
Son of a gun...it's back again


  • This topic is locked
3 replies to this topic

#1 Phyll_durt


  • Members
  • 14 posts
  • OFFLINE

Posted 14 April 2009 - 12:26 PM

For the record and for contextual information, previous topics in order from oldest to newest are:

http://www.bleepingcomputer.com/forums/t/217495/i-think-i-am-infected/

http://www.bleepingcomputer.com/forums/t/218437/virus-keeps-reappearing-after-removing/ ~ OB


Ok...this is getting ridiculous. All I did today was check my University email, check out Fox News and listen to streaming talk radio and now that virus is back. I was at these sites this morning and yesterday...no issues...went to class this morning...came back and checked same sites, brought up streaming online radio, minimized the window, opened a new window and went back to Fox News and bam...it's back. UGGGG!!!!!

I'm really sorry for coming back and bugging you about this. I do not understand what the deal is with this. I have a very routine web surfing habit. Check my email, check the news, occasionally update a game, and just recently started listening to streaming talk radio via the internet. But this virus is new. Everything was fine from the last fix until today. Like I said, no questionable websites involved.

Oh yeah...I also played a little Total War: Empire which runs through Steam. Do you think it is coming through Steam? From the time we had this resolved until today, Steam was not running.

If Steam is the culprit...I'm done with games via Steam.

***HJT Log***

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:21:07, on 04.15.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\Avira Premium Security Suite\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SpywareDetector\SDActiveMonitor.exe
C:\WINDOWS\CTHELPER.EXE
E:\Program Files\Creative\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Unlocker\UnlockerAssistant.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Steam\steam.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
E:\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\Avira Premium Security Suite\avgnt.exe" /min
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [VolPanel] "E:\Program Files\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Pyuyenafidac] rundll32.exe "C:\WINDOWS\etomizihawagur.dll",e

O4 - HKCU\..\Run: [NVIDIA nTune] E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1184716127546
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-27-0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15106/CTPID.cab
O23 - Service: Avira Premium Security Suite Firewall (AntiVirFirewallService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avfwsvc.exe
O23 - Service: Avira Premium Security Suite Scheduler (AntiVirScheduler) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\sched.exe
O23 - Service: Avira Premium Security Suite Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Avira Premium Security Suite MailGuard helper service (AVEService) - Avira GmbH - E:\Program Files\Avira\Avira Premium Security Suite\avesvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Creative Audio Service (CTAudSvcService) - Unknown owner - C:\Program Files\Creative\Shared Files\CTAudSvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - E:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 9190 bytes

Edited by Orange Blossom, 14 April 2009 - 12:40 PM.




#2 Phyll_durt

  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE

Posted 14 April 2009 - 01:09 PM

Thanks Orange Blossom for adding the links. I guess I should have done that. Sorry.

I hope I didn't violate anything by taking it upon myself to utilize the previous methods that were instructed to me. I assumed that since this was the same problem, the same method would work again.

I used the instructions given me by the most excellent miekiemos in my last posting.

Here are the results:

***************************************************************************
ComboFixLog (before applying the script given to me in my previously posted topic)
***************************************************************************

