009-01-04 23:50 --------- d-----w c:\program files\Common Files\Download Manager
2009-01-04 23:36 163,815 ----a-w c:\windows\Video Cleaner Pro Uninstaller.exe
2009-01-04 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\River Past G5
2009-01-04 23:30 162,893 ----a-w c:\windows\Animated GIF Converter and Booster Pack Uninstaller.exe
2009-01-02 18:37 --------- d-----w c:\program files\Google
2009-01-01 19:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 19:53 --------- d-----w c:\program files\Dell
2008-12-28 22:48 2,330,643 ----a-w c:\windows\system32\x264vfw.dll
2008-12-28 01:31 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-27 20:38 --------- d-----w c:\program files\Intel
2008-12-27 19:59 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 03:00 81,984 ----a-w c:\windows\system32\bdod.bin
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
2007-12-04 03:04 103 ----a-w c:\documents and settings\Abhishek\Application Data\scvhost.exe.bat
2004-08-04 10:00 94,784 --sh--w c:\windows\twain.dll
2004-08-04 10:00 50,688 --sh--w c:\windows\twain_32.dll
2007-06-24 20:15 88 -csh--r c:\windows\system32\B5030D566D.sys
2007-06-24 20:15 3,350 -csha-w c:\windows\system32\KGyGaAvL.sys
2004-08-04 10:00 1,028,096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 10:00 54,784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 10:00 413,696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-04 10:00 343,040 --sh--w c:\windows\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 10:00 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-02-20_14.12.29.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-20 22:16:07 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2009-02-20 22:16:07 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2008-08-10 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 01:39 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 00:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-08 15:21 133104 c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-07-05 15:21 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:localhost

S3 CEDRIVER52;CEDRIVER52;\??\c:\program files\Cheat Engine\dbk32.sys --> c:\program files\Cheat Engine\dbk32.sys [?]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\abhinandan\Games\maplestory\New Folder\UCE\disk_1024.sys --> c:\abhinandan\Games\maplestory\New Folder\UCE\disk_1024.sys [?]
S3 Dua1;Dua1;\??\c:\abhinandan\Games\maplestory\rev838\DualEngi.sys --> c:\abhinandan\Games\maplestory\rev838\DualEngi.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-12 33752]
S3 GGK;GGK;\??\c:\abhinandan\Games\maplestory\ggk.sys --> c:\abhinandan\Games\maplestory\ggk.sys [?]
S3 kaspersky1;kaspersky1;\??\c:\ms\kaspersky.sys --> c:\ms\kaspersky.sys [?]
S3 KIKIDRIVER;KIKIDRIVER;\??\c:\documents and settings\Me\My Documents\Trickster\Trickster Hack\UCE\kiki.sys --> c:\documents and settings\Me\My Documents\Trickster\Trickster Hack\UCE\kiki.sys [?]
S3 Networktemple01;Networktemple01;\??\c:\abhinandan\Games\maplestory\UCE\Networktemple.sys --> c:\abhinandan\Games\maplestory\UCE\Networktemple.sys [?]
S3 NUBBER;NUBBER;\??\c:\abhinandan\Games\maplestory\UCE2\nubbk32.sys --> c:\abhinandan\Games\maplestory\UCE2\nubbk32.sys [?]
S3 zenx1;zenx1;\??\c:\abhinandan\Games\maplestory\zenx.sys --> c:\abhinandan\Games\maplestory\zenx.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7f911a5-cef5-11dd-89c5-00038a000015}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2515548537-2599581172-2936092582-1006.job
- c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 15:21]

2006-12-03 c:\windows\Tasks\HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1156293579.job
- c:\program files\Hewlett-Packard\AiO\Shared\bin\hpqfrucl.exe [2003-06-25 00:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: imageshack.us\toolbar
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\cerenvfp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Me\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 15:08:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2515548537-2599581172-2936092582-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9ED3003E-2B33-CF5E-8A28-561C452C796C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaigmbgnpjjacdbifa"=hex:6a,61,6a,6e,68,6b,6a,70,6d,64,6c,62,68,61,66,6a,6f,68,
6a,63,00,f2
"haogcoogpihljlhp"=hex:6a,61,6a,6e,68,6b,6a,70,6d,64,6c,62,68,61,66,6a,6f,68,
6a,63,00,f2
.
Completion time: 2009-02-20 15:10:34
ComboFix-quarantined-files.txt 2009-02-20 23:10:31
ComboFix2.txt 2009-02-20 22:13:42

Pre-Run: 10,717,544,448 bytes free
Post-Run: 10,702,512,128 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

259 --- E O F --- 2009-01-14 07:21:25

and the MBAM log (it found nothing):

Malwarebytes' Anti-Malware 1.34
Database version: 1782
Windows 5.1.2600 Service Pack 2

2/20/2009 3:18:53 PM
mbam-log-2009-02-20 (15-18-53).txt

Scan type: Quick Scan
Objects scanned: 91790
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Ty once again.

#10 PropagandaPanda (Malware Response Team)

Posted 20 February 2009 - 06:38 PM

Hello Source2007.

There was evidence of some games, including "Maple Story", installed on this machine. Some of their components remain. It appears that the game was already uninstalled.

I am concerned that some of the cheats or other drivers for them may contain malware.

Could I have your permission to remove them with another CFScript?

With Regards,
The Panda

#11 Source2007 (Topic Starter)

Posted 20 February 2009 - 07:24 PM

Sorry for the late reply. Sure, I don't play those games anymore and don't want any remnants of them.

#12 PropagandaPanda (Malware Response Team)

Posted 20 February 2009 - 07:49 PM

Hello.

Please run this CFScript.

Driver::
CEDRIVER52
DISK_DRIVE32
Dua1
GGK
kaspersky1
KIKIDRIVER
Networktemple01
NUBBER
zenx1

Post back the log.

Please also take a new DDS.txt log.

With Regards,
The Panda

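An added example, not from the thread and not ComboFix's or the helper's code: the Python script below reads the S3 driver lines from the ComboFix log posted earlier in this thread (copied into the script as its sample input), flags the entries a responder would want removed, and prints them in the Driver:: form the CFScript above uses. In ComboFix output, R/S means running/stopped and the digit is the registry Start value, so S3 is a stopped, demand-start driver; the "[?]" marker means the file named by ImagePath no longer exists. These are therefore orphaned service registrations rather than a live rootkit, but a kernel-driver entry whose ImagePath sits in a user-writable folder (c:\abhinandan, My Documents) is still worth deleting: whoever can write that path and start the service gets kernel code loaded under a name that was already registered. The trusted-roots list and the cheat-tool keyword heuristic are assumptions for illustration; on this log the flagged list comes out identical to the one in the post above because every game driver carries the "[?]" marker.

```python
"""Triage the driver/service lines of a ComboFix log and emit a CFScript Driver:: block.

Added example for this thread; not ComboFix's or the helper's code. It parses the
"S3 name;display;path" lines ComboFix prints, flags entries a responder would
remove, and prints them in the Driver:: form a CFScript expects.
"""
import re
from typing import List, NamedTuple

# Sample input copied from the ComboFix log posted earlier in this thread.
# ComboFix prefixes each service with R (running) or S (stopped) plus the
# registry Start value; S3 = stopped, demand-start. "[?]" = ImagePath file missing.
SAMPLE_SERVICE_LINES = r"""
S3 CEDRIVER52;CEDRIVER52;\??\c:\program files\Cheat Engine\dbk32.sys --> c:\program files\Cheat Engine\dbk32.sys [?]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\abhinandan\Games\maplestory\New Folder\UCE\disk_1024.sys --> c:\abhinandan\Games\maplestory\New Folder\UCE\disk_1024.sys [?]
S3 Dua1;Dua1;\??\c:\abhinandan\Games\maplestory\rev838\DualEngi.sys --> c:\abhinandan\Games\maplestory\rev838\DualEngi.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-12 33752]
S3 GGK;GGK;\??\c:\abhinandan\Games\maplestory\ggk.sys --> c:\abhinandan\Games\maplestory\ggk.sys [?]
S3 kaspersky1;kaspersky1;\??\c:\ms\kaspersky.sys --> c:\ms\kaspersky.sys [?]
S3 KIKIDRIVER;KIKIDRIVER;\??\c:\documents and settings\Me\My Documents\Trickster\Trickster Hack\UCE\kiki.sys --> c:\documents and settings\Me\My Documents\Trickster\Trickster Hack\UCE\kiki.sys [?]
S3 Networktemple01;Networktemple01;\??\c:\abhinandan\Games\maplestory\UCE\Networktemple.sys --> c:\abhinandan\Games\maplestory\UCE\Networktemple.sys [?]
S3 NUBBER;NUBBER;\??\c:\abhinandan\Games\maplestory\UCE2\nubbk32.sys --> c:\abhinandan\Games\maplestory\UCE2\nubbk32.sys [?]
S3 zenx1;zenx1;\??\c:\abhinandan\Games\maplestory\zenx.sys --> c:\abhinandan\Games\maplestory\zenx.sys [?]
"""

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"                # R/S + Start value, e.g. S3
    r"(?P<name>[^;]+);"                     # service key name under HKLM\SYSTEM\...\Services
    r"(?P<display>[^;]*);"                  # display name
    r"(?P<image>.+?)"                       # ImagePath as stored in the registry
    r"(?:\s+-->\s+(?P<resolved>.+?))?"      # ComboFix's resolved path, when it prints one
    r"\s+\[(?P<meta>[^\]]*)\]\s*$"          # "[?]" (file missing) or "[date size]"
)

# Assumed trust boundary for illustration: drivers normally live under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


class ServiceEntry(NamedTuple):
    start: str
    name: str
    image_path: str      # normalised: \??\ prefix removed, lower-cased
    file_missing: bool


def _normalise(path: str) -> str:
    if path.startswith("\\??\\"):          # NT object-manager prefix ComboFix echoes
        path = path[4:]
    return path.strip().lower()


def _looks_like_cheat_tooling(component: str) -> bool:
    # Assumed keyword heuristic: folder/file names seen for game cheats in this log
    # ("Cheat Engine", "UCE"/"UCE2" folders, "Trickster Hack").
    return component.startswith("uce") or "cheat" in component or "hack" in component


def parse_services(text: str) -> List[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue                          # not a service line; skip
        path = m.group("resolved") or m.group("image")
        entries.append(ServiceEntry(
            start=m.group("start"),
            name=m.group("name"),
            image_path=_normalise(path),
            file_missing=(m.group("meta") == "?"),
        ))
    return entries


def assess(entry: ServiceEntry) -> List[str]:
    """Return the reasons (possibly none) this service entry should be removed."""
    reasons = []
    if entry.file_missing:
        reasons.append("ImagePath file no longer exists (orphaned service entry)")
    if not entry.image_path.startswith(TRUSTED_ROOTS):
        reasons.append("driver loaded from outside Program Files / Windows")
    if any(_looks_like_cheat_tooling(c) for c in entry.image_path.split("\\")):
        reasons.append("path names game-cheat tooling")
    return reasons


def flagged_names(entries: List[ServiceEntry]) -> List[str]:
    return [e.name for e in entries if assess(e)]


def build_cfscript(entries: List[ServiceEntry]) -> str:
    """CFScript fragment: a Driver:: header followed by one service name per line."""
    return "Driver::\n" + "\n".join(flagged_names(entries)) + "\n"


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_SERVICE_LINES)
    for e in parsed:
        reasons = assess(e)
        print(f"{'REMOVE' if reasons else 'keep':6} {e.start} {e.name:18} {e.image_path}")
        for r in reasons:
            print(f"       - {r}")
    print()
    print(build_cfscript(parsed), end="")
```

The getPlus Helper entry survives because its file exists, it lives under Program Files, and nothing in its path matches the heuristic; everything else is flagged on at least two counts. In a real response you would confirm each hit against the Services key before scripting the deletion, since the log is a snapshot and a service can be re-registered between the scan and the fix.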
#13 Source2007 (Topic Starter)

Posted 20 February 2009 - 08:28 PM

Here's the ComboFix log:

ComboFix 09-02-19.01 - Me 2009-02-20 17:05:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.619 [GMT -8:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Me\Desktop\CFScript.txt
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DISK_DRIVE32
-------\Legacy_DUA1
-------\Legacy_GGK
-------\Legacy_KASPERSKY1
-------\Legacy_KIKIDRIVER
-------\Legacy_NETWORKTEMPLE01
-------\Legacy_NUBBER
-------\Legacy_ZENX1
-------\Service_CEDRIVER52
-------\Service_DISK_DRIVE32
-------\Service_Dua1
-------\Service_GGK
-------\Service_kaspersky1
-------\Service_KIKIDRIVER
-------\Service_Networktemple01
-------\Service_NUBBER
-------\Service_zenx1


((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-20 15:14 . 2009-02-20 15:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 15:14 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 15:14 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-20 14:16 . 2009-02-20 14:16 250 --a------ c:\windows\gmer.ini
2009-02-20 13:08 . 2009-02-20 13:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2009-02-19 20:18 . 2007-01-13 09:45 172,032 --a------ c:\windows\system32\igfxres.dll
2009-02-19 17:39 . 2008-01-21 18:33 <DIR> d-------- C:\rs_manager
2009-02-12 18:42 . 2009-02-12 18:42 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-12 18:38 . 2009-02-12 18:38 <DIR> d-------- c:\program files\NOS
2009-02-12 18:38 . 2009-02-12 18:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-02-10 19:21 . 2009-02-10 19:22 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-02-10 19:21 . 2008-12-08 03:53 57,344 --a------ c:\windows\system32\ff_vfw.dll
2009-02-10 19:21 . 2007-07-10 08:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-02-08 19:32 . 2009-02-08 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-02-08 19:00 . 2009-02-08 19:00 <DIR> d-------- c:\program files\Bonjour
2009-02-07 21:19 . 2009-02-08 19:24 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-07 19:56 . 2009-02-07 20:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-02-07 19:38 . 2009-02-07 19:38 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-02-07 10:41 . 2009-02-07 10:41 <DIR> d-------- c:\program files\Codemasters
2009-01-31 22:07 . 2009-02-10 17:18 <DIR> d-------- c:\program files\Apophysis 2.0
2009-01-25 10:27 . 2009-01-25 10:27 <DIR> d-------- C:\divx
2009-01-24 21:27 . 2009-01-24 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2009-01-24 20:37 . 2009-01-25 19:26 <DIR> d-------- c:\program files\VSO
2009-01-24 20:37 . 2009-01-24 20:37 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys
2009-01-24 15:55 . 2009-01-24 15:55 <DIR> d-------- c:\program files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 02:51 --------- d-----w c:\program files\Common Files\Adobe
2009-02-08 23:54 --------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 1
2009-01-31 21:48 --------- d-----w c:\program files\Vuze
2009-01-25 18:01 --------- d-----w c:\program files\DivX
2009-01-22 03:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-22 03:49 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-16 01:57 --------- d-----w c:\program files\Lavasoft
2009-01-16 01:19 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-01-05 23:20 --------- d-----w c:\program files\Common Files\River Past
2009-01-04 23:50 --------- d-----w c:\program files\Common Files\Download Manager
2009-01-04 23:36 163,815 ----a-w c:\windows\Video Cleaner Pro Uninstaller.exe
2009-01-04 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\River Past G5
2009-01-04 23:30 162,893 ----a-w c:\windows\Animated GIF Converter and Booster Pack Uninstaller.exe
2009-01-02 18:37 --------- d-----w c:\program files\Google
2009-01-01 19:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 19:53 --------- d-----w c:\program files\Dell
2008-12-27 20:38 --------- d-----w c:\program files\Intel
2008-12-27 19:59 --------- d-----w c:\program files\SystemRequirementsLab
2007-12-04 03:04 103 ----a-w c:\documents and settings\Abhishek\Application Data\scvhost.exe.bat
2004-08-04 10:00 94,784 --sh--w c:\windows\twain.dll
2004-08-04 10:00 50,688 --sh--w c:\windows\twain_32.dll
2007-06-24 20:15 88 -csh--r c:\windows\system32\B5030D566D.sys
2007-06-24 20:15 3,350 -csha-w c:\windows\system32\KGyGaAvL.sys
2004-08-04 10:00 1,028,096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 10:00 54,784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 10:00 413,696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-04 10:00 343,040 --sh--w c:\windows\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 10:00 11,776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-02-20_14.12.29.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-02-20 22:16:07 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2009-02-20 22:16:07 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-02-21 01:13:15 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_250.dat
+ 2009-02-21 01:13:15 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2008-08-10 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 01:39 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 00:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-08 15:21 133104 c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-11-05 21:59 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2006-07-05 15:21 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:localhost

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-12 33752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7f911a5-cef5-11dd-89c5-00038a000015}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2515548537-2599581172-2936092582-1006.job
- c:\documents and settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 15:21]

2006-12-03 c:\windows\Tasks\HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1156293579.job
- c:\program files\Hewlett-Packard\AiO\Shared\bin\hpqfrucl.exe [2003-06-25 00:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: imageshack.us\toolbar
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\cerenvfp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Me\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 17:15:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2515548537-2599581172-2936092582-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9ED3003E-2B33-CF5E-8A28-561C452C796C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaigmbgnpjjacdbifa"=hex:6a,61,6a,6e,68,6b,6a,70,6d,64,6c,62,68,61,66,6a,6f,68,
6a,63,00,f2
"haogcoogpihljlhp"=hex:6a,61,6a,6e,68,6b,6a,70,6d,64,6c,62,68,61,66,6a,6f,68,
6a,63,00,f2
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\gearsec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\Microsoft Office\Office\FINDFAST.EXE
c:\program files\Microsoft Office\Office\OSA.EXE
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-02-20 17:22:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-21 01:22:03
ComboFix2.txt 2009-02-20 23:10:35
ComboFix3.txt 2009-02-20 22:13:42

Pre-Run: 10,620,735,488 bytes free
Post-Run: 10,487,595,008 bytes free

263 --- E O F --- 2009-01-14 07:21:25

the DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Me at 17:23:26.90 on Fri 02/20/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.584 [GMT -8:00]

FW: ZoneAlarm Pro Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\me\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "c:\program files\norton ghost\agent\GhostTray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\docume~1\me\startm~1\programs\startup\lastfm~1.lnk - c:\program files\last.fm\LastFMHelper.exe
StartupFolder: c:\docume~1\me\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\me\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\documents and settings\me\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: imageshack.us\toolbar
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {27527D31-447B-11D5-A46E-0001023B4289} - hxxp://gamingzone.ubisoft.com/dev/packages/GSManager.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/livetv.ocx
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\cerenvfp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\me\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-7 353680]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-12 33752]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-5 822424]

=============== Created Last 30 ================

2009-02-20 16:13 <DIR> --d----- c:\docume~1\me\applic~1\DMCache
2009-02-20 15:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 15:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 15:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 15:06 <DIR> a-dshr-- C:\cmdcons
2009-02-20 14:16 250 a------- c:\windows\gmer.ini
2009-02-20 13:51 161,792 a------- c:\windows\SWREG.exe
2009-02-20 13:51 98,816 a------- c:\windows\sed.exe
2009-02-19 20:18 172,032 a------- c:\windows\system32\igfxres.dll
2009-02-19 17:39 <DIR> --d----- C:\rs_manager
2009-02-10 19:21 57,344 a------- c:\windows\system32\ff_vfw.dll
2009-02-10 19:21 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-02-10 19:21 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-02-08 19:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-02-08 19:00 <DIR> --d----- c:\program files\Bonjour
2009-02-07 21:19 <DIR> --d----- c:\docume~1\me\applic~1\URSoft
2009-02-07 19:38 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-02-07 10:41 <DIR> --d----- c:\program files\Codemasters
2009-01-31 22:07 <DIR> --d----- c:\program files\Apophysis 2.0
2009-01-25 10:27 <DIR> --d----- C:\divx
2009-01-24 21:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-01-24 20:37 87,608 a------- c:\docume~1\me\applic~1\inst.exe
2009-01-24 20:37 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-01-24 20:37 47,360 a------- c:\docume~1\me\applic~1\pcouffin.sys
2009-01-24 20:37 <DIR> --d----- c:\program files\VSO
2009-01-24 15:55 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-02-20 13:08 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-16 23:46 2,855 a------- c:\windows\pif\Setup.PIF
2009-01-04 15:36 163,815 a------- c:\windows\Video Cleaner Pro Uninstaller.exe
2009-01-04 15:30 162,893 a------- c:\windows\Animated GIF Converter and Booster Pack Uninstaller.exe
2008-12-28 14:48 2,330,643 a------- c:\windows\system32\x264vfw.dll
2008-12-27 17:31 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 09:27 3,067,392 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 03:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-12-10 16:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 16:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 19:00 81,984 a------- c:\windows\system32\bdod.bin
2008-12-08 18:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 18:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 18:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 18:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-01-20 22:03 22,328 a------- c:\docume~1\me\applic~1\PnkBstrK.sys
2004-08-04 02:00 94,784 ---sh--- c:\windows\twain.dll
2004-08-04 02:00 50,688 ---sh--- c:\windows\twain_32.dll
2007-06-24 12:15 88 -c-shr-- c:\windows\system32\B5030D566D.sys
2007-06-24 12:15 3,350 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2004-08-04 02:00 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2004-08-04 02:00 54,784 ---sh--- c:\windows\system32\msvcirt.dll
2004-08-04 02:00 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2004-08-04 02:00 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2007-12-04 10:38 550,912 ---sh--- c:\windows\system32\oleaut32.dll
2004-08-04 02:00 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 17:23:45.90 ===============


#14 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:11:58 AM

Posted 20 February 2009 - 08:36 PM

Hello.

Please uninstall these old versions of Java using Add/Remove Programs.
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_12
Java 2 SDK, SE v1.4.2_12
Java DB 10.3.1.4
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 10

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the F-Secure scan log
-a new DDS log (just DDS.txt is fine)

Please tell me of any symptoms still present.

With Regards,
The Panda
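The Panda asks for a new DDS log after each step; the useful check is a section-by-section comparison of consecutive logs from the same machine, which shows exactly what a cleanup step removed and what a scanner left behind. The following is an added example, not code from the thread or from DDS itself: a small Python parser that splits a DDS log on its banner lines and diffs the entries, keying BHO/DPF/IE entries on CLSID and path (so a renamed helper with the same CLSID is not reported as a change, a step beyond plain line matching) and ignoring timestamps in the Created Last 30 section. The two excerpts are constructed from the DDS logs posted above this reply and the one posted after it.

```python
"""Section-wise diff of two DDS logs (added example, not part of the thread)."""
import re
from typing import Dict, List

# DDS banners look like '============== Pseudo HJT Report ==============='
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# CLSIDs as they appear in BHO:/DPF:/IE:/TB: entries
GUID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
# 'Created Last 30' and 'Find3M' lines start with 'YYYY-MM-DD HH:MM'
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+")


def parse_dds(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into {section name: [entry lines]}.

    Lines before the first banner (version, OS, firewall) go under 'HEADER'.
    Blank lines are dropped; entry text is kept verbatim.
    """
    sections: Dict[str, List[str]] = {"HEADER": []}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def normalise(entry: str) -> str:
    """Comparison key: timestamp removed, display name dropped when a CLSID is present."""
    entry = TIMESTAMP_RE.sub("", entry)
    m = GUID_RE.search(entry)
    if m:
        kind = entry.split(":", 1)[0]          # 'BHO', 'DPF', 'IE', 'TB', ...
        entry = kind + " " + entry[m.start():]  # identity is CLSID + path/URL
    return entry.lower()


def diff_dds(before: str, after: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {section: {'added': [...], 'removed': [...]}} for sections that changed."""
    old, new = parse_dds(before), parse_dds(after)
    result: Dict[str, Dict[str, List[str]]] = {}
    for name in sorted(set(old) | set(new)):
        old_map = {normalise(e): e for e in old.get(name, [])}
        new_map = {normalise(e): e for e in new.get(name, [])}
        added = [new_map[k] for k in new_map if k not in old_map]
        removed = [old_map[k] for k in old_map if k not in new_map]
        if added or removed:
            result[name] = {"added": added, "removed": removed}
    return result


def format_report(diff: Dict[str, Dict[str, List[str]]]) -> str:
    """Render the diff as '+'/'-' lines under each section name."""
    out: List[str] = []
    for name, change in diff.items():
        out.append(f"[{name}]")
        out.extend(f"  + {e}" for e in change["added"])
        out.extend(f"  - {e}" for e in change["removed"])
    return "\n".join(out)


# Constructed excerpts of the two DDS logs in this thread (not complete logs).
LOG_BEFORE = r"""DDS (Ver_09-02-01.01) - NTFSx86
Run by Me at 17:23:26.90 on Fri 02/20/2009

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

=============== Created Last 30 ================

2009-02-20 16:13 <DIR> --d----- c:\docume~1\me\applic~1\DMCache
2009-02-20 15:14 15,504 a------- c:\windows\system32\drivers\mbam.sys

============= FINISH: 17:23:45.90 ===============
"""

LOG_AFTER = r"""DDS (Ver_09-02-01.01) - NTFSx86
Run by Me at 21:27:17.50 on Fri 02/20/2009

============== Pseudo HJT Report ===============

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

=============== Created Last 30 ================

2009-02-20 19:15 <DIR> --d----- C:\fsaua.data
2009-02-20 16:13 <DIR> --d----- c:\docume~1\me\applic~1\DMCache
2009-02-20 15:14 15,504 a------- c:\windows\system32\drivers\mbam.sys

============= FINISH: 21:27:40.00 ===============
"""

if __name__ == "__main__":
    print(format_report(diff_dds(LOG_BEFORE, LOG_AFTER)))
```

On the excerpts above the report shows the old Java helper and the 1.5.0 installer DPF gone, the F-Secure scanner control and its fsaua.data directory added, and the renamed SSV helper correctly treated as unchanged.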

#15 Source2007

  • Topic Starter
  • Members
  • 11 posts
  • Local time:08:58 AM

Posted 21 February 2009 - 12:30 AM

Here are the F-Secure results:

Scanning Report
Friday, February 20, 2009 19:23:02 - 21:20:35
Computer name: ABHINANDAN
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 4 malware found
TrackingCookie.Atdmt (spyware)
System
Trojan-Downloader:W32/Zlob.HYY (virus)
System
C:\WINDOWS\SYSTEM32\HYTTLCVIQLGKXQWDR.EXE
W32/Packed_Upack.A (virus)
C:\DOCUMENTS AND SETTINGS\ME\MY DOCUMENTS\AZUREUS DOWNLOADS\ADOBE ILLUSTRATOR CS4 (MULTILINGUAL) [RH]\ADOBE ILLUSTRATOR CS4\KEYGEN\CS4MCLG.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 85680
System: 4018
Not scanned: 9
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 4
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\TEMP\HSPERFDATA_ME\1760

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Blacklight: 0.0.0
F-Secure Hydra: 3.6.8511, 2009-02-20
F-Secure Pegasus: 1.20.0, 1969-11-31
F-Secure AVP: 7.0.171, 2009-02-20
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------


and the DDS:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Me at 21:27:17.50 on Fri 02/20/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.523 [GMT -8:00]

FW: ZoneAlarm Pro Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Me\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Vuze\Azureus.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\me\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "c:\program files\norton ghost\agent\GhostTray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
StartupFolder: c:\docume~1\me\startm~1\programs\startup\lastfm~1.lnk - c:\program files\last.fm\LastFMHelper.exe
StartupFolder: c:\docume~1\me\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\me\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\documents and settings\me\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: imageshack.us\toolbar
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab3.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {27527D31-447B-11D5-A46E-0001023B4289} - hxxp://gamingzone.ubisoft.com/dev/packages/GSManager.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/livetv.ocx
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\cerenvfp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\me\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-7 353680]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-12 33752]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-7-5 822424]

=============== Created Last 30 ================

2009-02-20 19:15 <DIR> --d----- C:\fsaua.data
2009-02-20 16:13 <DIR> --d----- c:\docume~1\me\applic~1\DMCache
2009-02-20 15:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 15:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 15:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 15:06 <DIR> a-dshr-- C:\cmdcons
2009-02-20 14:16 250 a------- c:\windows\gmer.ini
2009-02-20 13:51 161,792 a------- c:\windows\SWREG.exe
2009-02-20 13:51 98,816 a------- c:\windows\sed.exe
2009-02-19 20:18 172,032 a------- c:\windows\system32\igfxres.dll
2009-02-19 17:39 <DIR> --d----- C:\rs_manager
2009-02-10 19:21 57,344 a------- c:\windows\system32\ff_vfw.dll
2009-02-10 19:21 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-02-10 19:21 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-02-08 19:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-02-08 19:00 <DIR> --d----- c:\program files\Bonjour
2009-02-07 21:19 <DIR> --d----- c:\docume~1\me\applic~1\URSoft
2009-02-07 19:38 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-02-07 10:41 <DIR> --d----- c:\program files\Codemasters
2009-01-31 22:07 <DIR> --d----- c:\program files\Apophysis 2.0
2009-01-25 10:27 <DIR> --d----- C:\divx
2009-01-24 21:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-01-24 20:37 87,608 a------- c:\docume~1\me\applic~1\inst.exe
2009-01-24 20:37 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-01-24 20:37 47,360 a------- c:\docume~1\me\applic~1\pcouffin.sys
2009-01-24 20:37 <DIR> --d----- c:\program files\VSO
2009-01-24 15:55 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-02-20 13:08 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-01-16 23:46 2,855 a------- c:\windows\pif\Setup.PIF
2009-01-04 15:36 163,815 a------- c:\windows\Video Cleaner Pro Uninstaller.exe
2009-01-04 15:30 162,893 a------- c:\windows\Animated GIF Converter and Booster Pack Uninstaller.exe
2008-12-28 14:48 2,330,643 a------- c:\windows\system32\x264vfw.dll
2008-12-27 17:31 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 09:27 3,067,392 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 03:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-12-10 16:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 16:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-08 19:00 81,984 a------- c:\windows\system32\bdod.bin
2008-12-08 18:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-08 18:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-08 18:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-08 18:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-01-20 22:03 22,328 a------- c:\docume~1\me\applic~1\PnkBstrK.sys
2004-08-04 02:00 94,784 ---sh--- c:\windows\twain.dll
2004-08-04 02:00 50,688 ---sh--- c:\windows\twain_32.dll
2007-06-24 12:15 88 -c-shr-- c:\windows\system32\B5030D566D.sys
2007-06-24 12:15 3,350 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2004-08-04 02:00 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2004-08-04 02:00 54,784 ---sh--- c:\windows\system32\msvcirt.dll
2004-08-04 02:00 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2004-08-04 02:00 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2007-12-04 10:38 550,912 ---sh--- c:\windows\system32\oleaut32.dll
2004-08-04 02:00 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 21:28:13.71 ===============


Thanks for all the help, I don't see any visible symptoms left.



