Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean


This topic is locked
17 replies to this topic

#1 vernix

Posted 08 July 2009 - 11:21 PM

Hello, I've recently been getting redirected when I click on Google links. I ran a scan with ESET and this came up: Operating memory - Win32/Rootkit.Agent.ODG trojan - unable to clean. Here is my HijackThis log, please help me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:38 PM, on 7/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5071006
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5071006
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dslstart.verizon.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {60270dc7-9ea0-472f-9b77-66652c06246e} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...20Installer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8770 bytes

#2 vernix (Topic Starter)

Posted 09 July 2009 - 12:12 AM

Here are some other logs.

Malwarebytes' Anti-Malware 1.38
Database version: 2397
Windows 5.1.2600 Service Pack 3

7/9/2009 12:50:53 AM
mbam-log-2009-07-09 (00-50-53).txt

Scan type: Quick Scan
Objects scanned: 157283
Time elapsed: 1 hour(s), 0 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\WINDOWS\Temp\erpavucbwc.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\igdsxxqmqy.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\kcijulbrqr.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\nikuwvdwvs.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\ppbwwvcuic.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\prexfyabvt.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\qailvcvxgp.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\rngqhggupd.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\spqhodxrpc.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\regx32.exe (Hacktool.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.
DDS (Ver_09-06-26.01) - NTFSx86
Run by Elvin at 0:32:44.76 on Thu 07/09/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.410 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Elvin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Elvin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Elvin\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.daemonsearch.com/intl/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5071006
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://dslstart.verizon.net/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {60270dc7-9ea0-472f-9b77-66652c06246e} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PMX Daemon] ICO.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\elvin\applic~1\mozilla\firefox\profiles\nxiiy9mm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://yandex.ru/yandsearch?stype=first&clid=43912&yasoft=barff&text=
FF - component: c:\documents and settings\elvin\application data\mozilla\firefox\profiles\nxiiy9mm.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\elvin\application data\mozilla\firefox\profiles\nxiiy9mm.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\elvin\application data\mozilla\firefox\profiles\nxiiy9mm.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\elvin\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-2-6 727720]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-9 24652]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-18 38160]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2007-10-9 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2007-10-9 14336]
S3 XDva037;XDva037;\??\c:\windows\system32\xdva037.sys --> c:\windows\system32\XDva037.sys [?]
S3 XDva119;XDva119;\??\c:\windows\system32\xdva119.sys --> c:\windows\system32\XDva119.sys [?]
S3 XDva121;XDva121;\??\c:\windows\system32\xdva121.sys --> c:\windows\system32\XDva121.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\xdva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\xdva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\xdva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\xdva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva202;XDva202;\??\c:\windows\system32\xdva202.sys --> c:\windows\system32\XDva202.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\xdva219.sys --> c:\windows\system32\XDva219.sys [?]
UnknownUnknown hglejjgdd;hglejjgdd; [x]

=============== Created Last 30 ================

2009-07-08 18:49 157,144 a------- c:\windows\system32\PubPlugin.dll
2009-07-08 18:49 58,800 a------- c:\windows\system32\ijjiPlugin2.dll
2009-07-08 18:49 710,064 a------- c:\windows\system32\ijjiSetup.exe
2009-07-08 18:49 58,800 a------- c:\windows\system32\ijjiProcessRestarter.exe
2009-07-08 18:49 <DIR> --d----- c:\program files\NHN USA
2009-07-04 15:51 2,870,429 a------- c:\windows\system32\GameMon.des
2009-07-04 15:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ijjigame
2009-07-03 22:39 <DIR> --dsh--- c:\windows\system32\lowsec
2009-07-03 22:39 213,024 a------- c:\windows\system32\drivers\str.sys
2009-07-03 22:39 74,752 a------- c:\windows\system32\drivers\lwqvxcrc.sys
2009-07-03 14:44 <DIR> --d----- c:\program files\TuneUpMedia
2009-07-03 14:44 <DIR> --d----- c:\docume~1\elvin\applic~1\TuneUpMedia
2009-07-03 14:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUpMedia
2009-07-02 16:59 <DIR> --d----- c:\windows\pss
2009-06-30 23:03 <DIR> --d----- c:\docume~1\elvin\applic~1\iTunes Agent
2009-06-30 23:03 <DIR> --d----- c:\program files\iTunes Agent
2009-06-30 21:58 <DIR> --d----- c:\docume~1\elvin\applic~1\Binary Fortress Software
2009-06-28 02:18 <DIR> --d----- c:\docume~1\elvin\applic~1\Damdai
2009-06-28 02:12 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-28 02:12 14,048 -------- c:\windows\system32\spmsg2.dll
2009-06-24 22:14 626,688 a------- c:\windows\system32\msvcr80.dll
2009-06-18 19:37 25 a------- c:\windows\popcinfot.dat
2009-06-12 18:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PopCap Games

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-04-14 00:00 87,608 a------- c:\docume~1\elvin\applic~1\inst.exe
2009-04-14 00:00 47,360 a------- c:\docume~1\elvin\applic~1\pcouffin.sys
1999-07-06 20:00 6 ---shr-- c:\windows\@@desktop.dat
2008-08-23 00:34 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 0:34:41.68 ===============

#3 vernix (Topic Starter)

Posted 09 July 2009 - 10:21 AM

It seems that there are a lot of people with this same problem. Can I apply the same methods you provide them with?

#4 Grinler (Lawrence Abrams, Admin)

Posted 09 July 2009 - 11:01 AM

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log and Gmer's ark.txt as a reply to this topic.

#5 vernix (Topic Starter)

Posted 09 July 2009 - 12:23 PM

Ok here ya go.

ComboFix 09-07-08.A0 - Elvin 07/09/2009 12:52.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.651 [GMT -4:00]
Running from: c:\documents and settings\Elvin\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Elvin\Application Data\inst.exe
c:\documents and settings\Rafelito\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\windows\Installer\2afd8d.msp
c:\windows\Installer\4bca38.msp
c:\windows\Installer\4fcea.msp
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\disk.dll
c:\windows\system32\drivers\hjgruiwospwsft.sys
c:\windows\system32\drivers\lwqvxcrc.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\hjgruiauwvbqil.dat
c:\windows\system32\hjgruiavlhpyyq.dat
c:\windows\system32\hjgruihesiwqqo.dll
c:\windows\system32\hjgruinpfdxbjt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruibfolextj
-------\Legacy_HGLEJJGDD


((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-08-29 02:31 . 2009-08-29 02:31 -------- d-----w- c:\documents and settings\Elvin\Application Data\Canneverbe_Limited
2009-08-29 02:25 . 2009-08-29 19:35 -------- d-----w- c:\program files\Blaze Media Pro
2009-08-26 04:02 . 2009-02-23 18:42 652608 ----a-w- c:\documents and settings\Elvin\Application Data\GarageGames\IAPlayer\iaplugin.dll
2009-08-26 04:02 . 2009-08-26 04:02 -------- d-----w- c:\documents and settings\Elvin\Application Data\GarageGames
2009-08-26 04:02 . 2008-12-03 15:53 521472 ----a-w- c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
2009-08-24 01:25 . 2009-08-24 01:49 -------- d-----w- c:\documents and settings\Elvin\Local Settings\Application Data\MediaMonkey
2009-08-24 01:25 . 2009-08-24 01:49 -------- d-----w- c:\program files\MediaMonkey
2009-08-23 23:52 . 2009-08-23 23:52 152576 ----a-w- c:\documents and settings\Elvin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-08-22 22:46 . 2009-08-22 22:46 -------- d-----w- c:\documents and settings\Elvin\Application Data\ESET
2009-07-09 15:36 . 2009-07-09 15:37 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-08 22:50 . 2009-06-03 21:48 779720 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\PurpleBean.exe
2009-07-03 18:44 . 2009-07-03 18:45 -------- d-----w- c:\program files\TuneUpMedia
2009-07-03 18:44 . 2009-07-09 02:38 -------- d-----w- c:\documents and settings\Elvin\Application Data\TuneUpMedia
2009-07-03 18:44 . 2009-07-03 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2009-07-01 03:03 . 2009-07-01 03:03 -------- d-----w- c:\documents and settings\Elvin\Application Data\iTunes Agent
2009-07-01 03:03 . 2009-07-01 03:07 -------- d-----w- c:\program files\iTunes Agent
2009-07-01 01:58 . 2009-07-01 01:58 -------- d-----w- c:\documents and settings\Elvin\Application Data\Binary Fortress Software
2009-06-28 06:18 . 2009-06-28 06:17 110592 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\kailleraclient.dll
2009-06-28 06:18 . 2009-06-28 06:17 81920 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\okai_recorder.dll
2009-06-28 06:18 . 2009-06-28 06:17 75264 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\zlib1.dll
2009-06-28 06:18 . 2009-06-28 06:18 6393344 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\freeplay_emu.exe
2009-06-28 06:18 . 2009-06-28 06:18 -------- d-----w- c:\documents and settings\Elvin\Application Data\Damdai
2009-06-28 06:14 . 2009-06-28 06:14 887592 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-28 06:12 . 2009-06-28 06:12 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-28 06:12 . 2009-06-28 06:12 -------- d-----w- c:\program files\Reference Assemblies
2009-06-28 06:12 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-06-25 02:14 . 2007-04-05 16:16 626688 ----a-w- c:\windows\system32\msvcr80.dll
2009-06-20 04:10 . 2009-06-20 04:11 152576 ----a-w- c:\documents and settings\Elvin\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-18 23:37 . 2009-07-09 01:44 25 ----a-w- c:\windows\popcinfot.dat
2009-06-15 00:39 . 2009-06-15 23:16 -------- d-----w- c:\documents and settings\Rafelito\Local Settings\Application Data\1Click DVD Copy
2009-06-12 22:48 . 2009-06-12 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 22:43 . 2009-03-09 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-08-22 22:17 . 2009-03-09 20:35 -------- d-----w- c:\program files\ESET
2009-08-22 20:10 . 2009-03-09 20:37 159644 ----a-w- c:\windows\Marsu-Fix 2.5 Uninstaller.exe
2009-07-09 03:48 . 2008-10-18 19:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 03:48 . 2009-03-28 14:54 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-08 22:50 . 2009-07-04 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-07-08 22:49 . 2009-07-08 22:49 -------- d-----w- c:\program files\NHN USA
2009-07-08 22:49 . 2007-10-06 02:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-03 18:45 . 2008-05-12 16:22 -------- d-----w- c:\program files\iTunes
2009-07-02 21:03 . 2008-12-07 01:33 -------- d-----w- c:\documents and settings\Elvin\Application Data\DNA
2009-07-02 20:58 . 2008-12-07 01:33 -------- d-----w- c:\program files\DNA
2009-06-28 06:16 . 2007-10-09 21:15 571760 ----a-w- c:\documents and settings\Elvin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 06:13 . 2007-10-12 00:17 -------- d-----w- c:\program files\MSBuild
2009-06-20 04:12 . 2007-10-06 02:05 -------- d-----w- c:\program files\Java
2009-06-17 15:27 . 2008-10-18 19:30 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2008-10-18 19:30 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 23:21 . 2009-04-14 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\1Click DVD Copy
2009-06-15 00:39 . 2007-10-13 17:47 571760 ----a-w- c:\documents and settings\Rafelito\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-14 18:29 . 2007-10-12 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-11 22:50 . 2007-10-06 02:20 -------- d-----w- c:\program files\Microsoft Works
2009-06-08 01:34 . 2007-10-21 21:33 -------- d-----w- c:\program files\StepMania
2009-06-07 02:40 . 2008-12-27 23:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-27 22:08 . 2009-07-08 22:50 591320 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\ExLauncher.exe
2009-05-27 00:34 . 2009-02-21 03:40 -------- d-----w- c:\documents and settings\Elvin\Application Data\U3
2009-05-26 21:31 . 2009-07-08 22:49 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-24 15:22 . 2009-05-24 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-05-21 15:33 . 2009-03-18 02:32 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 22:02 . 2009-03-18 02:43 -------- d-----w- c:\program files\Conduit
2009-05-13 00:48 . 2009-07-08 22:49 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-09 20:00 . 2009-05-09 20:00 8673792 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2009-05-07 15:32 . 2004-08-10 16:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 16:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 16:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 16:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 16:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 04:00 . 2009-04-14 04:00 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-04-14 04:00 . 2009-04-14 04:00 47360 ----a-w- c:\documents and settings\Elvin\Application Data\pcouffin.sys
2009-04-14 04:00 . 2009-04-14 04:00 47360 ----a-w- c:\documents and settings\Elvin\Application Data\pcouffin.sys
2009-04-13 04:16 . 2008-08-01 22:49 335872 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-04-13 04:16 . 2008-08-01 22:49 520192 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-04-13 04:13 . 2008-08-01 22:49 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-04-13 04:13 . 2008-08-01 22:49 81920 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-04-13 04:13 . 2008-08-01 22:49 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-04-13 04:13 . 2008-08-01 22:49 159744 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
1999-07-07 00:00 . 1999-07-07 00:00 6 --sh--r- c:\windows\@@desktop.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-16 138008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]
"PMX Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2007-03-08 49152]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-16 16132608]

c:\documents and settings\Rafelito\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\Elvin\\temp\\TeamViewer3\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=
"c:\\Documents and Settings\\Elvin\\Local Settings\\Apps\\2.0\\QWZ5JL5G.KZ6\\CYY7KXV8.KDQ\\2dff..tion_fcdf29b345c9098a_0001.0000_89b83da73a004bb4\\2DF FreePlay Client.exe"=
"c:\\Documents and Settings\\Elvin\\Application Data\\Damdai\\2DF\\FreePlay\\freeplay_emu.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_DUPA30.EXE"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 2:23 PM 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 2:24 PM 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2/6/2009 2:23 PM 727720]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/9/2007 6:02 PM 24652]
S2 hglejjgdd;hglejjgdd;\??\c:\windows\system32\drivers\lwqvxcrc.sys --> c:\windows\system32\drivers\lwqvxcrc.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [10/9/2007 5:09 PM 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [10/9/2007 5:09 PM 14336]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]
S3 XDva119;XDva119;\??\c:\windows\system32\XDva119.sys --> c:\windows\system32\XDva119.sys [?]
S3 XDva121;XDva121;\??\c:\windows\system32\XDva121.sys --> c:\windows\system32\XDva121.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva202;XDva202;\??\c:\windows\system32\XDva202.sys --> c:\windows\system32\XDva202.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-122048304-745012476-860069125-1006Core.job
- c:\documents and settings\Elvin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 16:29]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-122048304-745012476-860069125-1006UA.job
- c:\documents and settings\Elvin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 16:29]
.
- - - - ORPHANS REMOVED - - - -

BHO-{60270dc7-9ea0-472f-9b77-66652c06246e} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.daemonsearch.com/intl/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://dslstart.verizon.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.woot.com/Default.aspx
FF - prefs.js: keyword.URL - hxxp://yandex.ru/yandsearch?stype=first&clid=43912&yasoft=barff&text=
FF - component: c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Elvin\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 13:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3960)
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\program files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-09 13:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 17:19

Pre-Run: 132,676,022,272 bytes free
Post-Run: 136,951,443,456 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

310 --- E O F --- 2009-06-14 18:29
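Added example, not part of this thread and not ComboFix's own code: a short Python triage script for the Drivers/Services block of the ComboFix log above. It flags the entries an analyst would look at first: a service whose binary ComboFix reports missing ([?]), a service whose image path already appears in the Other Deletions list (the file is gone but the service key survived, so it still has to be removed separately), and service or file names that look machine-generated. The sample lines are copied from the log in this post; the name heuristic (eight or more lowercase letters with at most 20 percent vowels) and the function names are assumptions for illustration only.

```python
import re

# Lines copied from the Drivers/Services and Other Deletions blocks of the
# ComboFix log in this post (constructed sample for the example).
SAMPLE = r"""
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 2:23 PM 106208]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2/6/2009 2:23 PM 727720]
S2 hglejjgdd;hglejjgdd;\??\c:\windows\system32\drivers\lwqvxcrc.sys --> c:\windows\system32\drivers\lwqvxcrc.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [10/9/2007 5:09 PM 18432]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]
"""

DELETED = [
    r"c:\windows\system32\drivers\hjgruiwospwsft.sys",
    r"c:\windows\system32\drivers\lwqvxcrc.sys",
    r"c:\windows\system32\drivers\str.sys",
]

# ComboFix prints: <start type> <service name>;<display name>;<image path> [...]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)


def vowel_ratio(token: str) -> float:
    letters = [c for c in token.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def looks_generated(token: str) -> bool:
    """Assumed heuristic: 8+ lowercase letters with at most 20% vowels.
    Matches names like hglejjgdd and lwqvxcrc but not pmxmouse or ekrn."""
    return re.fullmatch(r"[a-z]{8,}", token) is not None and vowel_ratio(token) <= 0.2


def image_path(rest: str) -> str:
    """Extract the on-disk path ComboFix resolved for the service.
    A missing file is printed as '<registry path> --> <resolved path> [?]'."""
    body = rest.rsplit(" [", 1)[0]
    if "-->" in body:
        body = body.split("-->", 1)[1].strip()
    if body.startswith("\\??\\"):
        body = body[4:]
    return body


def triage(log_text: str, deleted_files=()):
    """Return (service name, start type, image path, flags) per service line."""
    deleted = {p.strip().lower() for p in deleted_files}
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        path = image_path(rest)
        stem = path.rsplit("\\", 1)[-1].split(".", 1)[0]
        flags = []
        if rest.rstrip().endswith("[?]"):
            flags.append("missing-on-disk")
        if path.lower() in deleted:
            flags.append("file-already-deleted")
        if looks_generated(m.group("name")):
            flags.append("random-service-name")
        if looks_generated(stem):
            flags.append("random-image-name")
        findings.append((m.group("name"), m.group("start"), path, flags))
    return findings


def flags_by_name(log_text: str, deleted_files=()):
    """Convenience view: service name -> list of indicator flags."""
    return {name: flags for name, _, _, flags in triage(log_text, deleted_files)}


def suspects(log_text: str, deleted_files=()):
    """Names of services with at least two independent indicators."""
    return [name for name, flags in flags_by_name(log_text, deleted_files).items()
            if len(flags) >= 2]


if __name__ == "__main__":
    for name, start, path, flags in triage(SAMPLE, DELETED):
        print(f"{start} {name:<10} {path:<50} {', '.join(flags) or 'ok'}")
```

A single indicator is not proof: npggsvc (GameGuard) and the XDva* drivers are also reported missing on disk, which is normal for game anti-cheat drivers that are dropped and removed per session. The entry that stacks all four indicators is the one a follow-up script should target.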

#6 vernix (Topic Starter)

Posted 09 July 2009 - 12:28 PM

I can't post or attach the ark.txt file; it says it's too big.

#7 Grinler (Lawrence Abrams, Admin)

Posted 09 July 2009 - 01:36 PM

When you ran gmer did you make sure to do this?

In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:

* Sections
* IAT/EAT
* Drives/Partition other than Systemdrive (typically C:\)
* Show All (don't miss this one)

#8 Grinler (Lawrence Abrams, Admin)

Posted 09 July 2009 - 01:48 PM

* Open Notepad; don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\@@desktop.dat

Driver::
hglejjgdd


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


You should also know that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#9 vernix (Topic Starter)

Posted 09 July 2009 - 07:28 PM

ComboFix 09-07-08.A0 - Elvin 07/09/2009 19:54.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.584 [GMT -4:00]
Running from: c:\documents and settings\Elvin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Elvin\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\windows\@@desktop.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\@@desktop.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hglejjgdd


((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-08-29 02:31 . 2009-08-29 02:31 -------- d-----w- c:\documents and settings\Elvin\Application Data\Canneverbe_Limited
2009-08-29 02:25 . 2009-08-29 19:35 -------- d-----w- c:\program files\Blaze Media Pro
2009-08-26 04:02 . 2009-02-23 18:42 652608 ----a-w- c:\documents and settings\Elvin\Application Data\GarageGames\IAPlayer\iaplugin.dll
2009-08-26 04:02 . 2009-08-26 04:02 -------- d-----w- c:\documents and settings\Elvin\Application Data\GarageGames
2009-08-26 04:02 . 2008-12-03 15:53 521472 ----a-w- c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
2009-08-24 01:25 . 2009-08-24 01:49 -------- d-----w- c:\documents and settings\Elvin\Local Settings\Application Data\MediaMonkey
2009-08-24 01:25 . 2009-08-24 01:49 -------- d-----w- c:\program files\MediaMonkey
2009-08-23 23:52 . 2009-08-23 23:52 152576 ----a-w- c:\documents and settings\Elvin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-08-22 22:46 . 2009-08-22 22:46 -------- d-----w- c:\documents and settings\Elvin\Application Data\ESET
2009-07-09 15:36 . 2009-07-09 15:37 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-08 22:50 . 2009-06-03 21:48 779720 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\PurpleBean.exe
2009-07-03 18:44 . 2009-07-03 18:45 -------- d-----w- c:\program files\TuneUpMedia
2009-07-03 18:44 . 2009-07-09 02:38 -------- d-----w- c:\documents and settings\Elvin\Application Data\TuneUpMedia
2009-07-03 18:44 . 2009-07-03 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2009-07-01 03:03 . 2009-07-01 03:03 -------- d-----w- c:\documents and settings\Elvin\Application Data\iTunes Agent
2009-07-01 03:03 . 2009-07-01 03:07 -------- d-----w- c:\program files\iTunes Agent
2009-07-01 01:58 . 2009-07-01 01:58 -------- d-----w- c:\documents and settings\Elvin\Application Data\Binary Fortress Software
2009-06-28 06:18 . 2009-06-28 06:17 110592 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\kailleraclient.dll
2009-06-28 06:18 . 2009-06-28 06:17 81920 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\okai_recorder.dll
2009-06-28 06:18 . 2009-06-28 06:17 75264 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\zlib1.dll
2009-06-28 06:18 . 2009-06-28 06:18 6393344 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\freeplay_emu.exe
2009-06-28 06:18 . 2009-06-28 06:18 -------- d-----w- c:\documents and settings\Elvin\Application Data\Damdai
2009-06-28 06:14 . 2009-06-28 06:14 887592 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-28 06:12 . 2009-06-28 06:12 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-28 06:12 . 2009-06-28 06:12 -------- d-----w- c:\program files\Reference Assemblies
2009-06-28 06:12 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-06-25 02:14 . 2007-04-05 16:16 626688 ----a-w- c:\windows\system32\msvcr80.dll
2009-06-20 04:10 . 2009-06-20 04:11 152576 ----a-w- c:\documents and settings\Elvin\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-18 23:37 . 2009-07-09 01:44 25 ----a-w- c:\windows\popcinfot.dat
2009-06-15 00:39 . 2009-06-15 23:16 -------- d-----w- c:\documents and settings\Rafelito\Local Settings\Application Data\1Click DVD Copy
2009-06-12 22:48 . 2009-06-12 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 22:43 . 2009-03-09 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-08-22 22:17 . 2009-03-09 20:35 -------- d-----w- c:\program files\ESET
2009-08-22 20:10 . 2009-03-09 20:37 159644 ----a-w- c:\windows\Marsu-Fix 2.5 Uninstaller.exe
2009-07-09 03:48 . 2008-10-18 19:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 03:48 . 2009-03-28 14:54 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-08 22:50 . 2009-07-04 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-07-08 22:49 . 2009-07-08 22:49 -------- d-----w- c:\program files\NHN USA
2009-07-08 22:49 . 2007-10-06 02:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-03 18:45 . 2008-05-12 16:22 -------- d-----w- c:\program files\iTunes
2009-07-02 21:03 . 2008-12-07 01:33 -------- d-----w- c:\documents and settings\Elvin\Application Data\DNA
2009-07-02 20:58 . 2008-12-07 01:33 -------- d-----w- c:\program files\DNA
2009-06-28 06:16 . 2007-10-09 21:15 571760 ----a-w- c:\documents and settings\Elvin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 06:13 . 2007-10-12 00:17 -------- d-----w- c:\program files\MSBuild
2009-06-20 04:12 . 2007-10-06 02:05 -------- d-----w- c:\program files\Java
2009-06-17 15:27 . 2008-10-18 19:30 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2008-10-18 19:30 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 23:21 . 2009-04-14 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\1Click DVD Copy
2009-06-15 00:39 . 2007-10-13 17:47 571760 ----a-w- c:\documents and settings\Rafelito\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-14 18:29 . 2007-10-12 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-11 22:50 . 2007-10-06 02:20 -------- d-----w- c:\program files\Microsoft Works
2009-06-08 01:34 . 2007-10-21 21:33 -------- d-----w- c:\program files\StepMania
2009-06-07 02:40 . 2008-12-27 23:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-27 22:08 . 2009-07-08 22:50 591320 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\ExLauncher.exe
2009-05-27 00:34 . 2009-02-21 03:40 -------- d-----w- c:\documents and settings\Elvin\Application Data\U3
2009-05-26 21:31 . 2009-07-08 22:49 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-24 15:22 . 2009-05-24 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-05-21 15:33 . 2009-03-18 02:32 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 22:02 . 2009-03-18 02:43 -------- d-----w- c:\program files\Conduit
2009-05-13 00:48 . 2009-07-08 22:49 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-09 20:00 . 2009-05-09 20:00 8673792 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2009-05-07 15:32 . 2004-08-10 16:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 16:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 16:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 16:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 16:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 04:00 . 2009-04-14 04:00 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-04-14 04:00 . 2009-04-14 04:00 47360 ----a-w- c:\documents and settings\Elvin\Application Data\pcouffin.sys
2009-04-14 04:00 . 2009-04-14 04:00 47360 ----a-w- c:\documents and settings\Elvin\Application Data\pcouffin.sys
2009-04-13 04:16 . 2008-08-01 22:49 335872 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-04-13 04:16 . 2008-08-01 22:49 520192 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-04-13 04:13 . 2008-08-01 22:49 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-04-13 04:13 . 2008-08-01 22:49 81920 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-04-13 04:13 . 2008-08-01 22:49 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-04-13 04:13 . 2008-08-01 22:49 159744 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-07-09_17.09.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-10 00:07 . 2009-07-10 00:07 16384 c:\windows\Temp\Perflib_Perfdata_2d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-16 138008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]
"PMX Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2007-03-08 49152]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-16 16132608]

c:\documents and settings\Rafelito\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\Elvin\\temp\\TeamViewer3\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=
"c:\\Documents and Settings\\Elvin\\Local Settings\\Apps\\2.0\\QWZ5JL5G.KZ6\\CYY7KXV8.KDQ\\2dff..tion_fcdf29b345c9098a_0001.0000_89b83da73a004bb4\\2DF FreePlay Client.exe"=
"c:\\Documents and Settings\\Elvin\\Application Data\\Damdai\\2DF\\FreePlay\\freeplay_emu.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_DUPA30.EXE"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 2:23 PM 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 2:24 PM 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2/6/2009 2:23 PM 727720]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/9/2007 6:02 PM 24652]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [10/9/2007 5:09 PM 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [10/9/2007 5:09 PM 14336]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]
S3 XDva119;XDva119;\??\c:\windows\system32\XDva119.sys --> c:\windows\system32\XDva119.sys [?]
S3 XDva121;XDva121;\??\c:\windows\system32\XDva121.sys --> c:\windows\system32\XDva121.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva202;XDva202;\??\c:\windows\system32\XDva202.sys --> c:\windows\system32\XDva202.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-122048304-745012476-860069125-1006Core.job
- c:\documents and settings\Elvin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 16:29]

2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-122048304-745012476-860069125-1006UA.job
- c:\documents and settings\Elvin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 16:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.daemonsearch.com/intl/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://dslstart.verizon.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.woot.com/Default.aspx
FF - prefs.js: keyword.URL - hxxp://yandex.ru/yandsearch?stype=first&clid=43912&yasoft=barff&text=
FF - component: c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Elvin\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 20:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3508)
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\program files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-07-10 20:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 00:22
ComboFix2.txt 2009-07-09 17:19

Pre-Run: 137,187,360,768 bytes free
Post-Run: 137,167,024,128 bytes free

290 --- E O F --- 2009-06-14 18:29
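The Drivers/Services block in the ComboFix log above lists each registered driver or service as `<start type> <name>;<display name>;<ImagePath> [<date> <size>]`, and, where ComboFix could not find the image file, as `<ImagePath> --> <resolved path> [?]`. The following Python script is an added example for triaging that block; it is not part of the thread or of ComboFix. It parses lines in that shape, flags registrations whose image file is absent (it treats the trailing `[?]` as "file not found", which is an assumption about ComboFix's output) and registrations whose image is not a .sys or .exe. The sample input is built from lines copied out of the log above and is not read from a live system.

```python
import re

# Constructed sample in the shape of ComboFix's Drivers/Services lines in the log
# above (paths copied from that log; not read from a live system).
SAMPLE_SERVICES = """\
R1 ehdrv;ehdrv;c:\\windows\\system32\\drivers\\ehdrv.sys [2/6/2009 2:23 PM 106208]
R2 ekrn;ESET Service;c:\\program files\\ESET\\ESET Smart Security\\ekrn.exe [2/6/2009 2:23 PM 727720]
S3 npggsvc;nProtect GameGuard Service;c:\\windows\\system32\\GameMon.des -service --> c:\\windows\\system32\\GameMon.des -service [?]
S3 XDva037;XDva037;\\??\\c:\\windows\\system32\\XDva037.sys --> c:\\windows\\system32\\XDva037.sys [?]
S3 XDva119;XDva119;\\??\\c:\\windows\\system32\\XDva119.sys --> c:\\windows\\system32\\XDva119.sys [?]
S3 pmxmouse;PMXMOUSE;c:\\windows\\system32\\drivers\\pmxmouse.sys [10/9/2007 5:09 PM 18432]
"""

# <start type> <service name>;<display name>;<ImagePath> [<file date> <size>]
# or, when ComboFix could not locate the file (assumed meaning of "[?]"):
# <start type> <service name>;<display name>;<ImagePath> --> <resolved path> [?]
SERVICE_LINE = re.compile(
    r"^(R[0-3]|S[0-4])\s+([^;]+);([^;]*);(.*?)(?:\s+-->\s+(.*?))?\s+\[(.*)\]\s*$")

# Splits "<path with extension> <optional arguments>"; the $ anchor makes the lazy
# group back up past dots inside directory names until a real extension is found.
IMAGE_FILE = re.compile(r"^(.*?\.([A-Za-z0-9]+))(\s+.*)?$")


def split_image(image):
    """Split an ImagePath into (file path, arguments); a leading \\??\\ prefix is dropped."""
    image = image.strip()
    if image.startswith("\\??\\"):
        image = image[4:]
    m = IMAGE_FILE.match(image)
    if not m:
        return image, ""
    return m.group(1), (m.group(3) or "").strip()


def parse_services(text):
    """One dict per service line: name, start type, image path, args, file_found, size."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line)
        if not m:
            continue
        start, name, display, image, resolved, info = m.groups()
        path, args = split_image(resolved or image)
        missing = info.strip() == "?"
        entries.append({
            "start": start, "name": name, "display": display,
            "path": path.lower(), "args": args,
            "file_found": not missing,
            "size": None if missing else int(info.split()[-1]),
        })
    return entries


def triage_services(entries, expected_exts=(".sys", ".exe")):
    """Return {service name: [reasons]} for registrations worth a second look."""
    findings = {}
    for e in entries:
        reasons = []
        if not e["file_found"]:
            reasons.append("image file not found on disk")
        if not e["path"].endswith(expected_exts):
            reasons.append("image is not a .sys/.exe (%s)" % e["path"].rsplit(".", 1)[-1])
        if reasons:
            findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    entries = parse_services(SAMPLE_SERVICES)
    print("%d service/driver registrations parsed" % len(entries))
    for name, reasons in triage_services(entries).items():
        print("%-10s %s" % (name, "; ".join(reasons)))
```

A stale registration whose driver file is gone cannot load, so it is not itself the infection; it is still worth recording, because a removal that left the service key behind looks exactly the same in this log as a driver that was never there, and the distinction has to come from the file system or the registry, not from ComboFix's line alone.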

#10 vernix

vernix
  • Topic Starter

  • Members
  • 13 posts

Posted 09 July 2009 - 07:46 PM

Also, here's the new GMER log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-09 20:45:07
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 86349630 ZwAssignProcessToJobObject
SSDT sptd.sys ZwCreateKey [0xF73180D0]
SSDT sptd.sys ZwEnumerateKey [0xF731DFB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF731E340]
SSDT sptd.sys ZwOpenKey [0xF73180B0]
SSDT 86348A60 ZwOpenProcess
SSDT 86348E80 ZwOpenThread
SSDT sptd.sys ZwQueryKey [0xF731E418]
SSDT sptd.sys ZwQueryValueKey [0xF731E298]
SSDT sptd.sys ZwSetValueKey [0xF731E4AA]
SSDT 86349460 ZwSuspendProcess
SSDT 86349280 ZwSuspendThread
SSDT 86348C90 ZwTerminateProcess
SSDT 863490B0 ZwTerminateThread

Code \??\C:\DOCUME~1\Elvin\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86FD11E8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\usbuhci \Device\USBPDO-0 86DA51E8
Device \Driver\usbuhci \Device\USBPDO-1 86DA51E8
Device \Driver\usbehci \Device\USBPDO-2 86D835D0
Device \Driver\usbuhci \Device\USBPDO-3 86DA51E8
Device \Driver\usbuhci \Device\USBPDO-4 86DA51E8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\usbehci \Device\USBPDO-5 86D835D0
Device \Driver\PCI_NTPNP7670 \Device\00000056 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-6 86DA51E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD31E8
Device \Driver\usbuhci \Device\USBPDO-7 86DA51E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FD31E8
Device \Driver\Cdrom \Device\CdRom0 86D41790
Device \Driver\Cdrom \Device\CdRom1 86D41790
Device \Driver\Ftdisk \Device\HarddiskVolume3 86FD31E8
Device \Driver\Cdrom \Device\CdRom2 86D41790
Device \Driver\NetBT \Device\NetBt_Wins_Export 86B45790
Device \Driver\NetBT \Device\NetbiosSmb 86B45790
Device \Driver\NetBT \Device\NetBT_Tcpip_{8210681F-E446-4222-8CFA-1C7396B9EF66} 86B45790
Device \Driver\usbuhci \Device\USBFDO-0 86DA51E8
Device \Driver\usbuhci \Device\USBFDO-1 86DA51E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86B2F450
Device \Driver\usbuhci \Device\USBFDO-2 86DA51E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86B2F450
Device \Driver\usbehci \Device\USBFDO-3 86D835D0
Device \Driver\usbuhci \Device\USBFDO-4 86DA51E8
Device \Driver\Ftdisk \Device\FtControl 86FD31E8
Device \Driver\usbuhci \Device\USBFDO-5 86DA51E8
Device \Driver\usbuhci \Device\USBFDO-6 86DA51E8
Device \Driver\usbehci \Device\USBFDO-7 86D835D0
Device \Driver\a7brxxse \Device\Scsi\a7brxxse1 86CE31E8
Device \Driver\a7brxxse \Device\Scsi\a7brxxse1Port4Path0Target0Lun0 86CE31E8
Device \FileSystem\Fastfat \Fat 86B79790
Device \FileSystem\Fastfat \Fat A8EFE297

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 86BB9790

---- Threads - GMER 1.0.15 ----

Thread System [4:476] 86347790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x60 0x2B 0x9E 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x72 0xC2 0x84 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x39 0xED 0x62 0xDB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x60 0x2B 0x9E 0x5D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x72 0xC2 0x84 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x39 0xED 0x62 0xDB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x60 0x2B 0x9E 0x5D ...

---- EOF - GMER 1.0.15 ----
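In the GMER log above, the SSDT section lists two kinds of hook: ones GMER could attribute to a driver image (here sptd.sys, which the registry section of the same log ties to DAEMON Tools via Cfg@p0 = C:\Program Files\DAEMON Tools\) and ones that resolve only to a raw kernel address such as 86348A60, meaning the handler sits in no loaded image. The Python script below is an added example, not part of the thread or of GMER: it parses those two line shapes (assumed from the lines shown; other GMER versions may print differently), groups hooks by owner, reports the unattributed ones as findings, and clusters their handler addresses, since handlers packed into one small region of memory usually belong to a single component. The sample input is a subset of the SSDT lines from the log above embedded in the script, and the `known_owners` allow-list is an analyst assumption. Which image, if any, explains the unattributed hooks is something the log alone does not say; the script only makes them the first thing to look at.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "---- System ----" section of the GMER log in
# the post above, plus a non-SSDT line to show that it is ignored.
SAMPLE_GMER_LOG = """\
---- System - GMER 1.0.15 ----

SSDT 86349630 ZwAssignProcessToJobObject
SSDT sptd.sys ZwCreateKey [0xF73180D0]
SSDT sptd.sys ZwEnumerateKey [0xF731DFB2]
SSDT 86348A60 ZwOpenProcess
SSDT 86348E80 ZwOpenThread
SSDT sptd.sys ZwQueryValueKey [0xF731E298]
SSDT 86348C90 ZwTerminateProcess

Code \\??\\C:\\DOCUME~1\\Elvin\\LOCALS~1\\Temp\\catchme.sys pIofCallDriver
"""

# Two line shapes occur in the SSDT section of that log (an assumption based on the
# lines shown; other GMER versions may differ):
#   SSDT <image> <ZwFunction> [0x<handler>]   GMER mapped the handler to a driver image
#   SSDT <handler> <ZwFunction>              handler address inside no loaded image
ATTRIBUTED = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]\s*$")
UNATTRIBUTED = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(Zw\w+)\s*$")


def parse_ssdt_hooks(log_text):
    """One dict per SSDT line: function, owner (None if unattributed), handler (int)."""
    hooks = []
    for line in log_text.splitlines():
        m = ATTRIBUTED.match(line)
        if m:
            hooks.append({"function": m.group(2), "owner": m.group(1).lower(),
                          "handler": int(m.group(3), 16)})
            continue
        m = UNATTRIBUTED.match(line)
        if m:
            hooks.append({"function": m.group(2), "owner": None,
                          "handler": int(m.group(1), 16)})
    return hooks


def hooks_by_owner(hooks):
    """Group hooked service names by the image GMER attributed them to."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["owner"] or "<unattributed>"].append(h["function"])
    return dict(grouped)


def triage(hooks, known_owners=frozenset({"sptd.sys"})):
    """Split hooks into findings (worth chasing) and notes (explained by a known image).

    known_owners is the analyst's allow-list (an assumption); sptd.sys is listed
    because the log's registry section ties it to DAEMON Tools."""
    findings, notes = [], []
    for h in hooks:
        if h["owner"] is None:
            findings.append("%s -> 0x%08X, handler in no loaded image"
                            % (h["function"], h["handler"]))
        elif h["owner"] not in known_owners:
            findings.append("%s hooked by unexpected image %s" % (h["function"], h["owner"]))
        else:
            notes.append("%s hooked by %s (known)" % (h["function"], h["owner"]))
    return findings, notes


def cluster_unattributed(hooks, max_gap=0x10000):
    """Group unattributed handler addresses lying within max_gap bytes of one another.

    Handlers packed into one small region of kernel memory usually belong to a single
    component whose code lives in allocated pool rather than in a driver image."""
    addrs = sorted(h["handler"] for h in hooks if h["owner"] is None)
    clusters = []
    for a in addrs:
        if clusters and a - clusters[-1][-1] <= max_gap:
            clusters[-1].append(a)
        else:
            clusters.append([a])
    return clusters


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(SAMPLE_GMER_LOG)
    for owner, funcs in hooks_by_owner(hooks).items():
        print("%-16s %s" % (owner, ", ".join(funcs)))
    findings, notes = triage(hooks)
    print("\nFindings:")
    for f in findings:
        print("  " + f)
    for c in cluster_unattributed(hooks):
        print("\n%d unattributed handler(s) between 0x%08X and 0x%08X" % (len(c), c[0], c[-1]))
```

The services the unattributed hooks cover in this log (ZwOpenProcess, ZwOpenThread, ZwTerminateProcess, ZwSuspendProcess and the like) are the ones both self-protecting security products and process-hiding rootkits intercept, so the allow-list, not the function names, is what decides whether a hook is expected; on a machine that still shows the symptoms, the next step is to identify what owns that pool region rather than to trust the absence of an image name.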

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,463 posts
  • Gender:Male
  • Location:USA

Posted 09 July 2009 - 08:46 PM

Looks good. I assume the redirects are gone and ESET is no longer reporting the rootkit?

Let's do a last scan with MBAM. As you have it installed, just do an update and post its log, please.

#12 vernix

vernix
  • Topic Starter

  • Members
  • 13 posts

Posted 09 July 2009 - 08:49 PM

Thank you very much, Grinler; I'm scanning as we speak. I've decided to wait until the rootkit left so that I can back up my files and then reformat after. Will post the log in a few minutes. Again, many thanks.

#13 vernix

vernix
  • Topic Starter

  • Members
  • 13 posts

Posted 09 July 2009 - 09:24 PM

Malwarebytes' Anti-Malware 1.38
Database version: 2397
Windows 5.1.2600 Service Pack 3

7/9/2009 10:20:07 PM
mbam-log-2009-07-09 (22-20-07).txt

Scan type: Quick Scan
Objects scanned: 133585
Time elapsed: 34 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Do I erase all the programs you gave me earlier?

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,463 posts
  • Gender:Male
  • Location:USA

Posted 09 July 2009 - 09:45 PM

First,

Update Java:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment....).

    Select it and click Remove.
  • The current version can be downloaded from Sun here: http://java.sun.com/javase/downloads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 14' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
Then, I missed one other thing:

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

Firefox::
FireFox -: Profile - C:\Documents and Settings\elvin\Application Data\mozilla\firefox\profiles\nxiiy9mm.default\
FireFox -: prefs.js: keyword.URL - http://www.google.com/search?ie=UTF-8&...p;gfns=1&q=


Save this as the text file CFScript.

Then drag the CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

#15 vernix

vernix
  • Topic Starter

  • Members
  • 13 posts

Posted 09 July 2009 - 10:36 PM

ComboFix 09-07-08.A0 - Elvin 07/09/2009 23:19.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.472 [GMT -4:00]
Running from: c:\documents and settings\Elvin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Elvin\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-08-29 02:31 . 2009-08-29 02:31 -------- d-----w- c:\documents and settings\Elvin\Application Data\Canneverbe_Limited
2009-08-29 02:25 . 2009-08-29 19:35 -------- d-----w- c:\program files\Blaze Media Pro
2009-08-26 04:02 . 2009-02-23 18:42 652608 ----a-w- c:\documents and settings\Elvin\Application Data\GarageGames\IAPlayer\iaplugin.dll
2009-08-26 04:02 . 2009-08-26 04:02 -------- d-----w- c:\documents and settings\Elvin\Application Data\GarageGames
2009-08-26 04:02 . 2008-12-03 15:53 521472 ----a-w- c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
2009-08-24 01:25 . 2009-08-24 01:49 -------- d-----w- c:\documents and settings\Elvin\Local Settings\Application Data\MediaMonkey
2009-08-24 01:25 . 2009-08-24 01:49 -------- d-----w- c:\program files\MediaMonkey
2009-08-23 23:52 . 2009-08-23 23:52 152576 ----a-w- c:\documents and settings\Elvin\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-08-22 22:46 . 2009-08-22 22:46 -------- d-----w- c:\documents and settings\Elvin\Application Data\ESET
2009-07-10 03:11 . 2009-07-10 03:11 -------- d-----w- c:\program files\Sun
2009-07-09 15:36 . 2009-07-09 15:37 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-08 22:50 . 2009-06-03 21:48 779720 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\PurpleBean.exe
2009-07-03 18:44 . 2009-07-03 18:45 -------- d-----w- c:\program files\TuneUpMedia
2009-07-03 18:44 . 2009-07-10 02:45 -------- d-----w- c:\documents and settings\Elvin\Application Data\TuneUpMedia
2009-07-03 18:44 . 2009-07-03 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2009-07-01 03:03 . 2009-07-01 03:03 -------- d-----w- c:\documents and settings\Elvin\Application Data\iTunes Agent
2009-07-01 03:03 . 2009-07-01 03:07 -------- d-----w- c:\program files\iTunes Agent
2009-07-01 01:58 . 2009-07-01 01:58 -------- d-----w- c:\documents and settings\Elvin\Application Data\Binary Fortress Software
2009-06-28 06:18 . 2009-06-28 06:17 110592 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\kailleraclient.dll
2009-06-28 06:18 . 2009-06-28 06:17 81920 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\okai_recorder.dll
2009-06-28 06:18 . 2009-06-28 06:17 75264 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\zlib1.dll
2009-06-28 06:18 . 2009-06-28 06:18 6393344 ----a-w- c:\documents and settings\Elvin\Application Data\Damdai\2DF\FreePlay\freeplay_emu.exe
2009-06-28 06:18 . 2009-06-28 06:18 -------- d-----w- c:\documents and settings\Elvin\Application Data\Damdai
2009-06-28 06:14 . 2009-06-28 06:14 887592 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-28 06:12 . 2009-06-28 06:12 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-28 06:12 . 2009-06-28 06:12 -------- d-----w- c:\program files\Reference Assemblies
2009-06-28 06:12 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-06-25 02:14 . 2007-04-05 16:16 626688 ----a-w- c:\windows\system32\msvcr80.dll
2009-06-20 04:10 . 2009-06-20 04:11 152576 ----a-w- c:\documents and settings\Elvin\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-18 23:37 . 2009-07-09 01:44 25 ----a-w- c:\windows\popcinfot.dat
2009-06-15 00:39 . 2009-06-15 23:16 -------- d-----w- c:\documents and settings\Rafelito\Local Settings\Application Data\1Click DVD Copy
2009-06-12 22:48 . 2009-06-12 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 22:43 . 2009-03-09 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-08-22 22:17 . 2009-03-09 20:35 -------- d-----w- c:\program files\ESET
2009-08-22 20:10 . 2009-03-09 20:37 159644 ----a-w- c:\windows\Marsu-Fix 2.5 Uninstaller.exe
2009-07-10 03:09 . 2007-10-06 02:05 -------- d-----w- c:\program files\Java
2009-07-09 03:48 . 2008-10-18 19:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 03:48 . 2009-03-28 14:54 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-08 22:50 . 2009-07-04 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-07-08 22:49 . 2009-07-08 22:49 -------- d-----w- c:\program files\NHN USA
2009-07-08 22:49 . 2007-10-06 02:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-03 18:45 . 2008-05-12 16:22 -------- d-----w- c:\program files\iTunes
2009-07-02 21:03 . 2008-12-07 01:33 -------- d-----w- c:\documents and settings\Elvin\Application Data\DNA
2009-07-02 20:58 . 2008-12-07 01:33 -------- d-----w- c:\program files\DNA
2009-06-28 06:16 . 2007-10-09 21:15 571760 ----a-w- c:\documents and settings\Elvin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-28 06:13 . 2007-10-12 00:17 -------- d-----w- c:\program files\MSBuild
2009-06-17 15:27 . 2008-10-18 19:30 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2008-10-18 19:30 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 23:21 . 2009-04-14 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\1Click DVD Copy
2009-06-15 00:39 . 2007-10-13 17:47 571760 ----a-w- c:\documents and settings\Rafelito\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-14 18:29 . 2007-10-12 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-11 22:50 . 2007-10-06 02:20 -------- d-----w- c:\program files\Microsoft Works
2009-06-08 01:34 . 2007-10-21 21:33 -------- d-----w- c:\program files\StepMania
2009-06-07 02:40 . 2008-12-27 23:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-27 22:08 . 2009-07-08 22:50 591320 ----a-w- c:\documents and settings\All Users\Application Data\ijjigame\ExLauncher.exe
2009-05-27 00:34 . 2009-02-21 03:40 -------- d-----w- c:\documents and settings\Elvin\Application Data\U3
2009-05-26 21:31 . 2009-07-08 22:49 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2009-05-24 15:22 . 2009-05-24 15:22 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-05-21 15:33 . 2009-03-18 02:32 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 22:02 . 2009-03-18 02:43 -------- d-----w- c:\program files\Conduit
2009-05-13 00:48 . 2009-07-08 22:49 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2009-05-09 20:00 . 2009-05-09 20:00 8673792 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2009-05-07 15:32 . 2004-08-10 16:51 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-10 16:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-10 16:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-10 16:51 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 16:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 04:00 . 2009-04-14 04:00 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-04-14 04:00 . 2009-04-14 04:00 47360 ----a-w- c:\documents and settings\Elvin\Application Data\pcouffin.sys
2009-04-14 04:00 . 2009-04-14 04:00 47360 ----a-w- c:\documents and settings\Elvin\Application Data\pcouffin.sys
2009-04-13 04:16 . 2008-08-01 22:49 335872 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-04-13 04:16 . 2008-08-01 22:49 520192 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-04-13 04:13 . 2008-08-01 22:49 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-04-13 04:13 . 2008-08-01 22:49 81920 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-04-13 04:13 . 2008-08-01 22:49 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-04-13 04:13 . 2008-08-01 22:49 159744 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-07-09_17.09.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-10 03:11 . 2009-07-10 03:11 873472 c:\windows\Installer\9a5308.msi
+ 2009-07-10 03:09 . 2009-07-10 03:09 417792 c:\windows\Installer\9a52fd.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-16 138008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-02-06 2021400]
"PMX Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2007-03-08 49152]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-16 16132608]

c:\documents and settings\Rafelito\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\Elvin\\temp\\TeamViewer3\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\alaplaya\\S4League\\S4Client.exe"=
"c:\\Documents and Settings\\Elvin\\Local Settings\\Apps\\2.0\\QWZ5JL5G.KZ6\\CYY7KXV8.KDQ\\2dff..tion_fcdf29b345c9098a_0001.0000_89b83da73a004bb4\\2DF FreePlay Client.exe"=
"c:\\Documents and Settings\\Elvin\\Application Data\\Damdai\\2DF\\FreePlay\\freeplay_emu.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_DUPA30.EXE"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 2:23 PM 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 2:24 PM 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2/6/2009 2:23 PM 727720]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/9/2007 6:02 PM 24652]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [10/9/2007 5:09 PM 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [10/9/2007 5:09 PM 14336]
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys --> c:\windows\system32\XDva037.sys [?]
S3 XDva119;XDva119;\??\c:\windows\system32\XDva119.sys --> c:\windows\system32\XDva119.sys [?]
S3 XDva121;XDva121;\??\c:\windows\system32\XDva121.sys --> c:\windows\system32\XDva121.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva202;XDva202;\??\c:\windows\system32\XDva202.sys --> c:\windows\system32\XDva202.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - aujasnkj
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-122048304-745012476-860069125-1006Core.job
- c:\documents and settings\Elvin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 16:29]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-122048304-745012476-860069125-1006UA.job
- c:\documents and settings\Elvin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-06 16:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.daemonsearch.com/intl/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://dslstart.verizon.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.woot.com/Default.aspx
FF - prefs.js: keyword.URL - hxxp://yandex.ru/yandsearch?stype=first&clid=43912&yasoft=barff&text=
FF - component: c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Elvin\Application Data\Mozilla\Firefox\Profiles\nxiiy9mm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Elvin\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 23:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1064)
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL
.
Completion time: 2009-07-10 23:33
ComboFix-quarantined-files.txt 2009-07-10 03:33
ComboFix2.txt 2009-07-10 00:22
ComboFix3.txt 2009-07-09 17:19

Pre-Run: 139,323,396,096 bytes free
Post-Run: 139,305,738,240 bytes free

267 --- E O F --- 2009-06-14 18:29