ComboFix 09-04-14.09 - Phrog 04.15.2009 13:46.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2266 [GMT -4:00]
Running from: c:\documents and settings\Phrog\Desktop\ComboFix.exe
AV: Avira Premium Security Suite *On-access scanning disabled* (Updated)
FW: Avira Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\mpmonac.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-15 17:08 . 2009-04-15 17:09 16 ----a-w c:\windows\Hgevifemeyudafaw.bin
2009-04-15 17:08 . 2009-04-15 17:08 1366 ----a-w c:\windows\Obopuregadagakus.dat
2009-04-15 13:40 . 2009-04-15 13:40 4194322 ----a-w C:\memory_map.tga
2009-04-14 12:22 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-14 12:21 . 2008-08-14 10:11 2189184 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-14 12:21 . 2008-08-14 10:09 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-14 12:21 . 2008-08-14 09:33 2066048 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-14 12:21 . 2008-08-14 09:33 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-14 12:20 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys
2009-04-14 12:20 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-14 12:20 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys
2009-04-14 12:20 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-14 12:20 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-14 12:14 . 2009-04-14 12:14 -------- d-----w c:\windows\system32\scripting
2009-04-14 12:14 . 2009-04-14 12:14 -------- d-----w c:\windows\system32\en
2009-04-14 12:14 . 2009-04-14 12:14 -------- d-----w c:\windows\l2schemas
2009-04-14 12:14 . 2009-04-14 12:14 -------- d-----w c:\windows\system32\bits
2009-04-14 12:12 . 2009-04-14 12:14 -------- d-----w c:\windows\ServicePackFiles
2009-04-14 12:08 . 2004-07-17 15:35 67866 ------w c:\windows\system32\drivers\netwlan5.img
2009-04-11 01:34 . 2009-04-11 01:34 -------- d-----w c:\documents and settings\Phrog\Local Settings\Application Data\{123D569F-AF26-46DD-94C0-0A4AF5A2A266}
2009-04-09 20:05 . 2009-04-09 20:05 -------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-04-08 12:51 . 2009-04-08 12:51 -------- d-----w c:\program files\Bonjour
2009-04-08 12:02 . 2009-04-08 12:02 -------- d-----w c:\program files\iPod
2009-04-08 12:02 . 2009-04-08 12:02 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 12:01 . 2009-04-08 12:01 -------- d-----w c:\documents and settings\Phrog\Local Settings\Application Data\Apple
2009-04-08 12:01 . 2009-04-08 12:01 -------- d-----w c:\program files\Apple Software Update
2009-04-08 12:01 . 2009-04-08 12:02 -------- d-----w c:\program files\Common Files\Apple
2009-04-08 11:21 . 2009-04-08 11:21 -------- d-----w c:\documents and settings\Phrog\Application Data\Apple Computer
2009-04-07 19:45 . 2009-04-07 19:45 -------- d-----w c:\documents and settings\Phrog\Application Data\Malwarebytes
2009-04-07 19:45 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-07 19:45 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 19:45 . 2009-04-07 19:45 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 18:42 . 2009-04-05 18:42 -------- d-----w c:\documents and settings\Administrator.PHR0G-3F7CE7C45.000\Local Settings\Application Data\{E8839C00-FEEB-4F19-88D7-C35624E30515}
2009-03-27 18:37 . 2009-03-27 18:37 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-24 01:04 . 2009-04-05 01:04 214832 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-20 22:32 . 2009-03-20 22:32 -------- d-----w c:\documents and settings\Phrog\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 12:17 . 2009-04-14 12:17 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009041420090415\index.dat
2009-04-14 12:14 . 2007-07-17 20:03 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-14 12:12 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
2009-04-10 13:10 . 2007-07-23 14:59 -------- d-----w c:\program files\SpywareDetector
2009-04-06 00:16 . 2009-04-05 14:51 2908 ----a-w C:\aaw7boot.log
2009-04-05 18:46 . 2007-10-01 16:25 4942742 --sha-r C:\SDSignature.txt
2009-04-05 18:44 . 2008-12-11 01:38 6691277 --sh--r C:\SDVirus.txt
2009-04-05 18:44 . 2008-03-20 00:00 2867966 --sha-r C:\ExecSignature.txt
2009-04-05 14:50 . 2008-11-25 16:01 -------- d-----w c:\documents and settings\Phrog\Application Data\Desktopicon
2009-04-04 12:46 . 2007-07-18 23:12 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-28 23:18 . 2008-10-27 00:25 139280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-28 23:18 . 2008-10-27 00:25 202000 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-22 12:50 . 2007-07-17 21:14 86888 ----a-w c:\documents and settings\Phrog\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 22:51 . 2007-09-30 19:17 -------- d-----w c:\program files\AGEIA Technologies
2009-03-11 23:14 . 2008-06-19 21:16 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-09 00:28 . 2009-03-09 00:28 -------- d-----w c:\documents and settings\Phrog\Application Data\The Creative Assembly
2009-02-17 03:17 . 2007-07-17 21:01 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-22 15:29 . 2008-08-01 02:25 1060864 ----a-w c:\windows\system32\CheckDll.dll
2009-01-16 22:24 . 2009-01-16 22:24 70936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-11-29 20:37 . 2007-11-06 20:15 22328 ----a-w c:\documents and settings\Phrog\Application Data\PnkBstrK.sys
2008-06-20 21:23 . 2008-06-20 21:23 128 ----a-w c:\documents and settings\Phrog\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="e:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-09-29 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"SDActiveMonitor"="c:\program files\SpywareDetector\SDActiveMonitor.exe" [2009-01-07 1364944]
"avgnt"="e:\program files\Avira\Avira Premium Security Suite\avgnt.exe" [2008-06-12 266497]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"VolPanel"="e:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"UnlockerAssistant"="e:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Pyuyenafidac"="c:\windows\etomizihawagur.dll" [2008-04-14 158720]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-08-07 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-07-11 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" - c:\windows\MIDIDEF.EXE [2005-08-07 25600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
2008-12-01 16:15 475136 ----a-w c:\program files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete \??\c:\program files\SpywareDetector\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli mpmonac.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"e:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"e:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"e:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"e:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"e:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"e:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2005-07-26 348352]
R3 athena;athena;c:\windows\system32\DRIVERS\athena.sys [2006-01-19 107392]
R3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2005-07-26 43392]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-11-08 79360]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2001-08-17 96256]
R3 SaiH8000;SaiH8000;c:\windows\system32\DRIVERS\SaiH8000.sys [2004-07-30 56576]
R3 SDActMon;SDActMon;c:\program files\SpywareDetector\SDActMon.sys [2008-12-10 21888]
R3 SDAntiRtKt;SDAntiRtKt;c:\program files\SpywareDetector\SDAntiRtKt.sys [2008-07-15 11264]
S1 avfwot;avfwot;c:\windows\system32\DRIVERS\avfwot.sys [2008-05-07 71592]
S1 SDManager;SDManager;c:\program files\SpywareDetector\SDManager.sys [2009-01-05 13696]
S2 AntiVirFirewallService;Avira Premium Security Suite Firewall;e:\program files\Avira\Avira Premium Security Suite\avfwsvc.exe [2008-05-16 344321]
S2 AVEService;Avira Premium Security Suite MailGuard helper service;e:\program files\Avira\Avira Premium Security Suite\avesvc.exe [2008-05-09 41217]
S2 SDService;SDService;c:\program files\SpywareDetector\SDService.exe [2009-01-08 1713616]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys [2008-05-07 71464]
S3 physX32;physX32;c:\windows\system32\DRIVERS\physX32.sys [2008-04-28 120960]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-05 c:\windows\Tasks\Crysis Wars® Updates.job
- c:\windows\Installer\Crysis Wars® Updates for All Users.lnk [2008-10-25 12:24]

