Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horse Injector .EL


  • Please log in to reply
34 replies to this topic

#1 wkdhaka

wkdhaka

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 18 June 2009 - 10:44 AM

Hi. I have two Trojan Horse Injectors .EL one is from "\\?\globalroot\systemroot\system32\MSIVXkmpmevdyuriesdiuhtijmearsjxfplwb.dll" AVG 8.5 Free Edition says it has moved it to the virus vault but when I rescan it AVG finds it back again in the same area. The other Trojan Horse Injector .EL is from: "C:\WINDOWS\system32\svchost.exe (1140)" but with this one AVG cannot remove it. These Trojans have affected Google and Yahoo in my internet browser Mozilla Firefox and probably other stuff too.
Thanks in advance.

Here are the DDS files:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Hassaan at 15:48:52.14 on 18/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.co.uk/
uWindow Title = Microsoft Internet Explorer provided by Orange UK
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - f:\users\programs\micros~1\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\documents and settings\hassaan\desktop\flv downloader\MoyeaCth.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - f:\users\programs\midpx\jadinvoker\MidpInvoker.dll
TB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - f:\users\programs\midpx\jadinvoker\MidpInvoker.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [VC7Player] c:\program files\hhvcdv7sys\VC7Play.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "f:\users\programs\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - f:\users\programs\micros~1\office12\EXCEL.EXE/3000
IE: Link to &MidpX - f:\users\programs\midpx\jadinvoker\extent\jad_wrap.htm
IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\users\programs\micros~1\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\users\programs\micros~1\office12\REFIEBAR.DLL
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
TCP: NameServer = 85.255.112.21,85.255.112.89
TCP: {408B4471-79BD-4528-9867-A1FAE527D106} = 85.255.112.21,85.255.112.89
TCP: {554B8A8A-2B95-44CB-AB8F-C8FB3822E399} = 85.255.112.21,85.255.112.89
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - f:\users\programs\micros~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hassaan\applic~1\mozilla\firefox\profiles\mnpqpjuc.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://uk.ask.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-15 00:50 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-15 00:49 <DIR> --d----- c:\documents and settings\hassaan\.housecall6.6
2009-06-10 17:13 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-27 12:42 3,532 a------- C:\drmHeader.bin

==================== Find3M ====================

2009-06-16 20:45 75,712 a------- c:\docume~1\hassaan\applic~1\GDIPFONTCACHEV1.DAT
2009-06-16 16:11 87,608 a------- c:\docume~1\hassaan\applic~1\inst.exe
2009-06-16 16:11 47,360 a------- c:\docume~1\hassaan\applic~1\pcouffin.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-08 16:14 34 a------- c:\documents and settings\hassaan\jagex_runescape_preferences.dat
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-05 21:46 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-05 21:46 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-05 21:45 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-26 13:30 26,310 ac------ c:\windows\system32\change.dat
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-26 15:23 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2008-04-24 19:11 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-02-19 21:54 14,290 a------- c:\program files\settings.dat
2008-01-25 22:01 0 a---h--- c:\documents and settings\hassaan\hpothb07.dat
2007-07-08 14:02 3,655,608 a------- c:\program files\FLV PlayerRCATSetup.exe
2007-07-08 14:02 25,990,432 a------- c:\program files\FLV PlayerRCSetup.exe
2007-02-15 10:49 32 a----r-- c:\documents and settings\all users\hash.dat
2006-07-31 12:02 278,528 a------- c:\program files\common files\FDEUnInstaller.exe

============= FINISH: 15:50:39.98 ===============

Edited by wkdhaka, 18 June 2009 - 10:49 AM.

Posted Image

BC AdBot (Login to Remove)

 


#2 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jakarta, Indonesia
  • Local time:08:56 PM

Posted 24 June 2009 - 02:20 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
If I have not replied back to your post in 3 days, please send me a PM.

Posted Image

#3 wkdhaka

wkdhaka
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 25 June 2009 - 11:31 AM

Hi, thanks for replying. Here are the new dds scripts.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Hassaan at 17:26:21.17 on 25/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.co.uk/
uWindow Title = Microsoft Internet Explorer provided by Orange UK
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - f:\users\programs\micros~1\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\documents and settings\hassaan\desktop\flv downloader\MoyeaCth.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - f:\users\programs\midpx\jadinvoker\MidpInvoker.dll
TB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - f:\users\programs\midpx\jadinvoker\MidpInvoker.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [VC7Player] c:\program files\hhvcdv7sys\VC7Play.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "f:\users\programs\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - f:\users\programs\micros~1\office12\EXCEL.EXE/3000
IE: Link to &MidpX - f:\users\programs\midpx\jadinvoker\extent\jad_wrap.htm
IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\users\programs\micros~1\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\users\programs\micros~1\office12\REFIEBAR.DLL
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
TCP: NameServer = 85.255.112.21,85.255.112.89
TCP: {408B4471-79BD-4528-9867-A1FAE527D106} = 85.255.112.21,85.255.112.89
TCP: {554B8A8A-2B95-44CB-AB8F-C8FB3822E399} = 85.255.112.21,85.255.112.89
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - f:\users\programs\micros~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hassaan\applic~1\mozilla\firefox\profiles\mnpqpjuc.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://uk.ask.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-15 00:50 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-15 00:49 <DIR> --d----- c:\documents and settings\hassaan\.housecall6.6
2009-06-10 17:13 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-27 12:42 3,532 a------- C:\drmHeader.bin

