HelpAssistant in users


  • This topic is locked
3 replies to this topic

#1 jmpnjackflash

  • Members
  • 4 posts

Posted 24 December 2009 - 05:38 PM

Been having issues with the computer crashing, noticed a new user "helpassistant" in the users, deleted files and cleaned registry of helpassistant instances but problems persist. Help greatly appreciated =)
Other issues: browser redirects from any links clicked (been manually hovering the mouse over links to see the link location and typing in the links).

Also: just noticed a new Yahoo-looking search bar on top of my Firefox browser. Unclickable, but it has [ (yahoo symbol) Search web for %s Email this %t IM this %t (babelfish symbol) Translate to English Lookup %s in Dictionary ]
Might be nothing, but I've never allowed toolbars to be downloaded or installed.
Been unable to right-click on Firefox links for a few days now to "open in new window/tab" or otherwise.

- Running Windows XP Pro SP3

dxdiag included for further info

Another thing: been getting another user besides helpassistant, that being helpassistant.(machine name); files reappear as I delete them or while deleting them.

DDS report: saw other users posting it. Figured just in case; as follows. :(



DDS (Ver_09-12-01.01) - NTFSx86
Run by Hiag-The Fluffhe at 18:16:15.45 on Thu 12/24/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2136 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\PROGRA~1\AVG\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
F:\moka5\Engine\bin\m5authd.exe
C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\avgrsx.exe
C:\PROGRA~1\AVG\avgnsx.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\vmnat.exe
F:\VMware\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Documents and Settings\Hiag-The Fluffhe\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Babylon IE plugin: {9cfaccb6-2f3f-4177-94ea-0d2b72d384c1} - f:\babylon\utils\BabylonIEPI.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [Free Download Manager] "c:\program files\free download manager\fdm.exe" -autorun
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 52\axcmd.exe" /automount
uRun: [PlayNC Launcher]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Babylon Client] f:\babylon\Babylon.exe -AutoStart
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SteelSeries World of Warcraft MMO Gaming Mouse] c:\program files\steelseries\world of warcraft mmo gaming mouse\WoWMHID.exe
dRun: [MySpaceIM] c:\program files\myspaceim\MySpaceIM.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: Translate this web page with Babylon - f:\babylon\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - f:\babylon\utils\BabylonIEPI.dll/Action.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://f:\babylon\utils\BabylonIEPI.dll/ActionTU.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: f:\vmware\vsocklib.dll
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hiag-t~1\applic~1\mozilla\firefox\profiles\bk7zp9b0.default
FF - component: c:\program files\avg\firefox\components\avgssff.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-3 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-3 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-3 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avgwdsvc.exe [2009-8-21 297752]
R2 duse;duse;c:\windows\system32\duse.sys [2009-4-11 16896]
R2 m5authd;MokaFive Authorization Service;f:\moka5\engine\bin\m5authd.exe run --> f:\moka5\engine\bin\m5authd.exe run [?]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 52\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-28 54960]
R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [2009-8-26 11136]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2009-11-5 25832]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-12-24 08:15:00 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-12-15 03:28:05 0 d-----r- c:\program files\Skype
2009-12-13 04:35:35 0 d-----w- c:\program files\Microsoft
2009-12-10 02:06:55 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SecuROM
2009-12-02 02:57:30 991232 ----a-w- c:\windows\system32\imageviewer2.ocx
2009-12-02 02:57:30 608448 ----a-w- c:\windows\system32\comctl32.ocx
2009-12-02 02:57:30 224016 ----a-w- c:\windows\system32\tabctl32.ocx
2009-12-02 02:57:30 200704 ----a-w- c:\windows\system32\threed32.ocx
2009-12-02 02:57:30 1703936 ----a-w- c:\windows\system32\gdiplus.dll
2009-12-02 02:57:30 164144 ----a-w- c:\windows\system32\comct232.ocx
2009-12-02 02:57:30 151552 ----a-w- c:\windows\system32\ccrpfd6.ocx
2009-12-02 02:57:30 110592 ----a-w- c:\windows\system32\ccrpbds6.dll
2009-12-02 02:57:30 106496 ----a-w- c:\windows\system32\mbprgbar.ocx
2009-12-02 02:57:30 0 d-----w- c:\program files\PIXresizer