2009-04-14 c:\windows\Tasks\User_Feed_Synchronization-{1BF35C0D-7D42-4398-A0DA-086795D423B3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 13:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-362288127-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-299502267-362288127-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:b0,39,7d,55,59,13,93,e4,6a,fc,5c,06,66,37,c2,b3,62,e9,2a,30,a4,
3c,53,2c,fa,f5,58,21,4b,d3,fb,cc,77,17,31,33,4c,cb,3d,eb,c8,df,75,fd,80,11,\
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\program files\SpywareDetector\SDNotify.dll

- - - - - - - > 'lsass.exe'(1068)
c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(624)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Avira\Avira Premium Security Suite\sched.exe
e:\program files\Avira\Avira Premium Security Suite\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
e:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
e:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-15 17:55
ComboFix2.txt 2009-04-13 19:51

Pre-Run: 15,796,879,360 bytes free
Post-Run: 15,728,148,480 bytes free

225 --- E O F --- 2009-04-14 12:33

*************************************************************************
ComboFixLog (after applying the script given to me in my previously posted topic)
*************************************************************************

ComboFix 09-04-14.09 - Phrog 04.15.2009 13:58.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2307 [GMT -4:00]
Running from: c:\documents and settings\Phrog\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Phrog\Desktop\CFScript.txt
AV: Avira Premium Security Suite *On-access scanning disabled* (Updated)
FW: Avira Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\Hgevifemeyudafaw.bin
c:\windows\ixebiqobacagayus.dll
c:\windows\Obopuregadagakus.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Hgevifemeyudafaw.bin
c:\windows\Obopuregadagakus.dat