==================== Find3M ====================

2009-06-16 20:45 75,712 a------- c:\docume~1\hassaan\applic~1\GDIPFONTCACHEV1.DAT
2009-06-16 16:11 87,608 a------- c:\docume~1\hassaan\applic~1\inst.exe
2009-06-16 16:11 47,360 a------- c:\docume~1\hassaan\applic~1\pcouffin.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-08 16:14 34 a------- c:\documents and settings\hassaan\jagex_runescape_preferences.dat
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-05 21:46 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-05 21:46 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-05 21:45 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-26 13:30 26,310 ac------ c:\windows\system32\change.dat
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-04-24 19:11 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-02-19 21:54 14,290 a------- c:\program files\settings.dat
2008-01-25 22:01 0 a---h--- c:\documents and settings\hassaan\hpothb07.dat
2007-07-08 14:02 3,655,608 a------- c:\program files\FLV PlayerRCATSetup.exe
2007-07-08 14:02 25,990,432 a------- c:\program files\FLV PlayerRCSetup.exe
2007-02-15 10:49 32 a----r-- c:\documents and settings\all users\hash.dat
2006-07-31 12:02 278,528 a------- c:\program files\common files\FDEUnInstaller.exe

============= FINISH: 17:27:27.39 ===============
Posted Image

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:56 AM

Posted 26 June 2009 - 12:17 PM

Hello wkdhaka :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.





Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 wkdhaka

wkdhaka
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 27 June 2009 - 01:51 PM

Hi The Wall thanks for replying,
I downloaded Malwarebytes Anti-Malware and ran the installer file, but when it finished showing the two check boxes they were both ticked and i clicked finished. When I clicked finished no window popped up, so I double clicked the shortcut on my desktop and again no window popped up. So I went to the "Malwarebytes' Anti-Malware" folder in the Program Files folder and double clicked on the program there but again no window opened. I then copied and pasted the "MBAM.exe" file in the same folder and windows renamed it "Copy of MBAM". I double clicked on "Copy of MBAM" and it opened, I then went to the update tab and tried to update it but it failed so I downloaded "MBAM-Rules.exe" and ran it. The window said it had finished and I closed it. I then ran a quick scan and it found some infections, I'll post the log below. It then asked me to restart the computer and i clicked "yes" and it restarted. When the computer rebooted I tried to click the shortcut "Malwarebytes' Anti-Malware" but it didn't load up, so I again went to the Malwarebytes' Anti-Malware folder and double clicked "MBAM.exe" and again it did not load. So I double clicked the "Copy of MBAM" and it loaded, I then again ran the quick scan and it said it found no infections. At the stage I was curious as Malwarebytes Anti-Malware shortcut or the program did not load, so i re-enabled AVG Free Edition 8.5 and it said it found the same Trojan Horse Injectors as last time so those infections have not gone. I went to "Google" and "Yahoo" and they are still affected.
Thanks in advanced.
Here is the Malwarebytes Anti-Malware log.

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

27/06/2009 18:51:32
mbam-log-2009-06-27 (18-51-32).txt

Scan type: Quick Scan
Objects scanned: 137717
Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 3
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\MSIVXkmpmevdyuriesdiuhtijmearsjxfplwb.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{408b4471-79bd-4528-9867-a1fae527d106}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{554b8a8a-2b95-44cb-ab8f-c8fb3822e399}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{408b4471-79bd-4528-9867-a1fae527d106}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{554b8a8a-2b95-44cb-ab8f-c8fb3822e399}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{408b4471-79bd-4528-9867-a1fae527d106}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{554b8a8a-2b95-44cb-ab8f-c8fb3822e399}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\Najam\Application Data\ErrorSmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
c:\documents and settings\Najam\application data\errorsmart\Log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
c:\documents and settings\Najam\application data\errorsmart\Registry Backups (Rogue.ErrorSmart) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\MSIVXkmpmevdyuriesdiuhtijmearsjxfplwb.dll (Spyware.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Najam\application data\errorsmart\Log\2008 Apr 15 - 01_50_31 PM_234.log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
c:\documents and settings\Najam\application data\errorsmart\registry backups\2008-04-15_13-52-23.reg (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
Posted Image

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:56 AM

Posted 27 June 2009 - 02:56 PM

Try this next:


Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 wkdhaka

wkdhaka
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 27 June 2009 - 03:59 PM

Hi, thanks for the fast reply.
I ran SmitFraudFix and here is the report.
Thanks in advance.

