
Malware preventing countermeasures


7 replies to this topic

#1 AlfaWolf04


Posted 27 June 2009 - 08:13 PM

Seems I have a nasty virus/malware which is preventing just about everything I try to do to exterminate it, even in safe mode. Progress has been made, but it has been extremely slow and has hit a wall. It started with over half of the sites I tried to visit getting redirected to various sites claiming to be able to disinfect my computer and such, as well as several virus warnings from Symantec. After noticing this, I tried running Spybot, but it wouldn't open. After I renamed the executable file, it ran, but would not connect to the internet for updates. The same problem occurred with Malwarebytes' Anti-Malware and HijackThis. Also, the website for Spybot would always get redirected to another one of the above-mentioned fake sites.

I ran the scans without updates in safe mode hoping they would still be up to date enough to handle the problem. They did help to fix the problem of website redirection and updating Spybot and Anti-Malware, but they and HijackThis are still unable to run as their native (non-renamed) executables. I don't know if the more annoying problems will resurface later, but I want to be sure that the malware is off of my computer.

EDIT: This appears to be similar to the Google hijacker that others on this forum are experiencing.

ANOTHER EDIT: The main annoyance is back. Google search results are being redirected again. :-(


DDS (Ver_09-06-26.01) - NTFSx86
Run by Aaron at 20:52:13.84 on Sat 06/27/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1149 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\SnapStream Media\Firefly\Firefly.exe
C:\Program Files\Notebook Hardware Control\nhc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Wallpaper Master\Wallpaper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Weather Watcher Live\ww.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
C:\Program Files\STADS\SoundCardSwitcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThat.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Aaron\My Documents\My Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
{bfd661cb-ad18-41d3-b5e0-8e4678869f73}
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [WeatherWatcherLive] "c:\program files\weather watcher live\ww.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Firefly] c:\program files\snapstream media\firefly\Firefly.exe
mRun: [NotebookHardwareControl] "c:\program files\notebook hardware control\nhc.exe" -quiet
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [WallpaperChanger] c:\program files\wallpaper master\Wallpaper.exe
mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [<NO NAME>]
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\aaron\startm~1\programs\startup\system~1.lnk - c:\program files\stads\SoundCardSwitcher.exe
StartupFolder: c:\docume~1\aaron\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
uPolicies-explorer: NoActiveDesktop = 00000000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159162763171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {9413D8DE-55B0-4F98-83EE-18E000C893B1} = 208.67.220.220,208.67.222.222
TCP: {B456C670-0FF8-46F3-B5BB-B65CD7E106F1} = 208.67.220.220,208.67.222.222
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: prio.dll c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: boucicault - {0bad5052-665d-40d4-a9bd-a2891eaafb42} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aaron\applic~1\mozilla\firefox\profiles\pm1l66ct.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - isoHunt - BT search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2009-5-18 14976]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-3-17 92008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-8 101936]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [2006-9-25 25984]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090626.016\naveng.sys [2009-6-26 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090626.016\navex15.sys [2009-6-26 876144]
S2 gupdate1c9d64a26b1b838;Google Update Service (gupdate1c9d64a26b1b838);c:\program files\google\update\GoogleUpdate.exe [2009-5-16 133104]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\aaron\locals~1\temp\cel90xbe.sys --> c:\docume~1\aaron\locals~1\temp\cel90xbe.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\aaron\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\aaron\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-30 29744]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2006-9-28 1458688]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys --> c:\windows\system32\drivers\toywdm.sys [?]
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;c:\windows\system32\drivers\LtcyCfgWDM.sys [2005-12-26 6656]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2007-6-26 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2007-6-26 85696]

=============== Created Last 30 ================

2009-06-27 19:24 <DIR> --d----- c:\program files\Trend Micro
2009-06-27 04:19 <DIR> --d----- c:\docume~1\aaron\applic~1\Malwarebytes
2009-06-27 04:17 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 04:17 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-27 04:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 04:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-27 04:05 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-24 18:34 <DIR> --d----- C:\pt
2009-06-19 09:04 <DIR> --d----- c:\program files\iPod
2009-06-19 09:04 <DIR> --d----- c:\program files\iTunes
2009-06-19 09:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-19 08:56 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-19 08:56 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-16 03:56 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-06-12 16:45 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-12 16:45 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-09 15:15 <DIR> --d----- c:\program files\Unity
2009-06-07 21:40 <DIR> --d----- c:\program files\Mad Scientist Productions
2009-06-02 18:36 <DIR> --dsh--- c:\documents and settings\aaron\IECompatCache
2009-06-02 18:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-06-02 18:06 <DIR> --d----- c:\program files\Microsoft WSE
2009-06-02 13:06 <DIR> --d----- c:\program files\SIW
2009-06-01 01:41 <DIR> --d----- c:\program files\MagicISO
2009-05-31 20:25 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-05-30 11:47 <DIR> --d----- c:\program files\Game Editors

==================== Find3M ====================

2009-06-27 19:19 22,528 a------- c:\windows\system32\drivers\nhcDriver.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-20 01:50 1,934 a------- c:\windows\system32\ealregsnapshot1.reg
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 11:42 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-05-11 21:55 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-22 00:20 14,311,680 a------- c:\windows\system32\xlive.dll
2009-04-22 00:20 13,642,496 a------- c:\windows\system32\xlivefnt.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-12-27 22:59 22,328 ac------ c:\docume~1\aaron\applic~1\PnkBstrK.sys
2008-02-14 19:08 23,480 ac------ c:\docume~1\aaron\applic~1\GDIPFONTCACHEV1.DAT
2005-07-14 15:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 18:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-22 01:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2006-11-28 03:27 735,611 ---sh--- c:\windows\system32\dfhkj.bak1
2006-11-28 20:23 763,222 ---sh--- c:\windows\system32\dfhkj.bak2
2006-09-26 00:40 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2005-02-28 16:16 240,128 a--shr-- c:\windows\system32\x.264.exe

============= FINISH: 20:53:13.01 ===============



Edited by AlfaWolf04, 27 June 2009 - 09:33 PM.



#2 SifuMike

    malware expert

Posted 29 June 2009 - 10:37 PM

Hello AlfaWolf04,

Delete these old versions of Java, as they are malware magnets.
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7


Please post the last Malwarebytes log so I can see what it is finding.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire MBAM report in your next reply
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 AlfaWolf04


Posted 30 June 2009 - 02:01 PM

I have run two scans of MBAM, the first scan finding the most malware. I'll post both logs below.



Malwarebytes' Anti-Malware 1.38
Database version: 2340
Windows 5.1.2600 Service Pack 3

6/27/2009 3:35:43 PM
mbam-log-2009-06-27 (15-35-43).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 274700
Time elapsed: 41 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhoo32 (Dialer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.104,85.255.112.155 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{9413d8de-55b0-4f98-83ee-18e000c893b1}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.104,85.255.112.155 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b456c670-0ff8-46f3-b5bb-b65cd7e106f1}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.104,85.255.112.155 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{b456c670-0ff8-46f3-b5bb-b65cd7e106f1}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.104,85.255.112.155 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\VSAdd-in (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ (Dialer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.



Malwarebytes' Anti-Malware 1.38
Database version: 2340
Windows 5.1.2600 Service Pack 3

6/27/2009 6:58:14 PM
mbam-log-2009-06-27 (18-58-14).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 274425
Time elapsed: 45 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot
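The MBAM report above shows what the redirects were: Trojan.DNSChanger had rewritten the Tcpip NameServer values (global and per-interface) to 85.255.112.104,85.255.112.155, while the DDS log in the first post shows the expected OpenDNS resolvers 208.67.220.220,208.67.222.222. As an added example, not part of this thread and not code from DDS, MBAM or any other tool named here, the Python below pulls the resolver settings out of DDS "TCP:" lines and the DNSChanger entries out of an MBAM report, flags any resolver outside an allowlist, and confirms that nothing MBAM quarantined still appears in the current DDS output. The sample log lines are constructed (the DDS sample deliberately keeps one interface on the rogue resolvers so the failure case is visible), and the allowlist and function names are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the DDS "TCP:" lines in this thread; the third
# line is altered so that one interface still points at the rogue resolvers.
DDS_SAMPLE = """
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {9413D8DE-55B0-4F98-83EE-18E000C893B1} = 208.67.220.220,208.67.222.222
TCP: {B456C670-0FF8-46F3-B5BB-B65CD7E106F1} = 85.255.112.104,85.255.112.155
"""

# Constructed sample of what a cleaned machine's DDS log would show.
CLEAN_DDS_SAMPLE = """
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {9413D8DE-55B0-4F98-83EE-18E000C893B1} = 208.67.220.220,208.67.222.222
"""

# Constructed sample modelled on the MBAM "Registry Data Items Infected" lines.
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.104,85.255.112.155 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
"""

# Assumed allowlist: the OpenDNS pair the owner's DDS log reports.
EXPECTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# "TCP: NameServer = a,b" or "TCP: {interface-GUID} = a,b"
DDS_TCP_RE = re.compile(
    r"^TCP:\s+(?P<scope>NameServer|\{[0-9A-Fa-f-]+\})\s+=\s+(?P<ips>[0-9.,\s]+)$")
# "<registry key> (Trojan.DNSChanger) -> Data: a,b -> <action>"
MBAM_DNS_RE = re.compile(
    r"^(?P<key>\S.*?) \(Trojan\.DNSChanger\) -> Data: (?P<ips>[0-9.,]+) ->")


def _split_ips(field):
    """Split a comma-separated resolver field, rejecting anything that is not an IP."""
    out = []
    for tok in field.split(","):
        tok = tok.strip()
        if tok:
            ip_address(tok)  # raises ValueError on a malformed address
            out.append(tok)
    return out


def dds_resolvers(text):
    """Map each DDS TCP scope (global NameServer or interface GUID) to its resolver list."""
    found = {}
    for line in text.splitlines():
        m = DDS_TCP_RE.match(line.strip())
        if m:
            found[m.group("scope")] = _split_ips(m.group("ips"))
    return found


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return {scope: [resolvers outside the allowlist]} for every scope that has one."""
    report = {}
    for scope, ips in dds_resolvers(text).items():
        stray = [ip for ip in ips if ip not in expected]
        if stray:
            report[scope] = stray
    return report


def mbam_dnschanger_ips(text):
    """Collect the resolver addresses an MBAM report attributed to Trojan.DNSChanger."""
    ips = set()
    for line in text.splitlines():
        m = MBAM_DNS_RE.match(line.strip())
        if m:
            ips.update(_split_ips(m.group("ips")))
    return sorted(ips)


def verify_cleanup(dds_text, mbam_text):
    """True when no resolver MBAM flagged still appears in the later DDS log."""
    flagged = set(mbam_dnschanger_ips(mbam_text))
    current = {ip for ips in dds_resolvers(dds_text).values() for ip in ips}
    return not (current & flagged)


if __name__ == "__main__":
    print("rogue resolvers per MBAM:", mbam_dnschanger_ips(MBAM_SAMPLE))
    print("stray resolvers in DDS:", unexpected_resolvers(DDS_SAMPLE))
    print("cleanup verified:", verify_cleanup(DDS_SAMPLE, MBAM_SAMPLE))
```

The per-interface check matters because, as the MBAM report shows, the changer writes both the global NameServer value and the interface-specific NameServer and DhcpNameServer values; a fresh DDS log taken after cleanup should have every "TCP:" line back on the expected resolvers before the redirects can be considered gone.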

#4 SifuMike


Posted 30 June 2009 - 03:22 PM

Hi AlfaWolf04,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Symantec AntiVirus Corporate Edition Antivirus before running ComboFix, as it will prevent it from running.

NORTON ANTIVIRUS CORPORATE EDITION
Please refer to the instructions provided in the Norton AntiVirus Corporate Edition User's Guide http://csit.uniud.it/fileadmin/istruzioni/...li/navce76u.pdf under the section Turning File System Protection off temporarily.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#5 AlfaWolf04


Posted 30 June 2009 - 06:30 PM

It had to be renamed like everything else that is counter-malware, but appears to have worked. Here is the log:



ComboFix 09-06-29.07 - Aaron 06/30/2009 18:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1562 [GMT -4:00]
Running from: c:\documents and settings\Aaron\Desktop\ComboFixx.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\windows\system32\components
c:\windows\system32\dfhkj.bak1
c:\windows\system32\dfhkj.bak2
c:\windows\system32\dfhkj.ini
c:\windows\system32\dfhkj.tmp
c:\windows\system32\drivers\MSIVXgotpklacvnsverspudtytitpxoxkntuy.sys
c:\windows\system32\guqbdwpw.dll
c:\windows\system32\Ijl11.dll
c:\windows\system32\lrpijgnb.dll
c:\windows\system32\MSIVXbwmhepjbecdncvxtniydsmwqnnalmbox.dll
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXhnxnaknnkmppvjmdacpykxjnvnvywqmv.dll
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-29 18:03 . 2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-06-29 18:03 . 2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2009-06-29 18:03 . 2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2009-06-29 18:03 . 2009-06-29 18:03 -------- d-----w- c:\program files\eRightSoft
2009-06-29 16:46 . 2009-06-29 16:46 -------- d-----w- c:\program files\Aimersoft
2009-06-28 01:18 . 2009-06-28 01:18 -------- d-s---w- C:\ComboFlix
2009-06-27 23:24 . 2009-06-27 23:24 -------- d-----w- c:\program files\Trend Micro
2009-06-27 08:19 . 2009-06-27 08:19 -------- d-----w- c:\documents and settings\Aaron\Application Data\Malwarebytes
2009-06-27 08:17 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 08:17 . 2009-06-27 08:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 08:17 . 2009-06-27 08:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-27 08:17 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-27 08:05 . 2009-06-27 08:05 -------- dc----w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-27 07:22 . 2009-06-27 07:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-06-27 07:18 . 2009-06-27 07:18 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-24 22:34 . 2009-06-24 22:34 -------- d-----w- C:\pt
2009-06-19 21:26 . 2009-06-19 21:26 255488 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_d.dll
2009-06-19 21:26 . 2009-06-19 21:26 255488 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_c.dll
2009-06-19 21:26 . 2009-06-19 21:26 255488 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_b.dll
2009-06-19 21:26 . 2009-06-19 21:26 255488 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_a.dll
2009-06-19 13:04 . 2009-06-19 13:04 -------- d-----w- c:\program files\iPod
2009-06-19 13:04 . 2009-06-19 13:05 -------- d-----w- c:\program files\iTunes
2009-06-19 13:04 . 2009-06-19 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-19 13:01 . 2009-06-19 13:02 -------- d-----w- c:\program files\QuickTime
2009-06-19 12:56 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-19 12:56 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-19 12:52 . 2009-06-19 12:52 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-16 07:56 . 2009-06-16 07:56 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-13 17:24 . 2009-06-13 17:24 152576 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-12 20:45 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-12 20:45 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 22:29 . 2009-06-11 22:29 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-06-09 19:15 . 2009-06-09 19:15 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\Unity
2009-06-09 19:15 . 2009-06-09 19:15 -------- d-----w- c:\program files\Unity
2009-06-08 01:40 . 2009-06-08 01:40 -------- d-----w- c:\program files\Mad Scientist Productions
2009-06-07 23:02 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\pm1l66ct.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-02 22:36 . 2009-06-02 22:36 -------- d-sh--w- c:\documents and settings\Aaron\IECompatCache
2009-06-02 22:07 . 2009-06-02 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-02 22:06 . 2009-06-02 22:06 10134 ----a-r- c:\documents and settings\Aaron\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-02 22:06 . 2009-06-02 22:06 -------- d-----w- c:\program files\Microsoft WSE
2009-06-02 17:06 . 2009-06-02 17:06 -------- d-----w- c:\program files\SIW
2009-06-01 05:41 . 2009-06-01 05:41 -------- d-----w- c:\program files\MagicISO
2009-06-01 00:25 . 2009-06-19 21:26 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-01 00:25 . 2009-06-19 21:26 -------- d-----w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab
2009-06-01 00:25 . 2009-06-01 00:25 207872 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-06-01 00:25 . 2009-06-01 00:25 207872 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-06-01 00:25 . 2009-06-01 00:25 207872 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-06-01 00:25 . 2009-06-01 00:25 207872 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 23:11 . 2008-05-22 08:19 -------- d-----w- c:\documents and settings\Aaron\Application Data\WeatherWatcherLive
2009-06-30 23:10 . 2007-02-05 20:57 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-30 23:09 . 2006-09-25 23:38 22528 ----a-w- c:\windows\system32\drivers\nhcDriver.sys
2009-06-30 23:09 . 2008-09-13 02:10 -------- d-----w- c:\program files\DNA
2009-06-30 23:09 . 2008-09-13 02:10 -------- d-----w- c:\documents and settings\Aaron\Application Data\DNA
2009-06-30 22:17 . 2006-09-25 06:58 -------- d-----w- c:\program files\Trillian
2009-06-30 22:17 . 2009-01-04 08:24 -------- d-----w- c:\documents and settings\Aaron\Application Data\Xfire
2009-06-30 18:52 . 2006-10-22 02:33 -------- d-----w- c:\program files\Java
2009-06-29 20:35 . 2007-01-13 20:24 -------- d-----w- c:\documents and settings\Aaron\Application Data\BitTorrent
2009-06-29 02:29 . 2009-01-04 08:24 -------- d-----w- c:\program files\Xfire
2009-06-29 00:47 . 2007-07-22 03:31 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-28 03:42 . 2009-05-06 02:39 -------- d-----w- c:\program files\PowerISO
2009-06-27 20:00 . 2006-09-25 06:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-27 08:10 . 2006-09-25 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-19 14:28 . 2006-11-17 02:38 -------- d-----w- c:\documents and settings\Aaron\Application Data\tunebite
2009-06-19 13:27 . 2007-01-29 06:53 -------- d-----w- c:\documents and settings\Aaron\Application Data\Apple Computer
2009-06-19 13:08 . 2009-01-06 06:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-19 13:04 . 2009-01-06 06:54 -------- d-----w- c:\program files\Common Files\Apple
2009-06-19 12:51 . 2007-01-29 06:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-02 21:39 . 2006-10-17 18:41 -------- d-----w- c:\program files\Electronic Arts
2009-06-02 21:39 . 2006-09-25 05:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-30 15:47 . 2009-05-30 15:47 -------- d-----w- c:\program files\Game Editors
2009-05-28 21:09 . 2007-05-24 08:07 -------- d-----w- c:\program files\LucasArts
2009-05-21 15:33 . 2009-01-27 07:43 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 16:31 . 2007-06-27 02:43 -------- d-----w- c:\program files\Common Files\Teleca Shared
2009-05-20 06:06 . 2009-01-16 11:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-20 06:02 . 2006-10-04 01:46 -------- d-----w- c:\program files\palmOne
2009-05-20 05:57 . 2007-04-07 20:07 80896 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\LZMA.dll
2009-05-20 05:57 . 2007-04-07 20:07 5632 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\Swap.dll
2009-05-20 05:57 . 2007-04-07 20:07 5120 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\Copy.dll
2009-05-20 05:57 . 2007-04-07 20:07 32256 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\Aes.dll
2009-05-20 05:57 . 2007-04-07 20:07 18944 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\Branch.dll
2009-05-20 05:57 . 2007-04-07 20:07 13824 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\7zAes.dll
2009-05-20 05:57 . 2007-04-07 20:07 129024 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Formats\7z.dll
2009-05-20 05:56 . 2007-12-08 23:09 -------- d-----w- c:\program files\Karaoke Anything!
2009-05-20 05:54 . 2006-10-13 03:29 -------- d-----w- c:\program files\IGN
2009-05-20 05:53 . 2006-09-25 07:11 -------- d-----w- c:\documents and settings\Aaron\Application Data\Lavasoft
2009-05-20 05:51 . 2006-12-28 05:30 -------- d-----w- c:\program files\EA SPORTS
2009-05-20 05:50 . 2009-05-20 05:50 1934 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-05-20 05:50 . 2006-11-10 22:50 -------- d-----w- c:\program files\Common Files\DataViz
2009-05-20 05:50 . 2006-11-10 22:50 -------- d-----w- c:\program files\Documents To Go
2009-05-20 05:50 . 2006-09-25 07:10 -------- d-----w- c:\program files\Creative
2009-05-20 05:43 . 2009-01-11 02:54 -------- d-----w- c:\program files\SpeedFan
2009-05-20 05:43 . 2007-05-15 06:12 -------- d-----w- c:\program files\RivaTuner v2.01
2009-05-20 04:32 . 2009-01-16 12:03 -------- d-----w- c:\documents and settings\Aaron\Application Data\skypePM
2009-05-19 19:30 . 2009-05-12 05:01 -------- d-----w- c:\program files\BaldursGateTutu
2009-05-18 20:08 . 2007-10-25 20:03 -------- d-----w- c:\program files\Rhapsody
2009-05-16 17:17 . 2006-09-25 07:26 -------- d-----w- c:\program files\Google
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 15:42 . 2009-05-12 15:42 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2009-05-12 05:15 . 2009-05-12 02:56 -------- d-----w- c:\program files\Black Isle
2009-05-12 02:29 . 2009-05-12 02:29 -------- d-----w- c:\program files\FolderSize
2009-05-12 01:55 . 2006-10-11 04:12 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-05-11 17:26 . 2009-05-11 17:26 -------- d-----w- c:\program files\RADVideo
2009-05-10 19:47 . 2009-04-28 18:52 -------- d-----w- c:\program files\DOSBox-0.72
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:55 . 2008-12-28 02:30 -------- d-----w- c:\program files\Activision
2009-05-06 06:29 . 2009-05-06 06:28 -------- d-----w- c:\program files\The Learning Company
2009-05-02 17:22 . 2006-09-25 07:42 25888 -c--a-w- c:\documents and settings\Aaron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 06:18 . 2009-05-02 06:18 -------- d-----w- c:\program files\Xvid
2009-05-02 04:13 . 2009-05-02 04:13 -------- d-----w- c:\program files\CCleaner
2009-04-22 04:20 . 2009-04-22 04:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 04:20 . 2009-04-22 04:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-17 15:39 . 2009-04-17 15:39 152576 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-08-06 19:19 . 2007-11-30 06:43 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 . 2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06 . 2009-06-29 18:03 163328 --sh--r- c:\windows\system32\flvDX.dll
2006-09-26 04:40 . 2006-09-26 04:39 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2009-06-29 18:03 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-06-29 18:03 216064 --sh--r- c:\windows\system32\nbDX.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-03-18 251240]
"WeatherWatcherLive"="c:\program files\Weather Watcher Live\ww.exe" [2008-08-21 1114112]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Firefly"="c:\program files\SnapStream Media\Firefly\Firefly.exe" [2006-06-05 180224]
"NotebookHardwareControl"="c:\program files\Notebook Hardware Control\nhc.exe" [2007-05-04 2629632]
"WallpaperChanger"="c:\program files\Wallpaper Master\Wallpaper.exe" [2004-11-16 322560]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-06 29744]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-27 774168]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-27 1132056]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-04 13537280]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-06-04 1630208]

c:\documents and settings\Aaron\Start Menu\Programs\Startup\
System Tray Audio Device Switcher.lnk - c:\program files\STADS\SoundCardSwitcher.exe [2007-8-26 102400]
Trillian.lnk - c:\program files\Trillian\trillian.exe [2008-11-26 1873280]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Aaron^Start Menu^Programs^Startup^Beyond TV.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Aaron^Start Menu^Programs^Startup^IMVU.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccuWeatherDesktopAlerts
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVR
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRegistrationService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVWebServiceProxy.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVLibraryService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNetworkService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRecordingEngine.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVGuideDataLoader.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVSettingsService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVTaskManagerService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVD3DShell.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\SetupWizard.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\EXCEL.EXE"=
"c:\\Documents and Settings\\Aaron\\My Documents\\My Downloads\\TlkEdit-R13b\\TlkEdit2.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNotifierService.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Common Files\\aol\\1230272140\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\PPACalculator\\FB\\bin\\PokerServer-fb.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [5/18/2009 8:35 PM 14976]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/17/2009 8:03 PM 92008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [5/8/2009 8:04 PM 101936]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [9/25/2006 1:31 AM 25984]
S2 gupdate1c9d64a26b1b838;Google Update Service (gupdate1c9d64a26b1b838);c:\program files\Google\Update\GoogleUpdate.exe [5/16/2009 1:17 PM 133104]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\Aaron\LOCALS~1\Temp\cel90xbe.sys --> c:\docume~1\Aaron\LOCALS~1\Temp\cel90xbe.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\Aaron\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Aaron\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/30/2007 2:43 AM 29744]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [9/28/2006 4:52 PM 1458688]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\Drivers\toywdm.sys --> c:\windows\system32\Drivers\toywdm.sys [?]
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;c:\windows\system32\drivers\LtcyCfgWDM.sys [12/26/2005 12:24 AM 6656]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 2:40 AM 115952]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [6/26/2007 9:39 PM 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [6/26/2007 9:39 PM 85696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2007-04-30 c:\windows\Tasks\Alarm.job
- c:\documents and settings\Aaron\My Documents\My Music\My Playlists\Favorite Music.wpl [2006-09-25 22:41]

2009-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 17:17]

2009-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 17:17]

2007-05-21 c:\windows\Tasks\System Shutdown.job
- c:\windows\system32\shutdown.exe [2004-08-04 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{BFD661CB-AD18-41D3-B5E0-8E4678869F73} - (no file)
Notify-jkhfd - (no file)
Notify-jkklmml - (no file)
Notify-LBTWlgn - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
Trusted Zone: aol.com\free
TCP: {9413D8DE-55B0-4F98-83EE-18E000C893B1} = 208.67.220.220,208.67.222.222
TCP: {B456C670-0FF8-46F3-B5BB-B65CD7E106F1} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\pm1l66ct.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 19:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Aaron\LOCALS~1\Temp\WWL10.tmp
c:\docume~1\Aaron\LOCALS~1\Temp\WWLE.tmp

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1425521274-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ed,9c,1a,25,56,b5,3c,3f,7c,7b,2d,69,08,13,77,d7,df,67,66,53,41,cb,91,
c2,70,88,c6,1c,8c,4a,98,df,5b,d7,35,8b,53,17,8b,1b,a5,e3,6a,b9,4e,c7,1b,31,\
"??"=hex:a4,c9,af,b1,7a,dd,ee,bf,32,59,ce,5f,d1,3d,22,a7

[HKEY_USERS\S-1-5-21-1085031214-1425521274-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:0b,96,7c,54,3f,8d,33,8b,e8,92,e0,2a,74,5c,ac,31,af,03,c8,ef,5f,
32,5c,7d,e1,83,4b,7b,ab,42,52,db,2d,c1,32,20,d6,61,da,c4,78,34,74,bb,08,60,\
"rkeysecu"=hex:40,be,62,12,5a,e6,c7,82,6d,cc,fb,78,18,62,b3,21

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{29D83109-D499-A3EF-54ABD4209B2D5F0C}\{354D4B2F-7299-D6B0-F9DE68C9556AEC8D}\{1096A586-413B-60D3-8347C002DC18071C}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A754038D-5461-C6FF-89A37522C498DE93}\{1089EA54-87DF-A583-56CE37BECDECB43B}\{5F10775F-480B-9EA7-99D54B1CB86EF9A3}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3228)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\aol\acs\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
c:\program files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
c:\progra~1\COMMON~1\SNAPST~1\Common\X10nets.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-06-30 19:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 23:20

Pre-Run: 3,982,983,168 bytes free
Post-Run: 3,933,233,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

407 --- E O F --- 2009-06-13 07:51

#6 SifuMike (malware expert, Staff Emeritus)

Posted 30 June 2009 - 10:49 PM

Hi AlfaWolf04,

You need to disable Symantec AntiVirus Corporate Edition before running ComboFix, as it will prevent ComboFix from running.

To disable NORTON ANTIVIRUS CORPORATE EDITION
Please refer to the instructions provided in the Norton AntiVirus Corporate Edition User's Guide http://csit.uniud.it/fileadmin/istruzioni/...li/navce76u.pdf under the section Turning File System Protection off temporarily.


Click Start, then Run, type Notepad and click OK.
Use Notepad only; don't use any other text editor, or the script will fail.
Copy/paste the text in the code box below into Notepad:

File::
c:\docume~1\Aaron\LOCALS~1\Temp\cel90xbe.sys
c:\docume~1\Aaron\LOCALS~1\Temp\cpuz130\cpuz_x32.sys

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Driver::
cel90xbe
cpuz130


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag CFScript.txt onto ComboFix.exe, as shown in the screenshot below.

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]


This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply.
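Editor's note on the log and the CFScript above: the helper's script comes straight from four things in the ComboFix log, and it helps to see that mapping spelled out. Two kernel drivers (cel90xbe, cpuz130) are registered with image paths under the user's Temp directory, which is user-writable and not where legitimate drivers live; Windows Firewall is off in the standard profile (EnableFirewall = 0); Security Center has been told to stop monitoring the Symantec product (DisableMonitoring = 1); and several Winlogon Notify packages with random-looking names (jkhfd, jkklmml) point at DLLs that no longer exist, a common persistence slot for malware. The Python below is an added example written for this page, not code from the thread or from ComboFix: it pulls those indicators out of a ComboFix log and emits File::/Registry::/Driver:: sections in the same shape as the posted script. The sample log is a constructed excerpt of lines shown in the thread; the function and variable names are mine. The helper's caveat stands: a CFScript is specific to one machine, and a driver loading from Temp is suspicious but not proof of malice (cpuz130 looks like the CPU-Z hardware tool's driver, which does load that way), so treat the generated script as a starting point for a human, not something to run blind.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S3 cel90xbe;cel90xbe;\??\c:\docume~1\Aaron\LOCALS~1\Temp\cel90xbe.sys --> c:\docume~1\Aaron\LOCALS~1\Temp\cel90xbe.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\Aaron\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Aaron\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [9/25/2006 1:31 AM 25984]

- - - - ORPHANS REMOVED - - - -

Notify-jkhfd - (no file)
Notify-jkklmml - (no file)
Notify-LBTWlgn - (no file)
"""

# Service/driver line: "<R|S><start type> <name>;<description>;<image path> [<date size>]"
SERVICE_RE = re.compile(r'^[RS][0-4] ([^;]+);[^;]*;(.*) \[[^\]]*\]$')
HEADER_RE = re.compile(r'^\[(.+)\]$')            # a "[registry key]" line
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
ORPHAN_NOTIFY_RE = re.compile(r'^Notify-(\S+) - \(no file\)$')


def resolved_image_path(field):
    """ComboFix prints the raw NT path, ' --> ', then the resolved Win32 path for
    drivers registered that way; keep the resolved form and drop any NT prefix."""
    if ' --> ' in field:
        field = field.split(' --> ', 1)[1]
    return field[4:] if field.startswith('\\??\\') else field


def under_temp(path):
    # Matches both "...\Local Settings\Temp\..." and the 8.3 form "...\LOCALS~1\Temp\..."
    return '\\temp\\' in path.lower()


def triage(log_text):
    """Return the indicators the helper acted on, keyed by type (names are mine)."""
    findings = {'temp_services': [], 'firewall_disabled': False,
                'av_monitoring_disabled': [], 'orphan_notify': []}
    header = None  # most recent "[...]" registry key seen in the log
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if (m := HEADER_RE.match(line)):
            header = m.group(1)
        elif (m := SERVICE_RE.match(line)):
            path = resolved_image_path(m.group(2))
            if under_temp(path):  # kernel code loading from a user-writable Temp directory
                findings['temp_services'].append((m.group(1), path))
        elif (m := ORPHAN_NOTIFY_RE.match(line)):
            findings['orphan_notify'].append(m.group(1))
        elif header and 'firewallpolicy' in header.lower() and FIREWALL_OFF_RE.match(line):
            findings['firewall_disabled'] = True
        elif header and 'security center\\monitoring\\' in header.lower() and DISABLE_MON_RE.match(line):
            findings['av_monitoring_disabled'].append(header.rsplit('\\', 1)[1])
    return findings


def build_cfscript(findings):
    """Emit File::/Registry::/Driver:: sections in the shape of the posted script.
    Only .sys images go under Driver::; anything else is left for a human to judge."""
    out = []
    if findings['temp_services']:
        out.append('File::')
        out.extend(path for _, path in findings['temp_services'])
        out.append('')
    if findings['firewall_disabled']:
        out.append('Registry::')
        out.append(r'[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]')
        out.append('"EnableFirewall"=dword:00000001')
        out.append('')
    drivers = [name for name, path in findings['temp_services'] if path.lower().endswith('.sys')]
    if drivers:
        out.append('Driver::')
        out.extend(drivers)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for name, path in found['temp_services']:
        print(f'service loads from Temp: {name} -> {path}')
    print('firewall disabled:', found['firewall_disabled'])
    print('AV monitoring disabled for:', found['av_monitoring_disabled'])
    print('orphaned Winlogon Notify packages:', found['orphan_notify'])
    print('--- proposed CFScript (review before use) ---')
    print(build_cfscript(found), end='')
```

Run it as-is to see the findings and the proposed script for the constructed excerpt; to use it on a real log, pass the file contents to triage() instead of SAMPLE_LOG. Note that the orphan list is informational only: ComboFix already removed those entries, and vendor-looking names in it are usually leftovers of uninstalled software, so the pattern to watch for is the random-looking ones.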

#7 AlfaWolf04 (Topic Starter)

Posted 01 July 2009 - 01:30 PM

Ran it with Symantec AV disabled and using the script.



ComboFix 09-07-01.01 - Aaron 07/01/2009 14:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1359 [GMT -4:00]
Running from: c:\documents and settings\Aaron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Aaron\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\docume~1\Aaron\LOCALS~1\Temp\cel90xbe.sys"
"c:\docume~1\Aaron\LOCALS~1\Temp\cpuz130\cpuz_x32.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CEL90XBE
-------\Legacy_CPUZ130
-------\Service_cel90xbe
-------\Service_cpuz130


((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-07-01 06:52 . 2009-07-01 06:52 -------- d-----w- c:\documents and settings\Aaron\Application Data\AVS4YOU
2009-07-01 06:52 . 2009-07-01 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-07-01 06:50 . 2009-07-01 06:51 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-07-01 06:50 . 2009-07-01 06:51 -------- d-----w- c:\program files\AVS4YOU
2009-07-01 06:07 . 2009-07-01 06:18 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\49399F88-1BAF-4f24-88E7-54290E077D15
2009-07-01 05:46 . 2009-03-21 19:59 146904 ----a-w- c:\windows\system32\drivers\cbfs_32.sys
2009-07-01 05:46 . 2009-07-01 05:46 -------- d-----w- c:\program files\SoftLayer
2009-06-29 18:03 . 2008-03-16 12:30 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-06-29 18:03 . 2007-02-21 10:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2009-06-29 18:03 . 2006-05-03 09:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2009-06-29 18:03 . 2009-06-29 18:03 -------- d-----w- c:\program files\eRightSoft
2009-06-29 16:46 . 2009-06-29 16:46 -------- d-----w- c:\program files\Aimersoft
2009-06-27 23:24 . 2009-06-27 23:24 -------- d-----w- c:\program files\Trend Micro
2009-06-27 08:19 . 2009-06-27 08:19 -------- d-----w- c:\documents and settings\Aaron\Application Data\Malwarebytes
2009-06-27 08:17 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 08:17 . 2009-06-27 08:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 08:17 . 2009-06-27 08:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-27 08:17 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-27 08:05 . 2009-06-27 08:05 -------- dc----w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-27 07:22 . 2009-06-27 07:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-06-27 07:18 . 2009-06-27 07:18 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-24 22:34 . 2009-06-24 22:34 -------- d-----w- C:\pt
2009-06-19 21:26 . 2009-06-19 21:26 255488 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_d.dll
2009-06-19 21:26 . 2009-06-19 21:26 255488 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_c.dll
2009-06-19 21:26 . 2009-06-19 21:26 255488 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_b.dll
2009-06-19 21:26 . 2009-06-19 21:26 255488 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_a.dll
2009-06-19 13:04 . 2009-06-19 13:04 -------- d-----w- c:\program files\iPod
2009-06-19 13:04 . 2009-06-19 13:05 -------- d-----w- c:\program files\iTunes
2009-06-19 13:04 . 2009-06-19 13:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-19 13:01 . 2009-06-19 13:02 -------- d-----w- c:\program files\QuickTime
2009-06-19 12:56 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-19 12:56 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-19 12:52 . 2009-06-19 12:52 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-16 07:56 . 2009-06-16 07:56 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-06-13 17:24 . 2009-06-13 17:24 152576 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-12 20:45 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-12 20:45 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 22:29 . 2009-06-11 22:29 41808 ----a-w- c:\windows\system32\xfcodec.dll
2009-06-09 19:15 . 2009-06-09 19:15 -------- d-----w- c:\documents and settings\Aaron\Local Settings\Application Data\Unity
2009-06-09 19:15 . 2009-06-09 19:15 -------- d-----w- c:\program files\Unity
2009-06-08 01:40 . 2009-06-08 01:40 -------- d-----w- c:\program files\Mad Scientist Productions
2009-06-07 23:02 . 2008-12-04 05:25 120832 ----a-w- c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\pm1l66ct.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-02 22:36 . 2009-06-02 22:36 -------- d-sh--w- c:\documents and settings\Aaron\IECompatCache
2009-06-02 22:07 . 2009-06-02 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-02 22:06 . 2009-06-02 22:06 10134 ----a-r- c:\documents and settings\Aaron\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-02 22:06 . 2009-06-02 22:06 -------- d-----w- c:\program files\Microsoft WSE
2009-06-02 17:06 . 2009-06-02 17:06 -------- d-----w- c:\program files\SIW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 18:19 . 2007-02-05 20:57 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-01 18:19 . 2008-05-22 08:19 -------- d-----w- c:\documents and settings\Aaron\Application Data\WeatherWatcherLive
2009-07-01 18:18 . 2006-09-25 23:38 22528 ----a-w- c:\windows\system32\drivers\nhcDriver.sys
2009-07-01 18:16 . 2008-09-13 02:10 -------- d-----w- c:\program files\DNA
2009-07-01 18:16 . 2008-09-13 02:10 -------- d-----w- c:\documents and settings\Aaron\Application Data\DNA
2009-07-01 04:13 . 2007-07-22 03:31 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-30 23:12 . 2006-09-25 06:58 -------- d-----w- c:\program files\Trillian
2009-06-30 22:17 . 2009-01-04 08:24 -------- d-----w- c:\documents and settings\Aaron\Application Data\Xfire
2009-06-30 18:52 . 2006-10-22 02:33 -------- d-----w- c:\program files\Java
2009-06-29 20:35 . 2007-01-13 20:24 -------- d-----w- c:\documents and settings\Aaron\Application Data\BitTorrent
2009-06-29 02:29 . 2009-01-04 08:24 -------- d-----w- c:\program files\Xfire
2009-06-28 03:42 . 2009-05-06 02:39 -------- d-----w- c:\program files\PowerISO
2009-06-27 20:00 . 2006-09-25 06:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-27 08:10 . 2006-09-25 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-19 21:26 . 2009-06-01 00:25 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-19 21:26 . 2009-06-01 00:25 -------- d-----w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab
2009-06-19 14:28 . 2006-11-17 02:38 -------- d-----w- c:\documents and settings\Aaron\Application Data\tunebite
2009-06-19 13:27 . 2007-01-29 06:53 -------- d-----w- c:\documents and settings\Aaron\Application Data\Apple Computer
2009-06-19 13:08 . 2009-01-06 06:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-19 13:04 . 2009-01-06 06:54 -------- d-----w- c:\program files\Common Files\Apple
2009-06-19 12:51 . 2007-01-29 06:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-02 21:39 . 2006-10-17 18:41 -------- d-----w- c:\program files\Electronic Arts
2009-06-02 21:39 . 2006-09-25 05:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-01 05:41 . 2009-06-01 05:41 -------- d-----w- c:\program files\MagicISO
2009-06-01 00:25 . 2009-06-01 00:25 207872 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-06-01 00:25 . 2009-06-01 00:25 207872 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-06-01 00:25 . 2009-06-01 00:25 207872 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-06-01 00:25 . 2009-06-01 00:25 207872 ----a-w- c:\documents and settings\Aaron\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-05-30 15:47 . 2009-05-30 15:47 -------- d-----w- c:\program files\Game Editors
2009-05-28 21:09 . 2007-05-24 08:07 -------- d-----w- c:\program files\LucasArts
2009-05-21 15:33 . 2009-01-27 07:43 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 16:31 . 2007-06-27 02:43 -------- d-----w- c:\program files\Common Files\Teleca Shared
2009-05-20 06:06 . 2009-01-16 11:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-05-20 06:02 . 2006-10-04 01:46 -------- d-----w- c:\program files\palmOne
2009-05-20 05:57 . 2007-04-07 20:07 80896 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\LZMA.dll
2009-05-20 05:57 . 2007-04-07 20:07 5632 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\Swap.dll
2009-05-20 05:57 . 2007-04-07 20:07 5120 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\Copy.dll
2009-05-20 05:57 . 2007-04-07 20:07 32256 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\Aes.dll
2009-05-20 05:57 . 2007-04-07 20:07 18944 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\Branch.dll
2009-05-20 05:57 . 2007-04-07 20:07 13824 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Codecs\7zAes.dll
2009-05-20 05:57 . 2007-04-07 20:07 129024 ----a-w- c:\documents and settings\Aaron\Application Data\Seven Zip\Formats\7z.dll
2009-05-20 05:56 . 2007-12-08 23:09 -------- d-----w- c:\program files\Karaoke Anything!
2009-05-20 05:54 . 2006-10-13 03:29 -------- d-----w- c:\program files\IGN
2009-05-20 05:53 . 2006-09-25 07:11 -------- d-----w- c:\documents and settings\Aaron\Application Data\Lavasoft
2009-05-20 05:51 . 2006-12-28 05:30 -------- d-----w- c:\program files\EA SPORTS
2009-05-20 05:50 . 2009-05-20 05:50 1934 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-05-20 05:50 . 2006-11-10 22:50 -------- d-----w- c:\program files\Common Files\DataViz
2009-05-20 05:50 . 2006-11-10 22:50 -------- d-----w- c:\program files\Documents To Go
2009-05-20 05:50 . 2006-09-25 07:10 -------- d-----w- c:\program files\Creative
2009-05-20 05:43 . 2009-01-11 02:54 -------- d-----w- c:\program files\SpeedFan
2009-05-20 05:43 . 2007-05-15 06:12 -------- d-----w- c:\program files\RivaTuner v2.01
2009-05-20 04:32 . 2009-01-16 12:03 -------- d-----w- c:\documents and settings\Aaron\Application Data\skypePM
2009-05-19 19:30 . 2009-05-12 05:01 -------- d-----w- c:\program files\BaldursGateTutu
2009-05-18 20:08 . 2007-10-25 20:03 -------- d-----w- c:\program files\Rhapsody
2009-05-16 17:17 . 2006-09-25 07:26 -------- d-----w- c:\program files\Google
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 15:42 . 2009-05-12 15:42 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2009-05-12 05:15 . 2009-05-12 02:56 -------- d-----w- c:\program files\Black Isle
2009-05-12 02:29 . 2009-05-12 02:29 -------- d-----w- c:\program files\FolderSize
2009-05-12 01:55 . 2006-10-11 04:12 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-05-11 17:26 . 2009-05-11 17:26 -------- d-----w- c:\program files\RADVideo
2009-05-10 19:47 . 2009-04-28 18:52 -------- d-----w- c:\program files\DOSBox-0.72
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 17:55 . 2008-12-28 02:30 -------- d-----w- c:\program files\Activision
2009-05-06 06:29 . 2009-05-06 06:28 -------- d-----w- c:\program files\The Learning Company
2009-05-02 17:22 . 2006-09-25 07:42 25888 -c--a-w- c:\documents and settings\Aaron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-22 04:20 . 2009-04-22 04:20 14311680 ----a-w- c:\windows\system32\xlive.dll
2009-04-22 04:20 . 2009-04-22 04:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll
2009-04-17 15:39 . 2009-04-17 15:39 152576 ----a-w- c:\documents and settings\Aaron\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-08-06 19:19 . 2007-11-30 06:43 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2005-06-26 22:32 . 2005-06-26 22:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 05:37 . 2005-06-22 05:37 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06 . 2009-06-29 18:03 163328 --sh--r- c:\windows\system32\flvDX.dll
2006-09-26 04:40 . 2006-09-26 04:39 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2009-06-29 18:03 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-06-29 18:03 216064 --sh--r- c:\windows\system32\nbDX.dll
2005-02-28 20:16 . 2005-02-28 20:16 240128 --sha-r- c:\windows\system32\x.264.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-30_23.07.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-30 23:31 . 2009-06-30 23:31 16384 c:\windows\Temp\Perflib_Perfdata_d4.dat
+ 2009-07-01 18:16 . 2009-07-01 18:16 16384 c:\windows\Temp\Perflib_Perfdata_578.dat
+ 2009-07-01 18:16 . 2009-07-01 18:16 16384 c:\windows\Temp\Perflib_Perfdata_564.dat
+ 2006-12-02 02:36 . 2006-12-02 02:36 796672 c:\windows\WinSxS\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_9d1c6ce0\msvcr80.dll
+ 2006-12-02 02:37 . 2006-12-02 02:37 516096 c:\windows\WinSxS\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_9d1c6ce0\msvcm80.dll
+ 2009-03-21 20:12 . 2009-03-21 20:12 110848 c:\windows\system32\redirect_32.dll
+ 2009-03-21 20:11 . 2009-03-21 20:11 110848 c:\windows\system32\notify_32.dll
+ 2009-07-01 05:46 . 2009-07-01 05:46 204748 c:\windows\Installer\{CCA96171-603C-42D9-B256-AE23B3C32F76}\_B71C35221E9709F6C7D14B.exe
+ 2009-07-01 05:46 . 2009-07-01 05:46 204748 c:\windows\Installer\{CCA96171-603C-42D9-B256-AE23B3C32F76}\_6FEFF9B68218417F98F549.exe
+ 2009-07-01 05:46 . 2009-07-01 05:46 204748 c:\windows\Installer\{CCA96171-603C-42D9-B256-AE23B3C32F76}\_323879C6C5C3774296B923.exe
+ 2009-07-01 05:46 . 2009-07-01 05:46 204748 c:\windows\Installer\{CCA96171-603C-42D9-B256-AE23B3C32F76}\_0D8815C0225B7BE62D4737.exe
+ 2006-12-02 02:39 . 2006-12-02 02:39 1061376 c:\windows\WinSxS\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_9d1c6ce0\msvcp80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-03-18 251240]
"WeatherWatcherLive"="c:\program files\Weather Watcher Live\ww.exe" [2008-08-21 1114112]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Firefly"="c:\program files\SnapStream Media\Firefly\Firefly.exe" [2006-06-05 180224]
"NotebookHardwareControl"="c:\program files\Notebook Hardware Control\nhc.exe" [2007-05-04 2629632]
"WallpaperChanger"="c:\program files\Wallpaper Master\Wallpaper.exe" [2004-11-16 322560]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-06 29744]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-27 774168]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-27 1132056]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-04 13537280]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-06-04 1630208]

c:\documents and settings\Aaron\Start Menu\Programs\Startup\
System Tray Audio Device Switcher.lnk - c:\program files\STADS\SoundCardSwitcher.exe [2007-8-26 102400]
Trillian.lnk - c:\program files\Trillian\trillian.exe [2008-11-26 1873280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CloudLayer Storage.lnk - c:\windows\Installer\{CCA96171-603C-42D9-B256-AE23B3C32F76}\_B71C35221E9709F6C7D14B.exe [2009-7-1 204748]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Aaron^Start Menu^Programs^Startup^Beyond TV.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Aaron^Start Menu^Programs^Startup^IMVU.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRegistrationService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVWebServiceProxy.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVLibraryService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNetworkService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRecordingEngine.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVGuideDataLoader.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVSettingsService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVTaskManagerService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVD3DShell.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\SetupWizard.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\EXCEL.EXE"=
"c:\\Documents and Settings\\Aaron\\My Documents\\My Downloads\\TlkEdit-R13b\\TlkEdit2.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNotifierService.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Common Files\\aol\\1230272140\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\PPACalculator\\FB\\bin\\PokerServer-fb.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs_32.sys [7/1/2009 1:46 AM 146904]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [5/18/2009 8:35 PM 14976]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [3/17/2009 8:03 PM 92008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [5/8/2009 8:04 PM 101936]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [9/25/2006 1:31 AM 25984]
S2 gupdate1c9d64a26b1b838;Google Update Service (gupdate1c9d64a26b1b838);c:\program files\Google\Update\GoogleUpdate.exe [5/16/2009 1:17 PM 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/30/2007 2:43 AM 29744]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [9/28/2006 4:52 PM 1458688]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\Drivers\toywdm.sys --> c:\windows\system32\Drivers\toywdm.sys [?]
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;c:\windows\system32\drivers\LtcyCfgWDM.sys [12/26/2005 12:24 AM 6656]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 2:40 AM 115952]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [6/26/2007 9:39 PM 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [6/26/2007 9:39 PM 85696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2007-04-30 c:\windows\Tasks\Alarm.job
- c:\documents and settings\Aaron\My Documents\My Music\My Playlists\Favorite Music.wpl [2006-09-25 22:41]

2009-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 17:17]

2009-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-16 17:17]

2007-05-21 c:\windows\Tasks\System Shutdown.job
- c:\windows\system32\shutdown.exe [2004-08-04 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{BFD661CB-AD18-41D3-B5E0-8E4678869F73} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
Trusted Zone: aol.com\free
TCP: {9413D8DE-55B0-4F98-83EE-18E000C893B1} = 208.67.220.220,208.67.222.222
TCP: {B456C670-0FF8-46F3-B5BB-B65CD7E106F1} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\Aaron\Application Data\Mozilla\Firefox\Profiles\pm1l66ct.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 14:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\si3.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1425521274-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ed,9c,1a,25,56,b5,3c,3f,7c,7b,2d,69,08,13,77,d7,df,67,66,53,41,cb,91,
c2,70,88,c6,1c,8c,4a,98,df,5b,d7,35,8b,53,17,8b,1b,a5,e3,6a,b9,4e,c7,1b,31,\
"??"=hex:a4,c9,af,b1,7a,dd,ee,bf,32,59,ce,5f,d1,3d,22,a7

[HKEY_USERS\S-1-5-21-1085031214-1425521274-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:0b,96,7c,54,3f,8d,33,8b,e8,92,e0,2a,74,5c,ac,31,af,03,c8,ef,5f,
32,5c,7d,e1,83,4b,7b,ab,42,52,db,2d,c1,32,20,d6,61,da,c4,78,34,74,bb,08,60,\
"rkeysecu"=hex:40,be,62,12,5a,e6,c7,82,6d,cc,fb,78,18,62,b3,21

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{29D83109-D499-A3EF-54ABD4209B2D5F0C}\{354D4B2F-7299-D6B0-F9DE68C9556AEC8D}\{1096A586-413B-60D3-8347C002DC18071C}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A754038D-5461-C6FF-89A37522C498DE93}\{1089EA54-87DF-A583-56CE37BECDECB43B}\{5F10775F-480B-9EA7-99D54B1CB86EF9A3}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4812)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\program files\FolderSize\FolderSizeColumn.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\nvcpl.dll
c:\windows\system32\nvapi.dll
c:\windows\system32\nvshell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\notify_32.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\redirect_32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\aol\acs\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
c:\program files\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\COMMON~1\SNAPST~1\Common\X10nets.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-07-01 14:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-01 18:26
ComboFix2.txt 2009-06-30 23:20

Pre-Run: 3,921,182,720 bytes free
Post-Run: 3,906,228,224 bytes free

410 --- E O F --- 2009-06-13 07:51

#8 SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:45 AM

Posted 01 July 2009 - 02:06 PM

Hi,

Now we will look for lingering malware.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.