.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-15 13:40 . 2009-04-15 13:40 4194322 ----a-w C:\memory_map.tga
2009-04-14 12:22 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-14 12:21 . 2008-08-14 10:11 2189184 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-14 12:21 . 2008-08-14 10:09 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-14 12:21 . 2008-08-14 09:33 2066048 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-14 12:21 . 2008-08-14 09:33 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-14 12:20 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys
2009-04-14 12:20 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-14 12:20 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys
2009-04-14 12:20 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-14 12:20 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-14 12:14 . 2009-04-14 12:14 -------- d-----w c:\windows\system32\scripting
2009-04-14 12:14 . 2009-04-14 12:14 -------- d-----w c:\windows\system32\en
2009-04-14 12:14 . 2009-04-14 12:14 -------- d-----w c:\windows\l2schemas
2009-04-14 12:14 . 2009-04-14 12:14 -------- d-----w c:\windows\system32\bits
2009-04-14 12:12 . 2009-04-14 12:14 -------- d-----w c:\windows\ServicePackFiles
2009-04-14 12:08 . 2004-07-17 15:35 67866 ------w c:\windows\system32\drivers\netwlan5.img
2009-04-11 01:34 . 2009-04-11 01:34 -------- d-----w c:\documents and settings\Phrog\Local Settings\Application Data\{123D569F-AF26-46DD-94C0-0A4AF5A2A266}
2009-04-09 20:05 . 2009-04-09 20:05 -------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-04-08 12:51 . 2009-04-08 12:51 -------- d-----w c:\program files\Bonjour
2009-04-08 12:02 . 2009-04-08 12:02 -------- d-----w c:\program files\iPod
2009-04-08 12:02 . 2009-04-08 12:02 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 12:01 . 2009-04-08 12:01 -------- d-----w c:\documents and settings\Phrog\Local Settings\Application Data\Apple
2009-04-08 12:01 . 2009-04-08 12:01 -------- d-----w c:\program files\Apple Software Update
2009-04-08 12:01 . 2009-04-08 12:02 -------- d-----w c:\program files\Common Files\Apple
2009-04-08 11:21 . 2009-04-08 11:21 -------- d-----w c:\documents and settings\Phrog\Application Data\Apple Computer
2009-04-07 19:45 . 2009-04-07 19:45 -------- d-----w c:\documents and settings\Phrog\Application Data\Malwarebytes
2009-04-07 19:45 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-07 19:45 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-07 19:45 . 2009-04-07 19:45 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 18:42 . 2009-04-05 18:42 -------- d-----w c:\documents and settings\Administrator.PHR0G-3F7CE7C45.000\Local Settings\Application Data\{E8839C00-FEEB-4F19-88D7-C35624E30515}
2009-03-27 18:37 . 2009-03-27 18:37 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-24 01:04 . 2009-04-05 01:04 214832 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-20 22:32 . 2009-03-20 22:32 -------- d-----w c:\documents and settings\Phrog\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 12:17 . 2009-04-14 12:17 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009041420090415\index.dat
2009-04-14 12:14 . 2007-07-17 20:03 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-14 12:12 . 2004-08-04 12:00 250048 --sha-r C:\ntldr
2009-04-10 13:10 . 2007-07-23 14:59 -------- d-----w c:\program files\SpywareDetector
2009-04-06 00:16 . 2009-04-05 14:51 2908 ----a-w C:\aaw7boot.log
2009-04-05 18:46 . 2007-10-01 16:25 4942742 --sha-r C:\SDSignature.txt
2009-04-05 18:44 . 2008-12-11 01:38 6691277 --sh--r C:\SDVirus.txt
2009-04-05 18:44 . 2008-03-20 00:00 2867966 --sha-r C:\ExecSignature.txt
2009-04-05 14:50 . 2008-11-25 16:01 -------- d-----w c:\documents and settings\Phrog\Application Data\Desktopicon
2009-04-04 12:46 . 2007-07-18 23:12 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-28 23:18 . 2008-10-27 00:25 139280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-28 23:18 . 2008-10-27 00:25 202000 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-22 12:50 . 2007-07-17 21:14 86888 ----a-w c:\documents and settings\Phrog\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 22:51 . 2007-09-30 19:17 -------- d-----w c:\program files\AGEIA Technologies
2009-03-11 23:14 . 2008-06-19 21:16 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-09 00:28 . 2009-03-09 00:28 -------- d-----w c:\documents and settings\Phrog\Application Data\The Creative Assembly
2009-02-17 03:17 . 2007-07-17 21:01 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-01-22 15:29 . 2008-08-01 02:25 1060864 ----a-w c:\windows\system32\CheckDll.dll
2009-01-16 22:24 . 2009-01-16 22:24 70936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-11-29 20:37 . 2007-11-06 20:15 22328 ----a-w c:\documents and settings\Phrog\Application Data\PnkBstrK.sys
2008-06-20 21:23 . 2008-06-20 21:23 128 ----a-w c:\documents and settings\Phrog\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="e:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-09-29 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"SDActiveMonitor"="c:\program files\SpywareDetector\SDActiveMonitor.exe" [2009-01-07 1364944]
"avgnt"="e:\program files\Avira\Avira Premium Security Suite\avgnt.exe" [2008-06-12 266497]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"VolPanel"="e:\program files\Creative\Volume Panel\VolPanlu.exe" [2008-08-06 233576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"UnlockerAssistant"="e:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-08-07 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-07-11 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" - c:\windows\MIDIDEF.EXE [2005-08-07 25600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
2008-12-01 16:15 475136 ----a-w c:\program files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete \??\c:\program files\SpywareDetector\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"e:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"e:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"e:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"e:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"e:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"e:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2005-07-26 348352]
R3 athena;athena;c:\windows\system32\DRIVERS\athena.sys [2006-01-19 107392]
R3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2005-07-26 43392]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-11-08 79360]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2001-08-17 96256]
R3 SaiH8000;SaiH8000;c:\windows\system32\DRIVERS\SaiH8000.sys [2004-07-30 56576]
R3 SDActMon;SDActMon;c:\program files\SpywareDetector\SDActMon.sys [2008-12-10 21888]
R3 SDAntiRtKt;SDAntiRtKt;c:\program files\SpywareDetector\SDAntiRtKt.sys [2008-07-15 11264]
S1 avfwot;avfwot;c:\windows\system32\DRIVERS\avfwot.sys [2008-05-07 71592]
S1 SDManager;SDManager;c:\program files\SpywareDetector\SDManager.sys [2009-01-05 13696]
S2 AntiVirFirewallService;Avira Premium Security Suite Firewall;e:\program files\Avira\Avira Premium Security Suite\avfwsvc.exe [2008-05-16 344321]
S2 AVEService;Avira Premium Security Suite MailGuard helper service;e:\program files\Avira\Avira Premium Security Suite\avesvc.exe [2008-05-09 41217]
S2 SDService;SDService;c:\program files\SpywareDetector\SDService.exe [2009-01-08 1713616]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys [2008-05-07 71464]
S3 physX32;physX32;c:\windows\system32\DRIVERS\physX32.sys [2008-04-28 120960]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-05 c:\windows\Tasks\Crysis Wars® Updates.job
- c:\windows\Installer\Crysis Wars® Updates for All Users.lnk [2008-10-25 12:24]