SmitFraudFix v2.423

Scan done at 21:14:26.40, 27/06/2009
Run from C:\Documents and Settings\Hassaan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process


hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Hassaan


C:\DOCUME~1\Hassaan\LOCALS~1\Temp


C:\Documents and Settings\Hassaan\Application Data


Start Menu





Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS



Scanning for wininet.dll infection


End
Posted Image

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:56 AM

Posted 27 June 2009 - 04:55 PM

You're welcome. :thumbup2:


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.





Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



When completed please post both the log from GMER and the one from SAS in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 wkdhaka

wkdhaka
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 30 June 2009 - 02:18 PM

Hi, this scans took some time so here is the first one the second one ill be coming soon I hope. Just that I've got such a busy week. Anyway here is the log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-28 22:24:02
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spkp.sys ZwCreateKey [0xF770B0E0]
SSDT spkp.sys ZwEnumerateKey [0xF7728CA2]
SSDT spkp.sys ZwEnumerateValueKey [0xF7729030]
SSDT spkp.sys ZwOpenKey [0xF770B0C0]
SSDT spkp.sys ZwQueryKey [0xF7729108]
SSDT spkp.sys ZwQueryValueKey [0xF7728F88]
SSDT spkp.sys ZwSetValueKey [0xF772919A]

INT 0x62 ? 85374BF8
INT 0x82 ? 85374BF8
INT 0xB4 ? 8533ABF8
INT 0xB4 ? 8533ABF8
INT 0xB4 ? 8533ABF8
INT 0xB4 ? 8533ABF8
INT 0xB4 ? 8533ABF8

Code 84EC6F68 ZwFlushInstructionCache
Code 84EC6FD6 IofCallDriver
Code 84EC9E26 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 84EC6FDB
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 84EC9E2B
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 84EC6F6C
? spkp.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F742C8AC 5 Bytes JMP 8533A1D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 853762D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F773B93C] spkp.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F773B990] spkp.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F770C040] spkp.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F770C13C] spkp.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F770C0BE] spkp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F770C7FC] spkp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F770C6D2] spkp.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8533A2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F771BD92] spkp.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 853731F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 853491F8
Device \Driver\usbuhci \Device\USBPDO-1 853491F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{554B8A8A-2B95-44CB-AB8F-C8FB3822E399} 84E9F1F8
Device \Driver\usbuhci \Device\USBPDO-2 853491F8
Device \Driver\usbehci \Device\USBPDO-3 853421F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{408B4471-79BD-4528-9867-A1FAE527D106} 84E9F1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 84E9F1F8
Device \Driver\NetBT \Device\NetbiosSmb 84E9F1F8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 853491F8
Device \Driver\usbuhci \Device\USBFDO-1 853491F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 84E9A1F8
Device \Driver\usbuhci \Device\USBFDO-2 853491F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 84E9A1F8
Device \Driver\usbehci \Device\USBFDO-3 853421F8
Device \Driver\Ftdisk \Device\FtControl 853E21F8
Device \Driver\vdrv7000 \Device\Scsi\vdrv70001Port2Path0Target0Lun0 8519A1F8
Device \Driver\vdrv7000 \Device\Scsi\vdrv70001 8519A1F8
Device \FileSystem\Cdfs \Cdfs 84E741F8
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\MSIVXkmpmevdyuriesdiuhtijmearsjxfplwb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1136] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\MSIVXqomurublovyxjxjdultobwqvmywboyar.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!
Service C:\WINDOWS\system32\DRIVERS\vdrv7000.sys (*** hidden *** ) [SYSTEM] vdrv7000 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2B 0x2F 0xA1 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXqomurublovyxjxjdultobwqvmywboyar.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXqomurublovyxjxjdultobwqvmywboyar.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXkmpmevdyuriesdiuhtijmearsjxfplwb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdmpxqhowftrritdxrujkxlbbeqpaiuti.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2B 0x2F 0xA1 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000@ServiceBinary C:\WINDOWS\system32\drivers\VDRV7000.SYS
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000@Group SCSI Miniport
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000@ImagePath system32\DRIVERS\vdrv7000.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000@Tag 33
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000\Enum
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000\Enum@0 ROOT\SCSIADAPTER\0000
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000\Enum@Count 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000\Enum@NextInstance 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000\parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000\parameters\pnpinterface
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000\parameters\pnpinterface@1 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000\security
Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrv7000\security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXqomurublovyxjxjdultobwqvmywboyar.sys
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXqomurublovyxjxjdultobwqvmywboyar.sys
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXkmpmevdyuriesdiuhtijmearsjxfplwb.dll
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXdmpxqhowftrritdxrujkxlbbeqpaiuti.dll
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2B 0x2F 0xA1 0xEE ...
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000@ServiceBinary C:\WINDOWS\system32\drivers\VDRV7000.SYS
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000@Group SCSI Miniport
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000@ImagePath system32\DRIVERS\vdrv7000.sys
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000@Start 1
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000@Tag 33
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000\Enum
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000\Enum@0 ROOT\SCSIADAPTER\0000
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000\Enum@Count 1
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000\Enum@NextInstance 1
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000\parameters
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000\parameters\pnpinterface
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000\parameters\pnpinterface@1 1
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000\security
Reg HKLM\SYSTEM\ControlSet004\Services\vdrv7000\security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@NextDetectionTime 2009-06-28 18:08:40
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@UnableToDetectTime 2009-06-27 17:26:18
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect@LastSuccessTime 2009-06-13 21:55:09
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect@LastError -2145107943
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7E1FAF86-5694-A7CE-E09C-A656DE7C83F6}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7E1FAF86-5694-A7CE-E09C-A656DE7C83F6}@iaaehggmgbccbchjjg 0x6A 0x61 0x62 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7E1FAF86-5694-A7CE-E09C-A656DE7C83F6}@hagdbmhdkccpnhin 0x6A 0x61 0x62 0x62 ...

