TROUBLE with: Computer Management & System Config


  • This topic is locked
16 replies to this topic

#1 SoraLaine

  • Members
  • 13 posts
  • Location:Philippines

Posted 24 April 2009 - 10:54 PM

I really need help here. When I click on those two tools, it doesn't respond. The last time I was able to open those 2 was before I installed the download manager program and VistaGlazz. I'm running OS Vista x32. I apologize for not being able to follow the instructions here beforehand. Sowee mod! So there. I hope I'm correct this time. Thank you in advance!

DDS (Ver_09-03-16.01) - NTFSx86
Run by My Computer at 11:44:39.73 on Sat 04/25/2009
Internet Explorer: 7.0.6000.16386
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1013.229 [GMT 8:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
FW: Kaspersky Anti-Virus *disabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Windows\system32\Dwm.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
C:\WINDOWS\Media\rndll32.pif
C:\Windows\ehome\ehtray.exe
"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
D:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\Windows\system32\igfxsrvc.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\Windows\ehome\ehmsas.exe
C:\WINDOWS\pchealth\Global.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Windows\system32\svchost.exe -k SDRSVC
D:\Program Files\Winamp\winamp.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
D:\^SoraLaine^\^TEMP^\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [PC Suite Tray] "d:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRunOnce: [<NO NAME>] c:\windows\system32\dllcache\Default.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [<NO NAME>] c:\windows\system\KEYBOARD.exe
mRunOnce: [<NO NAME>] c:\windows\system32\dllcache\Default.exe
mExplorerRun: [sys] c:\windows\fonts\Fonts.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 6.0\scieplugin.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {E0F70736-F4AC-4F05-A26E-E02DE53DFC5E} = 203.131.75.67 210.14.16.5
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0\r3hook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\mycomp~1\appdata\roaming\mozilla\firefox\profiles\5aoqcaw3.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: d:\program files\free download manager\firefox\extension\components\vmsfdmff.dll

============= SERVICES / DRIVERS ===============

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2007-1-26 20760]
R3 Winacusb;Winacusb;c:\windows\system32\drivers\winacusb.sys [2008-11-1 956552]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
S3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2006-11-2 10752]

============== File Associations ===============

regfile=c:\windows\pchealth\Global.exe

=============== Created Last 30 ================

2009-04-25 02:36 <DIR> --d----- c:\users\mycomp~1\appdata\roaming\Software Informer
2009-04-25 01:31 <DIR> --d----- c:\program files\Software Informer
2009-04-25 01:31 <DIR> --d----- c:\users\mycomp~1\appdata\roaming\Free Download Manager
2009-04-24 14:42 225,280 a--shr-- C:\MS-DOS.com
2009-04-24 14:42 118 a--shr-- C:\autorun.inf
2009-04-24 14:42 163,840 a------- c:\windows\system32\dllcache\tskmgr.exe
2009-04-24 14:41 225,280 a--shr-- c:\windows\system32\regedit.exe
2009-04-24 14:41 225,280 a--shr-- c:\windows\system32\drivers\drivers.cab.exe
2009-04-24 14:41 225,280 a--shr-- c:\windows\system32\dllcache\svchost.exe
2009-04-24 14:41 225,280 a--shr-- c:\windows\system32\dllcache\Global.exe
2009-04-24 14:41 225,280 a--shr-- c:\windows\system32\dllcache\Default.exe
2009-04-24 14:41 225,280 a--shr-- c:\windows\system\KEYBOARD.exe
2009-04-24 14:41 118 a--shr-- c:\windows\system32\dllcache\autorun.inf
2009-04-24 14:41 <DIR> --dsh--- c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
2009-04-24 14:41 <DIR> --dsh--- c:\windows\system32\dllcache
2009-04-18 00:48 <DIR> --d----- c:\users\mycomp~1\appdata\roaming\Aveyond II
2009-04-18 00:11 <DIR> --d----- c:\users\mycomp~1\appdata\roaming\Shape games
2009-04-17 22:40 <DIR> --d----- c:\users\mycomp~1\appdata\roaming\Intenium
2009-04-16 15:27 <DIR> --d----- c:\users\mycomp~1\appdata\roaming\EleFun Games
2009-04-16 15:16 <DIR> --d----- c:\users\mycomp~1\appdata\roaming\Aveyond I

==================== Find3M ====================

2009-04-25 09:58 44,045,600 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-25 09:58 603,728 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-24 18:09 86,016 a------- c:\windows\inf\infstrng.dat
2009-04-24 18:09 51,200 a------- c:\windows\inf\infpub.dat
2009-04-24 14:42 4,356 ---shr-- c:\windows\cursors\Boom.vbs
2009-03-11 14:07 2,100 a------- c:\windows\ladydata.dat
2009-03-02 11:02 225,280 a--shr-- c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\system.exe
2009-03-02 11:02 225,280 a--shr-- c:\windows\pchealth\Global.exe
2009-03-02 11:02 225,280 a--shr-- c:\windows\media\rndll32.pif
2009-03-02 11:02 225,280 a--shr-- c:\windows\fonts\tskmgr.exe
2009-03-02 11:02 225,280 a--shr-- c:\windows\fonts\Fonts.exe
2009-03-02 11:02 225,280 ---shr-- c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\Global.exe
2009-03-02 11:02 225,280 ---s-r-- c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\svchost.exe
2009-02-23 00:32 2,368 a------- c:\windows\system32\STEC3.sys
2009-01-29 10:29 64,512 a---h--- c:\users\mycomp~1\appdata\roaming\dach100.dll
2008-12-04 12:18 665,600 a------- c:\windows\inf\drvindex.dat
2008-12-04 12:18 86,016 a------- c:\windows\inf\infstor.dat
2006-11-02 20:49 174 a--sh--- c:\program files\desktop.ini
2006-11-02 20:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 20:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 20:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 20:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-01-19 10:48 16,384 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-01-19 10:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-01-19 10:48 16,384 a--sh--- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat
2008-11-01 12:42 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-11-01 12:42 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-11-01 12:42 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 11:46:25.28 ===============

#2 SoraLaine


Posted 25 April 2009 - 01:35 AM

I just discovered lately that the following Administrative tools are also inaccessible: :thumbup2:

Event viewer, Local Security Policy, Print Management, Reliability and Performance Monitor, Services, Task Scheduler, and Windows Firewall with Advanced Security

Edited by SoraLaine, 25 April 2009 - 01:35 AM.


#3 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 25 April 2009 - 02:25 PM

Hello.

You have an Autorun/flash-drive infection here and more. We will start off with Combofix and flash-drive disinfector.

Install Recovery Console and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Please download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
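The indicators extremeboy is reading off the DDS log above (autorun.inf at drive roots, the Recycler.{GUID} folder under dllcache, the run of 225,280-byte hidden/system/read-only executables dropped under names like svchost.exe, regedit.exe and Fonts.exe) can be turned into a small triage script. The Python below is an added example written for this page, not a BleepingComputer, DDS or ComboFix tool: it parses DDS-style "Created Last 30" / "Find3M" lines, the sample input is copied from the log posted in this thread with a few clean entries from the same log for contrast, and the rule names and thresholds are the example's own. The rules are heuristics; a hit means "look at this", not "delete this".

```python
import re
from collections import defaultdict

# Constructed input: file-listing lines copied from the DDS log posted in this
# thread, plus a few clean entries from the same log so the rules have misses too.
SAMPLE_DDS_LINES = r"""
2009-04-24 14:42 225,280 a--shr-- C:\MS-DOS.com
2009-04-24 14:42 118 a--shr-- C:\autorun.inf
2009-04-24 14:42 163,840 a------- c:\windows\system32\dllcache\tskmgr.exe
2009-04-24 14:41 225,280 a--shr-- c:\windows\system32\regedit.exe
2009-04-24 14:41 225,280 a--shr-- c:\windows\system32\drivers\drivers.cab.exe
2009-04-24 14:41 225,280 a--shr-- c:\windows\system32\dllcache\svchost.exe
2009-04-24 14:41 225,280 a--shr-- c:\windows\system\KEYBOARD.exe
2009-04-24 14:41 118 a--shr-- c:\windows\system32\dllcache\autorun.inf
2009-04-24 14:41 <DIR> --dsh--- c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
2009-04-18 00:48 <DIR> --d----- c:\users\mycomp~1\appdata\roaming\Aveyond II
2009-04-24 14:42 4,356 ---shr-- c:\windows\cursors\Boom.vbs
2009-03-02 11:02 225,280 a--shr-- c:\windows\media\rndll32.pif
2009-03-02 11:02 225,280 a--shr-- c:\windows\fonts\Fonts.exe
2009-02-23 00:32 2,368 a------- c:\windows\system32\STEC3.sys
2006-11-02 20:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
"""

# DDS "Created Last 30" / "Find3M" line: date time size-or-<DIR> attrs path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$"
)

# Extensions that Windows runs directly or via the script host.
EXEC_EXTS = {".exe", ".com", ".pif", ".scr", ".vbs", ".bat", ".cmd"}

# Directories that hold no executables on a healthy install. dllcache is the
# Windows File Protection cache of 2000/XP; Vista (this log) does not use it.
ODD_DIRS = ("\\fonts\\", "\\cursors\\", "\\media\\", "\\pchealth\\", "\\dllcache\\")


def parse_dds(text):
    """Yield (size_or_None, attrs, path) for every file-listing line in text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size = None if m.group(3) == "<DIR>" else int(m.group(3).replace(",", ""))
            yield size, m.group(4), m.group(5)


def _name_and_ext(path):
    """Lower-cased basename and its extension (empty string if none)."""
    name = path.lower().rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return name, ext


def analyze_dds(text, cluster_min=3):
    """Return {path: [rule, ...]} for every entry that trips at least one rule."""
    entries = list(parse_dds(text))
    findings = defaultdict(list)
    names_by_size = defaultdict(set)  # size -> distinct executable names of that size

    for size, attrs, path in entries:
        low = path.lower()
        name, ext = _name_and_ext(path)
        is_exec = ext in EXEC_EXTS
        if name == "autorun.inf":
            findings[path].append("autorun.inf")
        # Genuine system binaries are not hidden+system; a worm sets both to stay out of sight.
        if is_exec and "s" in attrs and "h" in attrs:
            findings[path].append("hidden-system-executable")
        if is_exec and any(d in low for d in ODD_DIRS):
            findings[path].append("executable-in-unusual-dir")
        # The real recycle bin lives at the drive root (X:\RECYCLER or X:\$Recycle.Bin),
        # never as Recycler.{GUID} under a system directory.
        if re.search(r"\\recycler\.\{", low):
            findings[path].append("recycler-lookalike")
        if is_exec and size is not None:
            names_by_size[size].add(name)

    # One binary dropped under many names shows up as several distinct
    # executables of exactly the same size.
    for size, _attrs, path in entries:
        _name, ext = _name_and_ext(path)
        if ext in EXEC_EXTS and len(names_by_size.get(size, ())) >= cluster_min:
            findings[path].append("same-size-cluster")

    return dict(findings)


if __name__ == "__main__":
    for path, rules in analyze_dds(SAMPLE_DDS_LINES).items():
        print(f"{path}\n    {', '.join(rules)}")
```

Run against the sample, the script flags every file ComboFix later removed in post #6 and none of the clean entries; on a log from a different machine, expect the unusual-directory and same-size rules to need tuning, since legitimate installers occasionally drop helper executables in odd places.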

#4 SoraLaine


Posted 27 April 2009 - 08:04 PM

Dear sir extremeboy,

I did exactly what you told me. After following your generous advice, I am able to access System Configuration only. The other tools I mentioned before (Event Viewer, Local Security Policy, Print Management, Reliability and Performance Monitor, Services, Task Scheduler, Windows Firewall with Advanced Security and Computer Management): when clicked, an Open With window appears.

I sincerely thank you for the advice earlier. Now, I have to humbly ask again for your help. I'd really appreciate it. Bless your soul, man! Hoping to hear from you. :thumbup2:

#5 extremeboy


Posted 27 April 2009 - 08:11 PM

Hello.

Yes, we are not done, so some other things may not work. I need to see the Combofix report please...

With Regards,
Extremeboy

#6 SoraLaine


Posted 27 April 2009 - 08:34 PM

Here it is sir: (thank you :thumbup2: )


ComboFix 09-04-25.A3 - My Computer 04/26/2009 19:55.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1013.299 [GMT 8:00]
Running from: d:\downloads\Software\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\MS-DOS.com
c:\windows\Cursors\Boom.vbs
c:\windows\Fonts\fonts.exe
c:\windows\Fonts\tskmgr.exe
c:\windows\Fonts\wav.wav
c:\windows\Help\Microsoft.hlp
c:\windows\Media\rndll32.pif
c:\windows\pchealth\Global.exe
c:\windows\system\KEYBOARD.exe
c:\windows\system32\dllcache\autorun.inf
c:\windows\system32\dllcache\Default.exe
c:\windows\system32\dllcache\Global.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
c:\windows\system32\dllcache\tskmgr.exe
c:\windows\system32\drivers\drivers.cab.exe
c:\windows\system32\mpxa.exe
c:\windows\system32\regedit.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-25 11:17 . 2009-04-25 11:17 64512 ---ha-w c:\users\My Computer\AppData\Roaming\dach100.dll
2009-04-24 18:36 . 2009-04-24 18:36 -------- d-----w c:\users\My Computer\AppData\Roaming\Software Informer
2009-04-24 17:31 . 2009-04-24 17:31 -------- d-----w c:\program files\Software Informer
2009-04-24 17:31 . 2009-04-25 01:19 -------- d-----w c:\users\My Computer\AppData\Roaming\Free Download Manager
2009-04-24 06:41 . 2009-04-26 11:55 -------- d-sh--w c:\windows\system32\dllcache
2009-04-24 06:41 . 2009-03-02 03:02 225280 --sha-r c:\windows\system32\dllcache\svchost.exe
2009-04-17 17:03 . 2009-04-17 17:03 -------- d-----w c:\users\My Computer\AppData\Local\AlwaysNeat
2009-04-17 16:48 . 2009-04-17 16:50 -------- d-----w c:\users\My Computer\AppData\Roaming\Aveyond II
2009-04-17 16:11 . 2009-04-17 16:11 -------- d-----w c:\users\My Computer\AppData\Roaming\Shape games
2009-04-17 14:40 . 2009-04-17 14:40 -------- d-----w c:\users\My Computer\AppData\Roaming\Intenium
2009-04-16 07:27 . 2009-04-16 07:27 -------- d-----w c:\users\My Computer\AppData\Roaming\EleFun Games
2009-04-16 07:16 . 2009-04-16 07:20 -------- d-----w c:\users\My Computer\AppData\Roaming\Aveyond I

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 11:59 . 2008-10-27 22:05 44550944 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-26 03:31 . 2008-10-27 22:05 610280 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-25 09:40 . 2009-01-10 03:46 918045 ---ha-w C:\DH Temp.tmp
2009-04-25 04:47 . 2008-10-27 21:27 198064 ----a-w c:\users\My Computer\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-25 01:21 . 2008-11-03 11:18 -------- d-----w c:\users\My Computer\AppData\Roaming\Winamp
2009-04-24 10:09 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstrng.dat
2009-04-24 10:09 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-23 04:38 . 2008-11-24 07:37 -------- d-----w c:\users\My Computer\AppData\Roaming\BitTorrent
2009-04-19 11:18 . 2009-01-19 02:48 -------- d-----w c:\users\Luli\AppData\Roaming\PC Suite
2009-04-17 14:47 . 2008-11-01 10:57 -------- d-----w c:\users\My Computer\AppData\Roaming\PlayFirst
2009-04-17 14:47 . 2008-11-01 10:57 -------- d-----w c:\programdata\PlayFirst
2009-04-16 07:56 . 2008-11-27 05:05 -------- d-----w c:\programdata\Yahoo!
2009-04-12 14:32 . 2009-01-19 04:25 -------- d-----w c:\users\Luli\AppData\Roaming\Nokia
2009-04-12 13:46 . 2009-01-19 02:49 198064 ----a-w c:\users\Luli\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-03 12:48 . 2008-11-18 11:35 -------- d-----w c:\users\My Computer\AppData\Roaming\ForgottenRiddles2
2009-03-25 17:19 . 2009-03-25 17:19 -------- d-----w c:\users\My Computer\AppData\Roaming\dvdcss
2009-03-16 06:08 . 2008-11-10 07:16 -------- d-----w c:\users\My Computer\AppData\Roaming\FileZilla
2009-03-11 06:07 . 2009-03-11 06:06 2100 ----a-w c:\windows\ladydata.dat
2009-03-09 08:20 . 2009-03-09 08:20 -------- d-----w c:\programdata\Zylom
2009-02-22 16:32 . 2009-02-22 16:32 2368 ----a-w c:\windows\System32\STEC3.sys
2009-01-17 04:45 . 2009-01-17 04:38 198064 ----a-w c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2008-10-27 21:33 . 2008-10-27 21:26 680 ----a-w c:\users\My Computer\AppData\Local\d3d9caps.dat
2006-11-02 12:49 . 2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
2009-01-19 02:48 . 2006-11-02 13:00 16384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2009-01-19 02:48 . 2006-11-02 13:00 32768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2009-01-19 02:48 . 2006-11-02 13:00 16384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"PC Suite Tray"="d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-19 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-19 129560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"MSConfig"="c:\windows\System32\msconfig.exe" [2006-11-02 222208]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-02-13 4915200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\I:\0autocheck autochk *

[HKLM\~\startupfolder\C:^Users^My Computer^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\My Computer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6B26DCFF-1474-49E1-B39E-31A58E61E14F}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{0BEB03C8-E517-478A-B074-B59157216353}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5347951C-EFFA-49C5-A229-0F0D417CE7F7}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B3769933-E632-45C5-8B07-3FF31A06E42E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{363B383A-3B96-417F-901C-86E937414570}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CB11D72D-4248-4099-9006-6801914A3BF9}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{B3F399DC-52EB-43F1-B088-AE230C99A51B}"= UDP:d:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{51357AB4-77BE-4AA2-89F8-9A7F59D41B29}"= TCP:d:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A782D121-86BE-46B3-BD14-D46F426CE0AC}"= UDP:d:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C2C2C230-44BB-43B5-8A39-FDF6CD2865D1}"= TCP:d:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{1C74EC3F-AE9C-484B-B5B1-210C67B24977}d:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:d:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{F04B5CC9-E511-4F56-A231-EDD9CD0EC4F2}d:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:d:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{85165889-8F3D-4C05-8C78-2C168D5C130F}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{AD0ABE6F-C4E7-4241-AC9C-589809A33B34}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{FE51C761-9D35-49B6-ADF5-CA5CCCAAB819}"= UDP:d:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{006106B2-A7F5-4258-8597-227A8F41331D}"= TCP:d:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"TCP Query User{B2A37F72-478A-43C6-A368-2C727B72E549}d:\\program files\\bittorrent\\bittorrent.exe"= UDP:d:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{14489F5F-3414-4F69-A1B7-09D9D02A6EE1}d:\\program files\\bittorrent\\bittorrent.exe"= TCP:d:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{6BF994FF-4786-48F3-ADDE-1017C6DDC4FA}c:\\program files\\dna\\btdna.exe"= UDP:c:\program files\dna\btdna.exe:DNA
"UDP Query User{EF087462-C7F3-4157-BD21-AE3446289C53}c:\\program files\\dna\\btdna.exe"= TCP:c:\program files\dna\btdna.exe:DNA
"{2161754D-6F4D-4313-83C5-9D4F1F5ECF71}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7915587B-9691-4466-A746-8C13895802D5}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{639FDD66-C159-4579-BB94-6BF908E796B5}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{4E1C22FE-8F63-44AF-9975-25049072F82A}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"d:\\Program Files\\BitTorrent\\bittorrent.exe"= d:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R2 NeroRegInCDSrv;Nero Registry InCD Service; [x]
R3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2006-11-02 10752]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2007-01-26 20760]
S3 Winacusb;Winacusb;c:\windows\system32\DRIVERS\winacusb.sys [2002-02-14 956552]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - 2fiji.com
\shell\explore\Command - 2fiji.com
\shell\open\Command - 2fiji.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46200a7e-a8c5-11dd-a819-001fd00d015f}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\MS-DOS.com
\shell\Explore\command - I:\MS-DOS.com
\shell\Open\command - I:\MS-DOS.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{789ffbe7-a9b3-11dd-a8b8-001fd00d015f}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\MS-DOS.com
\shell\Explore\command - H:\MS-DOS.com
\shell\Open\command - H:\MS-DOS.com

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-<NO NAME> - c:\windows\system32\dllcache\Default.exe
HKLM-RunOnce-<NO NAME> - c:\windows\system32\dllcache\Default.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\5aoqcaw3.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: d:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 19:59
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"d:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll

- - - - - - - > 'lsass.exe'(684)
c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll
.
Completion time: 2009-04-26 20:01
ComboFix-quarantined-files.txt 2009-04-26 12:01

Pre-Run: 47,707,099,136 bytes free
Post-Run: 47,528,386,560 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=19 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
230 --- E O F --- 2008-12-04 14:33
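The MountPoints2 blocks in the ComboFix log above (shell\AutoRun\command pointing at MS-DOS.com on H: and I:, and 2fiji.com on G:) are the trace Explorer keeps of a removable drive's autorun.inf, which is the reason the helper keeps asking about Flash-drive disinfector; the same log also shows EnableLUA=0 and Security Center told to stop monitoring Kaspersky. As an added example, not part of this thread and not ComboFix's or GMER's own code, the Python below pulls exactly those findings out of the text of a ComboFix "Reg Loading Points" section. The sample log is constructed for the example from lines in the shape of the posted one, and the function names are this example's own.

```python
"""Pick removable-drive autorun traces and switched-off protections out of a
ComboFix 'Reg Loading Points' section. Added example; not ComboFix code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape ComboFix prints; not a live scan.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - 2fiji.com
\shell\explore\Command - 2fiji.com
\shell\open\Command - 2fiji.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46200a7e-a8c5-11dd-a819-001fd00d015f}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\MS-DOS.com
\shell\Explore\command - I:\MS-DOS.com
\shell\Open\command - I:\MS-DOS.com

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
MP2_RE = re.compile(r"\\explorer\\mountpoints2\\(?P<volume>[^\]]+)$", re.IGNORECASE)
SHELL_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.+)$')


def parse_blocks(text: str) -> Dict[str, List[str]]:
    """Group the log into registry key -> its non-empty lines, in file order."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            blocks.setdefault(current, [])
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def mountpoint_autoruns(blocks: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Every (volume, verb, command) Explorer cached from a volume's autorun.inf.

    MountPoints2 is keyed by drive letter or volume GUID. A shell\\AutoRun\\command
    that launches an executable on a removable drive (H:\\MS-DOS.com) is the
    classic leftover of a USB-spreading worm and deserves a look even after the
    drive itself has been cleaned."""
    hits: List[Tuple[str, str, str]] = []
    for key, lines in blocks.items():
        m = MP2_RE.search(key)
        if not m:
            continue
        for line in lines:
            s = SHELL_RE.match(line)
            if s:
                hits.append((m.group("volume"), s.group("verb"), s.group("cmd")))
    return hits


def _as_int(val: str) -> Optional[int]:
    """Read ComboFix's value renderings: 'dword:00000001' or '0 (0x0)'."""
    val = val.strip()
    if val.lower().startswith("dword:"):
        return int(val[len("dword:"):], 16)
    m = re.match(r"-?\d+", val)
    return int(m.group()) if m else None


def weakened_defences(blocks: Dict[str, List[str]]) -> List[str]:
    """Flag registry values that turn Windows protections off."""
    findings: List[str] = []
    for key, lines in blocks.items():
        for line in lines:
            v = VALUE_RE.match(line)
            if not v:
                continue
            name, num = v.group("name").lower(), _as_int(v.group("val"))
            if name == "enablelua" and num == 0:
                findings.append("UAC disabled: EnableLUA=0 under " + key)
            if name == "disablemonitoring" and num == 1:
                product = key.rsplit("\\", 1)[-1]
                findings.append(f"Security Center told not to monitor {product}")
    return findings


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_LOG)
    for volume, verb, cmd in mountpoint_autoruns(parsed):
        print(f"MountPoints2 {volume}: {verb} -> {cmd}")
    for finding in weakened_defences(parsed):
        print("WARN", finding)
```

Feed it a real ComboFix log by replacing SAMPLE_LOG with the file's contents; the parser only looks at bracketed key lines and the lines under them, so the rest of the log is ignored. A hit under a volume GUID rather than a drive letter means the drive is not currently connected, which is why the stale entries survive a Flash-drive disinfector run and have to be removed from the registry separately.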

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:19 PM

Posted 27 April 2009 - 08:49 PM

Hello.

ComboFix is outdated. Please delete the ComboFix.exe you have right now, re-download it from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3

Double click it to run it like last time. Follow any prompts and post the log once it's done.

Question for you:
Did you run Flash-drive disinfector as requested in my previous post? If not, please do so now.

2nd Question for you:
Do you still have your Windows Vista disk available? We may need it later.

Please run GMER now.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
    Alternate Download Site 3
  • Unzip/extract the file to its own folder. Right-Click and select Extract All...
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will now start extracting.
  • Once it is done, check (tick) the Show extracted files box and click Finish
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Right click on gmer.exe and select Run as administrator to run it. It will start running a scan.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If you receive no notice, click on the Scan button near the bottom.

  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running

Getting VERY late for me, so I'm heading off to bed now. I'll hear from you soon once I get back from "work" tomorrow.

Post back with:
-Combofix log
-Answers to my questions.
-GMER log

With Regards,
Extremeboy

Edited by extremeboy, 27 April 2009 - 08:50 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you are welcome to.

#8 SoraLaine

SoraLaine
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Location:Philippines
  • Local time:06:19 PM

Posted 28 April 2009 - 05:34 AM

Sorry if my timing wasn't right. I forgot about the time difference. My apologies.

Answers:
1. After downloading it, I double-clicked it, but no window whatsoever appeared. It didn't seem to respond.
2. I don't have my Vista disk. :)

Combofix log

ComboFix 09-04-27.03 - My Computer 04/28/2009 15:53.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1013.362 [GMT 8:00]
Running from: d:\^soralaine^\^TEMP^\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-25 11:17 . 2009-04-25 11:17 64512 ---ha-w c:\users\My Computer\AppData\Roaming\dach100.dll
2009-04-24 18:36 . 2009-04-24 18:36 -------- d-----w c:\users\My Computer\AppData\Roaming\Software Informer
2009-04-24 17:31 . 2009-04-24 17:31 -------- d-----w c:\program files\Software Informer
2009-04-24 17:31 . 2009-04-25 01:19 -------- d-----w c:\users\My Computer\AppData\Roaming\Free Download Manager
2009-04-24 06:41 . 2009-03-02 03:02 225280 --sha-r c:\windows\system32\dllcache\svchost.exe
2009-04-24 06:41 . 2009-04-26 11:55 -------- d-sh--w c:\windows\system32\dllcache
2009-04-17 17:03 . 2009-04-17 17:03 -------- d-----w c:\users\My Computer\AppData\Local\AlwaysNeat
2009-04-17 16:48 . 2009-04-17 16:50 -------- d-----w c:\users\My Computer\AppData\Roaming\Aveyond II
2009-04-17 16:11 . 2009-04-17 16:11 -------- d-----w c:\users\My Computer\AppData\Roaming\Shape games
2009-04-17 14:40 . 2009-04-17 14:40 -------- d-----w c:\users\My Computer\AppData\Roaming\Intenium
2009-04-16 07:27 . 2009-04-16 07:27 -------- d-----w c:\users\My Computer\AppData\Roaming\EleFun Games
2009-04-16 07:16 . 2009-04-16 07:20 -------- d-----w c:\users\My Computer\AppData\Roaming\Aveyond I

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 07:56 . 2008-10-27 22:05 44929056 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-28 06:18 . 2008-10-27 22:05 614984 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-25 11:17 . 2009-01-06 06:20 337 ---ha-w c:\windows\winshell.dat
2009-04-25 11:17 . 2001-10-17 09:09 66 ----a-w c:\windows\anticrash.dat
2009-04-25 09:40 . 2009-01-10 03:46 918045 ---ha-w C:\DH Temp.tmp
2009-04-25 04:47 . 2008-10-27 21:27 198064 ----a-w c:\users\My Computer\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-24 10:09 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat
2009-04-24 10:09 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-12 13:46 . 2009-01-19 02:49 198064 ----a-w c:\users\Luli\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-11 06:07 . 2009-03-11 06:06 2100 ----a-w c:\windows\ladydata.dat
2009-02-22 16:32 . 2009-02-22 16:32 2368 ----a-w c:\windows\system32\STEC3.sys
2006-11-02 12:49 . 2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-04-26_11.59.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-27 21:35 . 2009-04-28 06:23 43704 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:03 . 2009-04-28 06:23 70730 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-10-27 21:28 . 2009-04-28 06:23 12674 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1856034963-148099359-468817448-1000_UserData.bin
- 2008-10-27 21:28 . 2009-04-26 11:15 12674 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1856034963-148099359-468817448-1000_UserData.bin
- 2009-04-26 11:01 . 2009-04-26 11:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-28 06:19 . 2009-04-28 06:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-04-26 11:01 . 2009-04-26 11:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-04-28 06:19 . 2009-04-28 06:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-11-04 09:58 . 2009-04-24 18:12 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-11-04 09:58 . 2009-04-28 00:55 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-11-04 10:02 . 2009-04-28 00:55 262144 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-11-04 10:02 . 2009-04-23 01:08 262144 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-11-04 09:58 . 2009-04-28 00:55 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-11-04 09:58 . 2009-04-23 01:08 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"PC Suite Tray"="d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-19 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-19 129560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-02-13 4915200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\I:\0autocheck autochk *

[HKLM\~\startupfolder\C:^Users^My Computer^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\My Computer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6B26DCFF-1474-49E1-B39E-31A58E61E14F}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{0BEB03C8-E517-478A-B074-B59157216353}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5347951C-EFFA-49C5-A229-0F0D417CE7F7}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B3769933-E632-45C5-8B07-3FF31A06E42E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{363B383A-3B96-417F-901C-86E937414570}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CB11D72D-4248-4099-9006-6801914A3BF9}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{B3F399DC-52EB-43F1-B088-AE230C99A51B}"= UDP:d:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{51357AB4-77BE-4AA2-89F8-9A7F59D41B29}"= TCP:d:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A782D121-86BE-46B3-BD14-D46F426CE0AC}"= UDP:d:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C2C2C230-44BB-43B5-8A39-FDF6CD2865D1}"= TCP:d:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{1C74EC3F-AE9C-484B-B5B1-210C67B24977}d:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:d:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{F04B5CC9-E511-4F56-A231-EDD9CD0EC4F2}d:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:d:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{85165889-8F3D-4C05-8C78-2C168D5C130F}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{AD0ABE6F-C4E7-4241-AC9C-589809A33B34}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{FE51C761-9D35-49B6-ADF5-CA5CCCAAB819}"= UDP:d:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{006106B2-A7F5-4258-8597-227A8F41331D}"= TCP:d:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"TCP Query User{B2A37F72-478A-43C6-A368-2C727B72E549}d:\\program files\\bittorrent\\bittorrent.exe"= UDP:d:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{14489F5F-3414-4F69-A1B7-09D9D02A6EE1}d:\\program files\\bittorrent\\bittorrent.exe"= TCP:d:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{6BF994FF-4786-48F3-ADDE-1017C6DDC4FA}c:\\program files\\dna\\btdna.exe"= UDP:c:\program files\dna\btdna.exe:DNA
"UDP Query User{EF087462-C7F3-4157-BD21-AE3446289C53}c:\\program files\\dna\\btdna.exe"= TCP:c:\program files\dna\btdna.exe:DNA
"{2161754D-6F4D-4313-83C5-9D4F1F5ECF71}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7915587B-9691-4466-A746-8C13895802D5}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{639FDD66-C159-4579-BB94-6BF908E796B5}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{4E1C22FE-8F63-44AF-9975-25049072F82A}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"d:\\Program Files\\BitTorrent\\bittorrent.exe"= d:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R2 NeroRegInCDSrv;Nero Registry InCD Service; [x]
R3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2006-11-02 10752]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2007-01-26 20760]
S3 Winacusb;Winacusb;c:\windows\system32\DRIVERS\winacusb.sys [2002-02-14 956552]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - 2fiji.com
\shell\explore\Command - 2fiji.com
\shell\open\Command - 2fiji.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46200a7e-a8c5-11dd-a819-001fd00d015f}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\MS-DOS.com
\shell\Explore\command - I:\MS-DOS.com
\shell\Open\command - I:\MS-DOS.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{789ffbe7-a9b3-11dd-a8b8-001fd00d015f}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL H:\MS-DOS.com
\shell\Explore\command - H:\MS-DOS.com
\shell\Open\command - H:\MS-DOS.com

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\5aoqcaw3.default\
FF - prefs.js: browser.startup.homepage - google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 15:57
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe,-101"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001

[HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10a.exe"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10a.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\Flash10a.ocx, 1"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_USERS\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"

[HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_USERS\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_USERS\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_USERS\SOFTWARE\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

[HKEY_USERS\SOFTWARE\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"

[HKEY_USERS\SOFTWARE\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)

[HKEY_USERS\SOFTWARE\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"

[HKEY_USERS\SOFTWARE\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)

[HKEY_USERS\SOFTWARE\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet019\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_USERS\SYSTEM\ControlSet019\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet019\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet019\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet019\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet019\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\SYSTEM\ControlSet019\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1168)
d:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
d:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
d:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
d:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
Completion time: 2009-04-28 16:00
ComboFix-quarantined-files.txt 2009-04-28 08:00
ComboFix2.txt 2009-04-26 12:01

Pre-Run: 46,507,413,504 bytes free
Post-Run: 46,256,918,528 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=19 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
315 --- E O F --- 2008-12-04 14:33


GMER log
I did what you told me, but I got a bit confused, so I produced two logs. The first is from right after "Run as administrator"; for the second I scanned my C: and D: drives, just to be sure.

FIRST
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-28 16:54:18
Windows 6.0.6000


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84CFC1F8

AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Threads - GMER 1.0.15 ----

Thread System [4:388] 8C7DF6F0
Thread System [4:396] 8C7DF6F0
Thread System [4:400] 8C99AEB0
Thread System [4:404] 8C99AEB0
Thread System [4:408] 8C99AEB0

---- EOF - GMER 1.0.15 ----


SECOND
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-28 17:44:23
Windows 6.0.6000


---- System - GMER 1.0.15 ----

INT 0x52 ? 85903F00
INT 0x62 ? 85903F00
INT 0x72 ? 83F3FBF8
INT 0x82 ? 83F3FBF8
INT 0xA2 ? 85903F00
INT 0xB3 ? 85903F00

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\sprt.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8A272ACF 5 Bytes JMP 859034E0
.text a8h8s85s.SYS 8AAC9000 22 Bytes [8E, 71, FA, 82, 78, 70, FA, ...]
.text a8h8s85s.SYS 8AAC9017 74 Bytes [00, 99, 07, 48, 80, A4, 05, ...]
.text a8h8s85s.SYS 8AAC9062 84 Bytes [C8, 82, 58, 68, C5, 82, 8C, ...]
.text a8h8s85s.SYS 8AAC90B7 22 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a8h8s85s.SYS 8AAC90CE 80 Bytes [00, 00, 27, 00, 00, 00, E0, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [807056D2] \SystemRoot\System32\Drivers\sprt.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80705040] \SystemRoot\System32\Drivers\sprt.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [807057FC] \SystemRoot\System32\Drivers\sprt.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [807050BE] \SystemRoot\System32\Drivers\sprt.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8070513C] \SystemRoot\System32\Drivers\sprt.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [80714D92] \SystemRoot\System32\Drivers\sprt.sys
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortNotification] F73BFF33
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortWritePortUchar] B85F0B75
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortWritePortUlong] FFFFFFFE
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 08C25D5E
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 5D8B5300
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortGetScatterGatherList] 74DF3B0C
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortReadPortUchar] 01FB8311
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortStallExecution] 5F5B0C74
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortGetParentBusType] FFFFFEB8
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortRequestCallback] C25D5EFF
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 7E390008
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortGetUnCachedExtension] C7077524
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortCompleteRequest] 71642446
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 7E398AAD
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] C7077528
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortMoveMemory] 71902846
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortReadPortUshort] 468B8AAD
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 244E8B2C
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7468016A
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortInitialize] 500000FA
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortGetDeviceBase] C73BD1FF
IAT \SystemRoot\System32\Drivers\a8h8s85s.SYS[ataport.SYS!AtaPortDeviceStateChange] 5F5B0C75

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84CFC1F8
Device \FileSystem\udfs \UdfsCdRom 8C7C7500
Device \FileSystem\udfs \UdfsDisk 8C7C7500
Device \Driver\volmgr \Device\VolMgrControl 83F411F8
Device \Driver\usbuhci \Device\USBPDO-0 859F31F8
Device \Driver\usbuhci \Device\USBPDO-1 859F31F8
Device \Driver\usbuhci \Device\USBPDO-2 859F31F8
Device \Driver\usbuhci \Device\USBPDO-3 859F31F8
Device \Driver\usbehci \Device\USBPDO-4 859F7500

AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\volmgr \Device\HarddiskVolume1 83F411F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 83F411F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 85A9F500
Device \Driver\cdrom \Device\CdRom1 85A9F500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84CFB1F8
Device \Driver\atapi \Device\Ide\IdePort0 84CFB1F8
Device \Driver\atapi \Device\Ide\IdePort1 84CFB1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-3 84CFB1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 8C749500
Device \Driver\PCI_PNP2984 \Device\0000004a sprt.sys
Device \Driver\Smb \Device\NetbiosSmb 8C76E1F8
Device \Driver\iScsiPrt \Device\RaidPort0 85A321F8

AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\sptd \Device\1533674991 sprt.sys
Device \Driver\usbuhci \Device\USBFDO-0 859F31F8
Device \Driver\usbuhci \Device\USBFDO-1 859F31F8
Device \Driver\netbt \Device\NetBT_Tcpip_{10C5B427-EFF8-4D99-A033-A0D4C249CE23} 8C749500
Device \Driver\usbuhci \Device\USBFDO-2 859F31F8
Device \Driver\usbuhci \Device\USBFDO-3 859F31F8
Device \Driver\usbehci \Device\USBFDO-4 859F7500
Device \Driver\a8h8s85s \Device\Scsi\a8h8s85s1 85A33500
Device \Driver\a8h8s85s \Device\Scsi\a8h8s85s1Port3Path0Target0Lun0 85A33500
Device \FileSystem\cdfs \Cdfs 8C9551F8

---- Threads - GMER 1.0.15 ----

Thread System [4:388] 8C7DF6F0
Thread System [4:396] 8C7DF6F0
Thread System [4:400] 8C99AEB0
Thread System [4:404] 8C99AEB0
Thread System [4:408] 8C99AEB0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7C 0x6C 0x32 0x29 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9E 0x49 0xCA 0x2A ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x84 0xF0 0x6A 0x5B ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xE3 0x91 0xAC 0x04 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xCE 0xBF 0x66 0x95 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x30 0xE8 0xDC 0x24 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xCE 0xBF 0x66 0x95 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x30 0xE8 0xDC 0x24 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4A 0xCC 0xDD 0x14 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x30 0xE8 0xDC 0x24 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4A 0xCC 0xDD 0x14 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x30 0xE8 0xDC 0x24 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3A 0xCD 0xF4 0x4A ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0x2A 0x00 0x5D ...
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3A 0xCD 0xF4 0x4A ...
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0x2A 0x00 0x5D ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3A 0xCD 0xF4 0x4A ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0x2A 0x00 0x5D ...
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x94 0x94 0x4C 0x28 ...
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0x2A 0x00 0x5D ...
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x51 0xBE 0xC9 0xF0 ...
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0x2A 0x00 0x5D ...
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x51 0xBE 0xC9 0xF0 ...
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0x2A 0x00 0x5D ...
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x51 0xBE 0xC9 0xF0 ...
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9C 0x2A 0x00 0x5D ...
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x07 0xB9 0x43 ...
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet017\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x56 0x38 0x6C 0x1D ...
Reg HKLM\SYSTEM\ControlSet018\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet018\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet018\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet018\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x07 0xB9 0x43 ...
Reg HKLM\SYSTEM\ControlSet018\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet018\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet018\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet018\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet018\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x56 0x38 0x6C 0x1D ...
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7C 0x6C 0x32 0x29 ...
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x30 0x3F 0x24 0xC1 ...
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet019\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9E 0x49 0xCA 0x2A ...

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\LogFiles\Scm\SCM.EVM (size mismatch) 327680/294912 bytes
File C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 (size mismatch) 294912/196608 bytes

---- EOF - GMER 1.0.15 ----

Sincere thanks! :thumbup2:

#9 extremeboy (Malware Response Team)

Posted 28 April 2009 - 02:37 PM

Hello again.

First things first. I need to mention this to you in case I forget later on. If you have any other machines connected to this same network they may also be infected since you had an infection that was a WORM and a few other infections. One of the infections can do the following:

Connects to specified IRC servers and joins a channel to receive commands. The commands may include the following:


Scan for vulnerable computers
Download or upload files
List or end running processes
Steal cached passwords
Log keystrokes to steal information entered into windows with titles containing the following strings:


bank
login
e-bay
ebay
paypal

Start a local HTTP, FTP, or TFTP server
Search for files on the compromised computer
Capture screenshots, data from the clipboard, and footage from webcams
Visit URLs
Flush the DNS and ARP caches
Open a command shell on the compromised computer
Intercept packets on the local area network
Send net send messages

Please read the following and act accordingly.

One/more of the infection is a keylogger/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

A Keylogger program is a program that logs all the information you type into your keyboard. These are very dangerous and can give the bad guys your passwords as well. It would be in your best interest to consider any security codes that you use for banking or other business and personal reasons to be compromised. I am going to have you upload a file to determine if it is indeed a keylogger but even if it is not, the presence of the backdoor infections is cause for the actions that were talked about above.

Sorry if my timing wasn't right. I forgot about the time difference. My apologies.

No need to apologize. I just wanted to let you know in case you were wondering where I went.

After downloading it, I double clicked it but no window or whatsoever appeared. It didn't seem to respond.

You are using a Vista OS. Please right-click and Run as Administrator... and it should work this time. No log will be produced but just run it and let me know once it's done. It should only take 1 minute maximum, unless there is any other problem(s).

Running from: d:\^soralaine^\^TEMP^\ComboFix.exe

Please make sure Combofix.exe is on your desktop not anywhere else. Please delete Combofix.exe that you have currently. Re-download it and make sure you save it on your desktop this time.

Let me know once you have done those steps, and I will give you the next set of instructions in my next post hopefully :thumbup2:

With Regards,
Extremeboy

Edited by extremeboy, 28 April 2009 - 02:44 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 SoraLaine (Topic Starter, Location: Philippines)

Posted 29 April 2009 - 10:17 PM

First of all, I want to say thank you so much for the added information. I really appreciate every help coming from an expert like you. :thumbup2:

About what you wrote, thankfully I'm not connected with any other network. Only through the internet. And, I'm most thankful is that I'm not into those online banking and other serious transactions that can greatly affect my life. I'll keep in mind about the logins and emails. :step4: I just wish that reformatting is the last thing I'd ever do coz it's going to cause me soo much trouble.

First quote, I'm glad you're not mad at me or something. You see, this is my first time to humbly ask for online help and I'm not really familiar on how to make an approach to you guys. I know people like me cause added stress to your busy life, so I want to lessen the trouble by following your directions as correctly as possible and being able to express my sincere thank yous.

Second quote, I did run as admin but no window or whatsoever appeared :step1:

Third quote, is it okay if I copied that exact combofix.exe from my folder to Desktop? Is that the same? Sorry, I have a measly dial-up internet connection and can't download it again coz I'm saving my internet card. :step5:


Sincere thanks again dude! ^___^ :)

#11 extremeboy (Malware Response Team)

Posted 30 April 2009 - 07:51 PM

Hello SoraLaine. :thumbup2:

Sorry for the delay.

There's an area in the log that needs addressing so I will ask about it and once I receive an answer, then I'll give you the next set of instructions. In the meantime I suggest you avoid using the internet or surfing around the web too much. Better if you disconnect from the net. I probably won't reply until tomorrow, however if you want to check if I replied you can.

Thanks for understanding.

With Regards,
Extremeboy

#12 extremeboy (Malware Response Team)

Posted 01 May 2009 - 11:11 AM

Hello.

Thank you for being patient. Have been testing out a batch file I created, let's see if it works out..

Sorry, I have a measly dial-up internet connection and cant download it again coz I'm saving my internet card.

You HAVE to update Combofix for me... I know that you are on a budget, but we need to update Combofix NOW. Updates are very important since certain "bugs" or additional features are updated.

I need you to delete Combofix and re-download it, then follow the instructions below.

We need the internet connection to do certain steps and download and running tools or we can't fix everything.

Peer-to-Peer Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case UTorrent). These programs allow users to share files between them, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

This file: c:\windows\system32\dllcache\svchost.exe <- This one in theory is a legit program but right now it's a bad copy dropped by the infection. Let's see if we copy another copy over if there's a legit one on board.

Please PLUG in ALL flash-drives/removable drives you have into the infected computer right now. From what I saw from the logs there should be at least 2 flash-drives/removable drives that were infected.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/222125/trouble-with-computer-management-system-config/
    
    KillAll::
    
    Suspect::[68]
    c:\windows\system32\dllcache\svchost.exe
    File::
    H:\MS-DOS.com
    I:\MS-DOS.com
    RegLock::
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46200a7e-a8c5-11dd-a819-001fd00d015f}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{789ffbe7-a9b3-11dd-a8b8-001fd00d015f}]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
    "DFSR-1"=-
    Driver::
    NeroRegInCDSrv
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".
**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.
Let me know how it goes and if the upload went successfully or not in your next reply.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :file
    C:\windows\system32\svchost.exe
    :filefind 
    svchost.exe
  • Please confirm everything is copied and pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task


Run Attached Batch File

Make sure all your flash-drives/removable drives are plugged in at this time. Plug in all your removable drives like when you were going to run Combofix.

Please run the CAutorun.bat attached file below. Simply click the attached file and download it to your desktop.

Your removable drives should be plugged in now.

Right-click and select Run as Administrator.... Allow it to run when you get a security warning.

It should take less than 30 seconds to complete. Once it's done a notepad file called Log.txt should pop up and be created on your desktop. Please post the contents of that log in your next reply.

For your next reply I would like to see:
-Combofix log
-SystemLook Log
-Log.txt log

Thanks.

With Regards,
Extremeboy
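As an added example (not part of this thread, and not extremeboy's CAutorun.bat), here is a read-only triage of drive roots for the autorun.inf pattern the CFScript above targets: an autorun.inf at the root of a removable drive that launches a dropped file such as MS-DOS.com. The sample drive contents it builds in a temporary directory are constructed for the demonstration; the directive names and the MS-DOS.com file name are the only details taken from the thread.

```python
"""
Read-only autorun.inf triage.  Reports what AutoRun would launch from each
drive root; it deletes nothing, so it is safe to run before any cleanup.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# [autorun] directives that trigger automatic execution on Windows versions that
# still honour AutoRun for removable media (as the Vista build in this thread did).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Dropper name seen in this thread's ComboFix log (H:\MS-DOS.com, I:\MS-DOS.com).
KNOWN_DROPPER_NAMES = {"ms-dos.com"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Tolerant [autorun] parser: worm-written files are often padded with junk
    lines and mixed-case keys, so keep only key=value pairs inside [autorun]."""
    directives: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


@dataclass
class AutorunFinding:
    drive_root: str
    launch_targets: List[str] = field(default_factory=list)   # what AutoRun would start
    missing_targets: List[str] = field(default_factory=list)  # referenced but absent
    known_dropper: bool = False

    @property
    def suspicious(self) -> bool:
        # A root autorun.inf that only sets icon/label is normal for vendor media;
        # one that launches something is the pattern worth quarantining.
        return bool(self.launch_targets)


def triage_drive(drive_root: str) -> Optional[AutorunFinding]:
    """Return a finding for drive_root, or None when there is no autorun.inf."""
    inf_path = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return None
    with open(inf_path, "r", encoding="latin-1", errors="replace") as fh:
        directives = parse_autorun(fh.read())
    finding = AutorunFinding(drive_root=drive_root)
    for key in LAUNCH_KEYS:
        value = directives.get(key, "")
        if not value:
            continue
        target = value.split()[0].strip('"')            # drop arguments and quotes
        finding.launch_targets.append(target)
        relative = target.replace("\\", "/").lstrip("/")  # Windows path -> local path
        if not os.path.exists(os.path.join(drive_root, *relative.split("/"))):
            finding.missing_targets.append(target)
        if relative.rsplit("/", 1)[-1].lower() in KNOWN_DROPPER_NAMES:
            finding.known_dropper = True
    return finding


def build_sample_drives(base: str) -> Dict[str, str]:
    """Constructed sample data (not from the thread): an infected root mirroring
    the log's MS-DOS.com pattern, a benign vendor-style root, and a clean root."""
    roots = {name: os.path.join(base, name) for name in ("infected", "benign", "clean")}
    for path in roots.values():
        os.makedirs(path, exist_ok=True)
    with open(os.path.join(roots["infected"], "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n;padding\nOPEN=MS-DOS.com\n"
                 "shellexecute=\"MS-DOS.com\" /s\nicon=%SystemRoot%\\system32\\shell32.dll,4\n")
    with open(os.path.join(roots["infected"], "MS-DOS.com"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)                  # inert placeholder, not malware
    with open(os.path.join(roots["benign"], "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nicon=setup.exe,0\nlabel=Vendor Disc\n")
    return roots


def run_demo() -> Dict[str, Optional[AutorunFinding]]:
    """Build the sample drives in a temp dir, triage them, and return the results."""
    base = tempfile.mkdtemp(prefix="autorun-triage-")
    try:
        return {name: triage_drive(root) for name, root in build_sample_drives(base).items()}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, finding in run_demo().items():
        if finding is None:
            print(f"{name}: no autorun.inf")
        else:
            print(f"{name}: suspicious={finding.suspicious} launches={finding.launch_targets} "
                  f"missing={finding.missing_targets} known_dropper={finding.known_dropper}")
```

On a real machine, call triage_drive() on each removable drive letter instead of the constructed sample roots.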

#13 SoraLaine (Topic Starter, Location: Philippines)

Posted 04 May 2009 - 09:23 AM

Sorry for the very late reply.

Thank God all the tools worked! Thank you too! :thumbup2:

Combofix Log
ComboFix 09-05-03.3 - My Computer 05/04/2009 19:27.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1013.289 [GMT 8:00]
Running from: c:\users\My Computer\Desktop\ComboFix.exe
Command switches used :: c:\users\My Computer\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point

FILE ::
H:\MS-DOS.com
I:\MS-DOS.com

file zipped: c:\windows\System32\dllcache\Suspect_svchost.exe.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\MS-DOS.com
c:\windows\Cursors\Boom.vbs
c:\windows\Fonts\fonts.exe
c:\windows\Fonts\tskmgr.exe
c:\windows\Fonts\wav.wav
c:\windows\Help\Microsoft.hlp
c:\windows\Media\rndll32.pif
c:\windows\pchealth\Global.exe
c:\windows\system\KEYBOARD.exe
c:\windows\system32\dllcache\autorun.inf
c:\windows\system32\dllcache\Default.exe
c:\windows\system32\dllcache\Global.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
c:\windows\system32\dllcache\tskmgr.exe
c:\windows\system32\drivers\drivers.cab.exe
c:\windows\system32\regedit.exe
D:\Autorun.inf
H:\MS-DOS.com
I:\MS-DOS.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NeroRegInCDSrv


((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-05-04 11:24 . 2009-05-04 11:25 -------- d-----w C:\32788R22FWJFW
2009-05-02 10:57 . 2009-05-02 11:14 -------- d-----w c:\program files\Trend Micro
2009-05-02 06:44 . 2009-05-02 06:44 -------- d-----w c:\users\My Computer\AppData\Local\Trend Micro
2009-05-02 06:32 . 2009-05-02 10:59 -------- d-----w c:\programdata\Trend Micro
2009-05-02 06:32 . 2009-05-02 10:59 -------- d-----w c:\users\All Users\Trend Micro
2009-05-02 05:07 . 2009-05-02 05:07 -------- d-----w C:\KAV
2009-04-25 11:17 . 2009-04-25 11:17 64512 ---ha-w c:\users\My Computer\AppData\Roaming\dach100.dll
2009-04-24 18:36 . 2009-04-24 18:36 -------- d-----w c:\users\My Computer\AppData\Roaming\Software Informer
2009-04-24 17:31 . 2009-04-24 17:31 -------- d-----w c:\program files\Software Informer
2009-04-24 17:31 . 2009-04-25 01:19 -------- d-----w c:\users\My Computer\AppData\Roaming\Free Download Manager
2009-04-24 06:41 . 2009-03-02 03:02 225280 --sha-r c:\windows\system32\dllcache\svchost.exe
2009-04-24 06:41 . 2009-05-04 11:27 -------- d-sh--w c:\windows\system32\dllcache
2009-04-17 17:03 . 2009-04-17 17:03 -------- d-----w c:\users\My Computer\AppData\Local\AlwaysNeat
2009-04-17 16:48 . 2009-04-17 16:50 -------- d-----w c:\users\My Computer\AppData\Roaming\Aveyond II
2009-04-17 16:11 . 2009-04-17 16:11 -------- d-----w c:\users\My Computer\AppData\Roaming\Shape games
2009-04-17 14:40 . 2009-04-17 14:40 -------- d-----w c:\users\My Computer\AppData\Roaming\Intenium
2009-04-16 07:27 . 2009-04-16 07:27 -------- d-----w c:\users\My Computer\AppData\Roaming\EleFun Games
2009-04-16 07:16 . 2009-04-16 07:20 -------- d-----w c:\users\My Computer\AppData\Roaming\Aveyond I

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 11:48 . 2006-11-02 13:00 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-04 11:35 . 2008-10-27 22:05 45018656 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-30 15:41 . 2008-10-27 21:26 1356 ----a-w c:\users\My Computer\AppData\Local\d3d9caps.dat
2009-04-28 06:18 . 2008-10-27 22:05 614984 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-25 11:17 . 2009-01-06 06:20 337 ---ha-w c:\windows\winshell.dat
2009-04-25 11:17 . 2001-10-17 09:09 66 ----a-w c:\windows\anticrash.dat
2009-04-25 09:40 . 2009-01-10 03:46 918045 ---ha-w C:\DH Temp.tmp
2009-04-25 04:47 . 2008-10-27 21:27 198064 ----a-w c:\users\My Computer\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-24 10:09 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstrng.dat
2009-04-24 10:09 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-03-11 06:07 . 2009-03-11 06:06 2100 ----a-w c:\windows\ladydata.dat
2009-02-22 16:32 . 2009-02-22 16:32 2368 ----a-w c:\windows\system32\STEC3.sys
2006-11-02 12:49 . 2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-04-26_11.59.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-27 21:35 . 2009-05-04 09:54 46404 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:03 . 2009-05-04 10:20 72782 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-10-27 21:28 . 2009-05-04 10:20 13660 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1856034963-148099359-468817448-1000_UserData.bin
+ 2006-11-02 13:00 . 2009-05-02 11:15 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:00 . 2009-01-19 02:48 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:00 . 2009-05-02 11:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:00 . 2009-01-19 02:48 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:00 . 2009-01-19 02:48 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 13:00 . 2009-05-02 11:15 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-10-30 14:19 . 2009-04-24 18:32 2774 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-10-30 14:19 . 2009-05-02 16:15 2774 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-05-04 10:17 . 2009-05-04 11:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-04-26 11:01 . 2009-04-26 11:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-04-26 11:01 . 2009-04-26 11:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-04 10:17 . 2009-05-04 11:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-05-04 11:24 784254 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-04-24 09:44 784254 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-05-04 11:24 158990 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-04-24 09:44 158990 c:\windows\System32\perfc009.dat
+ 2008-11-04 09:58 . 2009-05-04 10:44 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-11-04 09:58 . 2009-04-24 18:12 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-11-04 10:02 . 2009-05-04 10:44 262144 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-11-04 10:02 . 2009-04-23 01:08 262144 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-11-04 09:58 . 2009-05-04 10:44 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-11-04 09:58 . 2009-04-23 01:08 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-19 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-19 129560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-02-13 4915200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Users^My Computer^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\My Computer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6B26DCFF-1474-49E1-B39E-31A58E61E14F}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{0BEB03C8-E517-478A-B074-B59157216353}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5347951C-EFFA-49C5-A229-0F0D417CE7F7}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B3769933-E632-45C5-8B07-3FF31A06E42E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{363B383A-3B96-417F-901C-86E937414570}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CB11D72D-4248-4099-9006-6801914A3BF9}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{B3F399DC-52EB-43F1-B088-AE230C99A51B}"= UDP:d:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{51357AB4-77BE-4AA2-89F8-9A7F59D41B29}"= TCP:d:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A782D121-86BE-46B3-BD14-D46F426CE0AC}"= UDP:d:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C2C2C230-44BB-43B5-8A39-FDF6CD2865D1}"= TCP:d:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{1C74EC3F-AE9C-484B-B5B1-210C67B24977}d:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:d:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{F04B5CC9-E511-4F56-A231-EDD9CD0EC4F2}d:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:d:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{85165889-8F3D-4C05-8C78-2C168D5C130F}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{AD0ABE6F-C4E7-4241-AC9C-589809A33B34}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{FE51C761-9D35-49B6-ADF5-CA5CCCAAB819}"= UDP:d:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{006106B2-A7F5-4258-8597-227A8F41331D}"= TCP:d:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"TCP Query User{B2A37F72-478A-43C6-A368-2C727B72E549}d:\\program files\\bittorrent\\bittorrent.exe"= UDP:d:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{14489F5F-3414-4F69-A1B7-09D9D02A6EE1}d:\\program files\\bittorrent\\bittorrent.exe"= TCP:d:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{6BF994FF-4786-48F3-ADDE-1017C6DDC4FA}c:\\program files\\dna\\btdna.exe"= UDP:c:\program files\dna\btdna.exe:DNA
"UDP Query User{EF087462-C7F3-4157-BD21-AE3446289C53}c:\\program files\\dna\\btdna.exe"= TCP:c:\program files\dna\btdna.exe:DNA
"{2161754D-6F4D-4313-83C5-9D4F1F5ECF71}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7915587B-9691-4466-A746-8C13895802D5}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{639FDD66-C159-4579-BB94-6BF908E796B5}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{4E1C22FE-8F63-44AF-9975-25049072F82A}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"d:\\Program Files\\BitTorrent\\bittorrent.exe"= d:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2006-11-02 10752]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2007-01-26 20760]
S3 Winacusb;Winacusb;c:\windows\system32\DRIVERS\winacusb.sys [2002-02-14 956552]


--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\My Computer\AppData\Roaming\Mozilla\Firefox\Profiles\5aoqcaw3.default\
FF - prefs.js: browser.startup.homepage - google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 19:52
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql]
"ImagePath"="\"d:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3332)
d:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
d:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
d:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
d:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\inetsrv\inetinfo.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
d:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
d:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Windows Media Player\wmplayer.exe
.
**************************************************************************
.
Completion time: 2009-05-04 19:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 11:57
ComboFix2.txt 2009-04-28 08:00
ComboFix3.txt 2009-04-26 12:01

Pre-Run: 45,947,035,648 bytes free
Post-Run: 46,527,619,072 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=19 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
221 --- E O F --- 2008-12-04 14:33
Upload was successful


SystemLook Log
SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 22:05 on 04/05/2009 by My Computer (Administrator - Elevation successful)

========== file ==========

C:\windows\system32\svchost.exe - File found and opened.
MD5: 10DA15933D582D2FEDCF705EFE394B09
Created at 08:35 on 02/11/2006
Modified at 09:45 on 02/11/2006
Size: 22016 bytes
Attributes: --a---
FileDescription: Host Process for Windows Services
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion: 6.0.6000.16386
OriginalFilename: svchost.exe.mui
InternalName: svchost.exe
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

========== filefind ==========

Searching for "svchost.exe"
C:\Windows\System32\dllcache\svchost.exe -rahs- 225280 bytes [06:41 24/04/2009] [03:02 02/03/2009] 60EFD4C99B47472E2AAB9AC8CD26AEB1
C:\Windows\System32\svchost.exe --a--- 22016 bytes [08:35 02/11/2006] [09:45 02/11/2006] 10DA15933D582D2FEDCF705EFE394B09
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6000.16386_none_b38497a50862ad11\svchost.exe --a--- 22016 bytes [08:35 02/11/2006] [09:45 02/11/2006] 10DA15933D582D2FEDCF705EFE394B09

-=End Of File=-


Log.txt
"c:\autorun.inf" "Folder autorun created".
"D:\autorun.inf" "Folder autorun created".
"E:\autorun.inf" failed to create folder.
"F:\autorun.inf" failed to create folder.
"G:\autorun.inf" failed to create folder.
"H:\autorun.inf" Folder already Exists.
"I:\autorun.inf" Folder already Exists.
"J:\autorun.inf" failed to create folder.
"K:\autorun.inf" failed to create folder.


Thank you so much. Hope to hear from you soon. :)
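The SystemLook filefind section above lists three copies of svchost.exe, and only the one in dllcache has a different size, a different MD5 and hidden/system attributes. As an added example that is not part of this thread (nor SystemLook's own code), the script below parses that output format and flags every copy that deviates from the WinSxS component-store copy; the line format and the choice of the WinSxS copy as reference are assumptions.

```python
# Added example (not from the forum thread or from SystemLook itself): triage
# SystemLook "filefind" output for a Windows system binary by comparing every
# copy found against the WinSxS component-store copy. Assumptions: the line
# format is "<path> <attrs> <size> bytes [<created>] [<modified>] <MD5>" as in
# the log above, and the WinSxS copy is treated as the reference (a real
# investigation would also confirm that hash against a vendor-published value).
from __future__ import annotations

import re
from dataclasses import dataclass

# One result line of a SystemLook "filefind" section.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]"
    r"\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str   # six flag characters, e.g. "-rahs-" = read-only, archive, hidden, system
    size: int
    md5: str


def parse_filefind(text: str) -> list[FileHit]:
    """Parse the result lines of a filefind section; non-matching lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]), m["md5"].upper()))
    return hits


def find_reference(hits: list[FileHit]) -> FileHit | None:
    """The copy living under WinSxS is taken as the reference (assumption, see above)."""
    for h in hits:
        if "\\winsxs\\" in h.path.lower():
            return h
    return None


def triage(hits: list[FileHit]) -> dict[str, list[str]]:
    """Return {path: [reasons]} for every copy that deviates from the reference
    or carries hidden/system attributes, which a normal copy of a service host
    binary does not have."""
    ref = find_reference(hits)
    findings: dict[str, list[str]] = {}
    for h in hits:
        if h is ref:
            continue
        reasons = []
        if ref is not None and h.md5 != ref.md5:
            reasons.append(f"MD5 {h.md5} differs from WinSxS copy {ref.md5}")
        if ref is not None and h.size != ref.size:
            reasons.append(f"size {h.size} differs from WinSxS copy {ref.size}")
        if "h" in h.attrs or "s" in h.attrs:
            reasons.append(f"hidden/system attributes ({h.attrs})")
        if reasons:
            findings[h.path] = reasons
    return findings


# Constructed sample: the three svchost.exe lines from the SystemLook log above.
SAMPLE = r"""
Searching for "svchost.exe"
C:\Windows\System32\dllcache\svchost.exe -rahs- 225280 bytes [06:41 24/04/2009] [03:02 02/03/2009] 60EFD4C99B47472E2AAB9AC8CD26AEB1
C:\Windows\System32\svchost.exe --a--- 22016 bytes [08:35 02/11/2006] [09:45 02/11/2006] 10DA15933D582D2FEDCF705EFE394B09
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6000.16386_none_b38497a50862ad11\svchost.exe --a--- 22016 bytes [08:35 02/11/2006] [09:45 02/11/2006] 10DA15933D582D2FEDCF705EFE394B09
"""

if __name__ == "__main__":
    # Only the dllcache copy is reported: wrong hash, wrong size, hidden+system.
    for path, reasons in triage(parse_filefind(SAMPLE)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```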

#14 extremeboy

  • Malware Response Team

Posted 04 May 2009 - 03:25 PM

Hello SoraLaine.

Don't think I forgot you just because I'm not posting you the instructions yet. You are running a Vista machine, which I'm not extremely familiar with in terms of how it works and everything, since I don't use a Windows Vista machine (but I'm getting one soon). I need to do some further research on this and will get back to you ASAP.

Thanks for being patient with me. Will be back soon.

With Regards,
Extremeboy

#15 extremeboy

  • Malware Response Team

Posted 04 May 2009 - 04:54 PM

Hello again.

Sorry for the short delay. Please follow the instructions below. Make sure you follow them carefully and precisely.

DO NOT use this computer too much in terms of surfing on the web; running other applications is okay, but avoid using the internet unless I tell you so.

Just want to ask again: Is there another computer from which you may be able to reply to me, so that we can download any of the tools we need?

*Reply Note*: I know it may take a few days before you can post the logs, but it would be best if you can do the steps at ONE GO, meaning finish all the steps in one day and not stop the procedure and continue the next day. Just an estimate, completing ALL these tasks below may take approximately 4-5 hours. MBAM is the one that may take a long time, the other ones shouldn't take too long.

Thanks.

Download, Install and Update MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
Malwarebytes shall now launch and update itself, if it does not you can click on the update tab and click Update Now. If it's fully updated it should say something like "no newer updates available". If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

Note: Allow Malwarebytes Anti-Malware to create a desktop shortcut icon for Malwarebytes so you can access it more easily later on.

Download and Save RootRepeal CR

Please download RootRepeal to your desktop

Do NOT run ANY of the tools we downloaded/updated right now. I will let you know when to run them.


Physically disconnect your machine from the internet as your system will be unprotected. This means even after you reboot the computer CAN NOT be connected to the internet. <-Important


Vista should NOT have the dllcache folder. I want to make sure just in case (that folder is very important in XP, but it is not used in Vista), so let's see what's in there.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    KillAll::
    
    File::
    c:\windows\winshell.dat
    c:\windows\anticrash.dat
    c:\windows\ladydata.dat
    H:\autorun.inf
    I:\autorun.inf
    Rootkit::
    c:\windows\system32\dllcache\svchost.exe
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{85165889-8F3D-4C05-8C78-2C168D5C130F}"=-
    "{AD0ABE6F-C4E7-4241-AC9C-589809A33B34}"=-
    "{FE51C761-9D35-49B6-ADF5-CA5CCCAAB819}"=-
    "{006106B2-A7F5-4258-8597-227A8F41331D}"=-
    Dir::
    c:\windows\system32\dllcache
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Run SystemLookup
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


Scan with Malwarebytes Anti-Malware
  • Double click the Malwarebytes Anti-Malware icon to run it.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Scan with RootRepeal

**NOTE**: Your computer should STILL be disconnected from the Internet.
  • Right-click on RootRepeal and click Extract All...
  • Unzip it to its own folder.
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Double-click on Rooter.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now click the Scan button in the Report Tab.
  • A box will pop up, check the boxes beside ALL SIX
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Post the log here in your reply.
Now you may re-connect to the internet and post the logs I requested.

For your next reply I would like to see:
-Combofix log
-SystemLookUp log
-MBAM log
-RootRepeal log

After you post the logs, continue to refrain from using the internet too much except seeing if I replied or not. Avoid surfing the web as well.

Thanks :thumbup2:

With Regards,
Extremeboy