2009-04-14 c:\windows\Tasks\User_Feed_Synchronization-{1BF35C0D-7D42-4398-A0DA-086795D423B3}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 13:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-362288127-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-299502267-362288127-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:b0,39,7d,55,59,13,93,e4,6a,fc,5c,06,66,37,c2,b3,62,e9,2a,30,a4,
3c,53,2c,fa,f5,58,21,4b,d3,fb,cc,77,17,31,33,4c,cb,3d,eb,c8,df,75,fd,80,11,\
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1012)
c:\program files\SpywareDetector\SDNotify.dll

- - - - - - - > 'lsass.exe'(1068)
c:\windows\system32\nvLsp.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-15 18:00
ComboFix2.txt 2009-04-15 17:55
ComboFix3.txt 2009-04-13 19:51

Pre-Run: 15,705,964,544 bytes free
Post-Run: 15,686,557,696 bytes free

204 --- E O F --- 2009-04-14 12:33


Thanks once again for providing this service. Please keep up the good work!

Edited by Phyll_durt, 14 April 2009 - 01:20 PM.


#3 Phyll_durt

Phyll_durt
  • Topic Starter

  • Members
  • 14 posts

Posted 16 April 2009 - 07:19 AM

Well.. I installed SP3 for Windows. I reran the processes instructed in the previous post and everything seems to be fine. So far...

So I am going to presume that the problem is solved yet once again.

Thanks to this site. Keep up the good work!

PS: You wouldn't happen to have any money tree seeds, would you?

#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 21 April 2009 - 05:55 PM

Thanks for informing us.
Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