---- Files - GMER 1.0.15 ----

File C:\Avenger\MSIVXcount 4 bytes
File C:\WINDOWS\system32\drivers\MSIVXqomurublovyxjxjdultobwqvmywboyar.sys 79872 bytes executable
File C:\WINDOWS\system32\MSIVXcount 4 bytes
File C:\WINDOWS\system32\MSIVXdmpxqhowftrritdxrujkxlbbeqpaiuti.dll 52224 bytes executable
File C:\WINDOWS\system32\MSIVXkmpmevdyuriesdiuhtijmearsjxfplwb.dll 26624 bytes executable

---- EOF - GMER 1.0.15 ----
Posted Image

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:56 AM

Posted 04 July 2009 - 08:36 AM

Are you still with me?
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 wkdhaka

wkdhaka
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 05 July 2009 - 04:07 AM

Hi, yes I am it's just that I've been so busy. I am about to do the second scan now.

Edited by wkdhaka, 05 July 2009 - 04:08 AM.

Posted Image

#12 wkdhaka

wkdhaka
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 05 July 2009 - 08:35 AM

Hi sorry for the delay. Here is the report.
Thanks in advanced.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/05/2009 at 12:33 PM

Application Version : 4.26.1006

Core Rules Database Version : 3972
Trace Rules Database Version: 1912

Scan type : Complete Scan
Total Scan Time : 02:07:37

Memory items scanned : 493
Memory threats detected : 0
Registry items scanned : 8063
Registry threats detected : 2
File items scanned : 134623
File threats detected : 42

Trojan.Unknown Origin
HKU\.DEFAULT\Software\ColdWare
HKU\S-1-5-18\Software\ColdWare

Adware.180solutions/Seekmo/Zango
C:\DOCUMENTS AND SETTINGS\HASSAAN\LOCAL SETTINGS\TEMP\1809.TMP

Adware.Tracking Cookie
C:\Documents and Settings\Hassaan\Cookies\Hassaan@advert.runescape[2].txt
C:\Documents and Settings\Hassaan\Cookies\shahana@ehg-bskyb.hitbox[2].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@ad.zanox[2].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@ad1.emediate[2].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@ads.addynamix[1].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@ads.monster[1].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@advert.runescape[2].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@as-us.falkag[1].txt
C:\Documents and SettingsHassaan\Cookies\Hassaan@belnk[1].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@dist.belnk[2].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@ehg-warnerbrothers.hitbox[2].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@media.fastclick[1].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@partner2profit[2].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@www.burstnet[1].txt
C:\Documents and Settings\Hassaan\Cookies\Hassaan@z1.adserver[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.zanox[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adecn[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.lucidmedia[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.lucidmedia[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.lucidmedia[3].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adtech[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@advertising[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@apmebf[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@avgtechnologies.112.2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@eas.apm.emediate[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@media6degrees[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@mediaplex[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnportal.112.2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@track.adform[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@tradedoubler[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@zanox[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@zedo[1].txt

Trojan.Downloader-Gen/Suspicious
C:\RECOVER\SYSPREP\SFTRUN.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Hassaan\Local Settings\Temporary Internet Files\Content.IE5\2Z8CXU4V\footer_cat[1].gif
C:\Documents and Settings\Hassaan\Local Settings\Temporary Internet Files\Content.IE5\HZFL5GAI\div[1].gif
C:\Documents and Settings\Hassaan\Local Settings\Temporary Internet Files\Content.IE5\2Z8CXU4V\4803[1].jpg
C:\Documents and Settings\Hassaan\Local Settings\Temporary Internet Files\Content.IE5\UZ6TX5F2\4362[1].jpg
Posted Image

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:56 AM

Posted 05 July 2009 - 09:17 AM

Before you run ComboFix be sure to disable your antivirus along with any program such as SuperAntiSpyware or Window's Defender. Instructions can be found here.



Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#14 wkdhaka

wkdhaka
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 06 July 2009 - 11:18 AM

Hi, I ran combo fix and the two Trojan Horse Injector .El s looks to be gone!
Can you please answer these questions for me?
1. Can I remove MBAM, SUPERANTISPYWARE, GMER, SMITFRAUD and Combo-fix and just keep my AVG? <-This is because I have low RAM.
2. What is the globalroot? is it a back door for the computer for hackers?
Thanks for helping to remove the Trojans.
Here are the DDS scripts:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Hassaan at 17:10:19.93 on 06/07/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - f:\users\programs\micros~1\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\documents and settings\hassaan\desktop\flv downloader\MoyeaCth.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - f:\users\programs\midpx\jadinvoker\MidpInvoker.dll
TB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - f:\users\programs\midpx\jadinvoker\MidpInvoker.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SAS.exe
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [VC7Player] c:\program files\hhvcdv7sys\VC7Play.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - f:\users\programs\micros~1\office12\EXCEL.EXE/3000
IE: Link to &MidpX - f:\users\programs\midpx\jadinvoker\extent\jad_wrap.htm
IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\users\programs\micros~1\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\users\programs\micros~1\office12\REFIEBAR.DLL
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - f:\users\programs\micros~1\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hassaan\applic~1\mozilla\firefox\profiles\mnpqpjuc.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://uk.ask.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-06 16:45 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-06 16:04 <DIR> a-dshr-- C:\cmdcons
2009-07-06 15:57 161,792 a------- c:\windows\SWREG.exe
2009-07-06 15:57 155,136 a------- c:\windows\PEV.exe
2009-07-06 15:57 98,816 a------- c:\windows\sed.exe
2009-07-05 14:48 <DIR> --d----- c:\docume~1\hassaan\applic~1\AVG8
2009-07-05 14:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-05 10:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-05 10:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-05 10:12 <DIR> --d----- c:\docume~1\hassaan\applic~1\SUPERAntiSpyware.com
2009-07-05 10:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-27 18:35 <DIR> --d----- c:\docume~1\hassaan\applic~1\Malwarebytes
2009-06-27 18:32 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 18:32 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-27 18:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-27 18:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 00:50 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-15 00:49 <DIR> --d----- c:\documents and settings\hassaan\.housecall6.6
2009-06-10 17:13 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-07-05 14:47 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-05 14:47 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 20:45 75,712 a------- c:\docume~1\hassaan\applic~1\GDIPFONTCACHEV1.DAT
2009-06-16 16:11 47,360 a------- c:\docume~1\hassaan\applic~1\pcouffin.sys
2009-05-27 12:42 3,532 a------- C:\drmHeader.bin
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-08 16:14 34 a------- c:\documents and settings\hassaan\jagex_runescape_preferences.dat
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-26 13:30 26,310 ac------ c:\windows\system32\change.dat
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-04-24 19:11 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-02-19 21:54 14,290 a------- c:\program files\settings.dat
2008-01-25 22:01 0 a---h--- c:\documents and settings\hassaan\hpothb07.dat
2007-07-08 14:02 3,655,608 a------- c:\program files\FLV PlayerRCATSetup.exe
2007-07-08 14:02 25,990,432 a------- c:\program files\FLV PlayerRCSetup.exe
2007-02-15 10:49 32 a----r-- c:\documents and settings\all users\hash.dat
2006-07-31 12:02 278,528 a------- c:\program files\common files\FDEUnInstaller.exe

============= FINISH: 17:12:30.06 ===============

Edited by wkdhaka, 06 July 2009 - 11:41 AM.

Posted Image

#15 wkdhaka

wkdhaka
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 06 July 2009 - 12:41 PM

Here is the Combo-Fix report. Thanks again.