==================== Find3M ====================


============= FINISH: 18:16:26.90 ===============


// Root Repeal Report As Follows:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/12/24 18:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAEFFC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA60A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP2718
Image Path: \Driver\PCI_PNP2718
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAD7ED000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spcs.sys
Image Path: spcs.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:
Status: MBR Rootkit Detected!

Path: c:\documents and settings\all users\application data\avg8\cfg\malrep.cfg
Status: Size mismatch (API: 30505, Raw: 30471)

Path: c:\documents and settings\all users\application data\avg8\cfg\sched.cfg
Status: Size mismatch (API: 194453, Raw: 194385)

Path: c:\documents and settings\all users\application data\avg8\log\history.xml
Status: Size mismatch (API: 281736, Raw: 281596)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spcs.sys" at address 0xb9ea80e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spcs.sys" at address 0xb9ec6ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spcs.sys" at address 0xb9ec7030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spcs.sys" at address 0xb9ea80c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spcs.sys" at address 0xb9ec7108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spcs.sys" at address 0xb9ec6f88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spcs.sys" at address 0xb9ec719a

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8ae941f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8aac4500 Size: 121

Object: Hidden Code [Driver: a05s4mwvȅః灐畳swenum, IRP_MJ_CREATE]
Process: System Address: 0x8ab871f8 Size: 121

Object: Hidden Code [Driver: a05s4mwvȅః灐畳swenum, IRP_MJ_CLOSE]
Process: System Address: 0x8ab871f8 Size: 121

Object: Hidden Code [Driver: a05s4mwvȅః灐畳swenum, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab871f8 Size: 121

Object: Hidden Code [Driver: a05s4mwvȅః灐畳swenum, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ab871f8 Size: 121

Object: Hidden Code [Driver: a05s4mwvȅః灐畳swenum, IRP_MJ_POWER]
Process: System Address: 0x8ab871f8 Size: 121

Object: Hidden Code [Driver: a05s4mwvȅః灐畳swenum, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ab871f8 Size: 121

Object: Hidden Code [Driver: a05s4mwvȅః灐畳swenum, IRP_MJ_PNP]
Process: System Address: 0x8ab871f8 Size: 121

Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87f2b698 Size: 2409

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8ad2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8ad2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8ad2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8ad2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ad2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ad2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ad2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8ad2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ad2a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8ad2a1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x8aac5500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x8aac5500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x8aac5500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x8aac5500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aac5500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aac5500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x8aac5500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aac5500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x8aac5500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8af071f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8af071f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8af071f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8af071f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8af071f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8af071f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8af071f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8af071f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8af071f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8af071f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8af071f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8ad131f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8ad131f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad131f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ad131f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8ad131f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ad131f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8ad131f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8ae961f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8ae961f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8ae961f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ae961f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ae961f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ae961f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ae961f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8ae961f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8ae961f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ae961f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8ae961f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x881491f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x881491f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x881491f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x881491f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x881491f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x881491f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8adc71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8adc71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8adc71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8adc71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8adc71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8adc71f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8adc71f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x88124500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_CREATE]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_CLOSE]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_READ]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_CLEANUP]
Process: System Address: 0x8ac67500 Size: 121

Object: Hidden Code [Driver: CdfsЅᰇ⛸螺ꕠ��䫀, IRP_MJ_PNP]
Process: System Address: 0x8ac67500 Size: 121

==EOF==

Ran Combofix: Report as follows.

