gxvxccounter Trojan detected, please help


34 replies to this topic

#1 SecurityAlert

SecurityAlert

  • Members
  • 28 posts
  • Gender:Male
  • Location:Canada

Posted 05 June 2009 - 06:49 PM

Hello everyone, I am "SecurityAlert" and I have been having a problem. Recently, I have been experiencing problems with google searches on firefox and internet explorer, and whenever I try to click on a search result, I am redirected to a website called "jump.com". I have always canceled the action in the browser to stop any (further) possible harm to my computer.

I use Avira AntiVir Free Edition, and it has detected a suspicious file called "gxvxccounter.sys" in every scan, and other files that are similar to this (e.g. gxvxcxvirkhacekvsuawotomfchkdblhcgmbx.dll, etc.).

These file names appear to be gibberish; however, they appear to be actually malware, and are hidden in the system32 files, and I cannot see them even with administrative privileges. Quarantining these files and deleting them has done nothing, as the file keeps reappearing in every system scan I perform. I have deleted these files and quarantined them to the point where now Avira says this malware cannot be deleted, and only copied to quarantine. Even though the file has been quarantined several times, the effects are still visible.

I will provide a HJT log below. Any help would be appreciated.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:06 PM, on 05/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 209.234.247.4 nprotect.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 nprotect.acclaimdownloads.com
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Solid State Networks IE Browser Plugin - {BD08A9D5-0E5C-4f42-99A3-C0CB5E860557} - C:\WINDOWS\system32\SolidStateNetworks\SolidStateION\solidax.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O3 - Toolbar: (no name) - {4DF5B116-4FD9-4039-B377-1130953A980F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [WinFlip] C:\Program Files\WinFlip\WinFlip.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViGlance] C:\Program Files\ViGlance\ViGlance.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WindowBlinds] C:\PROGRA~1\STARDO~1\OBJECT~1\WINDOW~1\WBInstall32.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\DarK HaX\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.windowsupdate.microsoft.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239656246316
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239656236112
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.playwhat.com/solidPlugin/solidstateion.cab
O16 - DPF: {D6855164-25C2-40D2-BA39-D8A57FF0B49C} (RedbananaVistaPlay Class) - http://dekaron.redbanana.jp/_include/_comm...anaAutoPlay.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B82F8D2-0712-4B1B-94AD-F17D587A21EB}: NameServer = 67.69.235.1 207.164.234.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{61B07799-CEB7-4ABA-84B0-C41507BD2FB9}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B82F8D2-0712-4B1B-94AD-F17D587A21EB}: NameServer = 67.69.235.1 207.164.234.193
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS2\Services\Tcpip\..\{5B82F8D2-0712-4B1B-94AD-F17D587A21EB}: NameServer = 67.69.235.1 207.164.234.193
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: 4APPINITSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Microsoft NtfsSvc Manager Service (NtfsSvc) - Unknown owner - C:\WINDOWS\System32\test.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 12370 bytes
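As an added example (not part of the thread, and not a HijackThis feature), here is a small Python triage script for logs in the format posted above. It pulls out the entries a helper usually reviews first: HOSTS overrides (O1), orphaned entries pointing at no file (O2/O3), every distinct set of DNS resolvers in the O17 entries so they can be compared with what the ISP or router actually hands out, AppInit_DLLs (O20), and services with an unknown owner and a missing file (O23). It assumes the HijackThis 2.0.2 line layout shown in the post; the sample lines are copied from that log.

```python
import re
from collections import defaultdict

# A handful of lines copied from the HijackThis log posted above.
# Raw string so the Windows backslashes survive untouched.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O1 - Hosts: 209.234.247.4 nprotect.acclaimdownloads.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B82F8D2-0712-4B1B-94AD-F17D587A21EB}: NameServer = 67.69.235.1 207.164.234.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{61B07799-CEB7-4ABA-84B0-C41507BD2FB9}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O20 - AppInit_DLLs: 4APPINITSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll
O23 - Service: Microsoft NtfsSvc Manager Service (NtfsSvc) - Unknown owner - C:\WINDOWS\System32\test.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Every HijackThis entry starts with a section tag (R0, F2, O1, O23 ...) followed by " - ".
ENTRY_RE = re.compile(r"^([FOR]\d+) - (.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for each entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Flag entries worth a second look.

    Returns (findings, resolver_sets): findings is a list of (kind, section, detail)
    where kind is "orphan" (entry references a file that is gone) or "review"
    (entry is a well-known persistence or redirection point and should be checked
    by hand); resolver_sets maps each distinct tuple of DNS resolvers to the
    registry keys that use it.
    """
    findings = []
    resolver_sets = defaultdict(list)
    for sec, body in parse_hjt(text):
        if sec == "O1":
            # HOSTS file overrides silently redirect a hostname to a fixed address.
            _, _, mapping = body.partition("Hosts: ")
            findings.append(("review", sec, "HOSTS override: " + mapping))
        elif sec in ("O2", "O3") and body.endswith("(no file)"):
            # Registration left behind for a DLL that no longer exists.
            findings.append(("orphan", sec, body))
        elif sec == "O17":
            # Group NameServer values; the resolver list may be space- or comma-separated.
            key, _, value = body.partition(": NameServer = ")
            resolvers = tuple(sorted(re.split(r"[ ,]+", value.strip())))
            resolver_sets[resolvers].append(key)
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs loads the named DLL into every process that links user32.dll.
            findings.append(("review", sec, body))
        elif sec == "O23" and "Unknown owner" in body and body.endswith("(file missing)"):
            # A service with no vendor whose binary is gone: leftover or hidden component.
            findings.append(("orphan", sec, body))

    # More than one resolver set on the same machine deserves a manual comparison
    # against what the ISP or router really hands out.
    if len(resolver_sets) > 1:
        for resolvers, keys in resolver_sets.items():
            findings.append(("review", "O17",
                             f"resolvers {' '.join(resolvers)} configured on {len(keys)} key(s)"))
    return findings, dict(resolver_sets)


if __name__ == "__main__":
    found, sets = triage(SAMPLE_LOG)
    for kind, sec, detail in found:
        print(f"[{kind:6}] {sec:4} {detail}")
```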


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 June 2009 - 01:53 PM

Hello SecurityAlert,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

***************

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 07 June 2009 - 02:19 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SecurityAlert

SecurityAlert
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
  • Location:Canada

Posted 09 June 2009 - 03:37 PM

Hello SifuMike,

Thank you for responding to my thread. My apologies for the delayed response. I cannot run Malwarebytes for some unknown reason; the process does not start at all, even though I have disabled Avira and anything else that could come in conflict with this program. (I did notice my Java was out of date... by far though..)

I will post the SecurityCheck note below.

---------------

Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
AviraAntiVirPersonal-FreeAntivirus
MicrosoftWindowsOneCareLiveAntiSpywareand AntiVirus
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Microsoft Windows OneCare Live AntiSpyware and AntiVirus
HijackThis 2.0.2
CCleaner (remove only)
Java™ 6 Update 14
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 3643 seconds.
`````````End of Log```````````

------------------------

Here is the HJT log you also asked for:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:25 PM, on 09/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 209.234.247.4 nprotect.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 nprotect.acclaimdownloads.com
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Solid State Networks IE Browser Plugin - {BD08A9D5-0E5C-4f42-99A3-C0CB5E860557} - C:\WINDOWS\system32\SolidStateNetworks\SolidStateION\solidax.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O3 - Toolbar: (no name) - {4DF5B116-4FD9-4039-B377-1130953A980F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [WinFlip] C:\Program Files\WinFlip\WinFlip.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViGlance] C:\Program Files\ViGlance\ViGlance.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WindowBlinds] C:\PROGRA~1\STARDO~1\OBJECT~1\WINDOW~1\WBInstall32.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\DarK HaX\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.windowsupdate.microsoft.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239656246316
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239656236112
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.playwhat.com/solidPlugin/solidstateion.cab
O16 - DPF: {D6855164-25C2-40D2-BA39-D8A57FF0B49C} (RedbananaVistaPlay Class) - http://dekaron.redbanana.jp/_include/_comm...anaAutoPlay.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B82F8D2-0712-4B1B-94AD-F17D587A21EB}: NameServer = 67.69.235.1 207.164.234.193
O17 - HKLM\System\CCS\Services\Tcpip\..\{61B07799-CEB7-4ABA-84B0-C41507BD2FB9}: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B82F8D2-0712-4B1B-94AD-F17D587A21EB}: NameServer = 67.69.235.1 207.164.234.193
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O17 - HKLM\System\CS2\Services\Tcpip\..\{5B82F8D2-0712-4B1B-94AD-F17D587A21EB}: NameServer = 67.69.235.1 207.164.234.193
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.107,85.255.112.226
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: 4APPINITSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Microsoft NtfsSvc Manager Service (NtfsSvc) - Unknown owner - C:\WINDOWS\System32\test.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 13185 bytes

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 June 2009 - 09:21 PM

Hi SecurityAlert,


Java™ 6 Update 14 is the latest Java version so leave that alone.

These are all old java versions and are malware magnets.
You need to uninstall them.
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7



The malware you have on your computer is preventing Malwarebytes from running.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\), then rename mbam.exe to newtool.exe and double click newtool.exe to proceed in running it.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version. The latest Database version is 2252.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.


If you can't update MBAM, manually download the database installer from http://malwarebytes.gt500.org/mbam-rules.exe
See also: http://malwarebytes.gt500.org/database.jsp

Edited by SifuMike, 09 June 2009 - 09:24 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SecurityAlert

SecurityAlert
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:09:16 AM

Posted 10 June 2009 - 04:13 PM

Thank you for replying SifuMike.

I was able to run Malwarebytes after changing the name of mbam.exe to newtool.exe. I will post the log from MBAM and HJT below.

----------------------

MBAM logfile:

----------------------

Malwarebytes' Anti-Malware 1.37
Database version: 2259
Windows 5.1.2600 Service Pack 3

10/06/2009 4:52:29 PM
mbam-log-2009-06-10 (16-52-29).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 196885
Time elapsed: 43 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 0
Registry Data Items Infected: 10
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products\568267acfc5644dab06f058006ddbae3 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\UNICCodecSoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ONESTEP_SEARCH_SERVICE (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{61b07799-ceb7-4aba-84b0-c41507bd2fb9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{61b07799-ceb7-4aba-84b0-c41507bd2fb9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{61b07799-ceb7-4aba-84b0-c41507bd2fb9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\DarK HaX\Start Menu\Programs\UNICCodec (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\Log.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.

--------------------------------------------

HJT log:

--------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:26 PM, on 10/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Windows folder: C:\WINDOWS
System folder: C:\WINDOWS\SYSTEM32
Hosts file: C:\WINDOWS\System32\drivers\etc\hosts

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\newtool.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 209.234.247.4 nprotect.acclaimdownloads.com
O1 - Hosts: 209.234.247.4 nprotect.acclaimdownloads.com
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll (filesize 198424 bytes, MD5 2C1C01A81E9910EDBE8F1016E7213B83)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (filesize 94308 bytes, MD5 6F3A6FF8AB82327CC634DB3C5629BE16)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPuB.dll (filesize 206616 bytes, MD5 60EAB4DF5BBA385A71981B09B929C245)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (filesize 5931848 bytes, MD5 E95EF208C6093BD06661FB1C69810DC3)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (filesize 320920 bytes, MD5 66C9512CE2907613079B8415DEE265E5)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll (filesize 251672 bytes, MD5 1E2AE38F4FF4DF89D5497628E4360C17)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Solid State Networks IE Browser Plugin - {BD08A9D5-0E5C-4f42-99A3-C0CB5E860557} - C:\WINDOWS\system32\SolidStateNetworks\SolidStateION\solidax.dll (filesize 132400 bytes, MD5 DDC23164892CB97094CA0C1A4A418D08)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (filesize 41368 bytes, MD5 5AD21876943AD07CD61A9C5FECB623C7)
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll (filesize 96024 bytes, MD5 C4CFC880477B699C09B461381422AA13)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (filesize 73728 bytes, MD5 DECBFBA0F77F81D790CDBEB1A335426A)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (filesize 163840 bytes, MD5 87C7984BCA4FA1D480C4242EB67D252E)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll (filesize 247576 bytes, MD5 5DE28439D387AFCA451D7CD9A91C6F07)
O3 - Toolbar: (no name) - {4DF5B116-4FD9-4039-B377-1130953A980F} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (filesize 5931848 bytes, MD5 E95EF208C6093BD06661FB1C69810DC3)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7 (filesize 40960 bytes, MD5 9E3213FE808967C72BA827AE36CC3030)
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay (filesize 45056 bytes, MD5 5C2383D85256F2832CD864CD6F2403EF)
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min (filesize 209153 bytes, MD5 7E096752C57DA53BA3ED72596926AA6B)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (filesize 413696 bytes, MD5 1C2B94C6A9A72D42845A6463D10F17B2)
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (filesize 455168 bytes, MD5 5BC44DE47982037E2893C11255402B14)
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (filesize 455168 bytes, MD5 5BC44DE47982037E2893C11255402B14)
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC (filesize 59392 bytes, MD5 0567DC63F0575C9BC56A25A9E5162CB9)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (filesize 342312 bytes, MD5 83D679443A7AE280A6401BB2AAFE0224)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (filesize 208952 bytes, MD5 40B1A1B87639A44558FA75ADCC73B161)
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (filesize 148888 bytes, MD5 126E99662E38D5982C54970D0DBF4A9F)
O4 - HKCU\..\Run: [WinFlip] C:\Program Files\WinFlip\WinFlip.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViGlance] C:\Program Files\ViGlance\ViGlance.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (filesize 160592 bytes, MD5 A83885FF57A8AD5DFA8ADAD2B9F96911)
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (filesize 5724184 bytes, MD5 2FE0DAAF9DB6E9D67466D017E7A20964)
O4 - HKCU\..\Run: [WindowBlinds] C:\PROGRA~1\STARDO~1\OBJECT~1\WINDOW~1\WBInstall32.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan (filesize 396288 bytes, MD5 20F0540052A349A7866127A44EEE6CB7)
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (filesize 288472 bytes, MD5 21F43C5E354663FAFF0BEA0BB85E22B3)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm (filesize 1049 bytes, MD5 E8B4EC62B8FE503CFD59BFC69BAAFDD3)
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm (filesize 1898 bytes, MD5 208F30C68E12274B625E3EDF9186680C)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll (filesize 320920 bytes, MD5 66C9512CE2907613079B8415DEE265E5)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll (filesize 320920 bytes, MD5 66C9512CE2907613079B8415DEE265E5)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (filesize 53248 bytes, MD5 AB3DC3C25CA84B17838E62AE53C9BEF9)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (filesize 53248 bytes, MD5 AB3DC3C25CA84B17838E62AE53C9BEF9)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (filesize 2007088 bytes, MD5 E796C980DA2806B7B9B6278185B4092B)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (filesize 2007088 bytes, MD5 E796C980DA2806B7B9B6278185B4092B)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\DarK HaX\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll (filesize 1499136 bytes, MD5 8FB4ADABF167EABB1B5DF8EDAE803526)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll (filesize 1499136 bytes, MD5 8FB4ADABF167EABB1B5DF8EDAE803526)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 B23DD8B3FC77BF928B76379ACD559AE4)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (filesize 558080 bytes, MD5 B23DD8B3FC77BF928B76379ACD559AE4)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 970860A66BB616A1D0C135C76F5BDAB2)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1695232 bytes, MD5 970860A66BB616A1D0C135C76F5BDAB2)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.windowsupdate.microsoft.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239656246316
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239656236112
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.playwhat.com/solidPlugin/solidstateion.cab
O16 - DPF: {D6855164-25C2-40D2-BA39-D8A57FF0B49C} (RedbananaVistaPlay Class) - http://dekaron.redbanana.jp/_include/_comm...anaAutoPlay.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B82F8D2-0712-4B1B-94AD-F17D587A21EB}: NameServer = 67.69.235.1 207.164.234.193
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B82F8D2-0712-4B1B-94AD-F17D587A21EB}: NameServer = 67.69.235.1 207.164.234.193
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: 4APPINITSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Microsoft NtfsSvc Manager Service (NtfsSvc) - Unknown owner - C:\WINDOWS\System32\test.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 16562 bytes
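The MBAM log in this post shows what was actually behind the search redirects: the Trojan.DNSChanger entries had replaced the machine's DNS resolvers (the Tcpip\Parameters\NameServer values) with 85.255.112.107 and 85.255.112.226, so every name lookup went through servers the attacker controlled. The Python script below is an added example written for this thread; it is not code from HijackThis, Malwarebytes or either poster. It parses the O17 NameServer lines HijackThis emits and the NameServer data items MBAM reports, and flags any resolver that is neither on an expected list nor a private LAN address. The expected-resolver set (the 67.69.235.1 / 207.164.234.193 pair from the O17 lines, assumed here to be the ISP's) and the sample lines (copied from the logs in this post, plus one unrelated O4 line) are constructed input for the example.

```python
"""Flag hijacked DNS resolvers in HijackThis (O17) and MBAM log lines.

Added example for this thread; not code from HijackThis, Malwarebytes or the
posters. The expected-resolver set and the sample lines are constructed input.
"""
import ipaddress
import re

# Assumption for this example: the pair reported in the O17 lines is the
# ISP's legitimate resolver pair. Put your own ISP/corporate resolvers here.
EXPECTED_RESOLVERS = {"67.69.235.1", "207.164.234.193"}

# HijackThis O17 line:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d e.f.g.h
_HJT_O17 = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,\s]+?)\s*$")

# MBAM "Registry Data Items Infected" line:
#   HKEY_LOCAL_MACHINE\...\NameServer (Trojan.DNSChanger) -> Data: a.b.c.d,e.f.g.h -> Quarantined ...
_MBAM_DATA = re.compile(
    r"^(?P<key>HKEY\S*\\NameServer) \([^)]*\) -> Data: (?P<servers>[\d.,\s]+?) ->"
)


def extract_resolvers(line):
    """Return (registry_key, [IPv4 resolvers]) for a NameServer line, else None."""
    match = _HJT_O17.match(line) or _MBAM_DATA.match(line)
    if not match:
        return None
    servers = []
    # HijackThis separates resolvers with spaces, MBAM with commas; accept both.
    for token in re.split(r"[,\s]+", match.group("servers").strip()):
        try:
            servers.append(str(ipaddress.IPv4Address(token)))
        except ValueError:
            continue  # not an IPv4 literal (a stray token); skip it
    return match.group("key"), servers


def is_lan_resolver(ip):
    """True for RFC 1918 addresses, i.e. a home router or an internal DNS server."""
    return ipaddress.IPv4Address(ip).is_private


def find_hijacks(lines, expected=EXPECTED_RESOLVERS):
    """Return [(registry_key, resolver)] for each resolver that is neither expected nor on the LAN."""
    findings = []
    for line in lines:
        parsed = extract_resolvers(line)
        if parsed is None:
            continue
        key, servers = parsed
        for ip in servers:
            if ip in expected or is_lan_resolver(ip):
                continue
            findings.append((key, ip))
    return findings


# Constructed sample: lines copied from the MBAM and HijackThis logs in this
# post, plus one unrelated O4 line to show that non-DNS entries are ignored.
SAMPLE_LINES = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{61b07799-ceb7-4aba-84b0-c41507bd2fb9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.107,85.255.112.226 -> Quarantined and deleted successfully.
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B82F8D2-0712-4B1B-94AD-F17D587A21EB}: NameServer = 67.69.235.1 207.164.234.193
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B82F8D2-0712-4B1B-94AD-F17D587A21EB}: NameServer = 67.69.235.1 207.164.234.193
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
""".strip().splitlines()


if __name__ == "__main__":
    for key, ip in find_hijacks(SAMPLE_LINES):
        print(f"rogue resolver {ip} in {key}")
```

Run against the sample, it reports the two 85.255.112.x resolvers under both the CurrentControlSet and the per-interface NameServer keys, and stays quiet on the O17 lines that carry the expected pair. A private (RFC 1918) resolver is treated as the home router, which only moves the question one hop: the router's own upstream resolvers deserve the same comparison, because a clean NameServer value on the PC says nothing about what the router forwards to.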

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:16 AM

Posted 10 June 2009 - 04:26 PM

Hi SecurityAlert,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira AntiVir Antivirus and Microsoft Windows OneCare Live AntiSpyware and AntiVirus before running ComboFix, as they will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • Right-click it -> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background.
You successfully disabled the AntiVir Guard.


To modify Windows Live OneCare Antivirus settings

1. On the Windows Live OneCare start screen, click View or change settings, and then click the Antivirus tab.

2. Click Antivirus Exclusions to turn antivirus monitoring on or off, view quarantined files, and exclude specific files from scanning and monitoring.

3. Clear the Monitor for virus-like behavior during Antivirus monitoring check box to disable real-time monitoring and protection. Windows Live OneCare will prompt you and change the color of its icon if your system is not sufficiently protected after turning Antivirus off.

Now that you have real-time monitoring turned off, proceed with my previous instructions and we will continue.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#7 SecurityAlert

SecurityAlert
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:09:16 AM

Posted 10 June 2009 - 09:59 PM

Hello SifuMike,

I have downloaded and installed ComboFix successfully. However, it seems as though I do not have the Windows Recovery Console, as I skim through the ComboFix log for myself. Could this be a problem? If so, please do tell me what I can do to fix this.
I will provide the ComboFix log below:

--------------------

ComboFix 09-06-09.06 - DarK HaX 10/06/2009 22:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.949.82.1033.18.1271.908 [GMT -7:00]
Running from: c:\documents and settings\DarK HaX\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents
c:\windows\system32\drivers\gxvxcqllxbeyxwhwidwkspiboevbjngwyqpqj.sys
c:\windows\system32\drivers\gxvxctxejbmlklskkltfqrgwidupkfvmkhlpx.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcxvirkhacekvsuawotomfchkdblhcgmbx.dll
c:\windows\system32\mssocktx.dll
c:\windows\system32\whnt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Legacy_ILVMONEYDRIVER53
-------\Service_IlvMoneyDRIVER53


((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-10 23:04 . 2009-06-10 23:04 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\Malwarebytes
2009-06-10 10:12 . 2009-06-10 10:08 404225 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\update.exe
2009-06-10 10:12 . 2009-06-10 10:08 345345 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\update.dll
2009-06-10 10:12 . 2009-04-09 17:20 79105 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\updaterc.dll
2009-06-10 10:12 . 2009-02-13 23:01 79105 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\updext.dll
2009-06-10 10:12 . 2008-12-05 18:32 126721 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\TMP_UPDATE\scewxmlw.dll
2009-06-09 23:28 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 23:28 . 2009-06-09 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 23:28 . 2009-06-10 23:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 23:28 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 22:22 . 2009-06-09 22:22 152576 ----a-w- c:\documents and settings\DarK HaX\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-05 22:46 . 2009-06-05 22:46 -------- d-----w- c:\program files\Trend Micro
2009-05-31 17:28 . 2009-05-31 17:28 96 ---ha-w- c:\windows\system32\HsInfo.dat
2009-05-31 17:23 . 2009-05-31 17:23 -------- d-----w- c:\program files\alaplaya
2009-05-31 05:25 . 2009-06-02 00:17 -------- d-----w- c:\documents and settings\DarK HaX\Local Settings\Application Data\PMB Files
2009-05-31 05:25 . 2009-05-31 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-05-31 00:41 . 2009-05-31 00:41 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-05-30 09:01 . 2009-05-30 09:02 -------- d-----w- c:\program files\ZStuff
2009-05-29 05:59 . 2009-05-29 05:59 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-05-29 05:59 . 2009-05-29 05:59 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-05-29 05:17 . 2009-05-30 09:03 -------- d-----w- c:\program files\Spybot
2009-05-29 02:31 . 2009-05-29 02:31 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\ViSplore
2009-05-29 02:31 . 2009-05-31 02:46 -------- d-----w- c:\windows\system32\VIRepair
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\ViSplore
2009-05-29 02:26 . 2009-04-25 10:12 348161 ----a-w- c:\windows\system32\viwc.exe
2009-05-29 02:26 . 2009-05-29 02:31 -------- d-----w- c:\program files\ViStart
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\ViGlance
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\Vista Rainbar
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\Vista Drive Icon
2009-05-29 02:26 . 2009-03-18 15:46 6181376 ----a-w- c:\windows\system32\sevenui.exe
2009-05-29 02:25 . 2006-12-11 08:15 498176 ----a-w- c:\windows\system32\logon.scr
2009-05-29 02:12 . 2009-03-24 00:39 20480 ----a-w- c:\windows\system32\scrnrdr.exe
2009-05-29 02:03 . 2009-05-29 02:03 -------- d-----w- c:\program files\febooti fileTweak Hash and CRC
2009-05-28 22:09 . 2004-08-20 22:50 159744 ----a-w- c:\windows\system32\igfxres.dll
2009-05-28 22:04 . 2009-05-28 22:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-28 15:02 . 2009-05-28 15:02 -------- d-----w- c:\windows\system32\scripting
2009-05-28 15:02 . 2009-05-28 15:02 -------- d-----w- c:\windows\system32\en
2009-05-28 15:02 . 2009-05-28 15:02 -------- d-----w- c:\windows\l2schemas
2009-05-28 08:02 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll
2009-05-28 07:24 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-05-28 07:17 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-05-28 07:17 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-05-28 07:14 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-05-28 07:12 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-28 07:12 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-28 07:12 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-28 07:12 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-28 07:12 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-28 07:12 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-28 07:12 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-28 07:12 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-28 07:12 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-28 07:12 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-28 07:12 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-28 07:12 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-28 07:10 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-28 07:10 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-28 06:57 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-05-28 06:53 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-05-28 03:45 . 2009-05-28 03:45 -------- d-----w- c:\program files\iPod
2009-05-28 03:45 . 2009-05-28 03:46 -------- d-----w- c:\program files\iTunes
2009-05-28 03:45 . 2009-05-28 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-28 01:36 . 2009-05-28 01:36 -------- d-----w- C:\Quarantine
2009-05-27 07:05 . 2009-05-27 07:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-27 07:00 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-27 07:00 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-27 07:00 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-27 07:00 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-27 07:00 . 2009-05-27 07:00 -------- d-----w- c:\program files\Avira
2009-05-27 07:00 . 2009-05-27 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-27 06:19 . 2009-05-27 06:19 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\AVGTOOLBAR
2009-05-27 06:18 . 2009-05-27 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-27 06:18 . 2009-05-27 06:18 -------- d-----w- c:\program files\AVG
2009-05-27 04:29 . 2009-05-27 04:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-05-25 01:58 . 2009-05-25 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-05-25 01:55 . 2009-05-25 01:55 -------- d-----w- c:\program files\Siber Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 05:13 . 2008-01-20 06:43 -------- d-----w- c:\program files\FlashGet
2009-06-11 05:08 . 2008-01-26 21:27 169936 ----a-w- c:\documents and settings\DarK HaX\Application Data\Mozilla\Firefox\Profiles\mcrc1e4m.default\FlashGot.exe
2009-06-11 04:38 . 2007-12-02 01:00 -------- d-----w- c:\program files\WinFlip
2009-06-10 22:58 . 2007-01-21 00:08 -------- d-----w- c:\program files\Java
2009-06-09 03:29 . 2007-02-10 01:15 39472 -c--a-w- c:\documents and settings\DarK HaX\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 17:23 . 2007-11-13 06:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-31 17:23 . 2007-11-13 06:42 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-31 05:23 . 2009-02-28 10:25 -------- d-----w- c:\program files\Pando Networks
2009-05-30 00:55 . 2007-06-17 17:42 -------- d-----w- c:\program files\mIRC
2009-05-29 02:26 . 2007-12-02 01:00 -------- d-----w- c:\program files\TrueTransparency
2009-05-28 23:09 . 2007-06-27 06:45 -------- d-----w- c:\program files\Styler
2009-05-28 23:06 . 2009-02-08 07:21 -------- d-----w- c:\program files\AviSynth 2.5
2009-05-28 23:04 . 2009-02-04 15:48 -------- d-----w- c:\program files\GameTribe
2009-05-28 23:04 . 2007-04-15 05:55 -------- d-----w- c:\program files\LimeWire
2009-05-28 15:07 . 2007-01-21 02:54 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-05-28 03:45 . 2007-07-15 21:59 -------- d-----w- c:\program files\Common Files\Apple
2009-05-21 18:33 . 2009-02-02 23:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-06 21:23 . 2009-05-08 02:44 372736 ----a-w- c:\documents and settings\DarK HaX\Application Data\Mozilla\Firefox\Profiles\mcrc1e4m.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2009-04-20 05:48 . 2009-04-12 22:56 -------- d-----w- c:\program files\Sword of The New World
2009-04-19 20:13 . 2007-02-02 23:35 -------- d-----w- c:\program files\Unreal3.2
2009-04-19 20:11 . 2007-12-26 22:12 -------- d-----w- c:\program files\Yahoo!
2009-04-19 20:10 . 2007-04-13 23:44 -------- d-----w- c:\program files\Common Files\Real
2009-04-19 17:33 . 2007-12-04 15:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-18 16:44 . 2008-09-06 05:05 -------- d-----w- c:\program files\Perfect World Entertainment
2009-04-17 00:23 . 2007-01-21 00:09 -------- d-----w- c:\program files\Google
2009-04-13 23:31 . 2007-06-29 00:58 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\MSN6
2009-04-13 17:23 . 2009-04-13 17:23 450560 ----a-w- c:\windows\system32\SpeedTreeRT.dll
2009-04-13 17:16 . 2009-04-13 17:16 173167 ----a-w- c:\windows\system32\fmod.zip
2009-04-12 21:48 . 2008-11-05 08:19 -------- d-----w- c:\program files\Ntreev
2009-04-12 21:14 . 2009-04-12 21:14 -------- d-----w- c:\program files\New Folder
2009-04-04 18:11 . 2009-04-04 18:11 152576 ----a-w- c:\documents and settings\DarK HaX\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-02 23:29 . 2009-04-02 23:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-28 09:05 . 2009-03-28 09:05 57344 ----a-w- c:\windows\system32\imcomm.dll
2009-03-22 04:38 . 2009-03-22 04:38 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 23:32 . 2006-09-19 21:44 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 21:18 . 2009-04-16 06:59 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-04-16 06:59 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-04-16 06:59 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-04-16 06:59 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2008-03-31 01:43 . 2008-03-31 01:43 473 ----a-w- c:\program files\Shortcut to OGPlanet.lnk
2008-02-13 04:19 . 2008-02-13 04:20 774144 -c--a-w- c:\program files\RngInterstitial.dll
2007-12-27 08:56 . 2009-04-18 02:09 2663 ----a-w- c:\program files\kfreadme.txt
2002-04-14 17:48 . 2009-04-18 02:09 68607 ----a-w- c:\program files\updates.txt
2002-03-13 23:46 . 2009-04-18 02:09 53248 ----a-w- c:\program files\zlib.dll
2002-01-16 04:35 . 2009-04-18 02:09 548864 ----a-w- c:\program files\ALLEG40.DLL
2007-07-17 17:11 . 2007-02-10 16:00 8139296 -csha-w- c:\windows\system32\drivers\fidbox.dat
2007-07-17 07:58 . 2007-02-10 16:00 604960 -csha-w- c:\windows\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2006-02-21 03:36 2057984 501C033D08AC37C4BE751633AB02197C c:\windows\$hf_mig$\KB914882\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 16:12 2059392 BA4B97C00A437C1CC3DA365D93EE1E9D c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2009-02-08 02:02 2074752 3066E12CC2B82232CF9975A267619237 c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2007-02-28 08:38 2057600 515D30E2C90A3665A2739309334C9283 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\VITrans\ntkrnlpa.exe

[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2006-02-21 04:01 2180992 DF4D09B676964646FA166A78C816B4C3 c:\windows\$hf_mig$\KB914882\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 16:51 2182016 CEF243F6DEFD20BE4ADDE26C7ECACB54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[7] 2009-02-08 02:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2009-02-06 11:08 2197760 704B98F5A22F142DE956F7FDE3A347D2 c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2007-02-28 09:10 2180352 582A8DBAA58C3B1F176EB2817DAEE77C c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\VITrans\ntoskrnl.exe

[-] 2008-04-14 00:12 1480704 D4F330787E9A12892C4441EE7F0F554A c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1423360 E4368D08C22012B357BEF3BA239AC667 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-06-05 396288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 59392]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):73,65,76,65,6e,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-05-29 04:24 229376 ----a-w- c:\program files\Stardock2\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\DarK HaX\\Desktop\\mIRC.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9842:TCP"= 9842:TCP:SolidNetworkManager
"9842:UDP"= 9842:UDP:SolidNetworkManager
"26843:TCP"= 26843:TCP:*:Disabled:SolidNetworkManager
"26843:UDP"= 26843:UDP:*:Disabled:SolidNetworkManager
"55513:TCP"= 55513:TCP:*:Disabled:SolidNetworkManager
"55513:UDP"= 55513:UDP:*:Disabled:SolidNetworkManager
"20202:TCP"= 20202:TCP:*:Disabled:SolidNetworkManager
"20202:UDP"= 20202:UDP:*:Disabled:SolidNetworkManager
"4755:TCP"= 4755:TCP:*:Disabled:SolidNetworkManager
"4755:UDP"= 4755:UDP:*:Disabled:SolidNetworkManager
"6545:TCP"= 6545:TCP:*:Disabled:SolidNetworkManager
"6545:UDP"= 6545:UDP:*:Disabled:SolidNetworkManager
"56331:TCP"= 56331:TCP:Pando Media Booster
"56331:UDP"= 56331:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/27/2009 12:00 AM 108289]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [2/19/2007 7:28 PM 14336]
S2 NtfsSvc;Microsoft NtfsSvc Manager Service;c:\windows\System32\test.exe /svc --> c:\windows\System32\test.exe [?]
S3 gel90xne;gel90xne;\??\c:\docume~1\DARKHA~1\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\DARKHA~1\LOCALS~1\Temp\gel90xne.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 5:33 PM 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 5:32 PM 28800]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]
S3 XDva119;XDva119;\??\c:\windows\system32\XDva119.sys --> c:\windows\system32\XDva119.sys [?]
S3 XDva121;XDva121;\??\c:\windows\system32\XDva121.sys --> c:\windows\system32\XDva121.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys --> c:\windows\system32\XDva158.sys [?]
S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys --> c:\windows\system32\XDva165.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]
S3 XDva259;XDva259;\??\c:\windows\system32\XDva259.sys --> c:\windows\system32\XDva259.sys [?]
S3 XDva275;XDva275;\??\c:\windows\system32\XDva275.sys --> c:\windows\system32\XDva275.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-OneCareMP


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\DarK HaX\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: microsoft.com\*.windowsupdate
DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} - hxxp://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
DPF: {D6855164-25C2-40D2-BA39-D8A57FF0B49C} - hxxp://dekaron.redbanana.jp/_include/_common/cab/RedbananaAutoPlay.cab
FF - ProfilePath - c:\documents and settings\DarK HaX\Application Data\Mozilla\Firefox\Profiles\mcrc1e4m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1372061&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\DarK HaX\Application Data\Mozilla\Firefox\Profiles\mcrc1e4m.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\DarK HaX\Application Data\Mozilla\Firefox\Profiles\mcrc1e4m.default\extensions\{4c004a54-a628-46bb-a406-8d899d00e918}\components\FFAlert.dll
FF - plugin: c:\documents and settings\DarK HaX\Application Data\Mozilla\Firefox\Profiles\mcrc1e4m.default\extensions\{5601B994-0E9B-4ce2-8AB9-AD1155F2ABBD}\plugins\NPNeffyPlugin.dll
FF - plugin: c:\documents and settings\DarK HaX\Application Data\Mozilla\Firefox\Profiles\mcrc1e4m.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 22:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???L????????????C????Disc Detector?B??????????????B????$???C????U?????????@???????????p???B??@?????P???$?? ??????~?~??????????@????????????????B?????|???????????????????p??????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Stardock\WindowBlinds]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IE40.BrowseUI\RegBackup]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,57,cc,74,ce,62,22,40,b6,48,23,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,57,cc,74,ce,62,22,40,b6,48,23,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
c:\program files\Stardock2\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(3916)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Ctsvccda.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\conime.exe
c:\program files\Creative\ShareDLL\Mediadet.exe
.
**************************************************************************
.
Completion time: 2009-06-11 22:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 05:51

Pre-Run: 9,675,296,768 bytes free
Post-Run: 9,960,685,568 bytes free

375 --- E O F --- 2009-05-28 15:14
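Two sections of the ComboFix log above lend themselves to mechanical triage: the Sigcheck block, which prints one line per copy of a critical system file (flag, date, size, MD5, path), and the service list, which marks image files ComboFix could not find on disk with `[?]`. The script below is an added example written for this page; it is not part of the thread, of ComboFix, or of any tool named here. It ignores ComboFix's own bracket flag and simply compares the live copy in `c:\windows` or `c:\windows\system32` against the copy in Windows' own file-protection caches (`dllcache`, `ServicePackFiles\i386`, `Driver Cache\i386`); treating those cache copies as the baseline, and flagging service images that live under a Temp directory, are assumptions of this example, not facts the log states. The sample lines are copied from the log above.

```python
"""Added example: mechanical triage of two sections of a ComboFix log,
the Sigcheck block (one line per copy of a critical system file) and the
service list. Sample lines below are copied from the log posted above."""
import ntpath
import re
from collections import defaultdict, namedtuple

# Sigcheck lines from the log above: [flag] date time size MD5 path.
SIGCHECK_SAMPLE = r"""
[-] 2009-02-08 02:02 2074752 3066E12CC2B82232CF9975A267619237 c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2009-02-06 11:08 2197760 704B98F5A22F142DE956F7FDE3A347D2 c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2008-04-14 00:12 1480704 D4F330787E9A12892C4441EE7F0F554A c:\windows\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
"""

# Service lines from the log above: <R|S><start type> name;display;image [date size] or [?].
SERVICES_SAMPLE = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/27/2009 12:00 AM 108289]
S2 NtfsSvc;Microsoft NtfsSvc Manager Service;c:\windows\System32\test.exe /svc --> c:\windows\System32\test.exe [?]
S3 gel90xne;gel90xne;\??\c:\docume~1\DARKHA~1\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\DARKHA~1\LOCALS~1\Temp\gel90xne.sys [?]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 5:33 PM 13952]
"""

SIG_RE = re.compile(r"^\[(.)\]\s+(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(.+)$")
SVC_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")

SigEntry = namedtuple("SigEntry", "flag stamp size md5 path")
Finding = namedtuple("Finding", "live_path baseline_path md5_match size_delta")
Service = namedtuple("Service", "state start name display image reasons")

# Directories holding the copy Windows actually loads.
LIVE_DIRS = (r"c:\windows\system32", r"c:\windows")
# Windows' own file-protection caches, used here as the comparison baseline
# (an assumption of this example: a cache copy could itself have been replaced).
BASELINE_DIRS = (r"c:\windows\system32\dllcache",
                 r"c:\windows\servicepackfiles\i386",
                 r"c:\windows\driver cache\i386")


def parse_sigcheck(text):
    """Return one SigEntry per well-formed Sigcheck line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if m:
            flag, stamp, size, md5, path = m.groups()
            entries.append(SigEntry(flag, stamp, int(size), md5.upper(), path))
    return entries


def compare_live_to_baseline(entries):
    """Map file name -> Finding for each live copy that has a cache copy to compare against.
    ComboFix's own bracket flag is ignored; only size and MD5 are compared."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[ntpath.basename(e.path).lower()].append(e)
    findings = {}
    for name, copies in by_name.items():
        live = next((e for e in copies if ntpath.dirname(e.path).lower() in LIVE_DIRS), None)
        # First cache directory in BASELINE_DIRS order that has a copy wins.
        baseline = next((e for d in BASELINE_DIRS for e in copies
                         if ntpath.dirname(e.path).lower() == d), None)
        if live is None or baseline is None:
            continue
        findings[name] = Finding(live.path, baseline.path,
                                 live.md5 == baseline.md5, live.size - baseline.size)
    return findings


def parse_services(text):
    """Parse ComboFix service lines; reasons lists why a line deserves a second look."""
    services = []
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        # "<ImagePath> --> <resolved path> [?]" means ComboFix could not find the file on disk.
        file_missing = rest.endswith("[?]")
        if " --> " in rest:
            rest = rest.split(" --> ", 1)[1]
        image = rest.rsplit(" [", 1)[0]          # drop the trailing "[date size]" / "[?]"
        reasons = []
        if file_missing:
            reasons.append("image file not found on disk")
        if "\\temp\\" in image.lower():           # heuristic chosen for this example
            reasons.append("image lives in a Temp directory")
        services.append(Service(state, int(start), name, display, image, tuple(reasons)))
    return services


def suspicious_services(text):
    return [s for s in parse_services(text) if s.reasons]


if __name__ == "__main__":
    for name, f in compare_live_to_baseline(parse_sigcheck(SIGCHECK_SAMPLE)).items():
        status = "matches" if f.md5_match else "DIFFERS from"
        print(f"{name}: live copy {status} {f.baseline_path} (size delta {f.size_delta:+d})")
    for s in suspicious_services(SERVICES_SAMPLE):
        print(f"{s.state}{s.start} {s.name}: {s.image}: {'; '.join(s.reasons)}")
```

Run against the sample, all three live files differ from their cache copies (the two kernel images by exactly the same 8704 bytes), and the two services marked `[?]` in the log are the ones reported. A hash mismatch alone does not say what changed, only that the loaded copy is not the cached one; confirming what it is requires the file itself, which is why the helper in this thread asks for logs rather than guessing.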

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:16 AM

Posted 10 June 2009 - 11:14 PM

Hi SecurityAlert,

Delete ComboFix from your desktop.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note:  It is important that it is saved directly to your desktop**



Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named.


Disable your Avira Antivirus and anti-spyware applications, usually via a right-click on the System Tray icon; they may otherwise interfere with our tools.

To disable Avira Antivirus:  
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • Right-click it and untick the option "AntiVir Guard enable".
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 SecurityAlert

SecurityAlert
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:09:16 AM

Posted 11 June 2009 - 02:39 PM

Hello SifuMike,

I will provide the new ComboFix log below.

ComboFix 09-06-11.05 - DarK HaX 11/06/2009 15:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.949.82.1033.18.1271.846 [GMT -7:00]
Running from: c:\documents and settings\DarK HaX\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DarK HaX\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 08:13 . 2009-06-11 08:13 -------- d-----w- c:\windows\LastGood
2009-06-11 06:55 . 2005-08-26 02:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-06-11 06:55 . 2009-06-11 06:58 -------- d-----w- c:\program files\SpywareBlaster
2009-06-10 23:04 . 2009-06-10 23:04 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\Malwarebytes
2009-06-09 23:28 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 23:28 . 2009-06-09 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 23:28 . 2009-06-10 23:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 23:28 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 22:22 . 2009-06-09 22:22 152576 ----a-w- c:\documents and settings\DarK HaX\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-05 22:46 . 2009-06-05 22:46 -------- d-----w- c:\program files\Trend Micro
2009-05-31 17:28 . 2009-05-31 17:28 96 ---ha-w- c:\windows\system32\HsInfo.dat
2009-05-31 17:23 . 2009-05-31 17:23 -------- d-----w- c:\program files\alaplaya
2009-05-31 05:25 . 2009-06-02 00:17 -------- d-----w- c:\documents and settings\DarK HaX\Local Settings\Application Data\PMB Files
2009-05-31 05:25 . 2009-05-31 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-05-31 00:41 . 2009-05-31 00:41 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-05-30 09:01 . 2009-05-30 09:02 -------- d-----w- c:\program files\ZStuff
2009-05-29 05:59 . 2009-05-29 05:59 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-05-29 05:59 . 2009-05-29 05:59 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-05-29 05:17 . 2009-05-30 09:03 -------- d-----w- c:\program files\Spybot
2009-05-29 02:31 . 2009-05-29 02:31 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\ViSplore
2009-05-29 02:31 . 2009-05-31 02:46 -------- d-----w- c:\windows\system32\VIRepair
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\ViSplore
2009-05-29 02:26 . 2009-04-25 10:12 348161 ----a-w- c:\windows\system32\viwc.exe
2009-05-29 02:26 . 2009-05-29 02:31 -------- d-----w- c:\program files\ViStart
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\ViGlance
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\Vista Rainbar
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\Vista Drive Icon
2009-05-29 02:26 . 2009-03-18 15:46 6181376 ----a-w- c:\windows\system32\sevenui.exe
2009-05-29 02:25 . 2006-12-11 08:15 498176 ----a-w- c:\windows\system32\logon.scr
2009-05-29 02:12 . 2009-03-24 00:39 20480 ----a-w- c:\windows\system32\scrnrdr.exe
2009-05-29 02:03 . 2009-05-29 02:03 -------- d-----w- c:\program files\febooti fileTweak Hash and CRC
2009-05-28 22:09 . 2004-08-20 22:50 159744 ----a-w- c:\windows\system32\igfxres.dll
2009-05-28 22:04 . 2009-05-28 22:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-28 15:02 . 2009-05-28 15:02 -------- d-----w- c:\windows\system32\scripting
2009-05-28 15:02 . 2009-05-28 15:02 -------- d-----w- c:\windows\system32\en
2009-05-28 15:02 . 2009-05-28 15:02 -------- d-----w- c:\windows\l2schemas
2009-05-28 08:02 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll
2009-05-28 07:24 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-05-28 07:17 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-05-28 07:17 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-05-28 07:14 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-05-28 07:12 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-28 07:12 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-28 07:12 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-28 07:12 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-28 07:12 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-28 07:12 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-28 07:12 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-28 07:12 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-28 07:12 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-28 07:12 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-28 07:12 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-28 07:12 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-28 07:10 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-28 07:10 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-28 06:57 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-05-28 06:53 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-05-28 03:45 . 2009-05-28 03:45 -------- d-----w- c:\program files\iPod
2009-05-28 03:45 . 2009-05-28 03:46 -------- d-----w- c:\program files\iTunes
2009-05-28 03:45 . 2009-05-28 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-28 01:36 . 2009-05-28 01:36 -------- d-----w- C:\Quarantine
2009-05-27 07:05 . 2009-05-27 07:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-27 07:00 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-27 07:00 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-27 07:00 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-27 07:00 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-27 07:00 . 2009-05-27 07:00 -------- d-----w- c:\program files\Avira
2009-05-27 07:00 . 2009-05-27 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-27 06:19 . 2009-05-27 06:19 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\AVGTOOLBAR
2009-05-27 06:18 . 2009-05-27 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-27 06:18 . 2009-05-27 06:18 -------- d-----w- c:\program files\AVG
2009-05-27 04:29 . 2009-05-27 04:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-05-25 01:58 . 2009-05-25 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-05-25 01:55 . 2009-05-25 01:55 -------- d-----w- c:\program files\Siber Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 22:08 . 2008-01-26 21:27 169936 ----a-w- c:\documents and settings\DarK HaX\Application Data\Mozilla\Firefox\Profiles\mcrc1e4m.default\FlashGot.exe
2009-06-11 13:56 . 2008-01-20 06:43 -------- d-----w- c:\program files\FlashGet
2009-06-11 04:38 . 2007-12-02 01:00 -------- d-----w- c:\program files\WinFlip
2009-06-10 22:58 . 2007-01-21 00:08 -------- d-----w- c:\program files\Java
2009-06-09 03:29 . 2007-02-10 01:15 39472 -c--a-w- c:\documents and settings\DarK HaX\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 17:23 . 2007-11-13 06:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-31 17:23 . 2007-11-13 06:42 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-31 05:23 . 2009-02-28 10:25 -------- d-----w- c:\program files\Pando Networks
2009-05-30 00:55 . 2007-06-17 17:42 -------- d-----w- c:\program files\mIRC
2009-05-29 02:26 . 2007-12-02 01:00 -------- d-----w- c:\program files\TrueTransparency
2009-05-28 23:09 . 2007-06-27 06:45 -------- d-----w- c:\program files\Styler
2009-05-28 23:06 . 2009-02-08 07:21 -------- d-----w- c:\program files\AviSynth 2.5
2009-05-28 23:04 . 2009-02-04 15:48 -------- d-----w- c:\program files\GameTribe
2009-05-28 23:04 . 2007-04-15 05:55 -------- d-----w- c:\program files\LimeWire
2009-05-28 15:07 . 2007-01-21 02:54 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-05-28 03:45 . 2007-07-15 21:59 -------- d-----w- c:\program files\Common Files\Apple
2009-05-21 18:33 . 2009-02-02 23:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-06 21:23 . 2009-05-08 02:44 372736 ----a-w- c:\documents and settings\DarK HaX\Application Data\Mozilla\Firefox\Profiles\mcrc1e4m.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2009-04-20 05:48 . 2009-04-12 22:56 -------- d-----w- c:\program files\Sword of The New World
2009-04-19 20:13 . 2007-02-02 23:35 -------- d-----w- c:\program files\Unreal3.2
2009-04-19 20:11 . 2007-12-26 22:12 -------- d-----w- c:\program files\Yahoo!
2009-04-19 20:10 . 2007-04-13 23:44 -------- d-----w- c:\program files\Common Files\Real
2009-04-19 17:33 . 2007-12-04 15:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-18 16:44 . 2008-09-06 05:05 -------- d-----w- c:\program files\Perfect World Entertainment
2009-04-17 00:23 . 2007-01-21 00:09 -------- d-----w- c:\program files\Google
2009-04-13 23:31 . 2007-06-29 00:58 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\MSN6
2009-04-13 17:23 . 2009-04-13 17:23 450560 ----a-w- c:\windows\system32\SpeedTreeRT.dll
2009-04-13 17:16 . 2009-04-13 17:16 173167 ----a-w- c:\windows\system32\fmod.zip
2009-04-04 18:11 . 2009-04-04 18:11 152576 ----a-w- c:\documents and settings\DarK HaX\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-02 23:29 . 2009-04-02 23:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-28 09:05 . 2009-03-28 09:05 57344 ----a-w- c:\windows\system32\imcomm.dll
2009-03-22 04:38 . 2009-03-22 04:38 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 23:32 . 2006-09-19 21:44 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 21:18 . 2009-04-16 06:59 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-04-16 06:59 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-04-16 06:59 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-04-16 06:59 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2008-03-31 01:43 . 2008-03-31 01:43 473 ----a-w- c:\program files\Shortcut to OGPlanet.lnk
2008-02-13 04:19 . 2008-02-13 04:20 774144 -c--a-w- c:\program files\RngInterstitial.dll
2007-12-27 08:56 . 2009-04-18 02:09 2663 ----a-w- c:\program files\kfreadme.txt
2002-04-14 17:48 . 2009-04-18 02:09 68607 ----a-w- c:\program files\updates.txt
2002-03-13 23:46 . 2009-04-18 02:09 53248 ----a-w- c:\program files\zlib.dll
2002-01-16 04:35 . 2009-04-18 02:09 548864 ----a-w- c:\program files\ALLEG40.DLL
2007-07-17 17:11 . 2007-02-10 16:00 8139296 -csha-w- c:\windows\system32\drivers\fidbox.dat
2007-07-17 07:58 . 2007-02-10 16:00 604960 -csha-w- c:\windows\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2006-02-21 03:36 2057984 501C033D08AC37C4BE751633AB02197C c:\windows\$hf_mig$\KB914882\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 16:12 2059392 BA4B97C00A437C1CC3DA365D93EE1E9D c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2009-02-08 02:02 2074752 3066E12CC2B82232CF9975A267619237 c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2007-02-28 08:38 2057600 515D30E2C90A3665A2739309334C9283 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\VITrans\ntkrnlpa.exe

[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2006-02-21 04:01 2180992 DF4D09B676964646FA166A78C816B4C3 c:\windows\$hf_mig$\KB914882\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 16:51 2182016 CEF243F6DEFD20BE4ADDE26C7ECACB54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[7] 2009-02-08 02:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2009-02-06 11:08 2197760 704B98F5A22F142DE956F7FDE3A347D2 c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2007-02-28 09:10 2180352 582A8DBAA58C3B1F176EB2817DAEE77C c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\VITrans\ntoskrnl.exe

[-] 2008-04-14 00:12 1480704 D4F330787E9A12892C4441EE7F0F554A c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1423360 E4368D08C22012B357BEF3BA239AC667 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-06-11_05.39.43 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-06-05 396288]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 59392]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-25 2007088]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):73,65,76,65,6e,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-05-29 04:24 229376 ----a-w- c:\program files\Stardock2\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\DarK HaX\\Desktop\\mIRC.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9842:TCP"= 9842:TCP:SolidNetworkManager
"9842:UDP"= 9842:UDP:SolidNetworkManager
"26843:TCP"= 26843:TCP:*:Disabled:SolidNetworkManager
"26843:UDP"= 26843:UDP:*:Disabled:SolidNetworkManager
"55513:TCP"= 55513:TCP:*:Disabled:SolidNetworkManager
"55513:UDP"= 55513:UDP:*:Disabled:SolidNetworkManager
"20202:TCP"= 20202:TCP:*:Disabled:SolidNetworkManager
"20202:UDP"= 20202:UDP:*:Disabled:SolidNetworkManager
"4755:TCP"= 4755:TCP:*:Disabled:SolidNetworkManager
"4755:UDP"= 4755:UDP:*:Disabled:SolidNetworkManager
"6545:TCP"= 6545:TCP:*:Disabled:SolidNetworkManager
"6545:UDP"= 6545:UDP:*:Disabled:SolidNetworkManager
"56331:TCP"= 56331:TCP:Pando Media Booster
"56331:UDP"= 56331:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/27/2009 12:00 AM 108289]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [2/19/2007 7:28 PM 14336]
S2 NtfsSvc;Microsoft NtfsSvc Manager Service;c:\windows\System32\test.exe /svc --> c:\windows\System32\test.exe [?]
S3 gel90xne;gel90xne;\??\c:\docume~1\DARKHA~1\LOCALS~1\Temp\gel90xne.sys --> c:\docume~1\DARKHA~1\LOCALS~1\Temp\gel90xne.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 5:33 PM 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 5:32 PM 28800]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]
S3 XDva119;XDva119;\??\c:\windows\system32\XDva119.sys --> c:\windows\system32\XDva119.sys [?]
S3 XDva121;XDva121;\??\c:\windows\system32\XDva121.sys --> c:\windows\system32\XDva121.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys --> c:\windows\system32\XDva158.sys [?]
S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys --> c:\windows\system32\XDva165.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]
S3 XDva259;XDva259;\??\c:\windows\system32\XDva259.sys --> c:\windows\system32\XDva259.sys [?]
S3 XDva275;XDva275;\??\c:\windows\system32\XDva275.sys --> c:\windows\system32\XDva275.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: &FlashGet으로 모두 받기 - c:\program files\FlashGet\jc_all.htm
IE: &FlashGet으로 받기 - c:\program files\FlashGet\jc_link.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\DarK HaX\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: microsoft.com\*.windowsupdate
TCP: {5B82F8D2-0712-4B1B-94AD-F17D587A21EB} = 67.69.235.1 207.164.234.193
DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} - hxxp://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
DPF: {D6855164-25C2-40D2-BA39-D8A57FF0B49C} - hxxp://dekaron.redbanana.jp/_include/_common/cab/RedbananaAutoPlay.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 15:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = c:\program files\Creative\ShareDLL\CtNotify.exe?X???L????????????C????Disc Detector?B??????????????B????$???C????U?????????@???????????p???B??@?????P???$?? ??????~?~??????????@????????????????B?????|???????????????????p??????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Stardock\WindowBlinds]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IE40.BrowseUI\RegBackup]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,57,cc,74,ce,62,22,40,b6,48,23,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,57,cc,74,ce,62,22,40,b6,48,23,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
c:\program files\Stardock2\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(2884)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-11 15:34
ComboFix-quarantined-files.txt 2009-06-11 22:34
ComboFix2.txt 2009-06-11 05:51

Pre-Run: 9,748,508,672 bytes free
Post-Run: 9,774,682,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /NoExecute=Alwaysoff /fastdetect

339 --- E O F --- 2009-05-28 15:14

#10 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 June 2009 - 04:57 PM

Hi SecurityAlert,

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\viwc.exe
    • c:\windows\system32\sevenui.exe
    • c:\windows\system32\scrnrdr.exe
  • Click on the Upload button
  • Once the scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipboard does not work, then just copy and paste the output in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SecurityAlert
  • Topic Starter
  • Members
  • 28 posts
  • Gender:Male
  • Location:Canada

Posted 11 June 2009 - 06:29 PM

Hello SifuMike, I will post the file information results below.

-------------------
File information
File Name : viwc.exe
File Size : 348161 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : c858e1222af793339a44450a8df90732
SHA1 : 538fa34777744e73b72a4efbbfa279814e5ec8ea

Scanner results
Scanner results : 5% Scanner(2/38) found malware!
Time : 2009/06/11 18:09:18 (CDT)
Scanner ↓ | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.1 | 20090607195527 | 2009-06-07 | - | 1.908
AhnLab V3 | 2009.06.12.00 | 2009.06.12 | 2009-06-12 | - | 0.816
AntiVir | 8.2.0.187 | 7.1.4.85 | 2009-06-11 | - | 0.153
Antiy | 2.0.18 | 20090611.2526505 | 2009-06-11 | - | 0.119
Arcavir | 2009 | 200906111942 | 2009-06-11 | - | 0.058
Authentium | 5.1.1 | 200906111810 | 2009-06-11 | - | 1.145
AVAST! | 4.7.4 | 090611-0 | 2009-06-11 | - | 0.017
AVG | 8.5.286 | 270.12.63/2169 | 2009-06-11 | - | 3.396
BitDefender | 7.81008.3348152 | 7.25926 | 2009-06-12 | - | 3.068
CA (VET) | 9.0.0.143 | 31.6.6553 | 2009-06-11 | - | 6.510
ClamAV | 0.95.1 | 9456 | 2009-06-12 | - | 0.059
Comodo | 3.9 | 1316 | 2009-06-11 | - | 0.799
CP Secure | 1.1.0.715 | 2009.06.11 | 2009-06-11 | - | 9.966
Dr.Web | 4.44.0.9170 | 2009.06.11 | 2009-06-11 | Tool.Prockill | 4.868
F-Prot | 4.4.4.56 | 20090609 | 2009-06-09 | - | 1.141
F-Secure | 5.51.6100 | 2009.06.11.14 | 2009-06-11 | - | 0.069
Fortinet | 2.81-3.117 | 10.488 | 2009-06-11 | - | 0.216
GData | 19.5764/19.360 | 20090611 | 2009-06-11 | - | 4.215
Ikarus | T3.1.01.59 | 2009.06.11.72852 | 2009-06-11 | - | 3.289
JiangMin | 11.0.706 | 2009.06.11 | 2009-06-11 | Trojan/Agent.caic | 2.034
Kaspersky | 5.5.10 | 2009.06.11 | 2009-06-11 | - | 0.051
KingSoft | 2009.2.5.15 | 2009.6.11.18 | 2009-06-11 | - | 0.492
McAfee | 5.3.00 | 5643 | 2009-06-11 | - | 3.041
Microsoft | 1.4701 | 2009.06.12 | 2009-06-12 | - | 4.615
mks_vir | 2.01 | 2009.06.10 | 2009-06-10 | - | 3.196
Norman | 6.01.09 | 6.01.00 | 2009-06-11 | - | 4.007
nProtect | 20090611.01 | 4233772 | 2009-06-11 | - | 5.552
Panda | 9.05.01 | 2009.06.11 | 2009-06-11 | - | 1.719
Quick Heal | 10.00 | 2009.06.11 | 2009-06-11 | - | 1.250
Rising | 20.0 | 21.33.32.00 | 2009-06-11 | - | 0.787
Sophos | 2.87.1 | 4.42 | 2009-06-12 | - | 2.384
Sunbelt | 5180 | 5180 | 2009-06-10 | - | 0.910
Symantec | 1.3.0.24 | 20090611.003 | 2009-06-11 | - | 0.070
The Hacker | 6.3.4.3 | v00344 | 2009-06-11 | - | 0.623
Trend Micro | 8.700-1004 | 6.190.09 | 2009-06-11 | - | 0.029
VBA32 | 3.12.10.7 | 20090610.1435 | 2009-06-10 | - | 1.937
ViRobot | 20090611 | 2009.06.11 | 2009-06-11 | - | 0.412
VirusBuster | 4.5.11.10 | 10.107.10/1609255 | 2009-06-11 | - | 2.056
NOTICE: It may be false positive by some scanners when they found a malware, so you should judge it by yourself.

--------------------
File information
File Name : sevenui.exe
File Size : 6181376 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 56e05796c7bf6b122a4db1ed10065a61
SHA1 : d75a1717e9fe77a33ed0867b7840077ca55f6670

Scanner results
Scanner results : All Scanners reported not find malware!
Time : 2009/06/11 18:20:11 (CDT)
Scanner ↓ | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.1 | 20090607195527 | 2009-06-07 | - | 2.090
AhnLab V3 | 2009.06.12.00 | 2009.06.12 | 2009-06-12 | - | 0.747
AntiVir | 8.2.0.187 | 7.1.4.85 | 2009-06-11 | - | 0.194
Antiy | 2.0.18 | 20090611.2526505 | 2009-06-11 | - | 0.120
Arcavir | 2009 | 200906111942 | 2009-06-11 | - | 0.110
Authentium | 5.1.1 | 200906111810 | 2009-06-11 | - | 1.753
AVAST! | 4.7.4 | 090611-0 | 2009-06-11 | - | 0.169
AVG | 8.5.286 | 270.12.63/2169 | 2009-06-11 | - | 3.365
BitDefender | 7.81008.3348152 | 7.25926 | 2009-06-12 | - | 2.953
CA (VET) | 9.0.0.143 | 31.6.6553 | 2009-06-12 | - | 6.338
ClamAV | 0.95.1 | 9456 | 2009-06-12 | - | 0.392
Comodo | 3.9 | 1316 | 2009-06-11 | - | 0.713
CP Secure | 1.1.0.715 | 2009.06.11 | 2009-06-11 | - | 10.170
Dr.Web | 4.44.0.9170 | 2009.06.11 | 2009-06-11 | - | 4.966
F-Prot | 4.4.4.56 | 20090609 | 2009-06-09 | - | 1.713
F-Secure | 5.51.6100 | 2009.06.11.16 | 2009-06-11 | - | 0.146
Fortinet | 2.81-3.117 | 10.488 | 2009-06-11 | - | 0.368
GData | 19.5764/19.360 | 20090611 | 2009-06-11 | - | 4.239
Ikarus | T3.1.01.59 | 2009.06.11.72853 | 2009-06-11 | - | 3.380
JiangMin | 11.0.706 | 2009.06.11 | 2009-06-11 | - | 2.023
Kaspersky | 5.5.10 | 2009.06.11 | 2009-06-11 | - | 0.082
KingSoft | 2009.2.5.15 | 2009.6.11.18 | 2009-06-11 | - | 0.513
McAfee | 5.3.00 | 5643 | 2009-06-11 | - | 3.060
Microsoft | 1.4701 | 2009.06.12 | 2009-06-12 | - | 4.574
mks_vir | 2.01 | 2009.06.10 | 2009-06-10 | - | 3.223
Norman | 6.01.09 | 6.01.00 | 2009-06-11 | - | 4.007
nProtect | 20090611.01 | 4233772 | 2009-06-11 | - | 5.338
Panda | 9.05.01 | 2009.06.11 | 2009-06-11 | - | 1.771
Quick Heal | 10.00 | 2009.06.11 | 2009-06-11 | - | 3.028
Rising | 20.0 | 21.33.32.00 | 2009-06-11 | - | 0.803
Sophos | 2.87.1 | 4.42 | 2009-06-12 | - | 2.378
Sunbelt | 5180 | 5180 | 2009-06-10 | - | 1.117
Symantec | 1.3.0.24 | 20090611.003 | 2009-06-11 | - | 0.128
The Hacker | 6.3.4.3 | v00344 | 2009-06-11 | - | 0.670
Trend Micro | 8.700-1004 | 6.190.09 | 2009-06-11 | - | 0.029
VBA32 | 3.12.10.7 | 20090610.1435 | 2009-06-10 | - | 2.163
ViRobot | 20090611 | 2009.06.11 | 2009-06-11 | - | 0.422
VirusBuster | 4.5.11.10 | 10.107.10/1609255 | 2009-06-11 | - | 3.784
Note: this file has been scanned before. Therefore, this file's scan result will not be stored in the database

-------------------

File information
File Name : scrnrdr.exe
File Size : 20480 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : e3e206ca10d3fc44da8411153fad9944
SHA1 : 18bf48c9c16f9212df4b4d50344b20436ffa3d95

Scanner results
Scanner results : All Scanners reported not find malware!
Time : 2009/06/11 18:25:46 (CDT)
Scanner ↓ | Engine Ver | Sig Ver | Sig Date | Scan result | Time
a-squared | 4.5.0.1 | 20090607195527 | 2009-06-07 | - | 2.312
AhnLab V3 | 2009.06.12.00 | 2009.06.12 | 2009-06-12 | - | 0.721
AntiVir | 8.2.0.187 | 7.1.4.85 | 2009-06-11 | - | 0.254
Antiy | 2.0.18 | 20090611.2526505 | 2009-06-11 | - | 0.121
Arcavir | 2009 | 200906111942 | 2009-06-11 | - | 0.031
Authentium | 5.1.1 | 200906111810 | 2009-06-11 | - | 1.117
AVAST! | 4.7.4 | 090611-0 | 2009-06-11 | - | 0.004
AVG | 8.5.286 | 270.12.63/2169 | 2009-06-11 | - | 3.336
BitDefender | 7.81008.3348152 | 7.25926 | 2009-06-12 | - | 2.957
CA (VET) | 9.0.0.143 | 31.6.6553 | 2009-06-12 | - | 8.031
ClamAV | 0.95.1 | 9456 | 2009-06-12 | - | 0.013
Comodo | 3.9 | 1316 | 2009-06-11 | - | 0.718
CP Secure | 1.1.0.715 | 2009.06.11 | 2009-06-11 | - | 9.980
Dr.Web | 4.44.0.9170 | 2009.06.11 | 2009-06-11 | - | 4.661
F-Prot | 4.4.4.56 | 20090609 | 2009-06-09 | - | 1.125
F-Secure | 5.51.6100 | 2009.06.11.16 | 2009-06-11 | - | 5.832
Fortinet | 2.81-3.117 | 10.488 | 2009-06-11 | - | 0.205
GData | 19.5764/19.360 | 20090611 | 2009-06-11 | - | 4.371
Ikarus | T3.1.01.59 | 2009.06.11.72853 | 2009-06-11 | - | 3.290
JiangMin | 11.0.706 | 2009.06.11 | 2009-06-11 | - | 2.004
Kaspersky | 5.5.10 | 2009.06.11 | 2009-06-11 | - | 0.079
KingSoft | 2009.2.5.15 | 2009.6.11.18 | 2009-06-11 | - | 0.495
McAfee | 5.3.00 | 5643 | 2009-06-11 | - | 3.146
Microsoft | 1.4701 | 2009.06.12 | 2009-06-12 | - | 5.482
mks_vir | 2.01 | 2009.06.10 | 2009-06-10 | - | 3.165
Norman | 6.01.09 | 6.01.00 | 2009-06-11 | - | 4.007
nProtect | 20090611.01 | 4233772 | 2009-06-11 | - | 5.995
Panda | 9.05.01 | 2009.06.11 | 2009-06-11 | - | 1.720
Quick Heal | 10.00 | 2009.06.11 | 2009-06-11 | - | 1.189
Rising | 20.0 | 21.33.32.00 | 2009-06-11 | - | 0.819
Sophos | 2.87.1 | 4.42 | 2009-06-12 | - | 2.386
Sunbelt | 5180 | 5180 | 2009-06-10 | - | 0.841
Symantec | 1.3.0.24 | 20090611.003 | 2009-06-11 | - | 0.059
The Hacker | 6.3.4.3 | v00344 | 2009-06-11 | - | 0.681
Trend Micro | 8.700-1004 | 6.190.09 | 2009-06-11 | - | 0.027
VBA32 | 3.12.10.7 | 20090610.1435 | 2009-06-10 | - | 1.951
ViRobot | 20090611 | 2009.06.11 | 2009-06-11 | - | 0.425
VirusBuster | 4.5.11.10 | 10.107.10/1609255 | 2009-06-11 | - | 1.939
Note: this file has been scanned before. Therefore, this file's scan result will not be stored in the database

---------------------

These 3 files are from WindowsX Live Vista Transformation Pack 9 and I can 100% say that the viruses detected are false positives. Because of the fact that it does alter some system files to change the system interface, I'd assume one of these files would let off a red flag.

Edited by SecurityAlert, 11 June 2009 - 06:43 PM.


#12 SifuMike
    malware expert
  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 June 2009 - 09:14 PM

Hi SecurityAlert,

You need to disable your Avira AntiVir Antivirus and Microsoft Windows OneCare Live AntiSpyware and AntiVirus before running ComboFix, as they will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background (it looks like this: [icon image])
  • Right-click it, then untick the option "AntiVir Guard enable".
  • You should now see a closed, white umbrella on a red background (it looks like this: [icon image])
You successfully disabled the AntiVir Guard.


To modify Windows Live OneCare Antivirus settings

1. On the Windows Live OneCare start screen, click View or change settings, and then click the Antivirus tab.

2. Click Antivirus Exclusions to turn antivirus monitoring on or off, view quarantined files, and exclude specific files from scanning and monitoring.

3. Clear the Monitor for virus-like behavior during Antivirus monitoring check box to disable real-time monitoring and protection. Windows Live OneCare will prompt you and change the color of its icon if your system is not sufficiently protected after turning Antivirus off.

Now that you have real time monitoring turned off, proceed with my previous instructions and we will continue.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\docume~1\DARKHA~1\LOCALS~1\Temp\gel90xne.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000
Driver:: 
gel90xne


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 SecurityAlert

SecurityAlert
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:09:16 AM

Posted 11 June 2009 - 10:22 PM

This is the most recent ComboFix log as asked.

ComboFix 09-06-11.06 - DarK HaX 11/06/2009 22:54.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.949.82.1033.18.1271.826 [GMT -7:00]
Running from: c:\documents and settings\DarK HaX\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DarK HaX\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\docume~1\DARKHA~1\LOCALS~1\Temp\gel90xne.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GEL90XNE
-------\Service_gel90xne


((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-11 06:55 . 2005-08-26 02:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-06-11 06:55 . 2009-06-11 06:58 -------- d-----w- c:\program files\SpywareBlaster
2009-06-10 23:04 . 2009-06-10 23:04 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\Malwarebytes
2009-06-09 23:28 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 23:28 . 2009-06-09 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 23:28 . 2009-06-12 02:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 23:28 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 22:22 . 2009-06-09 22:22 152576 ----a-w- c:\documents and settings\DarK HaX\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-05 22:46 . 2009-06-05 22:46 -------- d-----w- c:\program files\Trend Micro
2009-05-31 17:28 . 2009-05-31 17:28 96 ---ha-w- c:\windows\system32\HsInfo.dat
2009-05-31 17:23 . 2009-05-31 17:23 -------- d-----w- c:\program files\alaplaya
2009-05-31 05:25 . 2009-06-02 00:17 -------- d-----w- c:\documents and settings\DarK HaX\Local Settings\Application Data\PMB Files
2009-05-31 05:25 . 2009-05-31 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-05-31 00:41 . 2009-05-31 00:41 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-05-30 09:01 . 2009-05-30 09:02 -------- d-----w- c:\program files\ZStuff
2009-05-29 05:59 . 2009-05-29 05:59 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-05-29 05:59 . 2009-05-29 05:59 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-05-29 05:17 . 2009-05-30 09:03 -------- d-----w- c:\program files\Spybot
2009-05-29 02:31 . 2009-05-29 02:31 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\ViSplore
2009-05-29 02:31 . 2009-05-31 02:46 -------- d-----w- c:\windows\system32\VIRepair
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\ViSplore
2009-05-29 02:26 . 2009-04-25 10:12 348161 ----a-w- c:\windows\system32\viwc.exe
2009-05-29 02:26 . 2009-05-29 02:31 -------- d-----w- c:\program files\ViStart
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\ViGlance
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\Vista Rainbar
2009-05-29 02:26 . 2009-05-29 02:26 -------- d-----w- c:\program files\Vista Drive Icon
2009-05-29 02:26 . 2009-03-18 15:46 6181376 ----a-w- c:\windows\system32\sevenui.exe
2009-05-29 02:25 . 2006-12-11 08:15 498176 ----a-w- c:\windows\system32\logon.scr
2009-05-29 02:12 . 2009-03-24 00:39 20480 ----a-w- c:\windows\system32\scrnrdr.exe
2009-05-29 02:03 . 2009-05-29 02:03 -------- d-----w- c:\program files\febooti fileTweak Hash and CRC
2009-05-28 22:09 . 2004-08-20 22:50 159744 ----a-w- c:\windows\system32\igfxres.dll
2009-05-28 22:04 . 2009-05-28 22:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-28 15:02 . 2009-05-28 15:02 -------- d-----w- c:\windows\system32\scripting
2009-05-28 15:02 . 2009-05-28 15:02 -------- d-----w- c:\windows\system32\en
2009-05-28 15:02 . 2009-05-28 15:02 -------- d-----w- c:\windows\l2schemas
2009-05-28 08:02 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll
2009-05-28 07:24 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-05-28 07:17 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-05-28 07:17 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-05-28 07:14 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-05-28 07:12 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-05-28 07:12 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-05-28 07:12 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-05-28 07:12 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-05-28 07:12 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-28 07:12 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-05-28 07:12 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-05-28 07:12 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-05-28 07:12 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-28 07:12 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-28 07:12 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-28 07:12 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-28 07:10 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-05-28 07:10 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-05-28 06:57 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-05-28 06:53 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-05-28 03:45 . 2009-05-28 03:45 -------- d-----w- c:\program files\iPod
2009-05-28 03:45 . 2009-05-28 03:46 -------- d-----w- c:\program files\iTunes
2009-05-28 03:45 . 2009-05-28 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-28 01:36 . 2009-05-28 01:36 -------- d-----w- C:\Quarantine
2009-05-27 07:05 . 2009-05-27 07:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-27 07:00 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-05-27 07:00 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-27 07:00 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-05-27 07:00 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-05-27 07:00 . 2009-05-27 07:00 -------- d-----w- c:\program files\Avira
2009-05-27 07:00 . 2009-05-27 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-27 06:19 . 2009-05-27 06:19 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\AVGTOOLBAR
2009-05-27 06:18 . 2009-05-27 06:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-27 06:18 . 2009-05-27 06:18 -------- d-----w- c:\program files\AVG
2009-05-27 04:29 . 2009-05-27 04:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-05-25 01:58 . 2009-05-25 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2009-05-25 01:55 . 2009-05-25 01:55 -------- d-----w- c:\program files\Siber Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 06:06 . 2008-01-20 06:43 -------- d-----w- c:\program files\FlashGet
2009-06-12 05:46 . 2008-01-26 21:27 169936 ----a-w- c:\documents and settings\DarK HaX\Application Data\Mozilla\Firefox\Profiles\mcrc1e4m.default\FlashGot.exe
2009-06-11 04:38 . 2007-12-02 01:00 -------- d-----w- c:\program files\WinFlip
2009-06-10 22:58 . 2007-01-21 00:08 -------- d-----w- c:\program files\Java
2009-06-09 03:29 . 2007-02-10 01:15 39472 -c--a-w- c:\documents and settings\DarK HaX\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 17:23 . 2007-11-13 06:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-31 17:23 . 2007-11-13 06:42 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-31 05:23 . 2009-02-28 10:25 -------- d-----w- c:\program files\Pando Networks
2009-05-30 00:55 . 2007-06-17 17:42 -------- d-----w- c:\program files\mIRC
2009-05-29 02:26 . 2007-12-02 01:00 -------- d-----w- c:\program files\TrueTransparency
2009-05-28 23:09 . 2007-06-27 06:45 -------- d-----w- c:\program files\Styler
2009-05-28 23:06 . 2009-02-08 07:21 -------- d-----w- c:\program files\AviSynth 2.5
2009-05-28 23:04 . 2009-02-04 15:48 -------- d-----w- c:\program files\GameTribe
2009-05-28 23:04 . 2007-04-15 05:55 -------- d-----w- c:\program files\LimeWire
2009-05-28 15:07 . 2007-01-21 02:54 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-05-28 03:45 . 2007-07-15 21:59 -------- d-----w- c:\program files\Common Files\Apple
2009-05-21 18:33 . 2009-02-02 23:31 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-06 21:23 . 2009-05-08 02:44 372736 ----a-w- c:\documents and settings\DarK HaX\Application Data\Mozilla\Firefox\Profiles\mcrc1e4m.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2009-04-20 05:48 . 2009-04-12 22:56 -------- d-----w- c:\program files\Sword of The New World
2009-04-19 20:13 . 2007-02-02 23:35 -------- d-----w- c:\program files\Unreal3.2
2009-04-19 20:11 . 2007-12-26 22:12 -------- d-----w- c:\program files\Yahoo!
2009-04-19 20:10 . 2007-04-13 23:44 -------- d-----w- c:\program files\Common Files\Real
2009-04-19 17:33 . 2007-12-04 15:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-04-18 16:44 . 2008-09-06 05:05 -------- d-----w- c:\program files\Perfect World Entertainment
2009-04-17 00:23 . 2007-01-21 00:09 -------- d-----w- c:\program files\Google
2009-04-13 23:31 . 2007-06-29 00:58 -------- d-----w- c:\documents and settings\DarK HaX\Application Data\MSN6
2009-04-13 17:23 . 2009-04-13 17:23 450560 ----a-w- c:\windows\system32\SpeedTreeRT.dll
2009-04-13 17:16 . 2009-04-13 17:16 173167 ----a-w- c:\windows\system32\fmod.zip
2009-04-04 18:11 . 2009-04-04 18:11 152576 ----a-w- c:\documents and settings\DarK HaX\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-02 23:29 . 2009-04-02 23:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-28 09:05 . 2009-03-28 09:05 57344 ----a-w- c:\windows\system32\imcomm.dll
2009-03-22 04:38 . 2009-03-22 04:38 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 23:32 . 2006-09-19 21:44 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 21:18 . 2009-04-16 06:59 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-04-16 06:59 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-04-16 06:59 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-04-16 06:59 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2008-03-31 01:43 . 2008-03-31 01:43 473 ----a-w- c:\program files\Shortcut to OGPlanet.lnk
2008-02-13 04:19 . 2008-02-13 04:20 774144 -c--a-w- c:\program files\RngInterstitial.dll
2007-12-27 08:56 . 2009-04-18 02:09 2663 ----a-w- c:\program files\kfreadme.txt
2002-04-14 17:48 . 2009-04-18 02:09 68607 ----a-w- c:\program files\updates.txt
2002-03-13 23:46 . 2009-04-18 02:09 53248 ----a-w- c:\program files\zlib.dll
2002-01-16 04:35 . 2009-04-18 02:09 548864 ----a-w- c:\program files\ALLEG40.DLL
2007-07-17 17:11 . 2007-02-10 16:00 8139296 -csha-w- c:\windows\system32\drivers\fidbox.dat
2007-07-17 07:58 . 2007-02-10 16:00 604960 -csha-w- c:\windows\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2006-02-21 03:36 2057984 501C033D08AC37C4BE751633AB02197C c:\windows\$hf_mig$\KB914882\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 16:12 2059392 BA4B97C00A437C1CC3DA365D93EE1E9D c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2009-02-08 02:02 2074752 3066E12CC2B82232CF9975A267619237 c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe
[-] 2007-02-28 08:38 2057600 515D30E2C90A3665A2739309334C9283 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\ntkrnlpa.exe
[7] 2009-02-08 02:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\VITrans\ntkrnlpa.exe

[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2006-02-21 04:01 2180992 DF4D09B676964646FA166A78C816B4C3 c:\windows\$hf_mig$\KB914882\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 16:51 2182016 CEF243F6DEFD20BE4ADDE26C7ECACB54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\$hf_mig$\KB956572\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[7] 2009-02-08 02:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2009-02-06 11:08 2197760 704B98F5A22F142DE956F7FDE3A347D2 c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe
[-] 2007-02-28 09:10 2180352 582A8DBAA58C3B1F176EB2817DAEE77C c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\VITrans\ntoskrnl.exe

[-] 2008-04-14 00:12 1480704 D4F330787E9A12892C4441EE7F0F554A c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1423360 E4368D08C22012B357BEF3BA239AC667 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-06-11_05.39.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-12 06:03 . 2009-06-12 06:03 16384 c:\windows\Temp\Perflib_Perfdata_1e4.dat
+ 2009-06-12 05:53 . 2009-06-12 05:53 389120 c:\windows\system32\CF11369.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HijackThis startup scan"="c:\program files\Trend Micro\HijackThis\HijackThis.exe" [2009-06-05 396288]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disc Detector"="c:\program files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 189952]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 59392]
"Flashget"="c:\program files\FlashGet\flashget.exe" [2007-09-25 2007088]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):73,65,76,65,6e,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2009-05-29 04:24 229376 ----a-w- c:\program files\Stardock2\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\DarK HaX\\Desktop\\mIRC.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"9842:TCP"= 9842:TCP:SolidNetworkManager
"9842:UDP"= 9842:UDP:SolidNetworkManager
"26843:TCP"= 26843:TCP:*:Disabled:SolidNetworkManager
"26843:UDP"= 26843:UDP:*:Disabled:SolidNetworkManager
"55513:TCP"= 55513:TCP:*:Disabled:SolidNetworkManager
"55513:UDP"= 55513:UDP:*:Disabled:SolidNetworkManager
"20202:TCP"= 20202:TCP:*:Disabled:SolidNetworkManager
"20202:UDP"= 20202:UDP:*:Disabled:SolidNetworkManager
"4755:TCP"= 4755:TCP:*:Disabled:SolidNetworkManager
"4755:UDP"= 4755:UDP:*:Disabled:SolidNetworkManager
"6545:TCP"= 6545:TCP:*:Disabled:SolidNetworkManager
"6545:UDP"= 6545:UDP:*:Disabled:SolidNetworkManager
"56331:TCP"= 56331:TCP:Pando Media Booster
"56331:UDP"= 56331:UDP:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/27/2009 12:00 AM 108289]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [2/19/2007 7:28 PM 14336]
S2 NtfsSvc;Microsoft NtfsSvc Manager Service;c:\windows\System32\test.exe /svc --> c:\windows\System32\test.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [1/23/2004 5:33 PM 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [1/23/2004 5:32 PM 28800]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]
S3 XDva119;XDva119;\??\c:\windows\system32\XDva119.sys --> c:\windows\system32\XDva119.sys [?]
S3 XDva121;XDva121;\??\c:\windows\system32\XDva121.sys --> c:\windows\system32\XDva121.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys --> c:\windows\system32\XDva158.sys [?]
S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys --> c:\windows\system32\XDva165.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]
S3 XDva259;XDva259;\??\c:\windows\system32\XDva259.sys --> c:\windows\system32\XDva259.sys [?]
S3 XDva275;XDva275;\??\c:\windows\system32\XDva275.sys --> c:\windows\system32\XDva275.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: &FlashGet으로 모두 받기 - c:\program files\FlashGet\jc_all.htm
IE: &FlashGet으로 받기 - c:\program files\FlashGet\jc_link.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\DarK HaX\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: microsoft.com\*.windowsupdate
TCP: {5B82F8D2-0712-4B1B-94AD-F17D587A21EB} = 67.69.235.1 207.164.234.193
DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} - hxxp://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB
DPF: {D6855164-25C2-40D2-BA39-D8A57FF0B49C} - hxxp://dekaron.redbanana.jp/_include/_common/cab/RedbananaAutoPlay.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 23:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Stardock\WindowBlinds]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IE40.BrowseUI\RegBackup]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,57,cc,74,ce,62,22,40,b6,48,23,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,57,cc,74,ce,62,22,40,b6,48,23,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
c:\program files\Stardock2\Object Desktop\WindowBlinds\wbsrv.dll

- - - - - - - > 'explorer.exe'(864)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Ctsvccda.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\conime.exe
c:\windows\system32\CF11369.exe
c:\program files\Creative\ShareDLL\Mediadet.exe
.
**************************************************************************
.
Completion time: 2009-06-12 23:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 06:16
ComboFix2.txt 2009-06-11 22:34
ComboFix3.txt 2009-06-11 05:51

Pre-Run: 9,757,577,216 bytes free
Post-Run: 9,749,131,264 bytes free

353 --- E O F --- 2009-05-28 15:14
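As an added triage example (not part of this thread and not ComboFix's own code), the following Python parses the REGEDIT4-style "Reg Loading Points" block and the R/S service lines from a ComboFix-style log excerpt modelled on the one above, and flags two things the helper's CFScript and the log both touch: Security Center notify/override values set to non-zero, and services whose image file the log marks with `[?]`. The set of value names checked and the reading of `[?]` as "file not found" are the example's own assumptions, and the sample log is constructed from lines in this thread.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix code).

It parses the REGEDIT4-style registry block and the R/S service lines, then
flags Security Center values that suppress the "antivirus is off" warning
(commonly set by malware so the user sees nothing wrong) and services whose
image file the log marks as missing with "[?]" (assumed meaning).
"""
import re

# Security Center values that hide AV/firewall status when non-zero.
# This set is the example's own choice, not a ComboFix list.
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
SUSPICIOUS_SC_VALUES = {
    "AntiVirusDisableNotify",
    "AntiVirusOverride",
    "FirewallDisableNotify",
    "FirewallOverride",
    "UpdatesDisableNotify",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
# State, service name, display name, then the image path (optionally
# followed by " --> resolved path" and a "[date size]" or "[?]" suffix).
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*);(.+)$")
TRAILING_BRACKET_RE = re.compile(r"\s*\[[^\]]*\]$")

# Constructed sample, modelled on lines from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/27/2009 12:00 AM 108289]
S2 NtfsSvc;Microsoft NtfsSvc Manager Service;c:\windows\System32\test.exe /svc --> c:\windows\System32\test.exe [?]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]
"""


def parse_registry_dwords(log_text):
    """Return {(key_lowercase, value_name): int} for every dword value found."""
    result = {}
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = DWORD_RE.match(line)
        if m and current_key is not None:
            result[(current_key, m.group(1))] = int(m.group(2), 16)
    return result


def flag_security_center(log_text):
    """Security Center notify/override values that are set to non-zero."""
    dwords = parse_registry_dwords(log_text)
    return sorted(
        name for (key, name), val in dwords.items()
        if key == SECURITY_CENTER_KEY and name in SUSPICIOUS_SC_VALUES and val != 0
    )


def parse_services(log_text):
    """Return a list of (state, name, display_name, image, file_missing)."""
    services = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        state, name, display, rest = m.groups()
        missing = rest.rstrip().endswith("[?]")  # assumed: file not found
        image = TRAILING_BRACKET_RE.sub("", rest.split(" --> ")[0]).strip()
        services.append((state, name, display, image, missing))
    return services


def flag_missing_service_images(log_text):
    """Names of services whose binary the log could not locate on disk."""
    return sorted(name for _, name, _, _, missing in parse_services(log_text) if missing)


if __name__ == "__main__":
    print("Security Center tampering:", flag_security_center(SAMPLE_LOG))
    print("Services with missing image:", flag_missing_service_images(SAMPLE_LOG))
```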

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:16 AM

Posted 11 June 2009 - 11:05 PM

SecurityAlert,

Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Close any open browsers.

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 SecurityAlert

SecurityAlert
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:09:16 AM

Posted 12 June 2009 - 06:38 PM

Hello SifuMike,

I would just like you to know that I have been very busy lately and I have not forgotten about this topic. I will post the Kaspersky log once it finishes the scan.