ComboFix 09-07-05.04 - Hassaan 06/07/2009 16:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.138 [GMT 1:00]
Running from: c:\documents and settings\Hassaan\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Hassaan\Application Data\inst.exe
c:\recycler\S-1-5-21-962593001-2593755746-1226798780-1003
c:\windows\Installer\af9e0.msp
c:\windows\Installer\af9ed.msp
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\MSIVXqomurublovyxjxjdultobwqvmywboyar.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXdmpxqhowftrritdxrujkxlbbeqpaiuti.dll
c:\windows\system32\MSIVXkmpmevdyuriesdiuhtijmearsjxfplwb.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 14:43 . 2009-07-06 14:43 -------- d-----w- c:\documents and settings\Hassaan\Local Settings\Application Data\AVG Security Toolbar
2009-07-05 13:48 . 2009-07-05 13:48 -------- d-----w- c:\documents and settings\Hassaan\Application Data\AVG8
2009-07-05 13:48 . 2009-07-05 13:47 832144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-07-05 13:47 . 2009-07-05 13:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-05 13:47 . 2009-07-05 13:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-07-05 09:15 . 2009-07-06 14:40 117760 ----a-w- c:\documents and settings\Hassaan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-05 09:13 . 2009-07-05 09:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-05 09:12 . 2009-07-05 09:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-05 09:12 . 2009-07-05 09:12 -------- d-----w- c:\documents and settings\Hassaan\Application Data\SUPERAntiSpyware.com
2009-07-05 09:11 . 2009-07-05 09:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-27 17:35 . 2009-06-27 17:35 -------- d-----w- c:\documents and settings\Hassaan\Application Data\Malwarebytes
2009-06-27 17:32 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 17:32 . 2009-06-27 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-27 17:32 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-27 17:32 . 2009-06-27 17:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 23:50 . 2009-06-14 23:49 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-14 23:49 . 2009-06-14 23:51 -------- d-----w- c:\documents and settings\Hassaan\.housecall6.6
2009-06-14 10:13 . 2009-06-14 10:16 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2009-06-14 09:51 . 2009-06-14 09:51 -------- d-----w- c:\documents and settings\Hassaan\Local Settings\Application Data\PCHealth
2009-06-10 16:00 . 2009-06-10 16:00 152576 ----a-w- c:\documents and settings\Hassaan\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 13:47 . 2009-02-25 20:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-05 13:47 . 2009-02-25 20:51 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-05 13:47 . 2009-02-25 20:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-18 17:49 . 2008-02-03 11:22 -------- d-----w- c:\documents and settings\Hassaan\Application Data\U3
2009-06-16 15:11 . 2009-01-13 20:45 -------- d-----w- c:\documents and settings\Hassaan\Application Data\Vso
2009-06-16 15:11 . 2009-01-13 20:45 47360 ----a-w- c:\documents and settings\Hassaan\Application Data\pcouffin.sys
2009-06-16 15:11 . 2009-01-13 20:45 47360 ----a-w- c:\documents and settings\Hassaan\Application Data\pcouffin.sys
2009-06-16 10:18 . 2009-03-02 15:42 -------- d-----w- c:\documents and settings\Najam\Application Data\AVGTOOLBAR
2009-06-14 22:19 . 2009-05-06 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-13 10:40 . 2002-12-28 21:59 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-10 16:11 . 2006-04-15 17:16 -------- d-----w- c:\program files\Java
2009-05-27 11:42 . 2009-05-27 11:42 3532 ----a-w- C:\drmHeader.bin
2009-05-21 10:33 . 2008-12-02 18:46 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 12:14 . 2002-12-28 22:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-20 12:13 . 2009-05-20 12:13 -------- d-----w- c:\documents and settings\Hassaan\Application Data\InstallShield
2009-05-18 18:26 . 2009-05-18 18:05 -------- d-----w- c:\documents and settings\Hassaan\Application Data\codeblocks
2009-05-17 18:13 . 2009-05-07 17:43 -------- d-----w- c:\program files\Windows Desktop Search
2009-05-15 23:03 . 2009-05-05 21:22 -------- d-----w- c:\documents and settings\Hassaan\Application Data\Ericom
2009-05-10 11:34 . 2009-05-06 17:23 -------- d-----w- c:\documents and settings\Hassaan\Application Data\uTorrent
2009-05-09 22:26 . 2008-04-24 18:07 -------- d-----w- c:\documents and settings\Hassaan\Application Data\Skype
2009-05-09 20:50 . 2008-04-24 18:11 -------- d-----w- c:\documents and settings\Hassaan\Application Data\skypePM
2009-05-08 15:14 . 2008-07-03 15:36 34 ----a-w- c:\documents and settings\Hassaan\jagex_runescape_preferences.dat
2009-05-08 15:01 . 2009-05-08 15:01 -------- d-----w- c:\documents and settings\Hassaan\Application Data\Windows Search
2009-05-07 17:19 . 2009-02-25 20:51 -------- d-----w- c:\documents and settings\Hassaan\Application Data\AVGTOOLBAR
2009-05-07 15:48 . 2006-01-10 17:44 75712 ----a-w- c:\documents and settings\Hassaan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-07 15:32 . 2005-10-25 02:47 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 20:45 . 2009-02-25 20:51 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:56 . 2005-10-25 02:48 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-10-25 02:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 12:30 . 2008-05-22 07:23 26310 -c--a-w- c:\windows\system32\change.dat
2009-04-17 16:08 . 2009-04-17 16:08 152576 ----a-w- c:\documents and settings\Hassaan\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2005-10-25 02:48 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-10-25 02:48 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-02-19 20:54 . 2008-02-19 20:54 14290 ----a-w- c:\program files\settings.dat
2007-07-08 13:02 . 2007-07-08 13:02 3655608 ----a-w- c:\program files\FLV PlayerRCATSetup.exe
2007-07-08 13:02 . 2007-07-08 13:00 25990432 ----a-w- c:\program files\FLV PlayerRCSetup.exe
2006-07-31 11:02 . 2006-07-31 11:02 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
.