ComboFix 09-12-24.02 - Hiag-The Fluffhe 12/24/2009 21:12:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2396 [GMT -5:00]
Running from: c:\documents and settings\Hiag-The Fluffhe\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Autorun.inf

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2009-11-25 to 2009-12-25 )))))))))))))))))))))))))))))))
.

2009-12-25 02:01 . 2009-12-25 02:01 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-25 02:01 . 2009-12-25 02:01 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2009-12-24 08:15 . 2009-12-24 08:15 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-12-15 03:28 . 2009-12-15 03:28 -------- d-----r- c:\program files\Skype
2009-12-13 04:35 . 2009-12-13 04:35 -------- d-----w- c:\program files\Microsoft
2009-12-11 21:06 . 2009-12-11 21:06 2065688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-11 21:06 . 2009-11-27 16:52 3514648 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-12-11 21:06 . 2009-11-27 16:52 2029336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-12-10 02:06 . 2009-12-10 02:06 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM
2009-12-02 02:57 . 2009-12-02 02:57 -------- d-----w- c:\program files\PIXresizer
2009-12-02 02:57 . 2002-08-30 00:00 1703936 ----a-w- c:\windows\system32\gdiplus.dll
2009-12-02 02:57 . 2000-05-02 04:02 110592 ----a-w- c:\windows\system32\ccrpbds6.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-25 02:16 . 2009-04-12 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-12-25 02:11 . 2009-04-12 02:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-12-25 02:04 . 2009-03-11 08:47 -------- d-----w- c:\documents and settings\Hiag-The Fluffhe\Application Data\Free Download Manager
2009-12-24 21:55 . 2009-04-12 02:44 -------- d-----w- c:\documents and settings\Hiag-The Fluffhe\Application Data\VMware
2009-12-24 19:46 . 2009-03-01 17:07 14080 ----a-w- c:\documents and settings\Hiag-The Fluffhe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-24 19:25 . 2009-11-09 20:57 79488 ----a-w- c:\documents and settings\Hiag-The Fluffhe\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-24 08:17 . 2009-09-28 23:05 68144 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-23 13:04 . 2009-03-03 08:10 -------- d-----w- c:\program files\AVG
2009-12-18 10:58 . 2009-03-28 04:49 -------- d-----w- c:\documents and settings\Hiag-The Fluffhe\Application Data\Skype
2009-12-13 04:34 . 2009-03-07 07:09 317568 ----a-w- c:\documents and settings\Hiag-The Fluffhe\Application Data\MobMapUpdater\MobMapUpdaterExternals.dll
2009-11-24 01:01 . 2009-11-24 01:01 -------- d-----w- c:\documents and settings\Hiag-The Fluffhe\Application Data\SumatraPDF
2009-11-20 00:49 . 2009-11-20 00:49 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-12 01:28 . 2009-03-28 18:47 -------- d-----w- c:\documents and settings\Hiag-The Fluffhe\Application Data\LimeWire
2009-11-09 00:28 . 2009-11-09 00:25 -------- d-----w- c:\documents and settings\Hiag-The Fluffhe\Application Data\dvdcss
2009-11-06 00:01 . 2009-11-06 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2009-10-30 02:45 . 2009-10-30 02:41 -------- d-----w- c:\documents and settings\Hiag-The Fluffhe\Application Data\Notepad++
2009-10-30 02:41 . 2009-10-30 02:41 -------- d-----w- c:\program files\Notepad++
2009-10-27 22:21 . 2009-10-27 22:21 -------- d-----w- c:\documents and settings\Hiag-The Fluffhe\Application Data\acccore
2009-10-27 22:21 . 2009-10-27 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-10-27 22:21 . 2009-10-27 22:21 -------- d-----w- c:\program files\AIM
2009-10-27 22:20 . 2009-10-27 22:20 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-10-27 22:20 . 2009-10-27 22:20 -------- d-----w- c:\program files\Common Files\AOL
2009-10-15 23:25 . 2009-10-15 23:25 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-10-15 23:25 . 2009-10-15 23:25 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"Free Download Manager"="c:program filesFree Download Managerfdm.exe" [2009-01-31 3399727]
"igndlm.exe"="c:program filesDownload ManagerDLM.exe" [2009-02-25 1103216]
"AlcoholAutomount"="c:program filesAlcohol SoftAlcohol 52axcmd.exe" [2009-03-17 203416]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"NvCplDaemon"="c:windowssystem32NvCpl.dll" [2009-02-09 13680640]
"nwiz"="nwiz.exe" [2009-02-09 1657376]
"NvMediaCenter"="c:windowssystem32NvMcTray.dll" [2009-02-09 86016]
"VolPanel"="c:program filesCreativeSound Blaster X-FiVolume PanelVolPanlu.exe" [2006-07-13 122880]
"AudioDrvEmulator"="c:program filesCreativeShared FilesModule LoaderDLLML.exe" [2005-11-04 49152]
"CTHelper"="CTHELPER.EXE" [2006-05-24 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 18944]
"UpdReg"="c:windowsUpdReg.EXE" [2000-05-11 90112]
"AVG8_TRAY"="c:progra~1AVGavgtray.exe" [2009-12-11 2043160]
"SunJavaUpdateSched"="c:program filesJavajre6binjusched.exe" [2009-03-28 136600]
"Babylon Client"="f:babylonBabylon.exe" [2009-05-24 4096912]
"QuickTime Task"="c:program filesQuickTimeQTTask.exe" [2009-05-26 413696]
"SteelSeries World of Warcraft MMO Gaming Mouse"="c:program filesSteelSeriesWorld of Warcraft MMO Gaming MouseWoWMHID.exe" [2009-05-13 414720]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"MySpaceIM"="c:program filesMySpaceIMMySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogonnotifyavgrsstarter]
2009-08-21 19:57 11952 ----a-w- c:windowssystem32avgrsstx.dll

