
Malfunctioning scanners, 2 possible malwares?


  • This topic is locked
14 replies to this topic

#1 Bourgeosie

Posted 07 August 2009 - 03:27 PM

Earlier today, my computer randomly rebooted, and now there appear to be two problems.
One is "PC Antispyware 2010", which continues to "scan" my system and try to update every 5 minutes. It even creates its own desktop icon.
The other is a nondescript red circle with a white X in the middle, looking very much like a Microsoft alert. It isn't, however. Firstly, the warning window pops up every time the bubble is scrolled over. Secondly, the grammar and spelling in the warning message are terrible.
If I try to scan with Malwarebytes or Avira, the scan freezes halfway through and my computer reboots. Spybot won't even open. What should I do?


DDS (Ver_09-07-30.01) - NTFSx86
Run by Bourgeosie at 15:20:35.45 on Fri 08/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1519 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\BOURGE~1\LOCALS~1\Temp\b.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\G.O.M\GCSVR.EXE
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RecvMessage.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bourgeosie\Desktop\dds.scr
C:\Documents and Settings\Bourgeosie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Monopod] c:\docume~1\bourge~1\locals~1\temp\b.exe
uRun: [braviax] c:\windows\system32\braviax.exe
mRun: [GEST] m|\
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [tray2] c:\windows\system32\CML.exe
mRun: [tray3] c:\windows\system32\RecvMessage.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [GBTUpd] c:\program files\gigabyte\gbtupd\PreRun.exe
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [braviax] braviax.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: cru629.dat

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 15:21:25.70 ===============
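As an added example, not part of this thread and not code from the DDS tool: a small Python triage script that applies to the log above the checks a helper reads for by eye, from a defender's side. It flags processes and autorun entries launched from a Temp directory, a populated AppInit_DLLs value, Run entries that name a bare executable with no path, and the same autorun name registered under both the user and the machine Run keys. The section headers and line layout it parses are assumed from the log as posted; the embedded sample is a constructed excerpt of that log, not the full file.

```python
import re

# Line layout assumed from the DDS log posted above:
#   "uRun: [name] command"  /  "mRun: [name] command"  (u = user hive, m = machine hive)
#   "AppInit_DLLs: value"
#   section banners of the form "====== Title ======"
RUN_RE = re.compile(r'^(?P<hive>[um])Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
TEMP_RE = re.compile(r'\\temp\\', re.IGNORECASE)
SECTION_RE = re.compile(r'^=+ (?P<title>.+?) =+$')

# Constructed excerpt of the first DDS log in this thread (a handful of its lines).
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\DOCUME~1\BOURGE~1\LOCALS~1\Temp\b.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Monopod] c:\docume~1\bourge~1\locals~1\temp\b.exe
uRun: [braviax] c:\windows\system32\braviax.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [braviax] braviax.exe
AppInit_DLLs: cru629.dat
"""


def first_token(cmd):
    """Return the executable part of a Run value: the quoted path if the value
    starts with a quote, otherwise the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def triage(log_text):
    """Walk a DDS log and return a list of (rule, evidence) findings."""
    findings = []
    section = None
    hives_by_name = {}  # lower-cased autorun name -> set of hives it appears in
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group('title')
            continue
        # A live process whose image sits in a Temp directory is a strong signal.
        if section == 'Running Processes' and TEMP_RE.search(line):
            findings.append(('process running from temp directory', line))
            continue
        # AppInit_DLLs is empty on a clean XP box; any value loads into every GUI process.
        if line.lower().startswith('appinit_dlls:'):
            if line.split(':', 1)[1].strip():
                findings.append(('AppInit_DLLs is populated', line))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, name, cmd = m.group('hive'), m.group('name'), m.group('cmd')
        exe = first_token(cmd)
        if TEMP_RE.search(exe):
            findings.append(('autorun launches from temp directory', line))
        elif '\\' not in exe:
            # Bare names are resolved through the search path; low confidence on its own.
            findings.append(('autorun target has no path', line))
        hives_by_name.setdefault(name.lower(), set()).add(hive)
    # The same name persisted under both HKCU and HKLM Run is typical of rogue software.
    for name, hives in hives_by_name.items():
        if hives == {'u', 'm'}:
            findings.append(('same autorun name in both user and machine Run keys', name))
    return findings


if __name__ == '__main__':
    for rule, evidence in triage(SAMPLE_LOG):
        print(f'{rule}: {evidence}')
```

Bare-name hits are low confidence: the log above has legitimate ones such as KHALMNPR.EXE and RTHDCPL.EXE, so treat them as items to verify against the vendor's install, not as verdicts. The Temp-directory and AppInit_DLLs hits are the ones that matter here; b.exe in Temp is the file Spybot later queued for deletion in the second log.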


#2 Bourgeosie

  • Topic Starter

Posted 07 August 2009 - 08:54 PM

{Self Update}

I was chatting with my tech-buddy about this problem, and he told me to rename my mbam.exe (Malwarebytes program) to something completely random and try running the new exe. He was guessing that the infection was programmed to block programs from running based on name, and I think he was right. Malwarebytes booted with this new .exe, and I was able to run a quick scan, detecting quite a few items (log attached).

After this scan and cleaning, I was able to run Spybot, which found quite a few problems on its own.

I subsequently ran a full system scan with Malwarebytes and Avira, and another scan with Spybot. All three scans came up blank! I have attached new logs, updated since the initial posting and these scans (the second, newer attached file is "Attach2"). Do I appear good to go?

Thank you for the help!


DDS (Ver_09-07-30.01) - NTFSx86
Run by Bourgeosie at 20:50:43.84 on Fri 08/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1349 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\G.O.M\GCSVR.EXE
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RecvMessage.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Documents and Settings\Bourgeosie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [SpybotDeletingB7675] command.com /c del "c:\docume~1\bourge~1\locals~1\temp\b.exe"
uRunOnce: [SpybotDeletingD2648] cmd.exe /c del "c:\docume~1\bourge~1\locals~1\temp\b.exe"
uRunOnce: [SpybotDeletingB7899] command.com /c del "c:\windows\system32\drivers\UACqvdhbftapq.sys"
uRunOnce: [SpybotDeletingD4301] cmd.exe /c del "c:\windows\system32\drivers\UACqvdhbftapq.sys"
uRunOnce: [SpybotDeletingB2955] command.com /c del "c:\windows\temp\UAC6096.tmp_old"
uRunOnce: [SpybotDeletingD4776] cmd.exe /c del "c:\windows\temp\UAC6096.tmp_old"
uRunOnce: [SpybotDeletingB6559] command.com /c del "c:\windows\temp\UAC6096.tmp"
uRunOnce: [SpybotDeletingD4520] cmd.exe /c del "c:\windows\temp\UAC6096.tmp"
uRunOnce: [SpybotDeletingB6660] command.com /c del "c:\windows\system32\UACnkvvcvtbin.dat_old"
uRunOnce: [SpybotDeletingD8147] cmd.exe /c del "c:\windows\system32\UACnkvvcvtbin.dat_old"
uRunOnce: [SpybotDeletingB2635] command.com /c del "c:\windows\system32\UACnkvvcvtbin.dat"
uRunOnce: [SpybotDeletingD1979] cmd.exe /c del "c:\windows\system32\UACnkvvcvtbin.dat"
uRunOnce: [SpybotDeletingB7512] command.com /c del "c:\windows\system32\UACctoenffjkl.dll"
uRunOnce: [SpybotDeletingD6844] cmd.exe /c del "c:\windows\system32\UACctoenffjkl.dll"
uRunOnce: [SpybotDeletingB979] command.com /c del "c:\windows\system32\UACdegaoykxdj.dll"
uRunOnce: [SpybotDeletingD967] cmd.exe /c del "c:\windows\system32\UACdegaoykxdj.dll"
uRunOnce: [SpybotDeletingB5582] command.com /c del "c:\windows\system32\UACilhypfpkml.dll"
uRunOnce: [SpybotDeletingD1300] cmd.exe /c del "c:\windows\system32\UACilhypfpkml.dll"
uRunOnce: [SpybotDeletingB8293] command.com /c del "c:\windows\system32\uacinit.dll_old"
uRunOnce: [SpybotDeletingD3128] cmd.exe /c del "c:\windows\system32\uacinit.dll_old"
uRunOnce: [SpybotDeletingB2899] command.com /c del "c:\windows\system32\uacinit.dll"
uRunOnce: [SpybotDeletingD2959] cmd.exe /c del "c:\windows\system32\uacinit.dll"
uRunOnce: [SpybotDeletingB1754] command.com /c del "c:\windows\system32\UACjyoulqbrrn.dll"
uRunOnce: [SpybotDeletingD7591] cmd.exe /c del "c:\windows\system32\UACjyoulqbrrn.dll"
uRunOnce: [SpybotDeletingB837] command.com /c del "c:\windows\system32\UACusbkoxxlxl.dll"
uRunOnce: [SpybotDeletingD4645] cmd.exe /c del "c:\windows\system32\UACusbkoxxlxl.dll"
mRun: [GEST] m|\
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [tray2] c:\windows\system32\CML.exe
mRun: [tray3] c:\windows\system32\RecvMessage.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [GBTUpd] c:\program files\gigabyte\gbtupd\PreRun.exe
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide
mRunOnce: [SpybotDeletingA2937] command.com /c del "c:\docume~1\bourge~1\locals~1\temp\b.exe"
mRunOnce: [SpybotDeletingC2319] cmd.exe /c del "c:\docume~1\bourge~1\locals~1\temp\b.exe"
mRunOnce: [SpybotDeletingA9625] command.com /c del "c:\windows\system32\drivers\UACqvdhbftapq.sys"
mRunOnce: [SpybotDeletingC7978] cmd.exe /c del "c:\windows\system32\drivers\UACqvdhbftapq.sys"
mRunOnce: [SpybotDeletingA2963] command.com /c del "c:\windows\temp\UAC6096.tmp_old"
mRunOnce: [SpybotDeletingC9642] cmd.exe /c del "c:\windows\temp\UAC6096.tmp_old"
mRunOnce: [SpybotDeletingA1810] command.com /c del "c:\windows\temp\UAC6096.tmp"
mRunOnce: [SpybotDeletingC1246] cmd.exe /c del "c:\windows\temp\UAC6096.tmp"
mRunOnce: [SpybotDeletingA8718] command.com /c del "c:\windows\system32\UACnkvvcvtbin.dat_old"
mRunOnce: [SpybotDeletingC8602] cmd.exe /c del "c:\windows\system32\UACnkvvcvtbin.dat_old"
mRunOnce: [SpybotDeletingA7614] command.com /c del "c:\windows\system32\UACnkvvcvtbin.dat"
mRunOnce: [SpybotDeletingC1928] cmd.exe /c del "c:\windows\system32\UACnkvvcvtbin.dat"
mRunOnce: [SpybotDeletingA6062] command.com /c del "c:\windows\system32\UACctoenffjkl.dll"
mRunOnce: [SpybotDeletingC7233] cmd.exe /c del "c:\windows\system32\UACctoenffjkl.dll"
mRunOnce: [SpybotDeletingA5890] command.com /c del "c:\windows\system32\UACdegaoykxdj.dll"
mRunOnce: [SpybotDeletingC2945] cmd.exe /c del "c:\windows\system32\UACdegaoykxdj.dll"
mRunOnce: [SpybotDeletingA8764] command.com /c del "c:\windows\system32\UACilhypfpkml.dll"
mRunOnce: [SpybotDeletingC1865] cmd.exe /c del "c:\windows\system32\UACilhypfpkml.dll"
mRunOnce: [SpybotDeletingA1879] command.com /c del "c:\windows\system32\uacinit.dll_old"
mRunOnce: [SpybotDeletingC7753] cmd.exe /c del "c:\windows\system32\uacinit.dll_old"
mRunOnce: [SpybotDeletingA1864] command.com /c del "c:\windows\system32\uacinit.dll"
mRunOnce: [SpybotDeletingC8896] cmd.exe /c del "c:\windows\system32\uacinit.dll"
mRunOnce: [SpybotDeletingA5211] command.com /c del "c:\windows\system32\UACjyoulqbrrn.dll"
mRunOnce: [SpybotDeletingC9761] cmd.exe /c del "c:\windows\system32\UACjyoulqbrrn.dll"
mRunOnce: [SpybotDeletingA7937] command.com /c del "c:\windows\system32\UACusbkoxxlxl.dll"
mRunOnce: [SpybotDeletingC1087] cmd.exe /c del "c:\windows\system32\UACusbkoxxlxl.dll"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: cru629.dat

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bourge~1\applic~1\mozilla\firefox\profiles\y6pulzqb.default\
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-26 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-26 55656]
R2 COM Service;COM Service;c:\program files\gigabyte\g.o.m\GCSVR.exe [2009-4-13 16384]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-4-13 80392]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-4-13 35840]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-17 24652]
R3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-26 185089]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-4-13 24944]
RUnknown pmktx;pmktx; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-7 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-7-18 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-7-18 3072]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-4-13 28416]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-4-13 17408]

=============== Created Last 30 ================

2009-08-07 19:51 21,860 a------- c:\windows\system32\jcsball.dat
2009-08-07 19:51 5,824 a------- c:\windows\system32\jcsb.new
2009-08-07 19:51 0 a------- c:\windows\system32\jerror.dat
2009-08-07 19:36 19,929 a------- c:\docume~1\bourge~1\applic~1\ofakene.com
2009-08-07 19:36 19,833 a------- c:\docume~1\alluse~1\applic~1\koqigefeh.bin
2009-08-07 19:36 19,482 a------- c:\windows\iliwugy.ban
2009-08-07 19:36 19,359 a------- c:\program files\common files\faqagekyb.sys
2009-08-07 19:36 19,194 a------- c:\windows\system32\mukahyfav._sy
2009-08-07 19:36 19,169 a------- c:\windows\ladofab.inf
2009-08-07 19:36 19,096 a------- c:\program files\common files\yzeregote.bin
2009-08-07 19:36 18,833 a------- c:\windows\system32\ejoni._dl
2009-08-07 19:36 18,467 a------- c:\windows\system32\pujiro.inf
2009-08-07 19:36 18,393 a------- c:\windows\konac.dll
2009-08-07 19:36 15,862 a------- c:\windows\ityvu.db
2009-08-07 19:36 15,677 a------- c:\docume~1\alluse~1\applic~1\nuwiqozyvu.dll
2009-08-07 19:36 15,429 a------- c:\program files\common files\zetofod.dll
2009-08-07 19:36 10,974 a------- c:\windows\kumatyfy.bat
2009-08-07 15:22 19,979 a------- c:\windows\balidav.bat
2009-08-07 15:22 18,373 a------- c:\docume~1\alluse~1\applic~1\rusuneni.com
2009-08-07 15:22 17,895 a------- c:\windows\system32\heru.bat
2009-08-07 15:22 17,891 a------- c:\docume~1\alluse~1\applic~1\qowudexify.exe
2009-08-07 15:22 17,629 a------- c:\windows\system32\ufuv._sy
2009-08-07 15:22 16,965 a------- c:\windows\system32\byto.ban
2009-08-07 15:22 16,078 a------- c:\docume~1\alluse~1\applic~1\kuwot.reg
2009-08-07 15:22 13,322 a------- c:\windows\ewavizimoz._sy
2009-08-07 15:22 13,263 a------- c:\windows\system32\atofyb.bin
2009-08-07 15:22 12,784 a------- c:\program files\common files\remok.vbs
2009-08-07 15:22 12,016 a------- c:\program files\common files\ukidagi.vbs
2009-08-07 15:22 11,815 a------- c:\program files\common files\pyxyva.scr
2009-08-07 14:47 19,906 a------- c:\windows\ezogijoxa.scr
2009-08-07 14:47 19,718 a------- c:\windows\system32\awunejesys.lib
2009-08-07 14:47 18,015 a------- c:\windows\system32\vovesuzury.sys
2009-08-07 14:47 17,268 a------- c:\docume~1\alluse~1\applic~1\aqusokyt.bat
2009-08-07 14:47 16,894 a------- c:\docume~1\bourge~1\applic~1\idyvygi.sys
2009-08-07 14:47 15,437 a------- c:\windows\yzeruqyfag.bat
2009-08-07 14:47 14,502 a------- c:\program files\common files\ocysepab.reg
2009-08-07 14:47 12,905 a------- c:\windows\bugivu.pif
2009-08-07 14:47 12,862 a------- c:\windows\system32\mikaq._dl
2009-08-07 14:47 12,812 a------- c:\windows\butu.dll
2009-08-07 14:47 12,521 a------- c:\program files\common files\kumosuc.bin
2009-08-07 14:47 11,778 a------- c:\windows\otac.db
2009-08-07 14:47 10,888 a------- c:\windows\system32\aqon.reg
2009-08-07 14:47 10,720 a------- c:\windows\asalut.exe
2009-08-07 14:47 10,256 a------- c:\windows\xosy.bat
2009-08-07 14:24 19,456 a------- C:\niawndos.exe
2009-08-07 14:24 190,307 a------- c:\windows\system32\wisdstr.exe
2009-08-07 14:11 1,234,895 a------- c:\windows\system32\xa.tmp
2009-08-07 14:09 <DIR> --dsh--- C:\found.000
2009-08-04 23:03 233,472 a------- c:\windows\system32\REX Shared Library.dll
2009-08-04 23:03 225,280 a------- c:\windows\system32\ReWire.dll
2009-08-04 23:03 <DIR> --d----- c:\docume~1\bourge~1\applic~1\Propellerhead Software
2009-08-04 23:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Propellerhead Software
2009-08-04 23:03 <DIR> --d----- c:\program files\Propellerhead
2009-08-04 19:34 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-08-04 19:34 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-04 19:33 <DIR> --d----- c:\program files\iPod
2009-08-04 19:33 <DIR> --d----- c:\program files\iTunes
2009-08-04 12:22 4 a------- c:\windows\system32\GVTunner.ref
2009-08-02 22:12 <DIR> --d----- C:\CrashReport
2009-07-28 22:29 <DIR> --d----- c:\program files\Defraggler
2009-07-28 15:14 <DIR> --d----- c:\program files\Runes of Magic
2009-07-28 14:52 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-07-28 14:52 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-23 17:44 <DIR> --d----- C:\Fraps
2009-07-23 15:49 <DIR> --d----- c:\docume~1\bourge~1\applic~1\fretsonfire
2009-07-23 12:31 <DIR> --d----- c:\docume~1\bourge~1\applic~1\fofix
2009-07-23 12:27 <DIR> --d----- c:\program files\Frets on Fire
2009-07-19 07:24 221,184 a------- c:\windows\system32\wmpns.dll
2009-07-19 07:01 <DIR> --d----- c:\windows\RegisteredPackages
2009-07-18 23:12 602 a---hr-- c:\windows\EPMBatch.ept
2009-07-18 18:37 <DIR> --d----- c:\windows\system32\NtmsData
2009-07-18 18:36 <DIR> --dsh--- c:\documents and settings\bourgeosie\PrivacIE
2009-07-18 18:36 1,663,488 a------- c:\windows\system32\BootMan.exe
2009-07-18 18:36 86,408 a------- c:\windows\system32\setupempdrv03.exe
2009-07-18 18:36 14,848 a------- c:\windows\system32\EuEpmGdi.dll
2009-07-18 18:36 8,704 a------- c:\windows\system32\epmntdrv.sys
2009-07-18 18:36 3,072 a------- c:\windows\system32\EuGdiDrv.sys
2009-07-18 18:36 <DIR> --d----- c:\program files\EASEUS
2009-07-17 00:29 <DIR> --d----- c:\program files\Viewpoint
2009-07-17 00:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-07-17 00:29 <DIR> --d----- c:\program files\common files\AOL
2009-07-17 00:29 461 a---h--- C:\IPH.PH
2009-07-11 16:02 <DIR> --d----- c:\docume~1\bourge~1\applic~1\mIRC
2009-07-10 20:22 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-07-10 20:22 <DIR> --d----- c:\program files\Hamachi
2009-07-09 23:31 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-09 23:31 <DIR> --d----- c:\program files\common files\BioWare

==================== Find3M ====================

2009-08-07 19:51 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-08-07 19:51 16,608 a------- c:\windows\gdrv.sys
2009-08-07 19:36 13,786 a------- c:\program files\common files\ymida.ban
2009-08-07 19:36 13,306 a------- c:\program files\common files\myrinywi._dl
2009-08-07 15:22 13,253 a------- c:\program files\common files\oxyfyrupo.dl
2009-08-05 21:45 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-23 21:30 45,088 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-23 21:30 4,896 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-23 21:30 1,604 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-23 21:30 1,532 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-17 18:56 81,920 a------- c:\docume~1\bourge~1\applic~1\ezpinst.exe
2009-06-17 18:56 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-06-17 18:56 47,360 a------- c:\docume~1\bourge~1\applic~1\pcouffin.sys
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-10 11:10 35,382 a------- c:\windows\scunin.dat
2009-05-10 11:10 94,208 a------- c:\windows\ScUnin.exe

============= FINISH: 20:51:57.67 ===============

Hello Bourgeosie,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, and do not respond to such requests, is that it would remove you from the active queue that Techs and Staff have access to. The malware staff check the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion for the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Attached Files


Edited by The weatherman, 08 August 2009 - 06:08 PM.


#3 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • ONLINE
  • Gender:Male
  • Local time:09:02 PM

Posted 18 August 2009 - 05:30 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#4 Bourgeosie

Bourgeosie
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 20 August 2009 - 04:29 PM

Terribly sorry for the delay here, emergency trip for a family death. Here is the log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Bourgeosie at 16:27:19.65 on Thu 08/20/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1417 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\G.O.M\GCSVR.EXE
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RecvMessage.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Documents and Settings\Bourgeosie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GEST] m|\
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [tray2] c:\windows\system32\CML.exe
mRun: [tray3] c:\windows\system32\RecvMessage.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [GBTUpd] c:\program files\gigabyte\gbtupd\PreRun.exe
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: cru629.dat

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bourge~1\applic~1\mozilla\firefox\profiles\y6pulzqb.default\
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-26 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-26 55656]
R2 COM Service;COM Service;c:\program files\gigabyte\g.o.m\GCSVR.exe [2009-4-13 16384]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-4-13 80392]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-4-13 35840]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-17 24652]
R3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-26 185089]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-4-13 24944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-7 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-7-18 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-7-18 3072]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-4-13 28416]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-4-13 17408]

=============== Created Last 30 ================

2009-08-20 15:06 23,423 a------- c:\windows\system32\jcsball.dat
2009-08-20 15:06 7,381 a------- c:\windows\system32\jcsb.new
2009-08-20 15:06 0 a------- c:\windows\system32\jerror.dat
2009-08-12 15:59 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:59 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-12 13:10 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-08-12 13:08 <DIR> --d--r-- c:\program files\Skype
2009-08-08 17:10 4 a------- c:\windows\system32\GVTunner.ref
2009-08-07 19:36 19,929 a------- c:\docume~1\bourge~1\applic~1\ofakene.com
2009-08-07 19:36 19,833 a------- c:\docume~1\alluse~1\applic~1\koqigefeh.bin
2009-08-07 19:36 19,482 a------- c:\windows\iliwugy.ban
2009-08-07 19:36 19,359 a------- c:\program files\common files\faqagekyb.sys
2009-08-07 19:36 19,194 a------- c:\windows\system32\mukahyfav._sy
2009-08-07 19:36 19,169 a------- c:\windows\ladofab.inf
2009-08-07 19:36 19,096 a------- c:\program files\common files\yzeregote.bin
2009-08-07 19:36 18,833 a------- c:\windows\system32\ejoni._dl
2009-08-07 19:36 18,467 a------- c:\windows\system32\pujiro.inf
2009-08-07 19:36 18,393 a------- c:\windows\konac.dll
2009-08-07 19:36 15,862 a------- c:\windows\ityvu.db
2009-08-07 19:36 15,677 a------- c:\docume~1\alluse~1\applic~1\nuwiqozyvu.dll
2009-08-07 19:36 15,429 a------- c:\program files\common files\zetofod.dll
2009-08-07 19:36 10,974 a------- c:\windows\kumatyfy.bat
2009-08-07 15:22 19,979 a------- c:\windows\balidav.bat
2009-08-07 15:22 18,373 a------- c:\docume~1\alluse~1\applic~1\rusuneni.com
2009-08-07 15:22 17,895 a------- c:\windows\system32\heru.bat
2009-08-07 15:22 17,891 a------- c:\docume~1\alluse~1\applic~1\qowudexify.exe
2009-08-07 15:22 17,629 a------- c:\windows\system32\ufuv._sy
2009-08-07 15:22 16,965 a------- c:\windows\system32\byto.ban
2009-08-07 15:22 16,078 a------- c:\docume~1\alluse~1\applic~1\kuwot.reg
2009-08-07 15:22 13,322 a------- c:\windows\ewavizimoz._sy
2009-08-07 15:22 13,263 a------- c:\windows\system32\atofyb.bin
2009-08-07 15:22 12,784 a------- c:\program files\common files\remok.vbs
2009-08-07 15:22 12,016 a------- c:\program files\common files\ukidagi.vbs
2009-08-07 15:22 11,815 a------- c:\program files\common files\pyxyva.scr
2009-08-07 14:47 19,906 a------- c:\windows\ezogijoxa.scr
2009-08-07 14:47 19,718 a------- c:\windows\system32\awunejesys.lib
2009-08-07 14:47 18,015 a------- c:\windows\system32\vovesuzury.sys
2009-08-07 14:47 17,268 a------- c:\docume~1\alluse~1\applic~1\aqusokyt.bat
2009-08-07 14:47 16,894 a------- c:\docume~1\bourge~1\applic~1\idyvygi.sys
2009-08-07 14:47 15,437 a------- c:\windows\yzeruqyfag.bat
2009-08-07 14:47 14,502 a------- c:\program files\common files\ocysepab.reg
2009-08-07 14:47 12,905 a------- c:\windows\bugivu.pif
2009-08-07 14:47 12,862 a------- c:\windows\system32\mikaq._dl
2009-08-07 14:47 12,812 a------- c:\windows\butu.dll
2009-08-07 14:47 12,521 a------- c:\program files\common files\kumosuc.bin
2009-08-07 14:47 11,778 a------- c:\windows\otac.db
2009-08-07 14:47 10,888 a------- c:\windows\system32\aqon.reg
2009-08-07 14:47 10,720 a------- c:\windows\asalut.exe
2009-08-07 14:47 10,256 a------- c:\windows\xosy.bat
2009-08-07 14:23 1,110,399 a------- c:\windows\system32\UACbitutdslqx.db
2009-08-07 14:09 <DIR> --dsh--- C:\found.000
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 23:03 233,472 a------- c:\windows\system32\REX Shared Library.dll
2009-08-04 23:03 225,280 a------- c:\windows\system32\ReWire.dll
2009-08-04 23:03 <DIR> --d----- c:\docume~1\bourge~1\applic~1\Propellerhead Software
2009-08-04 23:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Propellerhead Software
2009-08-04 23:03 <DIR> --d----- c:\program files\Propellerhead
2009-08-02 22:12 <DIR> --d----- C:\CrashReport
2009-07-28 22:29 <DIR> --d----- c:\program files\Defraggler
2009-07-28 15:14 <DIR> --d----- c:\program files\Runes of Magic
2009-07-28 14:52 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-07-28 14:52 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-23 17:44 <DIR> --d----- C:\Fraps
2009-07-23 15:49 <DIR> --d----- c:\docume~1\bourge~1\applic~1\fretsonfire
2009-07-23 12:31 <DIR> --d----- c:\docume~1\bourge~1\applic~1\fofix
2009-07-23 12:27 <DIR> --d----- c:\program files\Frets on Fire

==================== Find3M ====================

2009-08-20 15:06 16,608 a------- c:\windows\gdrv.sys
2009-08-20 15:06 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-08-07 19:36 13,786 a------- c:\program files\common files\ymida.ban
2009-08-07 19:36 13,306 a------- c:\program files\common files\myrinywi._dl
2009-08-07 15:22 13,253 a------- c:\program files\common files\oxyfyrupo.dl
2009-08-05 21:45 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-10 20:22 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-07-09 23:31 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-23 21:30 45,088 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-23 21:30 4,896 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-23 21:30 1,604 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-23 21:30 1,532 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-17 18:56 81,920 a------- c:\docume~1\bourge~1\applic~1\ezpinst.exe
2009-06-17 18:56 47,360 a------- c:\docume~1\bourge~1\applic~1\pcouffin.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-13 19:54 1,663,488 a------- c:\windows\system32\BootMan.exe
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 16:27:38.67 ===============

Attached Files
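Before either log is handed to a removal tool, the pattern a responder reads off it is already visible: dozens of files with short, pronounceable, all-lower-case names and odd extensions (.ban, ._sy, ._dl, .pif) written within the same minute into c:\windows, system32, Common Files and both Application Data folders at 14:47, 15:22 and 19:36 on 08/07, plus a non-empty AppInit_DLLs value (cru629.dat) in the Pseudo HJT section. The script below is an added example of how to pull those two signals out of a DDS log offline; it is not part of this thread, of DDS, or of any BleepingComputer tool. The burst thresholds, the random-name regular expression and the list of watched directories are assumptions chosen for this example, not rules DDS applies. The embedded sample consists of lines excerpted from the logs above, with benign neighbours (the Propellerhead and GEAR driver files, the three jcs* files) kept in to show they fall below the default thresholds.

```python
import re
from collections import defaultdict

# One file entry from a DDS "Created Last 30" or "Find3M" section, e.g.
#   2009-08-07 19:36 18,833 a------- c:\windows\system32\ejoni._dl
#   2009-08-07 14:09 <DIR> --dsh--- C:\found.000
DDS_ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)

# Directories where a burst of freshly written, randomly named files is a red
# flag (assumption for this example). DDS prints directories in lower-case 8.3 form.
WATCHED_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\program files\common files",
    r"c:\docume~1\alluse~1\applic~1",
}
# Per-user Application Data folders differ by account name, so match by pattern.
USER_APPDATA = re.compile(r"^c:\\docume~1\\[^\\]+\\applic~1$")

# Heuristic for generated names: 4-10 lower-case letters, no digits, spaces or
# capitals (ofakene, koqigefeh, ejoni). Vendor files usually break this rule
# (GEARAspi.dll, ReWire.dll); the ones that do not (msfeeds.dll) never arrive
# five at a time across several directories, which is the real signal here.
RANDOM_STEM = re.compile(r"^[a-z]{4,10}$")

APPINIT = re.compile(r"^AppInit_DLLs:\s*(?P<value>\S.*)$", re.IGNORECASE)


def parse_entries(text):
    """Yield one dict per file line of a DDS file listing; other lines are skipped."""
    for line in text.splitlines():
        m = DDS_ENTRY.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        parent, _, name = path.rpartition("\\")
        yield {
            "minute": f"{m.group('date')} {m.group('time')}",
            "is_dir": m.group("size") == "<DIR>",
            "parent": parent.lower(),
            "stem": name.rpartition(".")[0] or name,  # file name keeps its case
            "path": path,
        }


def find_drop_bursts(text, min_files=5, min_dirs=2):
    """Return [(minute, [paths])] for every minute in which at least min_files
    randomly named files were written across at least min_dirs watched directories."""
    by_minute = defaultdict(list)
    for e in parse_entries(text):
        if e["is_dir"]:
            continue
        watched = e["parent"] in WATCHED_DIRS or USER_APPDATA.match(e["parent"])
        if watched and RANDOM_STEM.match(e["stem"]):
            by_minute[e["minute"]].append(e)
    bursts = []
    for minute in sorted(by_minute):
        hits = by_minute[minute]
        if len(hits) >= min_files and len({h["parent"] for h in hits}) >= min_dirs:
            bursts.append((minute, [h["path"] for h in hits]))
    return bursts


def flag_appinit(text):
    """Return the AppInit_DLLs value from the Pseudo HJT section, or None if unset.
    On Windows XP every DLL named there is loaded into each process that maps
    user32.dll, so a lone unfamiliar name such as cru629.dat deserves a look."""
    for line in text.splitlines():
        m = APPINIT.match(line.strip())
        if m:
            return m.group("value").strip()
    return None


# Lines excerpted from the DDS logs in this thread, benign neighbours included.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide
AppInit_DLLs: cru629.dat
2009-08-07 19:51 21,860 a------- c:\windows\system32\jcsball.dat
2009-08-07 19:51 5,824 a------- c:\windows\system32\jcsb.new
2009-08-07 19:51 0 a------- c:\windows\system32\jerror.dat
2009-08-07 19:36 19,929 a------- c:\docume~1\bourge~1\applic~1\ofakene.com
2009-08-07 19:36 19,833 a------- c:\docume~1\alluse~1\applic~1\koqigefeh.bin
2009-08-07 19:36 19,482 a------- c:\windows\iliwugy.ban
2009-08-07 19:36 19,194 a------- c:\windows\system32\mukahyfav._sy
2009-08-07 19:36 18,833 a------- c:\windows\system32\ejoni._dl
2009-08-07 15:22 19,979 a------- c:\windows\balidav.bat
2009-08-07 15:22 17,891 a------- c:\docume~1\alluse~1\applic~1\qowudexify.exe
2009-08-07 15:22 17,629 a------- c:\windows\system32\ufuv._sy
2009-08-07 15:22 12,784 a------- c:\program files\common files\remok.vbs
2009-08-07 15:22 11,815 a------- c:\program files\common files\pyxyva.scr
2009-08-07 14:09 <DIR> --dsh--- C:\found.000
2009-08-04 23:03 233,472 a------- c:\windows\system32\REX Shared Library.dll
2009-08-04 23:03 225,280 a------- c:\windows\system32\ReWire.dll
2009-08-04 19:34 107,368 a------- c:\windows\system32\GEARAspi.dll
"""

if __name__ == "__main__":
    for minute, paths in find_drop_bursts(SAMPLE_LOG):
        print(f"{minute}: {len(paths)} random-named files in one minute")
        print("   " + "\n   ".join(paths))
    print("AppInit_DLLs:", flag_appinit(SAMPLE_LOG))
```

Run against the full log text instead of SAMPLE_LOG and the 14:47 batch shows up as a third burst; lowering min_dirs to 1 also surfaces the 19:51 jcs* trio, which is why the directory-spread threshold exists: one vendor writing three files into system32 is normal, one process seeding five directories in a minute is not. The name heuristic alone is deliberately weak and only matters in combination with the timestamp clustering.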



#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • ONLINE
  • Gender:Male
  • Local time:09:02 PM

Posted 22 August 2009 - 08:38 AM

Hello, Bourgeosie.
Sorry to hear about the loss in your family.

You definitely have a lot of malware on your computer. Please follow the steps below:


Important Note

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Step 1

I see Viewpoint is installed on your machine. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs, and uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Step 2

Next, please download ComboFix from one of these locations.
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.



Step 3

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Step 4

Please reply with the following:
  • C:\combofix.txt
  • RootRepeal Log
  • a new DDS log


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 

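The helper's Step 2 asks for C:\ComboFix.txt because its "Files Created" section is where a dropper's work shows up: a batch of executable-type files, all written in the same minute, with random names, in locations like c:\windows and Application Data. The following triage script is an added example for this thread, not ComboFix's own code nor a tool the helper uses. It parses lines in the ComboFix "Files Created" format and flags creation-minute bursts of freshly written executable-type files. The sample lines are copied from the ComboFix log Bourgeosie posts later in this thread (plus the benign entries from the same log), and the burst threshold of three files is an assumed heuristic, not a ComboFix rule.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix "Files Created" line looks like:
#   <created> . <modified> <size or --------> <attrs> <path>
# The path may contain spaces, so it is matched greedily at the end.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Extensions Windows will execute or load; droppers rotate through these
# with random basenames (see the .com/.sys/.dll/.bat cluster in the sample).
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".vbs", ".scr",
            ".pif", ".reg", ".com", ".bin"}

# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2009-08-17 01:36 . 2009-08-17 01:37 -------- d-----w- c:\program files\Winamp
2009-08-12 20:59 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-08 00:36 . 2009-08-08 00:36 19929 ----a-w- c:\documents and settings\Bourgeosie\Application Data\ofakene.com
2009-08-08 00:36 . 2009-08-08 00:36 19359 ----a-w- c:\program files\Common Files\faqagekyb.sys
2009-08-08 00:36 . 2009-08-08 00:36 15429 ----a-w- c:\program files\Common Files\zetofod.dll
2009-08-08 00:36 . 2009-08-08 00:36 10974 ----a-w- c:\windows\kumatyfy.bat
2009-08-05 04:03 . 2009-08-05 04:03 225280 ----a-w- c:\windows\system32\ReWire.dll
2009-08-04 19:59 . 2009-08-04 19:59 152576 ----a-w- c:\documents and settings\Bourgeosie\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-07-11 01:22 . 2009-07-11 01:22 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
"""


@dataclass
class Entry:
    created: str          # "YYYY-MM-DD HH:MM" creation time
    modified: str         # "YYYY-MM-DD HH:MM" last-write time
    size: Optional[int]   # None for directories ("--------")
    is_dir: bool          # first attribute character is "d"
    path: str


def parse_files_created(text: str) -> List[Entry]:
    """Parse every well-formed 'Files Created' line; skip section headers and blanks."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size,
                             m["attrs"][0] == "d", m["path"]))
    return entries


def extension(path: str) -> str:
    """Lower-cased extension of a Windows path, '' if there is none."""
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def find_drop_bursts(entries: List[Entry], min_files: int = 3) -> Dict[str, List[str]]:
    """Group freshly written executable-type files by creation minute.

    A file whose modified time differs from its created time was copied or
    updated from an older original (e.g. a dllcache entry from Windows Update),
    so it is not counted as a drop. Minutes with at least `min_files` such
    files are returned, keyed by the minute string.
    """
    by_minute: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.is_dir or extension(e.path) not in EXEC_EXT:
            continue
        if e.created != e.modified:
            continue
        by_minute[e.created].append(e.path)
    return {minute: paths for minute, paths in by_minute.items()
            if len(paths) >= min_files}


if __name__ == "__main__":
    for minute, paths in find_drop_bursts(parse_files_created(SAMPLE_LOG)).items():
        print(f"{minute}: {len(paths)} executable-type files written together")
        for p in paths:
            print("   ", p)
```

On the sample above, only the 2009-08-08 00:36 minute is reported (four files: a .com, a .sys, a .dll and a .bat across three different directories), while the legitimate Winamp, Java, Hamachi and dllcache entries are left alone. The heuristic is a triage aid for reading the log quickly, not a verdict; anything it flags still has to be checked against the rest of the ComboFix report.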

#6 Bourgeosie

  • Topic Starter

Posted 22 August 2009 - 12:08 PM

ComboFix Log here:
ComboFix 09-08-21.02 - Bourgeosie 08/22/2009 11:43.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1524 [GMT -5:00]
Running from: c:\documents and settings\Bourgeosie\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\96762646.ini
c:\documents and settings\Bourgeosie\Application Data\wiaserva.log
c:\documents and settings\Bourgeosie\Start Menu\Programs\Startup\ikowin32.exe
c:\windows\9129837.exe
c:\windows\asalut.exe
c:\windows\butu.dll
c:\windows\ezogijoxa.scr
c:\windows\konac.dll
c:\windows\system32\systeminfo3.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-22 05:08 . 2009-08-22 05:08 -------- d-----w- C:\f81d6470e582afc942
2009-08-17 01:36 . 2009-08-22 03:31 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Winamp
2009-08-17 01:36 . 2009-08-17 01:37 -------- d-----w- c:\program files\Winamp
2009-08-12 20:59 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 18:10 . 2009-08-21 18:55 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\skypePM
2009-08-12 18:10 . 2009-08-12 18:10 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-12 18:08 . 2009-08-21 19:27 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Skype
2009-08-12 18:08 . 2009-08-12 18:08 -------- d-----w- c:\program files\Common Files\Skype
2009-08-12 18:08 . 2009-08-12 18:08 -------- d-----r- c:\program files\Skype
2009-08-12 18:08 . 2009-08-12 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-08 00:36 . 2009-08-08 00:36 19929 ----a-w- c:\documents and settings\Bourgeosie\Application Data\ofakene.com
2009-08-08 00:36 . 2009-08-08 00:36 19359 ----a-w- c:\program files\Common Files\faqagekyb.sys
2009-08-08 00:36 . 2009-08-08 00:36 19308 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\ugidyqoge.sys
2009-08-08 00:36 . 2009-08-08 00:36 19096 ----a-w- c:\program files\Common Files\yzeregote.bin
2009-08-08 00:36 . 2009-08-08 00:36 15677 ----a-w- c:\documents and settings\All Users\Application Data\nuwiqozyvu.dll
2009-08-08 00:36 . 2009-08-08 00:36 15429 ----a-w- c:\program files\Common Files\zetofod.dll
2009-08-08 00:36 . 2009-08-08 00:36 10974 ----a-w- c:\windows\kumatyfy.bat
2009-08-08 00:20 . 2009-08-08 00:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-07 20:22 . 2009-08-07 20:22 19979 ----a-w- c:\windows\balidav.bat
2009-08-07 20:22 . 2009-08-07 20:22 18385 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\donoreduk.bin
2009-08-07 20:22 . 2009-08-07 20:22 18373 ----a-w- c:\documents and settings\All Users\Application Data\rusuneni.com
2009-08-07 20:22 . 2009-08-07 20:22 17895 ----a-w- c:\windows\system32\heru.bat
2009-08-07 20:22 . 2009-08-07 20:22 17891 ----a-w- c:\documents and settings\All Users\Application Data\qowudexify.exe
2009-08-07 20:22 . 2009-08-07 20:22 16337 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\exucihet.bat
2009-08-07 20:22 . 2009-08-07 20:22 15051 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\supelo.dll
2009-08-07 20:22 . 2009-08-07 20:22 13263 ----a-w- c:\windows\system32\atofyb.bin
2009-08-07 20:22 . 2009-08-07 20:22 12784 ----a-w- c:\program files\Common Files\remok.vbs
2009-08-07 20:22 . 2009-08-07 20:22 12016 ----a-w- c:\program files\Common Files\ukidagi.vbs
2009-08-07 20:22 . 2009-08-07 20:22 11815 ----a-w- c:\program files\Common Files\pyxyva.scr
2009-08-07 19:47 . 2009-08-07 19:47 18015 ----a-w- c:\windows\system32\vovesuzury.sys
2009-08-07 19:47 . 2009-08-07 19:47 17268 ----a-w- c:\documents and settings\All Users\Application Data\aqusokyt.bat
2009-08-07 19:47 . 2009-08-07 19:47 16894 ----a-w- c:\documents and settings\Bourgeosie\Application Data\idyvygi.sys
2009-08-07 19:47 . 2009-08-07 19:47 15437 ----a-w- c:\windows\yzeruqyfag.bat
2009-08-07 19:47 . 2009-08-07 19:47 15430 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\fahuw.vbs
2009-08-07 19:47 . 2009-08-07 19:47 14502 ----a-w- c:\program files\Common Files\ocysepab.reg
2009-08-07 19:47 . 2009-08-07 19:47 12905 ----a-w- c:\windows\bugivu.pif
2009-08-07 19:47 . 2009-08-07 19:47 12521 ----a-w- c:\program files\Common Files\kumosuc.bin
2009-08-07 19:47 . 2009-08-07 19:47 10888 ----a-w- c:\windows\system32\aqon.reg
2009-08-07 19:47 . 2009-08-07 19:47 10256 ----a-w- c:\windows\xosy.bat
2009-08-07 19:23 . 2009-08-07 19:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-07 19:09 . 2009-08-07 19:09 -------- d-sh--w- C:\found.000
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 04:03 . 2009-08-05 04:06 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Propellerhead Software
2009-08-05 04:03 . 2009-08-05 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Propellerhead Software
2009-08-05 04:03 . 2009-08-05 04:03 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2009-08-05 04:03 . 2009-08-05 04:03 225280 ----a-w- c:\windows\system32\ReWire.dll
2009-08-05 04:03 . 2009-08-05 04:03 -------- d-----w- c:\program files\Propellerhead
2009-08-05 00:33 . 2009-08-05 00:33 -------- d-----w- c:\program files\QuickTime
2009-08-04 19:59 . 2009-08-04 19:59 152576 ----a-w- c:\documents and settings\Bourgeosie\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-03 03:12 . 2009-08-03 03:12 -------- d-----w- C:\CrashReport
2009-07-29 03:29 . 2009-07-29 03:29 -------- d-----w- c:\program files\Defraggler
2009-07-28 20:14 . 2009-08-05 15:15 -------- d-----w- c:\program files\Runes of Magic
2009-07-28 19:52 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-28 19:52 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-23 23:34 . 2009-08-11 14:44 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\vlc
2009-07-23 22:44 . 2009-07-23 22:44 -------- d-----w- C:\Fraps
2009-07-23 20:49 . 2009-07-23 20:49 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\fretsonfire
2009-07-23 17:31 . 2009-07-23 17:31 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\fofix
2009-07-23 17:27 . 2009-07-23 20:43 -------- d-----w- c:\program files\Frets on Fire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 16:52 . 2009-08-22 16:51 23276 ----a-w- c:\windows\system32\jcsball.dat
2009-08-22 16:52 . 2009-08-22 16:51 0 ----a-w- c:\windows\system32\jerror.dat
2009-08-22 16:51 . 2009-04-14 02:01 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-08-22 16:51 . 2009-04-14 00:59 16608 ----a-w- c:\windows\gdrv.sys
2009-08-22 16:41 . 2009-07-17 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-22 16:38 . 2009-06-13 20:39 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-08-21 03:14 . 2009-04-20 00:56 1 ----a-w- c:\documents and settings\Bourgeosie\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-08-17 00:49 . 2009-04-14 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-11 03:01 . 2009-04-15 23:47 -------- d-----w- c:\program files\Common Files\Apple
2009-08-08 01:42 . 2009-04-14 01:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 00:55 . 2009-04-14 01:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-08 00:36 . 2009-08-08 00:36 19833 ----a-w- c:\documents and settings\All Users\Application Data\koqigefeh.bin
2009-08-08 00:36 . 2009-08-08 00:36 13786 ----a-w- c:\program files\Common Files\ymida.ban
2009-08-08 00:36 . 2009-08-08 00:36 13306 ----a-w- c:\program files\Common Files\myrinywi._dl
2009-08-07 20:22 . 2009-08-07 20:22 16078 ----a-w- c:\documents and settings\All Users\Application Data\kuwot.reg
2009-08-07 20:22 . 2009-08-07 20:22 13253 ----a-w- c:\program files\Common Files\oxyfyrupo.dl
2009-08-06 02:45 . 2009-06-26 21:45 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:39 . 2009-06-29 23:11 -------- d-----w- c:\program files\Steam
2009-08-05 00:33 . 2009-04-15 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-04 19:59 . 2009-06-28 03:37 -------- d-----w- c:\program files\Java
2009-08-04 19:39 . 2009-04-25 16:33 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\AdobeUM
2009-07-25 10:23 . 2009-04-18 01:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 01:23 . 2009-07-18 02:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-23 23:33 . 2009-04-15 21:32 -------- d-----w- c:\program files\VideoLAN
2009-07-18 23:36 . 2009-07-18 23:36 -------- d-----w- c:\program files\EASEUS
2009-07-17 23:55 . 2009-07-17 23:55 -------- d-----w- c:\program files\7-Zip
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 05:37 . 2009-07-17 05:29 -------- d-----w- c:\program files\Common Files\AOL
2009-07-17 05:30 . 2009-07-17 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-07-17 05:29 . 2009-07-17 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-07-14 23:59 . 2009-07-11 21:02 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\mIRC
2009-07-12 17:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 20:30 . 2009-07-11 01:22 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Hamachi
2009-07-11 01:22 . 2009-07-11 01:22 -------- d-----w- c:\program files\Hamachi
2009-07-11 01:22 . 2009-07-11 01:22 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-07-10 04:31 . 2009-07-10 04:31 -------- d--h--r- c:\documents and settings\Bourgeosie\Application Data\SecuROM
2009-07-10 04:31 . 2009-07-10 04:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-07-10 04:31 . 2009-07-10 04:31 -------- d-----w- c:\program files\Common Files\BioWare
2009-07-09 21:50 . 2009-04-14 01:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-08 03:40 . 2009-04-14 01:00 -------- d-----w- c:\program files\GIGABYTE
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-30 20:06 . 2009-06-30 20:06 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Braid
2009-06-29 21:46 . 2009-06-17 23:56 10638 ----a-w- c:\documents and settings\All Users\Application Data\DVDXStudio\CloneDVD4\MainApp.dll
2009-06-29 01:51 . 2009-04-16 01:12 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-06-29 01:51 . 2009-04-16 01:12 -------- d-----w- c:\program files\DVDVideoSoft
2009-06-28 03:28 . 2009-06-28 03:28 -------- d-----w- c:\program files\CCleaner
2009-06-27 04:08 . 2009-06-27 03:44 -------- d-----w- c:\program files\Accessdiver
2009-06-26 21:45 . 2009-06-26 21:45 -------- d-----w- c:\program files\Avira
2009-06-26 21:45 . 2009-06-26 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-25 22:36 . 2009-06-25 22:36 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-24 02:30 . 2009-06-24 02:20 4896 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-24 02:30 . 2009-06-24 02:20 45088 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-24 02:30 . 2009-06-24 02:20 1604 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-24 02:30 . 2009-06-24 02:20 1532 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-24 02:26 . 2009-06-24 02:10 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-06-17 23:56 . 2009-06-17 23:56 81920 ----a-w- c:\documents and settings\Bourgeosie\Application Data\ezpinst.exe
2009-06-17 23:56 . 2009-06-17 23:56 81920 ----a-w- c:\documents and settings\Bourgeosie\Application Data\ezpinst.exe
2009-06-17 23:56 . 2009-06-17 23:56 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-17 23:56 . 2009-06-17 23:56 47360 ----a-w- c:\documents and settings\Bourgeosie\Application Data\pcouffin.sys
2009-06-17 23:56 . 2009-06-17 23:56 47360 ----a-w- c:\documents and settings\Bourgeosie\Application Data\pcouffin.sys
2009-06-17 16:27 . 2009-04-14 01:38 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-04-14 01:38 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 00:54 . 2009-07-18 23:36 1663488 ----a-w- c:\windows\system32\BootMan.exe
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2009-04-14 00:51 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-07 22:07 . 2009-04-14 01:26 17280 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 21:07 . 2009-06-07 21:07 278984 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-06-07 21:07 . 2009-06-07 21:07 25416 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m|\" [X]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"tray3"="c:\windows\system32\RecvMessage.exe" [2007-01-10 196608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"GBTUpd"="c:\program files\GIGABYTE\GBTUpd\PreRun.exe" [2008-04-03 297480]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-17 17508864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-13 692224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\RecvMessage.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\RunUpd.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 4:45 PM 108289]
R2 COM Service;COM Service;c:\program files\GIGABYTE\G.O.M\GCSVR.exe [4/13/2009 8:55 PM 16384]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [4/13/2009 8:00 PM 80392]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [4/13/2009 8:59 PM 35840]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [4/13/2009 9:01 PM 24944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/7/2009 10:37 PM 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/18/2009 6:36 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/18/2009 6:36 PM 3072]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [4/13/2009 8:59 PM 28416]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [4/13/2009 8:59 PM 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-tray2 - c:\windows\system32\CML.exe
HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Bourgeosie\Application Data\Mozilla\Firefox\Profiles\y6pulzqb.default\
FF - component: c:\program files\Mozilla Firefox 3.5 Beta 4\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npPandoWebInst.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 11:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\GVTunner.ref 4 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1417001333-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d0,9b,ad,e3,52,1c,ca,4f,2a,eb,d7,81,f2,92,b1,48,15,5b,a6,ea,d7,
55,0e,c1,dd,b1,94,3e,64,69,29,55,c8,c7,67,f5,c8,27,ed,45,70,c9,36,0d,b9,47,\
"rkeysecu"=hex:e2,25,d7,02,ad,58,c1,fe,cf,f6,22,67,27,6b,87,2d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3060)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\snmp.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\GIGABYTE\GBTUpd\RunUpd.exe
c:\program files\GIGABYTE\ET6\GUI.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-22 11:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 16:54
ComboFix2.txt 2009-06-24 22:20

Pre-Run: 451,271,000,064 bytes free
Post-Run: 451,328,884,736 bytes free

325 --- E O F --- 2009-08-22 05:12




Root Repeal log here:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/22 11:57
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xBA388000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xBA128000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6A11000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5DC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP4580
Image Path: \Driver\PCI_PNP4580
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xBA646000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5CC4000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spwa.sys
Image Path: spwa.sys
Address: 0xB9EA6000 Size: 1052672 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Bourgeosie\Application Data\Mozilla\Firefox\Profiles\y6pulzqb.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\bourgeosie\application data\mozilla\firefox\profiles\y6pulzqb.default\cookies.sqlite-journal
Status: Allocation size mismatch (API: 512, Raw: 0)

Path: c:\documents and settings\bourgeosie\local settings\application data\mozilla\firefox\profiles\y6pulzqb.default\cache\_cache_002_
Status: Allocation size mismatch (API: 851968, Raw: 720896)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba68d33e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba68d334

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba68d343

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba68d34d

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spwa.sys" at address 0xb9ec5ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spwa.sys" at address 0xb9ec6032

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba68d352

#: 119 Function Name: NtOpenKey
Status: Hooked by "spwa.sys" at address 0xb9ea70c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba68d320

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba68d325

#: 160 Function Name: NtQueryKey
Status: Hooked by "spwa.sys" at address 0xb9ec610a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spwa.sys" at address 0xb9ec5f8a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba68d35c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba68d357

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba68d348

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba68d32f

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a3b31f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x890ed1f8 Size: 121

Object: Hidden Code [Driver: a02flqsg؅剒敬؁ం扏楄膨ူ觻؂ఆ剒敬, IRP_MJ_CREATE]
Process: System Address: 0x8a15b500 Size: 121

Object: Hidden Code [Driver: a02flqsg؅剒敬؁ం扏楄膨ူ觻؂ఆ剒敬, IRP_MJ_CLOSE]
Process: System Address: 0x8a15b500 Size: 121

Object: Hidden Code [Driver: a02flqsg؅剒敬؁ం扏楄膨ူ觻؂ఆ剒敬, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a15b500 Size: 121

Object: Hidden Code [Driver: a02flqsg؅剒敬؁ం扏楄膨ူ觻؂ఆ剒敬, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a15b500 Size: 121

Object: Hidden Code [Driver: a02flqsg؅剒敬؁ం扏楄膨ူ觻؂ఆ剒敬, IRP_MJ_POWER]
Process: System Address: 0x8a15b500 Size: 121

Object: Hidden Code [Driver: a02flqsg؅剒敬؁ం扏楄膨ူ觻؂ఆ剒敬, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a15b500 Size: 121

Object: Hidden Code [Driver: a02flqsg؅剒敬؁ం扏楄膨ူ觻؂ఆ剒敬, IRP_MJ_PNP]
Process: System Address: 0x8a15b500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a2f9500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a2f9500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a2f9500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a2f9500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a2f9500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2f9500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2f9500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a2f9500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a2f9500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2f9500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a2f9500 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CREATE]
Process: System Address: 0x8a3b41f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CLOSE]
Process: System Address: 0x8a3b41f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3b41f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3b41f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_POWER]
Process: System Address: 0x8a3b41f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3b41f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_PNP]
Process: System Address: 0x8a3b41f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a3b51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a3b51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a3b51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a3b51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a3b51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3b51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3b51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a3b51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a3b51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3b51f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a3b51f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a1a11f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a1a11f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1a11f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a1a11f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a1a11f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a1a11f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a1a11f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a4261f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a4261f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a4261f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4261f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4261f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4261f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4261f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a4261f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a4261f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4261f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a4261f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8913b1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8913b1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8913b1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8913b1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8913b1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8913b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a1911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a1911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a1911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a1911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a1911f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a1911f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8912c1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_CREATE]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_CLOSE]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_READ]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_SHUTDOWN]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_CLEANUP]
Process: System Address: 0x890ea500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఅ瑎䱆䑐䐨ǐ, IRP_MJ_PNP]
Process: System Address: 0x890ea500 Size: 121

==EOF==



And the new DDS here:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Bourgeosie at 12:04:39.10 on Sat 08/22/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1283 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\G.O.M\GCSVR.EXE
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RecvMessage.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Documents and Settings\Bourgeosie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
mRun: [GEST] m|\
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [tray3] c:\windows\system32\RecvMessage.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [GBTUpd] c:\program files\gigabyte\gbtupd\PreRun.exe
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bourge~1\applic~1\mozilla\firefox\profiles\y6pulzqb.default\
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\npPandoWebInst.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-26 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-26 55656]
R2 COM Service;COM Service;c:\program files\gigabyte\g.o.m\GCSVR.exe [2009-4-13 16384]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-4-13 80392]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-4-13 35840]
R3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-26 185089]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-4-13 24944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-7 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-7-18 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-7-18 3072]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-4-13 28416]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-4-13 17408]

=============== Created Last 30 ================

2009-08-22 11:51 4 a------- c:\windows\system32\GVTunner.ref
2009-08-22 11:51 23,202 a------- c:\windows\system32\jcsball.dat
2009-08-22 11:51 7,481 a------- c:\windows\system32\jcsb.new
2009-08-22 11:51 0 a------- c:\windows\system32\jerror.dat
2009-08-22 11:42 228,864 a------- c:\windows\PEV.exe
2009-08-22 11:42 161,792 a------- c:\windows\SWREG.exe
2009-08-22 11:42 98,816 a------- c:\windows\sed.exe
2009-08-22 11:42 <DIR> --ds---- C:\ComboFix
2009-08-22 00:08 <DIR> --d----- C:\f81d6470e582afc942
2009-08-12 15:59 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:59 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-12 13:10 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-08-12 13:08 <DIR> --d--r-- c:\program files\Skype
2009-08-07 19:36 19,929 a------- c:\docume~1\bourge~1\applic~1\ofakene.com
2009-08-07 19:36 19,833 a------- c:\docume~1\alluse~1\applic~1\koqigefeh.bin
2009-08-07 19:36 19,482 a------- c:\windows\iliwugy.ban
2009-08-07 19:36 19,359 a------- c:\program files\common files\faqagekyb.sys
2009-08-07 19:36 19,194 a------- c:\windows\system32\mukahyfav._sy
2009-08-07 19:36 19,169 a------- c:\windows\ladofab.inf
2009-08-07 19:36 19,096 a------- c:\program files\common files\yzeregote.bin
2009-08-07 19:36 18,833 a------- c:\windows\system32\ejoni._dl
2009-08-07 19:36 18,467 a------- c:\windows\system32\pujiro.inf
2009-08-07 19:36 15,862 a------- c:\windows\ityvu.db
2009-08-07 19:36 15,677 a------- c:\docume~1\alluse~1\applic~1\nuwiqozyvu.dll
2009-08-07 19:36 15,429 a------- c:\program files\common files\zetofod.dll
2009-08-07 19:36 10,974 a------- c:\windows\kumatyfy.bat
2009-08-07 15:22 19,979 a------- c:\windows\balidav.bat
2009-08-07 15:22 18,373 a------- c:\docume~1\alluse~1\applic~1\rusuneni.com
2009-08-07 15:22 17,895 a------- c:\windows\system32\heru.bat
2009-08-07 15:22 17,891 a------- c:\docume~1\alluse~1\applic~1\qowudexify.exe
2009-08-07 15:22 17,629 a------- c:\windows\system32\ufuv._sy
2009-08-07 15:22 16,965 a------- c:\windows\system32\byto.ban
2009-08-07 15:22 16,078 a------- c:\docume~1\alluse~1\applic~1\kuwot.reg
2009-08-07 15:22 13,322 a------- c:\windows\ewavizimoz._sy
2009-08-07 15:22 13,263 a------- c:\windows\system32\atofyb.bin
2009-08-07 15:22 12,784 a------- c:\program files\common files\remok.vbs
2009-08-07 15:22 12,016 a------- c:\program files\common files\ukidagi.vbs
2009-08-07 15:22 11,815 a------- c:\program files\common files\pyxyva.scr
2009-08-07 14:47 19,718 a------- c:\windows\system32\awunejesys.lib
2009-08-07 14:47 18,015 a------- c:\windows\system32\vovesuzury.sys
2009-08-07 14:47 17,268 a------- c:\docume~1\alluse~1\applic~1\aqusokyt.bat
2009-08-07 14:47 16,894 a------- c:\docume~1\bourge~1\applic~1\idyvygi.sys
2009-08-07 14:47 15,437 a------- c:\windows\yzeruqyfag.bat
2009-08-07 14:47 14,502 a------- c:\program files\common files\ocysepab.reg
2009-08-07 14:47 12,905 a------- c:\windows\bugivu.pif
2009-08-07 14:47 12,862 a------- c:\windows\system32\mikaq._dl
2009-08-07 14:47 12,521 a------- c:\program files\common files\kumosuc.bin
2009-08-07 14:47 11,778 a------- c:\windows\otac.db
2009-08-07 14:47 10,888 a------- c:\windows\system32\aqon.reg
2009-08-07 14:47 10,256 a------- c:\windows\xosy.bat
2009-08-07 14:23 1,110,399 a------- c:\windows\system32\UACbitutdslqx.db
2009-08-07 14:09 <DIR> --dsh--- C:\found.000
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 23:03 233,472 a------- c:\windows\system32\REX Shared Library.dll
2009-08-04 23:03 225,280 a------- c:\windows\system32\ReWire.dll
2009-08-04 23:03 <DIR> --d----- c:\docume~1\bourge~1\applic~1\Propellerhead Software
2009-08-04 23:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Propellerhead Software
2009-08-04 23:03 <DIR> --d----- c:\program files\Propellerhead
2009-08-02 22:12 <DIR> --d----- C:\CrashReport
2009-07-28 22:29 <DIR> --d----- c:\program files\Defraggler
2009-07-28 15:14 <DIR> --d----- c:\program files\Runes of Magic
2009-07-28 14:52 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-07-28 14:52 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-23 17:44 <DIR> --d----- C:\Fraps
2009-07-23 15:49 <DIR> --d----- c:\docume~1\bourge~1\applic~1\fretsonfire
2009-07-23 12:31 <DIR> --d----- c:\docume~1\bourge~1\applic~1\fofix
2009-07-23 12:27 <DIR> --d----- c:\program files\Frets on Fire

==================== Find3M ====================

2009-08-22 11:51 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-08-22 11:51 16,608 a------- c:\windows\gdrv.sys
2009-08-07 19:36 13,786 a------- c:\program files\common files\ymida.ban
2009-08-07 19:36 13,306 a------- c:\program files\common files\myrinywi._dl
2009-08-07 15:22 13,253 a------- c:\program files\common files\oxyfyrupo.dl
2009-08-05 21:45 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-10 20:22 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-07-09 23:31 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-23 21:30 45,088 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-23 21:30 4,896 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-23 21:30 1,604 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-23 21:30 1,532 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-17 18:56 81,920 a------- c:\docume~1\bourge~1\applic~1\ezpinst.exe
2009-06-17 18:56 47,360 a------- c:\docume~1\bourge~1\applic~1\pcouffin.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-13 19:54 1,663,488 a------- c:\windows\system32\BootMan.exe
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 12:04:50.65 ===============

#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • ONLINE
  • Gender:Male
  • Local time:09:02 PM

Posted 22 August 2009 - 02:55 PM

Hello, Bourgeosie.
OK, Combofix removed several pieces of malware. We still have important work to do. Please stick with me until I give the all clear.

Also, please refrain from any scans or other malware removal while we are working together. Otherwise, bad things can happen by accident.



Step 1

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/247612/malfunctioning-scanners-2-possible-malwares/

DDS::
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File

Collect::
c:\docume~1\bourge~1\applic~1\ofakene.com
c:\docume~1\alluse~1\applic~1\koqigefeh.bin
c:\windows\iliwugy.ban
c:\program files\common files\faqagekyb.sys
c:\windows\system32\mukahyfav._sy
c:\windows\ladofab.inf
c:\program files\common files\yzeregote.bin
c:\windows\system32\ejoni._dl
c:\windows\system32\pujiro.inf
c:\windows\ityvu.db
c:\docume~1\alluse~1\applic~1\nuwiqozyvu.dll
c:\program files\common files\zetofod.dll
c:\windows\kumatyfy.bat
c:\windows\balidav.bat
c:\docume~1\alluse~1\applic~1\rusuneni.com
c:\windows\system32\heru.bat
c:\docume~1\alluse~1\applic~1\qowudexify.exe
c:\windows\system32\ufuv._sy
c:\windows\system32\byto.ban
c:\docume~1\alluse~1\applic~1\kuwot.reg
c:\windows\ewavizimoz._sy
c:\windows\system32\atofyb.bin
c:\program files\common files\remok.vbs
c:\windows\system32\CML.exe
c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.


Step 2

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


Step 3

In your reply, please post:
  • C:\combofix.txt
  • ESET log
  • fresh DDS log


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
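The files listed under Collect:: in Step 1 share a pattern: pseudo-random lowercase names, malformed extensions such as ._dl and .ban, and scripts dropped into Common Files, Application Data or the Windows root. As an added example that is not part of this thread or of the DDS/ComboFix tools, the script below turns those patterns into a scoring heuristic over DDS Find3M-style lines (the sample lines are constructed in the thread's own log format, mostly from entries it already shows) to shortlist candidates for a Collect:: section; the function names, weights and threshold are my own choices, and a score is a triage hint, not a verdict.

```python
"""Triage helper for DDS "Find3M" listings (added example, not a DDS/ComboFix feature)."""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Union

# One Find3M line: date time size(with thousands separators) attribute-flags path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Extensions Windows and common software normally use in these locations.
KNOWN_EXTS = {"sys", "dll", "exe", "dat", "idx", "bat", "vbs", "reg", "bin", "com",
              "pif", "scr", "inf", "db", "ini", "log", "txt", "cab", "ocx", "cpl",
              "drv", "tmp", "lnk", "job", "ax", "tlb", "nls"}
# Script-like types that should not normally appear in system or data directories.
SCRIPT_EXTS = {"bat", "vbs", "reg", "com", "pif", "scr", "bin"}
# Binaries that are normal in system32 but suspicious inside data directories.
BINARY_EXTS = {"exe", "dll", "sys", "inf"}
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32")
# Data/drop locations, in both long and DDS short-name (8.3) forms.
DATA_DIR_MARKERS = ("\\common files", "\\application data", "\\applic~1",
                    "\\local settings", "\\locals~1")

# Constructed sample in Find3M format; the odd names are the ones the thread collected.
SAMPLE_FIND3M = r"""
2009-08-22 11:51 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-08-22 11:51 16,608 a------- c:\windows\gdrv.sys
2009-08-07 19:47 15,437 a------- c:\windows\yzeruqyfag.bat
2009-08-07 19:47 12,905 a------- c:\windows\bugivu.pif
2009-08-07 19:36 13,786 a------- c:\program files\common files\ymida.ban
2009-08-07 19:36 13,306 a------- c:\program files\common files\myrinywi._dl
2009-08-07 15:22 13,253 a------- c:\program files\common files\oxyfyrupo.dl
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-23 21:30 45,088 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-17 18:56 81,920 a------- c:\docume~1\bourge~1\applic~1\ezpinst.exe
"""


@dataclass
class Finding:
    path: str
    modified: date
    size: int
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def parse_find3m(text: str) -> List[Finding]:
    """Parse Find3M lines into Findings; lines that do not match the format are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        y, mo, d = (int(x) for x in m["date"].split("-"))
        out.append(Finding(path=m["path"], modified=date(y, mo, d),
                           size=int(m["size"].replace(",", ""))))
    return out


def _split(path: str):
    """Return (lowercased directory, original-case stem, lowercased extension)."""
    directory, _, name = path.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:                      # no extension at all
        stem, ext = name, ""
    return directory.lower(), stem, ext.lower()


def score(f: Finding) -> Finding:
    """Attach heuristic points and reasons to a Finding (weights are my own choices)."""
    directory, stem, ext = _split(f.path)
    in_data_dir = any(marker in directory for marker in DATA_DIR_MARKERS)
    if ext and (ext.startswith("_") or ext not in KNOWN_EXTS):
        f.score += 2                 # strongest signal: ._dl, .ban, .dl style extensions
        f.reasons.append(f"unusual extension .{ext}")
    if ext in SCRIPT_EXTS and (directory in SYSTEM_DIRS or in_data_dir):
        f.score += 1
        f.reasons.append(f".{ext} in system or data directory")
    elif ext in BINARY_EXTS and in_data_dir:
        f.score += 1
        f.reasons.append(f".{ext} in data directory")
    vowels = sum(stem.count(v) for v in "aeiou")
    if re.fullmatch(r"[a-z]{4,12}", stem) and vowels >= 2 and 8_000 <= f.size <= 25_000:
        f.score += 1                 # small, pronounceable, all-lowercase name
        f.reasons.append("small file with pseudo-random lowercase name")
    return f


def triage(report: str, since: Optional[Union[date, str]] = None,
           threshold: int = 2) -> List[Finding]:
    """Return findings at or above threshold, highest score first, optionally only
    those modified on or after `since` (date or ISO string such as the incident day)."""
    if isinstance(since, str):
        since = date.fromisoformat(since)
    findings = [score(f) for f in parse_find3m(report)
                if since is None or f.modified >= since]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: (-f.score, f.path))


if __name__ == "__main__":
    for f in triage(SAMPLE_FIND3M, since="2009-08-07"):
        print(f.score, f.path, "|", "; ".join(f.reasons))
```

Paste a real Find3M section in place of the sample and pass the infection date as `since` to narrow the list to files touched since the incident.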
 


#8 Bourgeosie

Bourgeosie
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 22 August 2009 - 09:57 PM

ComboFix log:

ComboFix 09-08-21.02 - Bourgeosie 08/22/2009 16:57.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1614 [GMT -5:00]
Running from: c:\documents and settings\Bourgeosie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bourgeosie\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

file zipped: c:\docume~1\alluse~1\applic~1\koqigefeh.bin
file zipped: c:\docume~1\alluse~1\applic~1\kuwot.reg
file zipped: c:\docume~1\alluse~1\applic~1\nuwiqozyvu.dll
file zipped: c:\docume~1\alluse~1\applic~1\qowudexify.exe
file zipped: c:\docume~1\alluse~1\applic~1\rusuneni.com
file zipped: c:\docume~1\bourge~1\applic~1\ofakene.com
file zipped: c:\program files\common files\faqagekyb.sys
file zipped: c:\program files\common files\remok.vbs
file zipped: c:\program files\common files\yzeregote.bin
file zipped: c:\program files\common files\zetofod.dll
file zipped: c:\windows\balidav.bat
file zipped: c:\windows\ewavizimoz._sy
file zipped: c:\windows\iliwugy.ban
file zipped: c:\windows\ityvu.db
file zipped: c:\windows\kumatyfy.bat
file zipped: c:\windows\ladofab.inf
file zipped: c:\windows\system32\atofyb.bin
file zipped: c:\windows\system32\byto.ban
file zipped: c:\windows\system32\ejoni._dl
file zipped: c:\windows\system32\heru.bat
file zipped: c:\windows\system32\mukahyfav._sy
file zipped: c:\windows\system32\pujiro.inf
file zipped: c:\windows\system32\ufuv._sy
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\applic~1\koqigefeh.bin
c:\docume~1\alluse~1\applic~1\kuwot.reg
c:\docume~1\alluse~1\applic~1\nuwiqozyvu.dll
c:\docume~1\alluse~1\applic~1\qowudexify.exe
c:\docume~1\alluse~1\applic~1\rusuneni.com
c:\docume~1\bourge~1\applic~1\ofakene.com
c:\program files\common files\faqagekyb.sys
c:\program files\common files\remok.vbs
c:\program files\common files\yzeregote.bin
c:\program files\common files\zetofod.dll
c:\windows\balidav.bat
c:\windows\ewavizimoz._sy
c:\windows\iliwugy.ban
c:\windows\ityvu.db
c:\windows\kumatyfy.bat
c:\windows\ladofab.inf
c:\windows\system32\atofyb.bin
c:\windows\system32\byto.ban
c:\windows\system32\ejoni._dl
c:\windows\system32\heru.bat
c:\windows\system32\mukahyfav._sy
c:\windows\system32\pujiro.inf
c:\windows\system32\ufuv._sy

.
((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-22 16:51 . 2009-08-22 16:53 23202 ----a-w- c:\windows\system32\jcsball.dat
2009-08-22 16:51 . 2009-08-22 16:53 0 ----a-w- c:\windows\system32\jerror.dat
2009-08-22 05:08 . 2009-08-22 05:08 -------- d-----w- C:\f81d6470e582afc942
2009-08-17 01:36 . 2009-08-22 03:31 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Winamp
2009-08-17 01:36 . 2009-08-17 01:37 -------- d-----w- c:\program files\Winamp
2009-08-12 20:59 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 18:10 . 2009-08-22 21:09 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\skypePM
2009-08-12 18:10 . 2009-08-12 18:10 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-12 18:08 . 2009-08-22 22:00 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Skype
2009-08-12 18:08 . 2009-08-12 18:08 -------- d-----w- c:\program files\Common Files\Skype
2009-08-12 18:08 . 2009-08-12 18:08 -------- d-----r- c:\program files\Skype
2009-08-12 18:08 . 2009-08-12 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-08 00:36 . 2009-08-08 00:36 19308 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\ugidyqoge.sys
2009-08-08 00:20 . 2009-08-08 00:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-07 20:22 . 2009-08-07 20:22 18385 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\donoreduk.bin
2009-08-07 20:22 . 2009-08-07 20:22 16337 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\exucihet.bat
2009-08-07 20:22 . 2009-08-07 20:22 15051 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\supelo.dll
2009-08-07 20:22 . 2009-08-07 20:22 12016 ----a-w- c:\program files\Common Files\ukidagi.vbs
2009-08-07 20:22 . 2009-08-07 20:22 11815 ----a-w- c:\program files\Common Files\pyxyva.scr
2009-08-07 19:47 . 2009-08-07 19:47 18015 ----a-w- c:\windows\system32\vovesuzury.sys
2009-08-07 19:47 . 2009-08-07 19:47 17268 ----a-w- c:\documents and settings\All Users\Application Data\aqusokyt.bat
2009-08-07 19:47 . 2009-08-07 19:47 16894 ----a-w- c:\documents and settings\Bourgeosie\Application Data\idyvygi.sys
2009-08-07 19:47 . 2009-08-07 19:47 15437 ----a-w- c:\windows\yzeruqyfag.bat
2009-08-07 19:47 . 2009-08-07 19:47 15430 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\fahuw.vbs
2009-08-07 19:47 . 2009-08-07 19:47 14502 ----a-w- c:\program files\Common Files\ocysepab.reg
2009-08-07 19:47 . 2009-08-07 19:47 12905 ----a-w- c:\windows\bugivu.pif
2009-08-07 19:47 . 2009-08-07 19:47 12521 ----a-w- c:\program files\Common Files\kumosuc.bin
2009-08-07 19:47 . 2009-08-07 19:47 10888 ----a-w- c:\windows\system32\aqon.reg
2009-08-07 19:47 . 2009-08-07 19:47 10256 ----a-w- c:\windows\xosy.bat
2009-08-07 19:23 . 2009-08-07 19:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-07 19:09 . 2009-08-07 19:09 -------- d-sh--w- C:\found.000
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 04:03 . 2009-08-05 04:06 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Propellerhead Software
2009-08-05 04:03 . 2009-08-05 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Propellerhead Software
2009-08-05 04:03 . 2009-08-05 04:03 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2009-08-05 04:03 . 2009-08-05 04:03 225280 ----a-w- c:\windows\system32\ReWire.dll
2009-08-05 04:03 . 2009-08-05 04:03 -------- d-----w- c:\program files\Propellerhead
2009-08-05 00:33 . 2009-08-05 00:33 -------- d-----w- c:\program files\QuickTime
2009-08-04 19:59 . 2009-08-04 19:59 152576 ----a-w- c:\documents and settings\Bourgeosie\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-03 03:12 . 2009-08-03 03:12 -------- d-----w- C:\CrashReport
2009-07-29 03:29 . 2009-07-29 03:29 -------- d-----w- c:\program files\Defraggler
2009-07-28 20:14 . 2009-08-05 15:15 -------- d-----w- c:\program files\Runes of Magic
2009-07-28 19:52 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-28 19:52 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-23 23:34 . 2009-08-11 14:44 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\vlc
2009-07-23 22:44 . 2009-07-23 22:44 -------- d-----w- C:\Fraps

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 19:31 . 2009-06-13 20:39 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-08-22 16:51 . 2009-04-14 02:01 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-08-22 16:51 . 2009-04-14 00:59 16608 ----a-w- c:\windows\gdrv.sys
2009-08-22 16:41 . 2009-07-17 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-21 03:14 . 2009-04-20 00:56 1 ----a-w- c:\documents and settings\Bourgeosie\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-08-17 00:49 . 2009-04-14 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-11 03:01 . 2009-04-15 23:47 -------- d-----w- c:\program files\Common Files\Apple
2009-08-08 01:42 . 2009-04-14 01:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 00:55 . 2009-04-14 01:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-08 00:36 . 2009-08-08 00:36 13786 ----a-w- c:\program files\Common Files\ymida.ban
2009-08-08 00:36 . 2009-08-08 00:36 13306 ----a-w- c:\program files\Common Files\myrinywi._dl
2009-08-07 20:22 . 2009-08-07 20:22 13253 ----a-w- c:\program files\Common Files\oxyfyrupo.dl
2009-08-06 02:45 . 2009-06-26 21:45 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:39 . 2009-06-29 23:11 -------- d-----w- c:\program files\Steam
2009-08-05 00:33 . 2009-04-15 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-04 19:59 . 2009-06-28 03:37 -------- d-----w- c:\program files\Java
2009-08-04 19:39 . 2009-04-25 16:33 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\AdobeUM
2009-07-25 10:23 . 2009-04-18 01:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 01:23 . 2009-07-18 02:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-23 23:33 . 2009-04-15 21:32 -------- d-----w- c:\program files\VideoLAN
2009-07-23 20:49 . 2009-07-23 20:49 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\fretsonfire
2009-07-23 20:43 . 2009-07-23 17:27 -------- d-----w- c:\program files\Frets on Fire
2009-07-23 17:31 . 2009-07-23 17:31 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\fofix
2009-07-18 23:36 . 2009-07-18 23:36 -------- d-----w- c:\program files\EASEUS
2009-07-17 23:55 . 2009-07-17 23:55 -------- d-----w- c:\program files\7-Zip
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 05:37 . 2009-07-17 05:29 -------- d-----w- c:\program files\Common Files\AOL
2009-07-17 05:30 . 2009-07-17 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-07-17 05:29 . 2009-07-17 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-07-14 23:59 . 2009-07-11 21:02 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\mIRC
2009-07-12 17:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 20:30 . 2009-07-11 01:22 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Hamachi
2009-07-11 01:22 . 2009-07-11 01:22 -------- d-----w- c:\program files\Hamachi
2009-07-11 01:22 . 2009-07-11 01:22 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-07-10 04:31 . 2009-07-10 04:31 -------- d--h--r- c:\documents and settings\Bourgeosie\Application Data\SecuROM
2009-07-10 04:31 . 2009-07-10 04:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-07-10 04:31 . 2009-07-10 04:31 -------- d-----w- c:\program files\Common Files\BioWare
2009-07-09 21:50 . 2009-04-14 01:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-08 03:40 . 2009-04-14 01:00 -------- d-----w- c:\program files\GIGABYTE
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-30 20:06 . 2009-06-30 20:06 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Braid
2009-06-29 21:46 . 2009-06-17 23:56 10638 ----a-w- c:\documents and settings\All Users\Application Data\DVDXStudio\CloneDVD4\MainApp.dll
2009-06-29 01:51 . 2009-04-16 01:12 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-06-29 01:51 . 2009-04-16 01:12 -------- d-----w- c:\program files\DVDVideoSoft
2009-06-28 03:28 . 2009-06-28 03:28 -------- d-----w- c:\program files\CCleaner
2009-06-27 04:08 . 2009-06-27 03:44 -------- d-----w- c:\program files\Accessdiver
2009-06-26 21:45 . 2009-06-26 21:45 -------- d-----w- c:\program files\Avira
2009-06-26 21:45 . 2009-06-26 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-25 22:36 . 2009-06-25 22:36 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-24 02:30 . 2009-06-24 02:20 4896 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-24 02:30 . 2009-06-24 02:20 45088 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-24 02:30 . 2009-06-24 02:20 1604 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-24 02:30 . 2009-06-24 02:20 1532 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-24 02:26 . 2009-06-24 02:10 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-06-17 23:56 . 2009-06-17 23:56 81920 ----a-w- c:\documents and settings\Bourgeosie\Application Data\ezpinst.exe
2009-06-17 23:56 . 2009-06-17 23:56 81920 ----a-w- c:\documents and settings\Bourgeosie\Application Data\ezpinst.exe
2009-06-17 23:56 . 2009-06-17 23:56 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-17 23:56 . 2009-06-17 23:56 47360 ----a-w- c:\documents and settings\Bourgeosie\Application Data\pcouffin.sys
2009-06-17 23:56 . 2009-06-17 23:56 47360 ----a-w- c:\documents and settings\Bourgeosie\Application Data\pcouffin.sys
2009-06-17 16:27 . 2009-04-14 01:38 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-04-14 01:38 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 00:54 . 2009-07-18 23:36 1663488 ----a-w- c:\windows\system32\BootMan.exe
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2009-04-14 00:51 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-07 22:07 . 2009-04-14 01:26 17280 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 21:07 . 2009-06-07 21:07 278984 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-06-07 21:07 . 2009-06-07 21:07 25416 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m|\" [X]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"tray3"="c:\windows\system32\RecvMessage.exe" [2007-01-10 196608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"GBTUpd"="c:\program files\GIGABYTE\GBTUpd\PreRun.exe" [2008-04-03 297480]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-17 17508864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-13 692224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\RecvMessage.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\RunUpd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 4:45 PM 108289]
R2 COM Service;COM Service;c:\program files\GIGABYTE\G.O.M\GCSVR.exe [4/13/2009 8:55 PM 16384]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [4/13/2009 8:00 PM 80392]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [4/13/2009 8:59 PM 35840]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/7/2009 10:37 PM 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/18/2009 6:36 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/18/2009 6:36 PM 3072]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [4/13/2009 8:59 PM 28416]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [4/13/2009 8:59 PM 17408]
SUnknown GVTDrv;GVTDrv; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Bourgeosie\Application Data\Mozilla\Firefox\Profiles\y6pulzqb.default\
FF - component: c:\program files\Mozilla Firefox 3.5 Beta 4\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npPandoWebInst.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 17:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1417001333-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d0,9b,ad,e3,52,1c,ca,4f,2a,eb,d7,81,f2,92,b1,48,15,5b,a6,ea,d7,
55,0e,c1,dd,b1,94,3e,64,69,29,55,c8,c7,67,f5,c8,27,ed,45,70,c9,36,0d,b9,47,\
"rkeysecu"=hex:e2,25,d7,02,ad,58,c1,fe,cf,f6,22,67,27,6b,87,2d
.
Completion time: 2009-08-22 17:02
ComboFix-quarantined-files.txt 2009-08-22 22:02
ComboFix2.txt 2009-08-22 16:54
ComboFix3.txt 2009-06-24 22:20

Pre-Run: 451,238,850,560 bytes free
Post-Run: 451,221,045,248 bytes free

314 --- E O F --- 2009-08-22 05:12
Upload was successful




New DDS Log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Bourgeosie at 21:55:55.15 on Sat 08/22/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1217 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\G.O.M\GCSVR.EXE
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RecvMessage.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Documents and Settings\Bourgeosie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
mRun: [GEST] m|\
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [tray3] c:\windows\system32\RecvMessage.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [GBTUpd] c:\program files\gigabyte\gbtupd\PreRun.exe
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bourge~1\applic~1\mozilla\firefox\profiles\y6pulzqb.default\
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\npPandoWebInst.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-26 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-26 55656]
R2 COM Service;COM Service;c:\program files\gigabyte\g.o.m\GCSVR.exe [2009-4-13 16384]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-4-13 80392]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-4-13 35840]
R3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-26 185089]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-7 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-7-18 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-7-18 3072]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-4-13 28416]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-4-13 17408]
SUnknown GVTDrv;GVTDrv; [x]

=============== Created Last 30 ================

2009-08-22 17:08 <DIR> --d----- c:\program files\ESET
2009-08-22 11:51 23,202 a------- c:\windows\system32\jcsball.dat
2009-08-22 11:51 7,481 a------- c:\windows\system32\jcsb.new
2009-08-22 11:51 0 a------- c:\windows\system32\jerror.dat
2009-08-22 11:42 228,864 a------- c:\windows\PEV.exe
2009-08-22 11:42 161,792 a------- c:\windows\SWREG.exe
2009-08-22 11:42 98,816 a------- c:\windows\sed.exe
2009-08-22 00:08 <DIR> --d----- C:\f81d6470e582afc942
2009-08-12 15:59 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:59 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-12 13:10 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-08-12 13:08 <DIR> --d--r-- c:\program files\Skype
2009-08-07 15:22 12,016 a------- c:\program files\common files\ukidagi.vbs
2009-08-07 15:22 11,815 a------- c:\program files\common files\pyxyva.scr
2009-08-07 14:47 19,718 a------- c:\windows\system32\awunejesys.lib
2009-08-07 14:47 18,015 a------- c:\windows\system32\vovesuzury.sys
2009-08-07 14:47 17,268 a------- c:\docume~1\alluse~1\applic~1\aqusokyt.bat
2009-08-07 14:47 16,894 a------- c:\docume~1\bourge~1\applic~1\idyvygi.sys
2009-08-07 14:47 15,437 a------- c:\windows\yzeruqyfag.bat
2009-08-07 14:47 14,502 a------- c:\program files\common files\ocysepab.reg
2009-08-07 14:47 12,905 a------- c:\windows\bugivu.pif
2009-08-07 14:47 12,862 a------- c:\windows\system32\mikaq._dl
2009-08-07 14:47 12,521 a------- c:\program files\common files\kumosuc.bin
2009-08-07 14:47 11,778 a------- c:\windows\otac.db
2009-08-07 14:47 10,888 a------- c:\windows\system32\aqon.reg
2009-08-07 14:47 10,256 a------- c:\windows\xosy.bat
2009-08-07 14:23 1,110,399 a------- c:\windows\system32\UACbitutdslqx.db
2009-08-07 14:09 <DIR> --dsh--- C:\found.000
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 23:03 233,472 a------- c:\windows\system32\REX Shared Library.dll
2009-08-04 23:03 225,280 a------- c:\windows\system32\ReWire.dll
2009-08-04 23:03 <DIR> --d----- c:\docume~1\bourge~1\applic~1\Propellerhead Software
2009-08-04 23:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Propellerhead Software
2009-08-04 23:03 <DIR> --d----- c:\program files\Propellerhead
2009-08-02 22:12 <DIR> --d----- C:\CrashReport
2009-07-28 22:29 <DIR> --d----- c:\program files\Defraggler
2009-07-28 15:14 <DIR> --d----- c:\program files\Runes of Magic
2009-07-28 14:52 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-07-28 14:52 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll

==================== Find3M ====================

2009-08-22 11:51 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-08-22 11:51 16,608 a------- c:\windows\gdrv.sys
2009-08-07 19:36 13,786 a------- c:\program files\common files\ymida.ban
2009-08-07 19:36 13,306 a------- c:\program files\common files\myrinywi._dl
2009-08-07 15:22 13,253 a------- c:\program files\common files\oxyfyrupo.dl
2009-08-05 21:45 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-10 20:22 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-07-09 23:31 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-17 18:56 81,920 a------- c:\docume~1\bourge~1\applic~1\ezpinst.exe
2009-06-17 18:56 47,360 a------- c:\docume~1\bourge~1\applic~1\pcouffin.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-13 19:54 1,663,488 a------- c:\windows\system32\BootMan.exe
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 21:56:09.18 ===============




The ESET scan produced no malicious items, and I therefore couldn't get a log out of it; please let me know if I should run it again and retrieve a log somehow. Thanks for everything, and thanks for the future too!

#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • ONLINE
  • Gender:Male
  • Local time:09:02 PM

Posted 23 August 2009 - 07:08 AM

Hello, Bourgeosie.
We're looking better with no active infections. There are still some malware files present on your machine, so let's take care of those. Once that's done, we'll fix a few security holes, then clean up our mess in the next few posts.


Step 1

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/t/247612/malfunctioning-scanners-2-possible-malwares/

collect::
c:\program files\common files\ukidagi.vbs
c:\program files\common files\pyxyva.scr
c:\windows\system32\awunejesys.lib
c:\windows\system32\vovesuzury.sys
c:\docume~1\alluse~1\applic~1\aqusokyt.bat
c:\docume~1\bourge~1\applic~1\idyvygi.sys
c:\windows\yzeruqyfag.bat
c:\program files\common files\ocysepab.reg
c:\windows\bugivu.pif
c:\windows\system32\mikaq._dl
c:\program files\common files\kumosuc.bin
c:\windows\otac.db
c:\windows\system32\aqon.reg
c:\windows\xosy.bat
c:\windows\system32\UACbitutdslqx.db


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Step 2

In your reply, please post C:\combofix.txt.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
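The collect:: list in the post above was assembled by eye from the DDS "Created Last 30" section: a burst of files written in the same minute, random letters-only names, and script or loader extensions sitting in directories where they do not belong. As an added example that is not part of this thread and not DDS or ComboFix code, the script below applies those three signals to the DDS lines posted earlier in the thread (copied in as sample input) and reproduces the same fifteen paths. The extension set, the four-letter minimum for a "random" stem and the burst threshold are my assumptions; the output is a triage list for a human to review, not a verdict.

```python
"""Triage of a DDS "Created Last 30" listing.

Added example, not part of the BleepingComputer thread and not DDS or
ComboFix code. Heuristics (extension set, stem length, burst threshold)
are assumptions chosen to illustrate how an analyst reads such a log.
"""
import re
from collections import Counter

# Sample input: lines copied from the DDS log posted earlier in this thread.
DDS_LINES = r"""
2009-08-22 17:08 <DIR> --d----- c:\program files\ESET
2009-08-22 11:51 23,202 a------- c:\windows\system32\jcsball.dat
2009-08-22 11:42 228,864 a------- c:\windows\PEV.exe
2009-08-12 15:59 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 13:10 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-08-07 15:22 12,016 a------- c:\program files\common files\ukidagi.vbs
2009-08-07 15:22 11,815 a------- c:\program files\common files\pyxyva.scr
2009-08-07 14:47 19,718 a------- c:\windows\system32\awunejesys.lib
2009-08-07 14:47 18,015 a------- c:\windows\system32\vovesuzury.sys
2009-08-07 14:47 17,268 a------- c:\docume~1\alluse~1\applic~1\aqusokyt.bat
2009-08-07 14:47 16,894 a------- c:\docume~1\bourge~1\applic~1\idyvygi.sys
2009-08-07 14:47 15,437 a------- c:\windows\yzeruqyfag.bat
2009-08-07 14:47 14,502 a------- c:\program files\common files\ocysepab.reg
2009-08-07 14:47 12,905 a------- c:\windows\bugivu.pif
2009-08-07 14:47 12,862 a------- c:\windows\system32\mikaq._dl
2009-08-07 14:47 12,521 a------- c:\program files\common files\kumosuc.bin
2009-08-07 14:47 11,778 a------- c:\windows\otac.db
2009-08-07 14:47 10,888 a------- c:\windows\system32\aqon.reg
2009-08-07 14:47 10,256 a------- c:\windows\xosy.bat
2009-08-07 14:23 1,110,399 a------- c:\windows\system32\UACbitutdslqx.db
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 23:03 233,472 a------- c:\windows\system32\REX Shared Library.dll
2009-08-04 23:03 225,280 a------- c:\windows\system32\ReWire.dll
""".strip().splitlines()

# One DDS entry: "<date> <time> <size|<DIR>> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

# Assumption: script, loader and config-dump extensions that a legitimate
# installer would not drop with a random name under c:\windows or Common Files.
SCRIPT_EXTS = {".bat", ".vbs", ".scr", ".pif", ".reg", ".bin",
               "._dl", ".dl", ".lib", ".db", ".ban"}
# Assumption: a "random" stem is four or more letters and nothing else.
STEM_RE = re.compile(r"^[A-Za-z]{4,}$")


def parse(lines):
    """Return parsed entries (timestamp, directory flag, lower-cased path)."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({"ts": m["ts"], "is_dir": m["size"] == "<DIR>",
                        "path": m["path"].lower()})
    return entries


def split_name(path):
    """Split a Windows path into (stem, extension); extension keeps its dot."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    return stem, "." + ext


def odd_extension(path, ext):
    """True if the extension is out of place for where the file sits."""
    if ext in SCRIPT_EXTS:
        return True
    # A kernel driver belongs under \drivers\; one dropped elsewhere stands out.
    return ext == ".sys" and "\\drivers\\" not in path


def triage(lines, burst_min=3):
    """Flag files with a random stem and an out-of-place extension.

    'burst' records whether the file shares its minute with burst_min or
    more other files, the third signal an analyst reads from the log.
    """
    entries = [e for e in parse(lines) if not e["is_dir"]]
    per_minute = Counter(e["ts"] for e in entries)
    findings = []
    for e in entries:
        stem, ext = split_name(e["path"])
        if STEM_RE.match(stem) and odd_extension(e["path"], ext):
            findings.append({"path": e["path"], "ts": e["ts"],
                             "burst": per_minute[e["ts"]] >= burst_min})
    return findings


def flagged_names(lines):
    """Sorted basenames of flagged files, handy for comparing with a script."""
    return sorted(f["path"].rsplit("\\", 1)[-1] for f in triage(lines))


if __name__ == "__main__":
    for f in triage(DDS_LINES):
        marker = "burst" if f["burst"] else "     "
        print(f"{f['ts']}  {marker}  {f['path']}")
```

Note what each signal buys: the twelve files from 14:47 trip all three, the 15:22 pair and the lone UACbitutdslqx.db at 14:23 are caught by name shape and extension alone, so a burst-only rule would have missed them, while ReWire.dll and PEV.exe survive because their extensions fit the directory even though their stems are letters-only. Treat every hit as a candidate for the kind of collect:: review done above, never as an automatic delete.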
 


#10 Bourgeosie

Bourgeosie
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 24 August 2009 - 12:19 PM

New ComboFix log:

ComboFix 09-08-21.02 - Bourgeosie 08/24/2009 12:11.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1637 [GMT -5:00]
Running from: c:\documents and settings\Bourgeosie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bourgeosie\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

file zipped: c:\docume~1\alluse~1\applic~1\aqusokyt.bat
file zipped: c:\docume~1\bourge~1\applic~1\idyvygi.sys
file zipped: c:\program files\common files\kumosuc.bin
file zipped: c:\program files\common files\ocysepab.reg
file zipped: c:\program files\common files\pyxyva.scr
file zipped: c:\program files\common files\ukidagi.vbs
file zipped: c:\windows\bugivu.pif
file zipped: c:\windows\otac.db
file zipped: c:\windows\system32\aqon.reg
file zipped: c:\windows\system32\awunejesys.lib
file zipped: c:\windows\system32\mikaq._dl
file zipped: c:\windows\system32\UACbitutdslqx.db
file zipped: c:\windows\system32\vovesuzury.sys
file zipped: c:\windows\xosy.bat
file zipped: c:\windows\yzeruqyfag.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\applic~1\aqusokyt.bat
c:\docume~1\bourge~1\applic~1\idyvygi.sys
c:\program files\common files\kumosuc.bin
c:\program files\common files\ocysepab.reg
c:\program files\common files\pyxyva.scr
c:\program files\common files\ukidagi.vbs
c:\windows\bugivu.pif
c:\windows\otac.db
c:\windows\system32\aqon.reg
c:\windows\system32\awunejesys.lib
c:\windows\system32\mikaq._dl
c:\windows\system32\UACbitutdslqx.db
c:\windows\system32\vovesuzury.sys
c:\windows\xosy.bat
c:\windows\yzeruqyfag.bat

.
((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-24 17:09 . 2009-08-24 17:10 5496 ----a-w- c:\windows\system32\jerror.dat
2009-08-24 17:09 . 2009-08-24 17:10 23336 ----a-w- c:\windows\system32\jcsball.dat
2009-08-24 04:40 . 2009-08-24 04:40 -------- d-----w- c:\documents and settings\Bourgeosie\dwhelper
2009-08-24 00:46 . 2009-08-24 00:46 -------- d-----w- c:\program files\IObit
2009-08-23 18:25 . 2008-04-13 18:45 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-23 18:25 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-22 22:08 . 2009-08-22 22:08 -------- d-----w- c:\program files\ESET
2009-08-22 05:08 . 2009-08-22 05:08 -------- d-----w- C:\f81d6470e582afc942
2009-08-17 01:36 . 2009-08-22 03:31 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Winamp
2009-08-17 01:36 . 2009-08-17 01:37 -------- d-----w- c:\program files\Winamp
2009-08-12 20:59 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 18:10 . 2009-08-22 21:09 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\skypePM
2009-08-12 18:10 . 2009-08-12 18:10 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-12 18:08 . 2009-08-22 22:06 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Skype
2009-08-12 18:08 . 2009-08-12 18:08 -------- d-----w- c:\program files\Common Files\Skype
2009-08-12 18:08 . 2009-08-12 18:08 -------- d-----r- c:\program files\Skype
2009-08-12 18:08 . 2009-08-12 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-08 00:36 . 2009-08-08 00:36 19308 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\ugidyqoge.sys
2009-08-08 00:20 . 2009-08-08 00:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-07 20:22 . 2009-08-07 20:22 18385 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\donoreduk.bin
2009-08-07 20:22 . 2009-08-07 20:22 16337 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\exucihet.bat
2009-08-07 20:22 . 2009-08-07 20:22 15051 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\supelo.dll
2009-08-07 19:47 . 2009-08-07 19:47 15430 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\fahuw.vbs
2009-08-07 19:23 . 2009-08-07 19:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-07 19:09 . 2009-08-07 19:09 -------- d-sh--w- C:\found.000
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 04:03 . 2009-08-05 04:06 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Propellerhead Software
2009-08-05 04:03 . 2009-08-05 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Propellerhead Software
2009-08-05 04:03 . 2009-08-05 04:03 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2009-08-05 04:03 . 2009-08-05 04:03 225280 ----a-w- c:\windows\system32\ReWire.dll
2009-08-05 04:03 . 2009-08-05 04:03 -------- d-----w- c:\program files\Propellerhead
2009-08-05 00:33 . 2009-08-05 00:33 -------- d-----w- c:\program files\QuickTime
2009-08-04 19:59 . 2009-08-04 19:59 152576 ----a-w- c:\documents and settings\Bourgeosie\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-03 03:12 . 2009-08-03 03:12 -------- d-----w- C:\CrashReport
2009-07-29 03:29 . 2009-07-29 03:29 -------- d-----w- c:\program files\Defraggler
2009-07-28 20:14 . 2009-08-05 15:15 -------- d-----w- c:\program files\Runes of Magic
2009-07-28 19:52 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-28 19:52 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 17:13 . 2009-07-23 23:34 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\vlc
2009-08-24 17:10 . 2009-06-13 20:39 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-08-24 17:09 . 2009-04-14 00:59 16608 ----a-w- c:\windows\gdrv.sys
2009-08-24 17:09 . 2009-04-14 02:01 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-08-23 20:49 . 2009-06-29 23:11 -------- d-----w- c:\program files\Steam
2009-08-22 16:41 . 2009-07-17 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-21 03:14 . 2009-04-20 00:56 1 ----a-w- c:\documents and settings\Bourgeosie\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-08-17 00:49 . 2009-04-14 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-11 03:01 . 2009-04-15 23:47 -------- d-----w- c:\program files\Common Files\Apple
2009-08-08 01:42 . 2009-04-14 01:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 00:55 . 2009-04-14 01:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-08 00:36 . 2009-08-08 00:36 13786 ----a-w- c:\program files\Common Files\ymida.ban
2009-08-08 00:36 . 2009-08-08 00:36 13306 ----a-w- c:\program files\Common Files\myrinywi._dl
2009-08-07 20:22 . 2009-08-07 20:22 13253 ----a-w- c:\program files\Common Files\oxyfyrupo.dl
2009-08-06 02:45 . 2009-06-26 21:45 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:33 . 2009-04-15 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-04 19:59 . 2009-06-28 03:37 -------- d-----w- c:\program files\Java
2009-08-04 19:39 . 2009-04-25 16:33 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\AdobeUM
2009-07-25 10:23 . 2009-04-18 01:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 01:23 . 2009-07-18 02:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-23 23:33 . 2009-04-15 21:32 -------- d-----w- c:\program files\VideoLAN
2009-07-23 20:49 . 2009-07-23 20:49 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\fretsonfire
2009-07-23 20:43 . 2009-07-23 17:27 -------- d-----w- c:\program files\Frets on Fire
2009-07-23 17:31 . 2009-07-23 17:31 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\fofix
2009-07-18 23:36 . 2009-07-18 23:36 -------- d-----w- c:\program files\EASEUS
2009-07-17 23:55 . 2009-07-17 23:55 -------- d-----w- c:\program files\7-Zip
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 05:37 . 2009-07-17 05:29 -------- d-----w- c:\program files\Common Files\AOL
2009-07-17 05:30 . 2009-07-17 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-07-17 05:29 . 2009-07-17 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-07-14 23:59 . 2009-07-11 21:02 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\mIRC
2009-07-12 17:21 . 2004-08-04 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 20:30 . 2009-07-11 01:22 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Hamachi
2009-07-11 01:22 . 2009-07-11 01:22 -------- d-----w- c:\program files\Hamachi
2009-07-11 01:22 . 2009-07-11 01:22 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-07-10 04:31 . 2009-07-10 04:31 -------- d--h--r- c:\documents and settings\Bourgeosie\Application Data\SecuROM
2009-07-10 04:31 . 2009-07-10 04:31 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-07-10 04:31 . 2009-07-10 04:31 -------- d-----w- c:\program files\Common Files\BioWare
2009-07-09 21:50 . 2009-04-14 01:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-08 03:40 . 2009-04-14 01:00 -------- d-----w- c:\program files\GIGABYTE
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-30 20:06 . 2009-06-30 20:06 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Braid
2009-06-29 21:46 . 2009-06-17 23:56 10638 ----a-w- c:\documents and settings\All Users\Application Data\DVDXStudio\CloneDVD4\MainApp.dll
2009-06-29 01:51 . 2009-04-16 01:12 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-06-29 01:51 . 2009-04-16 01:12 -------- d-----w- c:\program files\DVDVideoSoft
2009-06-28 03:28 . 2009-06-28 03:28 -------- d-----w- c:\program files\CCleaner
2009-06-27 04:08 . 2009-06-27 03:44 -------- d-----w- c:\program files\Accessdiver
2009-06-26 21:45 . 2009-06-26 21:45 -------- d-----w- c:\program files\Avira
2009-06-26 21:45 . 2009-06-26 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-25 22:36 . 2009-06-25 22:36 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-24 02:30 . 2009-06-24 02:20 4896 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-24 02:30 . 2009-06-24 02:20 45088 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-17 23:56 . 2009-06-17 23:56 81920 ----a-w- c:\documents and settings\Bourgeosie\Application Data\ezpinst.exe
2009-06-17 23:56 . 2009-06-17 23:56 81920 ----a-w- c:\documents and settings\Bourgeosie\Application Data\ezpinst.exe
2009-06-17 23:56 . 2009-06-17 23:56 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-17 23:56 . 2009-06-17 23:56 47360 ----a-w- c:\documents and settings\Bourgeosie\Application Data\pcouffin.sys
2009-06-17 23:56 . 2009-06-17 23:56 47360 ----a-w- c:\documents and settings\Bourgeosie\Application Data\pcouffin.sys
2009-06-17 16:27 . 2009-04-14 01:38 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-04-14 01:38 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 00:54 . 2009-07-18 23:36 1663488 ----a-w- c:\windows\system32\BootMan.exe
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2009-04-14 00:51 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-07 22:07 . 2009-04-14 01:26 17280 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 21:07 . 2009-06-07 21:07 278984 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-06-07 21:07 . 2009-06-07 21:07 25416 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-22_16.51.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-24 17:09 . 2009-08-24 17:09 16384 c:\windows\Temp\Perflib_Perfdata_fc.dat
+ 2009-08-24 17:08 . 2009-08-24 17:08 16384 c:\windows\Temp\Perflib_Perfdata_7b0.dat
+ 2009-08-24 17:08 . 2009-08-24 17:08 16384 c:\windows\Temp\Perflib_Perfdata_720.dat
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-04-17 03:10 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m|\" [X]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"tray3"="c:\windows\system32\RecvMessage.exe" [2007-01-10 196608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"GBTUpd"="c:\program files\GIGABYTE\GBTUpd\PreRun.exe" [2008-04-03 297480]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-17 17508864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-13 692224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\RecvMessage.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\RunUpd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/26/2009 4:45 PM 108289]
R2 COM Service;COM Service;c:\program files\GIGABYTE\G.O.M\GCSVR.exe [4/13/2009 8:55 PM 16384]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [4/13/2009 8:00 PM 80392]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [4/13/2009 8:59 PM 35840]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/7/2009 10:37 PM 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/18/2009 6:36 PM 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/18/2009 6:36 PM 3072]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [4/13/2009 8:59 PM 28416]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [4/13/2009 8:59 PM 17408]
SUnknown GVTDrv;GVTDrv; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Bourgeosie\Application Data\Mozilla\Firefox\Profiles\y6pulzqb.default\
FF - component: c:\program files\Mozilla Firefox 3.5 Beta 4\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npPandoWebInst.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 12:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1417001333-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:d0,9b,ad,e3,52,1c,ca,4f,2a,eb,d7,81,f2,92,b1,48,15,5b,a6,ea,d7,
55,0e,c1,dd,b1,94,3e,64,69,29,55,c8,c7,67,f5,c8,27,ed,45,70,c9,36,0d,b9,47,\
"rkeysecu"=hex:e2,25,d7,02,ad,58,c1,fe,cf,f6,22,67,27,6b,87,2d
.
Completion time: 2009-08-24 12:18
ComboFix-quarantined-files.txt 2009-08-24 17:18
ComboFix2.txt 2009-08-22 22:05
ComboFix3.txt 2009-08-22 16:54
ComboFix4.txt 2009-06-24 22:20

Pre-Run: 445,481,672,704 bytes free
Post-Run: 445,422,002,176 bytes free

312 --- E O F --- 2009-08-24 06:17
Upload was successful

#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • ONLINE
  • Gender:Male
  • Local time:09:02 PM

Posted 25 August 2009 - 06:56 AM

Hello, Bourgeosie.
Ok, so the malware is gone, but we have a few more things to do. In this post, I'll suggest critical upgrades to your software to help prevent malware from infecting in the future. Once you reply, there will be one final post with critical instructions to ensure we properly delete the malware we've quarantined and purge your system restore so you can't get reinfected from THIS infection.

Below are 4 optional steps. While optional, I strongly suggest you follow them to help prevent reinfection. These programs have known security holes that malware exploits.




Step 1

Please now install a third-party firewall. Here are some free ones that work very well.
The main reason to use a third-party firewall over the Windows XP Firewall is because Windows Firewall only stops incoming signals from accessing your computer. However, it will not stop programs (possibly ones that could intrude on your privacy) from sending outgoing signals to the Internet or to other networks.

After you have installed one of the above firewalls, please disable your Windows Firewall, if you had it enabled.



Step 2

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 16 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.


Step 3

You are using Adobe Reader 7.0. Adobe has since been updated to Version 9.1.2 which closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.
Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 4

Please reply with an updated DDS log and an update on how your computer is running.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • ONLINE
  • Gender:Male
  • Local time:09:02 PM

Posted 28 August 2009 - 08:02 PM

Hi Bourgeosie, have you had a chance to do the steps? If you don't reply in 2 days, this thread may be closed.




#13 Bourgeosie

Bourgeosie
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:02 PM

Posted 30 August 2009 - 10:45 PM

Hello, terribly sorry for the delay, the computer is running much smoother. Here is the updated log (I haven't had a chance to update my Java yet, I'm working on that now):


DDS (Ver_09-07-30.01) - NTFSx86
Run by Bourgeosie at 22:44:30.48 on Sun 08/30/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1412 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\G.O.M\GCSVR.EXE
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RecvMessage.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bourgeosie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GEST] m|\
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [tray3] c:\windows\system32\RecvMessage.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [GBTUpd] c:\program files\gigabyte\gbtupd\PreRun.exe
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bourge~1\applic~1\mozilla\firefox\profiles\y6pulzqb.default\
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\npPandoWebInst.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-26 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-26 55656]
R2 COM Service;COM Service;c:\program files\gigabyte\g.o.m\GCSVR.exe [2009-4-13 16384]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-4-13 80392]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-4-13 35840]
R3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-26 185089]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-4-13 24944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-7 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-7-18 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-7-18 3072]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-4-13 28416]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-4-13 17408]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-08-30 20:27 23,823 a------- c:\windows\system32\jcsball.dat
2009-08-30 20:27 7,633 a------- c:\windows\system32\jcsb.new
2009-08-30 20:27 0 a------- c:\windows\system32\jerror.dat
2009-08-30 15:46 14 a------- c:\windows\system32\systeminfo3.dll
2009-08-25 18:02 14,568 a------- c:\windows\system32\drivers\wg6n.sys
2009-08-25 18:02 14,568 a------- c:\windows\system32\drivers\wg5n.sys
2009-08-25 18:02 14,568 a------- c:\windows\system32\drivers\wg4n.sys
2009-08-25 18:02 14,568 a------- c:\windows\system32\drivers\wg3n.sys
2009-08-25 18:02 60,496 a------- c:\windows\system32\drivers\Teefer.sys
2009-08-25 18:02 21,075 a------- c:\windows\system32\drivers\wpsdrvnt.sys
2009-08-25 18:02 83,096 a------- c:\windows\system32\SSSensor.dll
2009-08-25 18:02 <DIR> --d----- c:\program files\Sygate
2009-08-25 12:10 4 a------- c:\windows\system32\GVTunner.ref
2009-08-24 12:10 <DIR> --ds---- C:\ComboFix
2009-08-23 23:40 <DIR> --d----- c:\documents and settings\bourgeosie\dwhelper
2009-08-23 19:46 <DIR> --d----- c:\program files\IObit
2009-08-23 13:25 60,032 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-08-23 13:25 60,032 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-08-22 17:08 <DIR> --d----- c:\program files\ESET
2009-08-22 11:42 228,864 a------- c:\windows\PEV.exe
2009-08-22 11:42 161,792 a------- c:\windows\SWREG.exe
2009-08-22 11:42 98,816 a------- c:\windows\sed.exe
2009-08-22 08:55 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-22 00:08 <DIR> --d----- C:\f81d6470e582afc942
2009-08-12 15:59 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 15:59 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-12 13:10 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-08-12 13:08 <DIR> --d--r-- c:\program files\Skype
2009-08-07 14:09 <DIR> --dsh--- C:\found.000
2009-08-05 04:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 23:03 233,472 a------- c:\windows\system32\REX Shared Library.dll
2009-08-04 23:03 225,280 a------- c:\windows\system32\ReWire.dll
2009-08-04 23:03 <DIR> --d----- c:\docume~1\bourge~1\applic~1\Propellerhead Software
2009-08-04 23:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Propellerhead Software
2009-08-04 23:03 <DIR> --d----- c:\program files\Propellerhead
2009-08-02 22:12 <DIR> --d----- C:\CrashReport

==================== Find3M ====================

2009-08-30 20:27 16,608 a------- c:\windows\gdrv.sys
2009-08-30 20:27 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-08-07 19:36 13,786 a------- c:\program files\common files\ymida.ban
2009-08-07 19:36 13,306 a------- c:\program files\common files\myrinywi._dl
2009-08-07 15:22 13,253 a------- c:\program files\common files\oxyfyrupo.dl
2009-08-05 21:45 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-10 20:22 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-07-09 23:31 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-07-03 12:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-17 18:56 81,920 a------- c:\docume~1\bourge~1\applic~1\ezpinst.exe
2009-06-17 18:56 47,360 a------- c:\docume~1\bourge~1\applic~1\pcouffin.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-13 19:54 1,663,488 a------- c:\windows\system32\BootMan.exe
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 22:44:50.18 ===============
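A small triage helper for the log formats in this thread, added here as an example (it is not part of the thread, nor of the DDS or ComboFix tools). It parses the `SERVICES / DRIVERS` lines and the `Created Last 30` / `Find3M` file lines exactly as they appear above and reports two things a responder checks first: service or driver registrations whose binary is missing (the `[x]` entries such as `S4 vsdatant;vsdatant; [x]`, left behind when software is removed) and files created under a chosen root in the days just before the report was run. `SAMPLE_LOG` is copied from the DDS log above; the run date and the 7-day window used in the demo are constructed assumptions.

```python
"""Triage helper for the DDS / ComboFix log sections shown in this thread.

Added example (not part of the forum thread, nor of the DDS or ComboFix
tools). It parses the 'SERVICES / DRIVERS', 'Created Last 30' and 'Find3M'
line formats and reports:
  * service/driver entries whose binary is missing ('[x]'), i.e. orphaned
    registrations left behind by removed software, and
  * files created under a chosen root (default c:\\windows\\) within the
    last N days before the report was run.
SAMPLE_LOG is copied from the DDS log above; the run date and the 7-day
window passed in the demo are constructed assumptions.
"""
import re
from datetime import date, timedelta

SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-26 11608]
R2 COM Service;COM Service;c:\program files\gigabyte\g.o.m\GCSVR.exe [2009-4-13 16384]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-4-13 24944]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-08-30 20:27 23,823 a------- c:\windows\system32\jcsball.dat
2009-08-30 15:46 14 a------- c:\windows\system32\systeminfo3.dll
2009-08-25 18:02 <DIR> --d----- c:\program files\Sygate
2009-08-25 18:02 14,568 a------- c:\windows\system32\drivers\wg6n.sys
2009-08-22 11:42 228,864 a------- c:\windows\PEV.exe
2009-08-12 13:08 <DIR> --d--r-- c:\program files\Skype
"""

# "<state> <name>;<display>;<path> [<date> <size>]"  or  "... ; [x]" when the
# binary is missing. ComboFix prints the state as "SUnknown" in that case.
SERVICE_RE = re.compile(
    r"^(?P<state>R\d|S\d|SUnknown)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*\[(?P<detail>[^\]]*)\]\s*$"
)

# "<date> <time> <size|<DIR>> <8 attribute flags> <path>"
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)


def _lines(log):
    for raw in log.splitlines():
        line = raw.strip()
        if line:
            yield line


def parse_services(log):
    """Return one dict per service/driver line, in log order."""
    entries = []
    for line in _lines(log):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        detail = m.group("detail").strip()
        missing = detail == "x"          # DDS/ComboFix write "[x]" for a missing file
        entries.append({
            "state": m.group("state"),
            "name": m.group("name").strip(),
            "display": m.group("display").strip(),
            "path": m.group("path").strip(),
            "size": None if missing else int(detail.split()[-1]),
            "missing": missing,
        })
    return entries


def orphaned_services(log):
    """Names of services/drivers registered without a binary on disk."""
    return [e["name"] for e in parse_services(log) if e["missing"]]


def parse_created(log):
    """Return one dict per 'Created Last 30' / 'Find3M' file line."""
    rows = []
    for line in _lines(log):
        m = CREATED_RE.match(line)
        if m:
            rows.append({
                "created": date.fromisoformat(m.group("date")),
                "is_dir": m.group("size") == "<DIR>",
                "attrs": m.group("attrs"),
                "path": m.group("path").strip(),
            })
    return rows


def recent_system_files(log, run_date, days=7, roots=("c:\\windows\\",)):
    """Files (not directories) under `roots` created within `days` of run_date."""
    cutoff = date.fromisoformat(run_date) - timedelta(days=days)
    prefixes = tuple(r.lower() for r in roots)
    return [row["path"] for row in parse_created(log)
            if not row["is_dir"] and row["created"] >= cutoff
            and row["path"].lower().startswith(prefixes)]


if __name__ == "__main__":
    print("orphaned services:", orphaned_services(SAMPLE_LOG))
    for path in recent_system_files(SAMPLE_LOG, "2009-08-30", days=7):
        print("recent system file:", path)
```

Run on a full log, the orphaned-service list is a quick way to spot leftovers of uninstalled security tools or drivers that still have a registry entry, and the recent-files list narrows the `Created Last 30` section to the window around the incident; both are starting points for review, not verdicts.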

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • ONLINE
  • Gender:Male
  • Local time:09:02 PM

Posted 31 August 2009 - 08:12 PM

Hello, Bourgeosie.

Your log looks clean. We need to clean up our mess.


Uninstall ComboFix and Clean Up
Click Start > Run and type combofix /u and click OK (Note the space between combofix and /u)
Please advise if this step is missed for any reason as it performs some important actions.

Delete other tools
You can now manually delete DDS and RootRepeal.



Please take the time to read below to secure your machine and take the necessary steps to keep it that way.

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware


Please consider downloading HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!



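The HostsMan step above ends with a caveat: a downloaded blocklist replaces the whole HOSTS file, so any entries the user added by hand have to be put back afterwards. The script below is an added example (not from the thread and not part of HostsMan) that separates the two kinds of entry before the file is replaced: blocking entries, where a name is sunk to 127.0.0.1 or 0.0.0.0 as lists like the MVPS one do, and custom mappings, where a name points at a real address. The `SAMPLE_HOSTS` content, including every host name and address in it, is constructed for the demo.

```python
"""Classify entries in a Windows HOSTS file before a blocklist replaces it.

Added example, not part of the thread or of HostsMan. Blocking entries
(names sunk to a loopback/unspecified address) come from the blocklist and
can be dropped; custom mappings (names pointed at a real address) are the
ones that must be re-added afterwards. SAMPLE_HOSTS is constructed.
"""
import ipaddress

# Addresses a blocklist uses to "sink" a name so it never resolves usefully.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# The standard loopback mapping every HOSTS file carries; neither a block
# nor a user customisation, so it is left out of both buckets.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed blocklist entries ---
0.0.0.0  ads.example.net  # banner server
0.0.0.0  tracker.example.org
127.0.0.1 malware-dl.example.com
# --- constructed custom mappings the user added by hand ---
192.168.1.10    nas.home.lan  backup.home.lan
10.0.0.5        intranet.corp.example
this is not a valid line
"""


def parse_hosts(text):
    """Return one dict per non-comment line: address, names, or an error."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip inline comments
        if not line:
            continue
        parts = line.split()
        try:
            if len(parts) < 2:
                raise ValueError("address without host names")
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            entries.append({"lineno": lineno, "address": None,
                            "names": [], "error": line})
            continue
        entries.append({"lineno": lineno, "address": addr,
                        "names": parts[1:], "error": None})
    return entries


def classify(text):
    """Split the file into (blocking, custom, invalid).

    blocking / custom map lower-cased host name -> address; invalid is a
    list of (lineno, text) for lines that do not parse.
    """
    blocking, custom, invalid = {}, {}, []
    for e in parse_hosts(text):
        if e["error"] is not None:
            invalid.append((e["lineno"], e["error"]))
            continue
        bucket = blocking if e["address"] in SINKHOLE_ADDRESSES else custom
        for name in e["names"]:
            name = name.lower()
            if name in LOOPBACK_NAMES:
                continue
            bucket[name] = e["address"]
    return blocking, custom, invalid


def is_blocked(text, hostname):
    """True if the HOSTS file sinks `hostname` (case-insensitive)."""
    blocking, _, _ = classify(text)
    return hostname.lower() in blocking


def custom_entries_to_keep(text):
    """HOSTS lines to re-add once a blocklist has replaced the file."""
    _, custom, _ = classify(text)
    by_addr = {}
    for name, addr in custom.items():
        by_addr.setdefault(addr, []).append(name)
    return [f"{addr}\t{' '.join(names)}" for addr, names in by_addr.items()]


if __name__ == "__main__":
    blocking, custom, invalid = classify(SAMPLE_HOSTS)
    print(f"{len(blocking)} blocked names, {len(custom)} custom names, "
          f"{len(invalid)} unparsable lines")
    print("\n".join(custom_entries_to_keep(SAMPLE_HOSTS)))
```

On a real machine the file lives at `%SystemRoot%\System32\drivers\etc\hosts`; saving the output of `custom_entries_to_keep` before running the blocklist update and appending it afterwards preserves the hand-made mappings the post warns about.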

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:02 AM

Posted 05 September 2009 - 08:30 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send us a PM and we will reopen it for you.

If you should have a new issue, please start a new topic.