------- Sigcheck -------

[7] 2004-08-04 12:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 04:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 04:42 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2004-08-04 12:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2008-04-14 04:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 04:42 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[7] 2004-08-04 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2008-04-14 04:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2008-04-14 04:42 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2005-09-02 23:53 660480 97A6FD7CAFD688CF2C78939EBAF0CD0C c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[-] 2005-10-21 03:38 661504 AF785C4947676A7FC1673FDC5C8D0B5B c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[7] 2007-03-07 17:40 823296 B8F4DB39CA7353752F245379D285C80E c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
[7] 2007-04-25 09:08 823808 431DEFBB4A3D7B0DC062C1B064623A2F c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
[7] 2007-06-27 14:40 824320 D6ED5E042C5207553E7F5E842918137F c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
[7] 2007-08-20 10:02 825344 357D54BF94FE9D6D8505A96B5C2A3BCA c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
[7] 2007-10-10 23:47 825344 0E5D918F87EFA7D2424D66B499C7EB04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[7] 2007-12-07 02:01 825344 B5B411BB229AE6EAD7652A32ED47BFB9 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
[7] 2008-03-01 13:03 827392 6316C2F0C61271C8ABDFF7429174879E c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[7] 2008-04-23 03:35 827392 41546B396A526918DA7995A02EA04E51 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[7] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[7] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[7] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[7] 2004-08-04 12:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB896688$\wininet.dll
[-] 2005-09-02 23:52 658432 AF61EBB1F550175EFF406D545D6AB086 c:\windows\$NtUninstallKB905915$\wininet.dll
[-] 2005-10-21 03:39 658432 E7B27B6B6E06CE34EA019FD8B858C613 c:\windows\$NtUninstallKB912812$\wininet.dll
[-] 2006-03-04 03:58 663552 C0845ECBF4F9164E618EE381B79C9032 c:\windows\$NtUninstallKB916281$\wininet.dll
[-] 2006-05-10 05:25 663552 D94CFFDB53E7AC867438E2DFD50E7CBC c:\windows\$NtUninstallKB918899$\wininet.dll
[-] 2006-06-23 11:25 664576 64CE26DB72810B30F7855EA51E1DF836 c:\windows\$NtUninstallKB922760$\wininet.dll
[-] 2006-09-14 08:31 664576 D207370287CF769AEBEBF03837784963 c:\windows\$NtUninstallKB925454$\wininet.dll
[-] 2006-10-23 15:34 664576 231EF4179ACABE486376B5CA893F1076 c:\windows\ie7\wininet.dll
[7] 2006-11-07 21:03 818688 92995334F993E6E49C25C6D02EC04401 c:\windows\ie7updates\KB928090-IE7\wininet.dll
[7] 2007-01-12 09:27 822784 BE43D00D802C92F01C8CC952C6F483F8 c:\windows\ie7updates\KB931768-IE7\wininet.dll
[7] 2007-03-07 17:45 822784 5B35DAE6E4886F64D1DA58C4E3E01EB9 c:\windows\ie7updates\KB933566-IE7\wininet.dll
[7] 2007-04-25 08:41 822784 0586A7F0B2FDB94D624F399D4728E7C8 c:\windows\ie7updates\KB937143-IE7\wininet.dll
[7] 2007-06-27 14:34 823808 8068CBB58FE60CC95AEB2CFF70178208 c:\windows\ie7updates\KB939653-IE7\wininet.dll
[7] 2007-08-20 10:04 824832 774435E499D8E9643EC961A6103C361F c:\windows\ie7updates\KB942615-IE7\wininet.dll
[7] 2007-10-10 23:56 824832 30C1E0F34AD2972C72A01DB5C74AB065 c:\windows\ie7updates\KB944533-IE7\wininet.dll
[7] 2007-12-07 02:21 824832 806D274C9A6C3AAEA5EAE8E4AF841E04 c:\windows\ie7updates\KB947864-IE7\wininet.dll
[7] 2008-03-01 13:06 826368 AD21461AEF8244EDEC2EF18E55E1DCF3 c:\windows\ie7updates\KB950759-IE7\wininet.dll
[7] 2008-04-23 04:16 826368 F6589BE784647CFDBC22EA51CCB1A57A c:\windows\ie7updates\KB953838-IE7\wininet.dll
[7] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[7] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[7] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[7] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie7updates\KB963027-IE7\wininet.dll
[7] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[7] 2008-04-14 04:42 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\dllcache\wininet.dll