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%system32sessmgr.exe"=
"e:CurseCurseClient.exe"=
"e:World of WarcraftLauncher.exe"=
"e:Steamsteamappscommonprince of persiaLauncherLauncher.exe"=
"c:WINDOWSsystem32dpvsetup.exe"=
"e:Steamsteamappshiagfluffykittycounter-strike sourcehl2.exe"=
"c:Program FilesAVGavgupd.exe"=
"c:Program FilesAVGavgnsx.exe"=
"e:Steamsteamappscommonlost planet extreme conditionLostPlanetDX9.exe"=
"e:Steamsteamappscommonlost planet extreme conditionLostPlanetDX10.exe"=
"e:Steamsteamappscommonthief deadly shadowsSystemrunme.exe"=
"e:Steamsteamappscommoncall of duty 4iw3sp.exe"=
"e:Steamsteamappscommoncall of duty 4iw3mp.exe"=
"e:Steamsteamappscommondrakensangdrakensang.exe"=
"e:World of WarcraftBackgroundDownloader.exe"=
"e:FFXISquareEnixPlayOnlineViewerpol.exe"=
"c:Program FilesWindows LiveMessengerwlcsdk.exe"=
"c:Program FilesMessengermsmsgs.exe"=
"c:Program FilesVentriloVentrilo.exe"=
"c:Program FilesFree Download Managerfdm.exe"=
"c:Program FilesMozilla Firefoxfirefox.exe"=
"e:Steamsteamappscommonspaceforce rogue universeSystemStart.exe"=
"c:Program FilesYahoo!MessengerYahooMessenger.exe"=
"c:WINDOWSsystem32dplaysvr.exe"=
"c:Program FilesuTorrentuTorrent.exe"=
"c:Program FilesMySpaceIMMySpaceIM.exe"=
"e:Steamsteamappscommonlast remnant - demo seiBinariesTLRDemo.exe"=
"e:Steamsteamappscommondark sectorDS.exe"=
"f:VMwarevmware-authd.exe"=
"e:HellGateLLauncher.exe"=
"e:Steamsteamappscommonprototypeprototypef.exe"=
"%windir%Network Diagnosticxpnetdiag.exe"=
"e:Steamsteamappscommonoverlord iiOverlord2.exe"=
"e:Steamsteamappscommonoverlord iiConfig.exe"=
"e:Steamsteamappscommonvelvet assassinLauncher.exe"=
"e:Steamsteamappscommonstalker clear skybinxrEngine.exe"=
"e:SteamsteamappscommoncrimecraftSteamLauncher.exe"=
"e:Steamsteamappscommonarma 2arma2.exe"=
"c:Program FilesPando NetworksMedia BoosterPMB.exe"=
"e:SteamsteamappscommonrisenbinRisen.exe"=
"e:ace onlineLauncher.atm"= e:ace onlineLauncher.atm:Enabled:GameExe2
"e:ace onlineRes-VoipSCVoIP.exe"= e:ace onlineRes-VoipSCVoIP.exe:Enabled:GameVoIP
"c:Program FilesAIMaim.exe"=
"e:Steamsteamappscommondragon age originsbin_shipdaupdatersvc.service.exe"=
"e:Steamsteamappscommonfallen earthFEUpdater.exe"=
"e:SteamsteamappscommonborderlandsBinariesBorderlands.exe"=
"e:Steamsteamappscommonmedieval ii total warLauncher.exe"=
"c:Program FilesWindows LiveMessengermsnmsgr.exe"=
"c:Program FilesSkypePhoneSkype.exe"=
"e:Steamsteamappscommonfallout 3 gotyFalloutLauncher.exe"=
"e:Steamsteamappscommondragon age originsbin_shipDAOrigins.exe"=
"e:Steamsteamappscommondragon age originsDAOriginsLauncher.exe"=
"e:Steamsteamappscommoncall of duty modern warfare 2iw4sp.exe"=

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileGloballyOpenPortsList]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57862:TCP"= 57862:TCP:Pando Media Booster
"57862:UDP"= 57862:UDP:Pando Media Booster
"56767:TCP"= 56767:TCP:Pando Media Booster
"56767:UDP"= 56767:UDP:Pando Media Booster
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:windowssystem32driversavgldx86.sys [3/3/2009 3:10 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:windowssystem32driversavgtdix.sys [3/3/2009 3:10 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:progra~1AVGavgwdsvc.exe [8/21/2009 2:57 PM 297752]
R2 duse;duse;c:windowssystem32duse.sys [4/11/2009 9:37 PM 16896]
R2 m5authd;MokaFive Authorization Service;f:moka5Enginebinm5authd.exe run --> f:moka5Enginebinm5authd.exe run [?]
R2 vmci;VMware vmci;c:windowssystem32driversvmci.sys [10/28/2008 10:08 PM 54960]
R3 Mo3Fltr;MMO Mouse;c:windowssystem32driversMo3Fltr.sys [8/26/2009 6:55 PM 11136]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:steamsteamappscommondragon age originsbin_shipdaupdatersvc.service.exe [11/5/2009 8:16 AM 25832]
S3 npggsvc;nProtect GameGuard Service;c:windowssystem32GameMon.des -service --> c:windowssystem32GameMon.des -service [?]
S4 sptd;sptd;c:windowssystem32driverssptd.sys [3/29/2009 10:27 AM 717296]
.
------- Supplementary Scan -------
.
IE: Download all with Free Download Manager - file://c:program filesFree Download Managerdlall.htm
IE: Download selected with Free Download Manager - file://c:program filesFree Download Managerdlselected.htm
IE: Download video with Free Download Manager - file://c:program filesFree Download Managerdlfvideo.htm
IE: Download with Free Download Manager - file://c:program filesFree Download Managerdllink.htm
IE: Translate this web page with Babylon - f:babylonUtilsBabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - f:babylonUtilsBabylonIEPI.dll/Action.htm
IE: {{F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://f:babylonUtilsBabylonIEPI.dll/ActionTU.htm
LSP: f:vmwarevsocklib.dll
FF - ProfilePath - c:documents and settingsHiag-The FluffheApplication DataMozillaFirefoxProfilesbk7zp9b0.default
FF - component: c:program filesAVGFirefoxcomponentsavgssff.dll
FF - component: c:program filesFree Download ManagerFirefoxExtensioncomponentsvmsfdmff.dll
FF - component: c:program filesMozilla Firefoxextensions{B13721C7-F507-4982-B2E5-502A71474FED}componentsNPComponent.dll
FF - plugin: c:program filesDownload Managernpfpdlm.dll
FF - plugin: c:program filesMozilla Firefoxpluginsnpdnupdater2.dll
FF - plugin: c:program filesMozilla FirefoxpluginsnpPandoWebInst.dll