[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB889527$\tcpip.sys
[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 23:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 23:50 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-25 16:46 502784 B4592FCE66AB5CEFCAFB9FA0D8A04D24 c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtUninstallKB883529$\winlogon.exe
[7] 2008-04-14 04:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 04:42 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[7] 2004-08-04 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 23:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 23:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[7] 2004-08-04 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[7] 2008-04-13 23:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2008-04-13 23:23 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-01 15:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 16:12 2059392 BA4B97C00A437C1CC3DA365D93EE1E9D c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 14:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2007-02-28 08:38 2057600 515D30E2C90A3665A2739309334C9283 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2004-08-04 12:00 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[-] 2006-12-19 12:55 2057600 1D659BFB788ED2BA45075624B748D249 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-13 23:01 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2009-02-07 18:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 23:01 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2009-02-07 18:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-07 18:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 16:51 2182016 CEF243F6DEFD20BE4ADDE26C7ECACB54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[7] 2009-02-07 18:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 15:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-02-28 09:10 2180352 582A8DBAA58C3B1F176EB2817DAEE77C c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2004-08-04 12:00 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2006-12-19 14:17 2180352 8F0DEAB1F81FB83F9C5995853CE48B9F c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 23:57 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 23:57 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2008-04-14 04:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 12:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB884883$\explorer.exe
[-] 2005-04-07 09:33 1032192 45757077A47C68A603A79B03A1A836AB c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 04:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2004-08-04 12:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 04:42 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 04:42 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe

[7] 2004-08-04 12:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-14 04:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2008-04-14 04:42 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[7] 2004-08-04 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 04:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2008-04-14 04:42 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 12:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2008-04-14 04:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 04:42 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[7] 2008-04-14 04:42 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2008-10-16 14:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 14:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[7] 2004-08-04 12:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 04:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 04:42 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[7] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 04:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 04:42 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtServicePackUninstall$\kernel32.dll
[7] 2004-08-04 12:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB917422$\kernel32.dll
[-] 2006-07-05 10:55 984064 D8DB5397DE07577C1CB50BA6D23B3AD4 c:\windows\$NtUninstallKB935839$\kernel32.dll
[7] 2008-04-14 04:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
[7] 2008-04-14 04:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll

[7] 2004-08-04 12:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2008-04-14 04:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2008-04-14 04:42 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[7] 2004-08-04 12:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2008-04-14 04:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2008-04-14 04:41 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[7] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 04:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2008-04-14 04:42 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll


[7] 2004-08-04 12:00 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2008-04-13 23:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2008-04-13 23:09 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 15:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SAS.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-17 729178]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"VC7Player"="c:\program files\HHVcdV7Sys\VC7Play.exe" [2005-11-24 237568]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-05 1948440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-19 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-10-14 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-10-14 167936]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-08-17 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin 802.11g Wireless Card Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe [2006-8-2 630872]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-05 13:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\PowerTerm WebConnect 5.5\\portal.arthurterry.bham.sch.uk\\PtRdp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56906:TCP"= 56906:TCP:Pando Media Booster
"56906:UDP"= 56906:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25/02/2009 21:51 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25/02/2009 21:51 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R1 vdrv7000;vdrv7000;c:\windows\system32\drivers\vdrv7000.sys [13/07/2008 16:24 76672]
S3 BTCAMDRV;Mobiola Web Camera driver;c:\windows\system32\drivers\BTCamDrv.sys [18/03/2008 10:00 219136]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [02/08/2006 11:36 17149]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.SYS [14/05/2007 11:26 508288]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
S3 scrcap;scrcap; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2009-06-28 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8146771622.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]

2008-04-20 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-05-17 21:45]

2008-06-27 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job
- c:\windows\vVX1000.exe [2008-04-20 21:46]

2009-07-06 c:\windows\Tasks\User_Feed_Synchronization-{4782CFCC-9DA2-4044-A5D9-771860F4C3AC}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-GrooveMonitor - f:\users\Programs\Microsoft Office\Office12\GrooveMonitor.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - f:\users\Programs\MICROS~1\Office12\EXCEL.EXE/3000
IE: Link to &MidpX - f:\users\Programs\midpX\JadInvoker\Extent\jad_wrap.htm
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
FF - ProfilePath - c:\documents and settings\Hassaan\Application Data\Mozilla\Firefox\Profiles\mnpqpjuc.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://uk.ask.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 16:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3574062589-648083258-4160866680-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7E1FAF86-5694-A7CE-E09C-A656DE7C83F6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaaehggmgbccbchjjg"=hex:6a,61,62,62,62,6d,6b,67,6c,61,6d,64,70,68,61,70,6b,63,
64,6e,00,f0
"hagdbmhdkccpnhin"=hex:6a,61,62,62,62,6d,6b,67,6c,61,6d,64,70,68,61,70,6b,63,
64,6e,00,f0
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-06 16:51
ComboFix-quarantined-files.txt 2009-07-06 15:50

Pre-Run: 15,819,378,688 bytes free
Post-Run: 17,199,869,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
414 --- E O F --- 2009-06-12 16:17
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users