FF - plugin: c:program filesUnityWebPlayerloadernpUnity3D32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PlayNC Launcher - (no file)
AddRemove-15b35190-c6f9-11d9-9669-0800200c9a66_is1 - e:dndouunins000.exe
AddRemove-Messiah - e:Uninst.isu
AddRemove-Plants vs. Zombies - e:plants vs. zombiesUninstall.exe
AddRemove-RYL2 - e:ryl2Uninstal.exe
AddRemove-{B47B025C-11F5-498A-8C90-0B487C78B58C}_is1 - e:rappelzunins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 21:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINESystemControlSet001Servicesnpggsvc]
"ImagePath"="c:windowssystem32GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERSS-1-5-21-823518204-616249376-839522115-1003SoftwareSecuROMLicense information*]
"datasecu"=hex:23,00,8d,7e,a6,b2,82,7d,73,11,5c,56,b2,55,71,86,4b,fa,ac,76,6f,
26,5b,c1,27,c4,06,84,f8,ed,84,b3,ce,22,c2,f0,74,45,ad,3a,ca,3e,4f,49,8a,80,
"rkeysecu"=hex:e6,0b,cf,9d,d3,83,e9,01,cc,63,28,ed,52,3a,aa,95
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3860)
c:windowssystem32WPDShServiceObj.dll
c:program filesMicrosoft Virtual PCVPCShExH.DLL
c:windowssystem32PortableDeviceTypes.dll
c:windowssystem32PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:program filesJavajre6binjqs.exe
f:moka5Enginebinm5authd.exe
c:windowsRTHDCPL.EXE
c:windowssystem32RUNDLL32.EXE
c:windowsSYSTEM32CTXFISPI.EXE
c:windowssystem32nvsvc32.exe
c:progra~1AVGavgrsx.exe
c:progra~1AVGavgnsx.exe
c:program filesAlcohol SoftAlcohol 52StarWindStarWindServiceAE.exe
c:windowssystem32vmnat.exe
c:windowssystem32vmnetdhcp.exe
c:windowssystem32wscntfy.exe
c:program filesSteelSeriesWorld of Warcraft MMO Gaming MouseWoWMTray.exe
.
**************************************************************************
.
Completion time: 2009-12-24 21:18:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-25 02:18

Pre-Run: 72,276,078,592 bytes free
Post-Run: 75,504,173,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 8229497CE07E6795D9574CDB5CAC6216

Merged 3 posts. ~ OB

Edited by Orange Blossom, 25 December 2009 - 03:03 AM.



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:55 AM

Posted 05 January 2010 - 06:58 PM

Hello,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me know so I can close this topic, if you still need help please let me know what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log
Thanks



#3 jmpnjackflash

jmpnjackflash
  • Topic Starter

  • Members
  • 4 posts
  • Local time:08:55 PM

Posted 07 January 2010 - 04:47 PM

Fixed the problem myself, thanks for the response though.

#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:55 AM

Posted 07 January 2010 - 05:19 PM

Thanks for letting us know :(

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





