
Infected with rootkit


17 replies to this topic

#1 isis1671 (Members, 11 posts)

Posted 18 February 2010 - 12:46 PM

Thank you in advance for your assistance with this issue. I was unable to add the DDS log; the error message states "application blocked by win/32".

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-18 11:57:19
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.PAR\LOCALS~1\Temp\awtdrpog.sys


---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] eofwnjyxu <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@DisplayName ojnuof
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@Description Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu\Parameters@ServiceDll C:\WINDOWS\system32\mlrstgqq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@DisplayName ojnuof
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@Description Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu\Parameters@ServiceDll C:\WINDOWS\system32\mlrstgqq.dll

---- EOF - GMER 1.0.15 ----
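The GMER log above shows the pattern a responder should recognise: a service (eofwnjyxu) that GMER marks as hidden from the service control manager, started by svchost.exe -k netsvcs as LocalSystem, whose ServiceDll is a random-named DLL in system32 and whose Description is the text Windows XP ships on its own Remote Registry service. The Python below is an added example, not part of the thread or of GMER; it parses GMER's Service and Reg lines and applies those checks mechanically. The DLL allowlist is a constructed, partial list of Microsoft service DLLs (a real triage would check the Authenticode signature instead), and the benign RemoteRegistry entry is constructed for contrast; GMER only prints hidden items, so it would not normally list it.

```python
import re
from collections import defaultdict

# Description text the GMER log shows on the hidden service. Windows XP ships
# exactly this text on its Remote Registry service (RemoteRegistry), so a
# second service carrying it verbatim under another name is a red flag.
REMOTE_REGISTRY_DESC = (
    "Enables remote users to modify registry settings on this computer. "
    "If this service is stopped, the registry can be modified only by users on "
    "this computer. If this service is disabled, any services that explicitly "
    "depend on it will fail to start."
)
BUILTIN_DESCRIPTIONS = {"RemoteRegistry": REMOTE_REGISTRY_DESC}

# Constructed, partial allowlist of Microsoft service DLLs hosted by svchost.exe
# on XP (names taken from the Sigcheck section later in the thread). This is an
# assumption for the demo; in practice verify the DLL's Authenticode signature.
SVCHOST_DLL_ALLOWLIST = {
    "appmgmts.dll", "browser.dll", "cryptsvc.dll", "es.dll", "netman.dll",
    "qmgr.dll", "regsvc.dll", "schedsvc.dll", "shsvcs.dll", "srsvc.dll",
    "ssdpsrv.dll", "tapisrv.dll", "termsrv.dll", "upnphost.dll", "xmlprov.dll",
}

# Constructed sample: the Services line and the CurrentControlSet lines from the
# first GMER log, plus a constructed benign RemoteRegistry entry for contrast.
GMER_SAMPLE = "\n".join([
    r"Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] eofwnjyxu <-- ROOTKIT !!!",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@DisplayName ojnuof",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@Type 32",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@Start 2",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@ObjectName LocalSystem",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@Description " + REMOTE_REGISTRY_DESC,
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu\Parameters",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu\Parameters@ServiceDll C:\WINDOWS\system32\mlrstgqq.dll",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry@DisplayName Remote Registry",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry@ImagePath %SystemRoot%\system32\svchost.exe -k LocalService",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry@Description " + REMOTE_REGISTRY_DESC,
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters@ServiceDll %SystemRoot%\system32\regsvc.dll",
])

# "Service <image> (<flags>) [<start>] <name> ..." as printed in GMER's Services section.
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
# "Reg <key>@<value> <data>" as printed in GMER's Registry section; value/data are optional.
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$")
SERVICE_NAME_RE = re.compile(r"\\Services\\([^\\@]+)")


def parse_gmer(text):
    """Group GMER Service/Reg lines into {service_name: {value_name: data}}."""
    services = defaultdict(dict)
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services[m["name"]]["_hidden"] = "hidden" in m["flags"]
            continue
        m = REG_RE.match(line)
        if not m:
            continue
        n = SERVICE_NAME_RE.search(m["key"])
        if n and m["value"]:
            services[n.group(1)][m["value"]] = (m["data"] or "").strip()
    return dict(services)


def triage(services):
    """Return {service_name: [reasons]} for services that look planted."""
    findings = {}
    for name, values in services.items():
        reasons = []
        if values.get("_hidden"):
            reasons.append("hidden from the service control manager (GMER '*** hidden ***')")
        image = values.get("ImagePath", "")
        dll = values.get("ServiceDll", "")
        if "svchost.exe" in image.lower() and dll:
            group = re.search(r"-k\s+(\S+)", image)
            base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base not in SVCHOST_DLL_ALLOWLIST:
                reasons.append(f"svchost group {group.group(1) if group else '?'} "
                               f"loads unrecognised ServiceDll {base}")
        desc = values.get("Description", "")
        for builtin, text in BUILTIN_DESCRIPTIONS.items():
            if desc == text and name.lower() != builtin.lower():
                reasons.append(f"Description copied verbatim from built-in service {builtin}")
        display = values.get("DisplayName", "")
        if display and display.isalpha() and display.islower():
            reasons.append(f"DisplayName {display!r} is a bare lowercase token, not a product name")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, why in triage(parse_gmer(GMER_SAMPLE)).items():
        print(svc)
        for r in why:
            print("  -", r)
```

Running it lists eofwnjyxu with all four reasons and nothing for the RemoteRegistry control. The checks are deliberately independent: a rootkit that stops hiding the service key would still trip the DLL, description and display-name rules, and the ControlSet002 copy in the log shows the same values, so a scan of the non-active control set would not add anything here.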






#2 fenzodahl512 (Members, 6,738 posts)

Posted 19 February 2010 - 11:52 AM

Please download The Avenger by Swandog46 and unzip it to your Desktop.


Please open The Avenger. Then, please copy/paste the script inside the codebox into the "Input script here:" box.

CODE
Begin copying here:
Drivers to disable:
eofwnjyxu

Drivers to delete:
eofwnjyxu

Files to delete:
C:\WINDOWS\system32\mlrstgqq.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt.

The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.


Then run GMER once again and post the log here

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 isis1671 (Topic Starter; Members, 11 posts)

Posted 19 February 2010 - 12:18 PM

Thank you so much for your help. As per your instructions I downloaded Avenger and everything worked as you said, until the restart: when it restarted, no black window showed up and there was no C:\avenger.txt. Should I run GMER again? What do you suggest I do? Again, thank you so much for taking the time.

#4 fenzodahl512 (Members, 6,738 posts)

Posted 19 February 2010 - 12:24 PM

Reboot the computer once again (you have to reboot the computer twice) and then run GMER once again. Post the log here.



#5 isis1671 (Topic Starter; Members, 11 posts)

Posted 19 February 2010 - 03:19 PM

Sorry for the delay; I had to run GMER twice since my computer shut down. Thank you again for your help. Here is the GMER log. Please advise.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-19 15:08:32
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.PAR\LOCALS~1\Temp\awtdrpog.sys


---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] eofwnjyxu <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@DisplayName ojnuof
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu@Description Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\eofwnjyxu\Parameters@ServiceDll C:\WINDOWS\system32\mlrstgqq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@DisplayName ojnuof
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu@Description Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\eofwnjyxu\Parameters@ServiceDll C:\WINDOWS\system32\mlrstgqq.dll

---- EOF - GMER 1.0.15 ----


#6 fenzodahl512 (Members, 6,738 posts)

Posted 19 February 2010 - 09:02 PM


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix.

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.



#7 isis1671 (Topic Starter; Members, 11 posts)

Posted 23 February 2010 - 12:02 PM

Thank you.. will do as you say right now!

#8 isis1671 (Topic Starter; Members, 11 posts)

Posted 23 February 2010 - 12:34 PM

This is the log. Please advise. Thank you again.

ComboFix 10-02-22.07 - Administrator 02/23/2010 12:10:37.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.250 [GMT -5:00]
Running from: c:\documents and settings\administrator.PARAMOUNT\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log

.
((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-19 16:51 . 2010-02-19 16:58 0 ----a-w- C:\backup.reg
2010-02-18 15:50 . 2010-02-18 15:50 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\Microsoft Help
2010-02-16 20:37 . 2009-08-07 00:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-02-16 20:32 . 2010-02-16 20:32 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\AOL Toolbar
2010-02-16 20:08 . 2010-02-16 20:08 -------- d-----w- c:\program files\AOL Toolbar
2010-02-16 20:08 . 2010-02-16 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Toolbar
2010-02-16 20:08 . 2010-02-16 20:08 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-02-16 20:05 . 2010-02-16 20:15 -------- d-----w- c:\program files\AOL 9.5
2010-02-16 18:19 . 2010-02-16 18:19 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Application Data\Panda Security
2010-02-08 19:21 . 2010-02-08 19:44 -------- d-----w- c:\windows\SxsCaPendDel
2010-02-08 19:06 . 2010-02-08 19:06 -------- d-----w- c:\windows\system32\syncdb
2010-02-08 17:29 . 2010-02-08 17:29 69600 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-08 17:26 . 2010-02-08 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-02-08 17:10 . 2010-02-08 17:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-08 17:06 . 2010-02-08 17:06 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-08 17:06 . 2010-02-08 17:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-02-08 17:01 . 2010-02-08 17:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2010-02-08 17:01 . 2010-02-08 17:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2010-02-08 16:57 . 2010-02-08 16:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-05 21:27 . 2010-02-16 18:12 69600 ----a-w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-05 20:45 . 2010-02-05 20:45 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\Mozilla
2010-02-05 20:31 . 2010-02-16 20:14 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Application Data\AOL
2010-02-05 20:31 . 2010-02-05 20:32 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\AOL
2010-02-05 18:31 . 2010-02-05 18:31 -------- d-----w- c:\program files\Alwil Software
2010-02-05 18:31 . 2010-02-05 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-05 18:07 . 2010-02-05 18:07 -------- d-----w- c:\documents and settings\ivonnee\Local Settings\Application Data\Mozilla
2010-02-05 18:07 . 2010-02-05 18:07 -------- d-sh--w- c:\documents and settings\ivonnee\IECompatCache
2010-02-05 18:06 . 2010-02-05 18:06 -------- d-sh--w- c:\documents and settings\ivonnee\PrivacIE
2010-02-05 18:06 . 2010-02-05 18:06 -------- d-----w- c:\documents and settings\ivonnee\Local Settings\Application Data\Google
2010-02-05 18:04 . 2010-02-05 18:04 -------- d-sh--w- c:\documents and settings\administrator.PARAMOUNT\IECompatCache
2010-02-05 18:03 . 2010-02-05 18:03 -------- d-sh--w- c:\documents and settings\administrator.PARAMOUNT\PrivacIE
2010-02-05 18:03 . 2010-02-05 20:46 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\Google
2010-02-05 17:46 . 2010-01-14 18:17 -------- d-----w- c:\documents and settings\ivonnee\Local Settings\Application Data\Adobe
2010-02-05 17:41 . 2010-02-05 17:41 -------- d-----w- c:\windows\SchCache
2010-02-05 17:39 . 2010-02-05 17:39 -------- d-sh--w- c:\documents and settings\administrator.PARAMOUNT\IETldCache
2010-02-02 18:41 . 2010-02-02 18:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-02 17:39 . 2010-02-02 17:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-01 20:34 . 2010-02-01 20:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-01 17:31 . 2010-02-01 17:32 -------- d-----w- c:\documents and settings\Office use\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 17:08 . 2010-02-23 17:08 2 ----a-w- c:\windows\RAVTC.TMP
2010-02-19 16:58 . 2010-02-19 16:58 272 ----a-w- c:\program files\tbvagtys.txt
2010-02-16 20:08 . 2009-12-29 16:37 -------- d-----w- c:\program files\Common Files\aol
2010-02-16 20:05 . 2009-12-29 16:37 -------- d-----w- c:\program files\Common Files\aolshare
2010-02-16 20:05 . 2009-12-29 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-02-08 19:10 . 2010-01-11 20:54 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-02 17:39 . 2009-12-28 23:03 -------- d-----w- c:\program files\Google
2010-01-20 18:23 . 2010-01-13 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-15 21:46 . 2010-01-15 21:46 -------- d-----w- c:\program files\Trend Micro
2010-01-15 20:28 . 2010-01-15 18:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-15 20:25 . 2010-01-15 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-01-15 19:47 . 2010-01-15 19:43 720 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-15 19:30 . 2010-01-15 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-01-15 19:29 . 2010-01-15 19:29 -------- d-----w- c:\program files\Common Files\iS3
2010-01-15 19:00 . 2010-01-15 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-14 22:00 . 2010-01-13 18:21 -------- d-----w- c:\program files\Microsoft Small Business
2010-01-14 18:26 . 2010-01-14 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-14 18:09 . 2010-01-11 21:01 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-14 18:03 . 2010-01-14 18:03 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-13 20:01 . 2010-01-13 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-13 18:21 . 2010-01-13 18:16 -------- d-----w- c:\program files\Microsoft.NET
2010-01-13 18:19 . 2010-01-13 18:11 -------- d-----w- c:\program files\Microsoft SQL Server
2010-01-13 18:13 . 2010-01-13 18:13 -------- d-----w- c:\program files\MSXML 6.0
2010-01-13 17:47 . 2010-01-13 17:47 -------- d-----w- c:\program files\Microsoft Works
2010-01-12 17:34 . 2010-01-12 17:34 -------- d-----w- c:\documents and settings\Office use\Application Data\Panda Security
2010-01-11 21:11 . 2010-01-11 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-11 21:10 . 2010-01-11 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\espionServerData
2010-01-11 21:01 . 2010-01-13 20:44 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-11 21:00 . 2010-01-11 21:00 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-01-04 22:04 . 2010-01-04 22:03 -------- d-----w- c:\program files\Common Files\Real
2010-01-04 22:04 . 2010-01-04 22:04 -------- d-----w- c:\program files\Common Files\xing shared
2010-01-04 22:03 . 2010-01-04 22:03 -------- d-----w- c:\program files\Real
2010-01-04 14:50 . 2010-01-04 14:50 -------- d-----w- c:\documents and settings\Office use\Application Data\AOL
2009-12-30 17:10 . 2009-12-30 17:10 5058 ----a-w- c:\windows\Help\hhcolreg.dat
2009-12-30 17:02 . 2009-12-28 22:08 -------- d-----w- c:\program files\microsoft frontpage
2009-12-29 21:49 . 2009-12-29 21:49 -------- d-----w- c:\program files\CCleaner
2009-12-29 16:38 . 2009-12-29 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-29 16:38 . 2009-12-29 16:38 -------- d-----w- c:\program files\Viewpoint
2009-12-29 16:37 . 2009-12-29 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-12-29 16:36 . 2009-12-29 16:31 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2009-12-29 16:31 . 2009-12-29 16:31 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
2009-12-29 16:31 . 2009-12-29 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-12-29 16:31 . 2009-12-29 16:31 335 ----a-w- c:\windows\nsreg.dat
2009-12-28 23:23 . 2009-12-28 22:06 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-28 22:57 . 2009-12-28 22:57 -------- d-----w- c:\program files\Panda Security
2009-12-28 22:03 . 2009-12-28 22:03 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2004-08-04 12:00 . 2004-08-04 12:00 167403 --sha-r- c:\windows\system32\mlrstgqq.dll
.

------- Sigcheck -------

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys

[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\asyncmac.sys
[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\drivers\asyncmac.sys

[-] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys
[-] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\drivers\kbdclass.sys

[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys

[-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ntfs.sys
[-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ntfs.sys

[-] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\dllcache\null.sys
[-] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\system32\browser.dll
[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\browser.dll

[-] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\system32\lsass.exe
[-] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\lsass.exe

[-] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\system32\netman.dll
[-] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\netman.dll

[-] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\system32\qmgr.dll
[-] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\system32\dllcache\qmgr.dll

[-] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\system32\rpcss.dll
[-] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\rpcss.dll

[-] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\system32\services.exe
[-] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\services.exe

[-] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\system32\spoolsv.exe
[-] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\spoolsv.exe

[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\winlogon.exe

[-] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll

[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\system32\cryptsvc.dll
[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\cryptsvc.dll

[-] 2004-08-04 12:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\system32\es.dll
[-] 2004-08-04 12:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\system32\dllcache\es.dll

[-] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\system32\imm32.dll
[-] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\imm32.dll

[-] 2004-08-04 . 888190E31455FAD793312F8D087146EB . 983552 . . [5.1.2600.2180] . . c:\windows\system32\kernel32.dll
[-] 2004-08-04 . 888190E31455FAD793312F8D087146EB . 983552 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\kernel32.dll

[-] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\system32\linkinfo.dll
[-] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\linkinfo.dll

[-] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\system32\lpk.dll
[-] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\lpk.dll

[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2004-08-04 . 376E0843B2356CA91CEC8D9837A56FF7 . 3003392 . . [6.00.2900.2180] . . c:\windows\ie8\mshtml.dll

[-] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\system32\msvcrt.dll
[-] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\system32\dllcache\msvcrt.dll

[-] 2004-08-04 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\system32\mswsock.dll
[-] 2004-08-04 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\mswsock.dll

[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\system32\netlogon.dll
[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\netlogon.dll

[-] 2004-08-04 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . c:\windows\system32\ntoskrnl.exe

[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\system32\powrprof.dll
[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\powrprof.dll

[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\system32\scecli.dll
[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\scecli.dll

[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\system32\sfc.dll
[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\sfc.dll

[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\svchost.exe
[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\svchost.exe

[-] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\system32\tapisrv.dll
[-] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tapisrv.dll

[-] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
[-] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\user32.dll

[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\userinit.exe

[-] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\system32\wininet.dll
[-] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\wininet.dll
[-] 2004-08-04 . C0823FC5469663BA63E7DB88F9919D70 . 656384 . . [6.00.2900.2180] . . c:\windows\ie8\wininet.dll

[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ws2_32.dll

[-] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe
[-] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe

[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\system32\srsvc.dll
[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\srsvc.dll

[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\wscntfy.exe

[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\xmlprov.dll

[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\eventlog.dll
[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\eventlog.dll

[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\sfcfiles.dll

[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe
[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe

[-] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\system32\shsvcs.dll
[-] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\shsvcs.dll

[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\system32\regsvc.dll
[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\regsvc.dll

[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\system32\schedsvc.dll
[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\schedsvc.dll

[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\system32\ssdpsrv.dll
[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ssdpsrv.dll

[-] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\system32\termsrv.dll
[-] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\termsrv.dll

[-] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\appmgmts.dll
[-] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\appmgmts.dll

[-] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2004-08-03 22:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\system32\drivers\aec.sys

[-] 2004-08-03 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\system32\drivers\AGP440.SYS

[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ip6fw.sys

[-] 2004-08-04 12:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\system32\mfc40u.dll
[-] 2004-08-04 12:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\system32\dllcache\mfc40u.dll

[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\system32\msgsvc.dll
[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\msgsvc.dll

[-] 2004-08-04 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
[-] 2004-08-04 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\system32\dllcache\mspmsnsv.dll

[-] 2004-08-04 . 947FB1D86D14AFCFFDB54BF837EC25D0 . 2056832 . . [5.1.2600.2180] . . c:\windows\system32\ntkrnlpa.exe

[-] 2004-08-04 12:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\system32\ntmssvc.dll
[-] 2004-08-04 12:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\system32\dllcache\ntmssvc.dll

[-] 2004-08-04 . 0546477BDE979E33294FE97F6B3DE84A . 185344 . . [5.1.2600.2180] . . c:\windows\system32\upnphost.dll
[-] 2004-08-04 . 0546477BDE979E33294FE97F6B3DE84A . 185344 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\upnphost.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\progra~1\AOL9~1.5\AOL.EXE" [2009-10-28 50536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1262104663\ee\AOLSoftware.exe" [2009-07-20 41264]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2009-10-28 14:38 50536 ----a-w- c:\program files\AOL 9.5\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2009-07-20 19:52 41264 ----a-w- c:\program files\Common Files\aol\1262104663\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-04 22:02 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-01-04 22:03 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1262104663\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6036:TCP"= 6036:TCP:zknelu

S0 jnpr;jnpr;c:\windows\system32\drivers\etrmii.sys --> c:\windows\system32\drivers\etrmii.sys [?]
S0 mfypc;mfypc;c:\windows\system32\drivers\xwgeolxd.sys --> c:\windows\system32\drivers\xwgeolxd.sys [?]
S2 eofwnjyxu;ojnuof;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 12:39 PM 135664]

--- Other Services/Drivers In Memory ---

*Deregistered* - PSINAflt
*Deregistered* - PSINKNC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eofwnjyxu
.
Contents of the 'Scheduled Tasks' folder

2010-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 17:39]

2010-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 17:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
mStart Page = www.google.com
FF - ProfilePath - c:\documents and settings\administrator.PARAMOUNT\Application Data\Mozilla\Firefox\Profiles\6671qv26.default\
FF - prefs.js: browser.startup.homepage - www.avast.com
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 12:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eofwnjyxu]
"ServiceDll"="c:\windows\system32\mlrstgqq.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3182937187-2695636491-695382805-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,0a,24,56,0a,11,45,44,94,00,3c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,0a,24,56,0a,11,45,44,94,00,3c,\
.
Completion time: 2010-02-23 12:22:25
ComboFix-quarantined-files.txt 2010-02-23 17:22

Pre-Run: 225,880,809,472 bytes free
Post-Run: 226,119,458,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 618D32C7247B5104AFCEA16C08CEB443
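The indicators in the log above hang together: a service (eofwnjyxu) hosted by svchost.exe in the netsvcs group with a ServiceDll of mlrstgqq.dll, the same name added to the Svchost\NetSvcs group list, two driver entries (jnpr, mfypc) whose .sys files ComboFix could not find on disk (the `--> <path> [?]` marker), and a firewall exception opening 6036:TCP under a random label. The script below is an added example, not ComboFix's code and not part of this thread; it pulls exactly those indicators out of ComboFix-style lines. The sample lines are copied from the log, plus two constructed benign controls (a 3389:TCP entry with the resource-string label Windows itself writes, and wuauserv). The KNOWN_NETSVCS allowlist is my assumption and should be regenerated from a known-clean XP SP2 machine before real use.

```python
"""Triage the service, firewall and NetSvcs lines of a ComboFix log."""
import re

# Assumption: trimmed allowlist of the services Microsoft ships in the XP SP2
# "netsvcs" svchost group. Regenerate it from a known-clean machine before use.
KNOWN_NETSVCS = {name.lower() for name in (
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "EventSystem",
    "HidServ", "Ias", "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation",
    "Messenger", "Netman", "Nla", "Ntmssvc", "NWCWorkstation", "Nwsapagent",
    "Rasauto", "Rasman", "Remoteaccess", "Schedule", "Seclogon", "SENS",
    "Sharedaccess", "SRService", "Tapisrv", "Themes", "TrkWks", "W32Time",
    "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS",
    "wuauserv", "ShellHWDetection", "helpsvc", "uploadmgr", "ERSvc",
    "FastUserSwitchingCompatibility",
)}

# "S2 name;display name;image path [date size]" is ComboFix's one-line service format
SERVICE_RE = re.compile(r"^([SR][0-4]) ([^;]+);([^;]*);(.*)$")
# ComboFix appends "--> <path> [?]" when the driver's image is not found on disk
GHOST_RE = re.compile(r"--> (.+?) \[\?\]$")
SVCHOST_RE = re.compile(r"svchost\.exe -k (\w+)", re.IGNORECASE)
SERVICES_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]\\]+)\]$", re.IGNORECASE)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.IGNORECASE)
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(.*)$')

# Lines copied from the log above; the 3389:TCP and wuauserv lines are constructed
# benign controls (3389 carries the "@xpsp2res.dll,..." label Windows writes itself).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6036:TCP"= 6036:TCP:zknelu
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

S0 jnpr;jnpr;c:\windows\system32\drivers\etrmii.sys --> c:\windows\system32\drivers\etrmii.sys [?]
S0 mfypc;mfypc;c:\windows\system32\drivers\xwgeolxd.sys --> c:\windows\system32\drivers\xwgeolxd.sys [?]
S2 eofwnjyxu;ojnuof;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 12:39 PM 135664]
S2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eofwnjyxu
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eofwnjyxu]
"ServiceDll"="c:\windows\system32\mlrstgqq.dll"
"""


def triage(log_text):
    """Return a sorted list of (kind, name, detail) findings from ComboFix log text."""
    lines = [line.rstrip() for line in log_text.splitlines()]
    service_dlls, group_members, key = {}, [], None
    # Pass 1: ServiceDll values and the names appended to the NetSvcs group list
    for i, line in enumerate(lines):
        m = SERVICES_KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = SERVICEDLL_RE.match(line)
        if m and key:
            service_dlls[key] = m.group(1)
        if line.endswith("\\Svchost - NetSvcs"):
            for member in lines[i + 1:]:
                if member.strip() in ("", "."):
                    break
                group_members.append(member.strip())
    findings = set()
    # Pass 2: service/driver lines and globally open firewall ports
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, image = m.groups()
            ghost = GHOST_RE.search(image)
            if ghost:
                findings.add(("ghost_driver", name, ghost.group(1)))
                continue
            host = SVCHOST_RE.search(image)
            if host and host.group(1).lower() == "netsvcs" and name.lower() not in KNOWN_NETSVCS:
                findings.add(("unknown_netsvc", name,
                              service_dlls.get(name.lower(), "ServiceDll not in log")))
            continue
        m = OPEN_PORT_RE.match(line)
        if m:
            port, proto, value = m.groups()
            label = value.split(":")[-1]          # last field is the rule's display name
            if not label.startswith("@"):         # "@dll,-id" labels are Windows' own rules
                findings.add(("open_port", f"{port}:{proto}", label))
    for member in group_members:
        if member.lower() not in KNOWN_NETSVCS:
            findings.add(("netsvcs_group_added", member, "listed under Svchost\\NetSvcs"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {name:12} {detail}")
```

Run against the sample it reports the two ghost drivers, the unknown netsvcs service with its ServiceDll, the NetSvcs group addition and the 6036:TCP exception, and stays quiet on gupdate, wuauserv and the 3389 rule. A ghost driver entry with no file on disk is exactly what a rootkit that hides its own image looks like from a user-mode scan, so "file not found" is a finding, not a reason to ignore the entry.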

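The Sigcheck block in the log above lists the live system file and its dllcache copy side by side, each with an MD5. As I read ComboFix's marker, the [-] on every line (cache copies included) only says the signature could not be verified on any of them, so the flag alone separates nothing; the useful comparison is the live file against its Windows File Protection copy. The script below is an added example, not part of the log or of ComboFix. The sample entries are copied from the log, plus one constructed disk.sys pair with differing (fake) hashes to show what a patched live file would look like.

```python
"""Pair each ComboFix Sigcheck entry with its dllcache copy and compare hashes."""
import re
from collections import defaultdict

# "[flag] date[ time] . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\] (?P<date>\S+)(?: \d{2}:\d{2})? \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<ver>[^\]]*)\] \. \. (?P<path>.+)$")

# Entries copied from the log; the two disk.sys lines are constructed with fake
# hashes to show a live/cache mismatch.
SAMPLE_SIGCHECK = r"""
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys

[-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ntfs.sys
[-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ntfs.sys

[-] 2004-08-04 12:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\system32\mfc40u.dll
[-] 2004-08-04 12:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\system32\dllcache\mfc40u.dll

[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2004-08-04 . 376E0843B2356CA91CEC8D9837A56FF7 . 3003392 . . [6.00.2900.2180] . . c:\windows\ie8\mshtml.dll

[-] 2004-08-04 . 00112233445566778899AABBCCDDEEFF . 36352 . . [5.1.2600.2180] . . c:\windows\system32\drivers\disk.sys
[-] 2004-08-04 . FFEEDDCCBBAA99887766554433221100 . 36352 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\disk.sys
"""


def classify(path):
    """Which copy of a system file this Sigcheck line describes."""
    p = path.lower()
    if "\\dllcache\\" in p:
        return "cache"        # Windows File Protection's reference copy
    if "\\ie8\\" in p:
        return "ie_backup"    # pre-IE8 original kept by the IE8 installer; differs by design
    return "live"


def compare_sigcheck(text):
    """Map file name -> verdict by comparing the live copy with its dllcache copy."""
    copies = defaultdict(dict)
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        name = m["path"].lower().rsplit("\\", 1)[-1]
        copies[name][classify(m["path"])] = (m["md5"].upper(), int(m["size"]), m["ver"])
    verdicts = {}
    for name, c in copies.items():
        live, cache = c.get("live"), c.get("cache")
        if live is None:
            verdicts[name] = "cache_only"
        elif cache is None:
            verdicts[name] = "no_cache_copy"    # nothing local to compare; hash against install media
        elif live == cache:
            verdicts[name] = "match"
        elif live[2] != cache[2]:
            verdicts[name] = "version_differs"  # e.g. a hotfix updated only the live file
        else:
            verdicts[name] = "MISMATCH"         # same version string, different bytes: inspect it
    return verdicts


def needs_attention(verdicts):
    """Files to look at by hand: patched-looking ones and ones with no reference copy."""
    return sorted(n for n, v in verdicts.items() if v in ("MISMATCH", "no_cache_copy"))


if __name__ == "__main__":
    for name, verdict in sorted(compare_sigcheck(SAMPLE_SIGCHECK).items()):
        print(f"{name:14} {verdict}")
```

Two caveats apply to any "match" verdict. A kernel rootkit that filters disk reads of its host file can hand the scanner the clean bytes, so identical hashes prove only that the scanner saw the same thing twice; and a file with no dllcache entry (atapi.sys here) has to be checked against a copy from the SP2 media or a clean machine, not waved through.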

#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 24 February 2010 - 07:55 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
KillAll::

NetSvc::
eofwnjyxu

Driver::
jnpr
mfypc
eofwnjyxu

Collect::
c:\windows\system32\drivers\etrmii.sys
c:\windows\system32\drivers\xwgeolxd.sys
C:\WINDOWS\system32\mlrstgqq.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6036:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eofwnjyxu]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.

Note:
If Combofix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

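The script above says what ComboFix should remove; whether it did is only visible in the log ComboFix writes afterwards, and not every directive is echoed there. As an added example (my code, not ComboFix's and not part of this thread's posts), the following reconciles the posted CFScript against a post-run log excerpt in the shape of the follow-up log later in this thread: `-------\Service_<name>` and `-------\Legacy_<NAME>` under "Drivers/Services" for the service key and its Enum\Root LEGACY_ device key, `file zipped:` for Collect:: targets, and bare paths under "Other Deletions". The section names and markers are taken from those logs; the parsing and the verdict strings are this example's own.

```python
"""Reconcile a ComboFix CFScript against the log ComboFix produces after running it."""
import re

# The CFScript posted above, verbatim
CFSCRIPT = r"""
KillAll::

NetSvc::
eofwnjyxu

Driver::
jnpr
mfypc
eofwnjyxu

Collect::
c:\windows\system32\drivers\etrmii.sys
c:\windows\system32\drivers\xwgeolxd.sys
C:\WINDOWS\system32\mlrstgqq.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6036:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eofwnjyxu]
"""

# Excerpt in the shape of the follow-up ComboFix log in this thread
POSTRUN_LOG = r"""
file zipped: c:\windows\system32\mlrstgqq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mlrstgqq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EOFWNJYXU
-------\Service_eofwnjyxu
-------\Service_jnpr
-------\Service_mfypc
"""

SECTION_RE = re.compile(r"^\(+ (.+?) \)+$")   # "((((( Other Deletions )))))"


def parse_cfscript(text):
    """Map each 'Name::' directive to the lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_postrun_log(text):
    """Collect what ComboFix reports it zipped, deleted and unregistered."""
    result = {"zipped": set(), "deleted": set(), "services": set(), "legacy": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("file zipped:"):
            result["zipped"].add(line.split(":", 1)[1].strip().lower())
        elif line.startswith("-------\\Service_"):
            result["services"].add(line[len("-------\\Service_"):].lower())
        elif line.startswith("-------\\Legacy_"):
            result["legacy"].add(line[len("-------\\Legacy_"):].lower())
        elif section == "Other Deletions" and re.match(r"^[a-z]:\\", line, re.IGNORECASE):
            result["deleted"].add(line.lower())
    return result


def reconcile(script, results):
    """Verdict per script target; 'unverified' means the log cannot confirm it."""
    report = {}
    for name in script.get("Driver", []):
        report[("Driver", name)] = "removed" if name.lower() in results["services"] else "not confirmed"
    for path in script.get("Collect", []):
        p = path.lower()
        if p in results["zipped"]:
            report[("Collect", path)] = "collected"
        elif p in results["deleted"]:
            report[("Collect", path)] = "deleted, not zipped"
        else:
            report[("Collect", path)] = "not found"   # no file on disk to collect
    for name in script.get("NetSvc", []):
        # NetSvc:: edits are not echoed; check the new log's "Svchost - NetSvcs" list instead
        report[("NetSvc", name)] = "unverified"
    for line in script.get("Registry", []):
        if line.startswith("[-"):                      # key deletions are not echoed either
            report[("Registry", line)] = "unverified"
    return report


if __name__ == "__main__":
    for (kind, target), verdict in reconcile(parse_cfscript(CFSCRIPT),
                                             parse_postrun_log(POSTRUN_LOG)).items():
        print(f"{kind:9} {verdict:20} {target}")
```

On this thread's logs the reconciliation shows all three services gone and mlrstgqq.dll zipped for submission, while the two .sys files under Collect:: come back "not found": consistent with the earlier log, which already marked them `[?]`, so there was nothing on disk to collect and the service keys were the only trace. The NetSvc:: and Registry:: items stay "unverified" until the next log's NetSvcs list and firewall section are read.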

#10 isis1671

isis1671
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:51 PM

Posted 01 March 2010 - 12:09 PM

Thank you, I will do per your instructions.

#11 isis1671

isis1671
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:51 PM

Posted 01 March 2010 - 12:30 PM

ComboFix and HijackThis log. Thank you so much.

ComboFix 10-02-22.07 - Administrator 03/01/2010 12:08:54.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.213 [GMT -5:00]
Running from: c:\documents and settings\administrator.PARAMOUNT\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\administrator.PARAMOUNT\Desktop\CFScript.txt

file zipped: c:\windows\system32\mlrstgqq.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mlrstgqq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EOFWNJYXU
-------\Service_eofwnjyxu
-------\Service_jnpr
-------\Service_mfypc


((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-02-25 10:44 . 2010-02-25 10:44 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\Temp
2010-02-19 16:51 . 2010-02-19 16:58 0 ----a-w- C:\backup.reg
2010-02-18 15:50 . 2010-02-18 15:50 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\Microsoft Help
2010-02-16 20:37 . 2009-08-07 00:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-02-16 20:32 . 2010-02-16 20:32 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\AOL Toolbar
2010-02-16 20:08 . 2010-02-16 20:08 -------- d-----w- c:\program files\AOL Toolbar
2010-02-16 20:08 . 2010-02-16 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Toolbar
2010-02-16 20:08 . 2010-02-16 20:08 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-02-16 20:05 . 2010-02-16 20:15 -------- d-----w- c:\program files\AOL 9.5
2010-02-16 18:19 . 2010-02-16 18:19 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Application Data\Panda Security
2010-02-08 19:21 . 2010-02-08 19:44 -------- d-----w- c:\windows\SxsCaPendDel
2010-02-08 19:06 . 2010-02-08 19:06 -------- d-----w- c:\windows\system32\syncdb
2010-02-08 17:29 . 2010-02-08 17:29 69600 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-08 17:26 . 2010-02-08 18:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-02-08 17:10 . 2010-02-08 17:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-02-08 17:06 . 2010-02-08 17:06 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-08 17:06 . 2010-02-08 17:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-02-08 17:01 . 2010-02-08 17:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2010-02-08 17:01 . 2010-02-08 17:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2010-02-08 16:57 . 2010-02-08 16:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-05 21:27 . 2010-02-16 18:12 69600 ----a-w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-05 20:45 . 2010-02-05 20:45 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\Mozilla
2010-02-05 20:31 . 2010-02-16 20:14 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Application Data\AOL
2010-02-05 20:31 . 2010-02-05 20:32 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\AOL
2010-02-05 18:31 . 2010-02-05 18:31 -------- d-----w- c:\program files\Alwil Software
2010-02-05 18:31 . 2010-02-05 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-05 18:07 . 2010-02-05 18:07 -------- d-----w- c:\documents and settings\ivonnee\Local Settings\Application Data\Mozilla
2010-02-05 18:07 . 2010-02-05 18:07 -------- d-sh--w- c:\documents and settings\ivonnee\IECompatCache
2010-02-05 18:06 . 2010-02-05 18:06 -------- d-sh--w- c:\documents and settings\ivonnee\PrivacIE
2010-02-05 18:06 . 2010-02-05 18:06 -------- d-----w- c:\documents and settings\ivonnee\Local Settings\Application Data\Google
2010-02-05 18:04 . 2010-02-05 18:04 -------- d-sh--w- c:\documents and settings\administrator.PARAMOUNT\IECompatCache
2010-02-05 18:03 . 2010-02-05 18:03 -------- d-sh--w- c:\documents and settings\administrator.PARAMOUNT\PrivacIE
2010-02-05 18:03 . 2010-02-05 20:46 -------- d-----w- c:\documents and settings\administrator.PARAMOUNT\Local Settings\Application Data\Google
2010-02-05 17:46 . 2010-01-14 18:17 -------- d-----w- c:\documents and settings\ivonnee\Local Settings\Application Data\Adobe
2010-02-05 17:41 . 2010-02-05 17:41 -------- d-----w- c:\windows\SchCache
2010-02-05 17:39 . 2010-02-05 17:39 -------- d-sh--w- c:\documents and settings\administrator.PARAMOUNT\IETldCache
2010-02-02 18:41 . 2010-02-02 18:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-02 17:39 . 2010-02-02 17:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-01 20:34 . 2010-02-01 20:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-01 17:31 . 2010-02-01 17:32 -------- d-----w- c:\documents and settings\Office use\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 16:58 . 2010-02-19 16:58 272 ----a-w- c:\program files\tbvagtys.txt
2010-02-16 20:08 . 2009-12-29 16:37 -------- d-----w- c:\program files\Common Files\aol
2010-02-16 20:05 . 2009-12-29 16:37 -------- d-----w- c:\program files\Common Files\aolshare
2010-02-16 20:05 . 2009-12-29 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-02-08 19:10 . 2010-01-11 20:54 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-02 17:39 . 2009-12-28 23:03 -------- d-----w- c:\program files\Google
2010-01-20 18:23 . 2010-01-13 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-15 21:46 . 2010-01-15 21:46 -------- d-----w- c:\program files\Trend Micro
2010-01-15 20:28 . 2010-01-15 18:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-15 20:25 . 2010-01-15 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-01-15 19:47 . 2010-01-15 19:43 720 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-01-15 19:30 . 2010-01-15 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-01-15 19:29 . 2010-01-15 19:29 -------- d-----w- c:\program files\Common Files\iS3
2010-01-15 19:00 . 2010-01-15 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-14 22:00 . 2010-01-13 18:21 -------- d-----w- c:\program files\Microsoft Small Business
2010-01-14 18:26 . 2010-01-14 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-14 18:09 . 2010-01-11 21:01 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-14 18:03 . 2010-01-14 18:03 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-13 20:01 . 2010-01-13 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-13 18:21 . 2010-01-13 18:16 -------- d-----w- c:\program files\Microsoft.NET
2010-01-13 18:19 . 2010-01-13 18:11 -------- d-----w- c:\program files\Microsoft SQL Server
2010-01-13 18:13 . 2010-01-13 18:13 -------- d-----w- c:\program files\MSXML 6.0
2010-01-13 17:47 . 2010-01-13 17:47 -------- d-----w- c:\program files\Microsoft Works
2010-01-12 17:34 . 2010-01-12 17:34 -------- d-----w- c:\documents and settings\Office use\Application Data\Panda Security
2010-01-11 21:11 . 2010-01-11 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-11 21:10 . 2010-01-11 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\espionServerData
2010-01-11 21:01 . 2010-01-13 20:44 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-11 21:00 . 2010-01-11 21:00 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-01-04 22:04 . 2010-01-04 22:03 -------- d-----w- c:\program files\Common Files\Real
2010-01-04 22:04 . 2010-01-04 22:04 -------- d-----w- c:\program files\Common Files\xing shared
2010-01-04 22:03 . 2010-01-04 22:03 -------- d-----w- c:\program files\Real
2010-01-04 14:50 . 2010-01-04 14:50 -------- d-----w- c:\documents and settings\Office use\Application Data\AOL
2009-12-30 17:10 . 2009-12-30 17:10 5058 ----a-w- c:\windows\Help\hhcolreg.dat
2009-12-29 16:36 . 2009-12-29 16:31 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2009-12-29 16:31 . 2009-12-29 16:31 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
2009-12-29 16:31 . 2009-12-29 16:31 335 ----a-w- c:\windows\nsreg.dat
2009-12-28 23:23 . 2009-12-28 22:06 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-28 22:03 . 2009-12-28 22:03 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
.

------- Sigcheck -------

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys

[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\asyncmac.sys
[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\drivers\asyncmac.sys

[-] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys
[-] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\drivers\kbdclass.sys

[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys

[-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ntfs.sys
[-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ntfs.sys

[-] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\dllcache\null.sys
[-] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\system32\browser.dll
[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\browser.dll

[-] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\system32\lsass.exe
[-] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\lsass.exe

[-] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\system32\netman.dll
[-] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\netman.dll

[-] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\system32\qmgr.dll
[-] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\system32\dllcache\qmgr.dll

[-] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\system32\rpcss.dll
[-] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\rpcss.dll

[-] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\system32\services.exe
[-] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\services.exe

[-] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\system32\spoolsv.exe
[-] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\spoolsv.exe

[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\winlogon.exe

[-] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2004-08-04 . A77DFB85FAEE49D66C74DA6024EBC69B . 611328 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll

[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\system32\cryptsvc.dll
[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\cryptsvc.dll

[-] 2004-08-04 12:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\system32\es.dll
[-] 2004-08-04 12:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\system32\dllcache\es.dll

[-] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\system32\imm32.dll
[-] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\imm32.dll

[-] 2004-08-04 . 888190E31455FAD793312F8D087146EB . 983552 . . [5.1.2600.2180] . . c:\windows\system32\kernel32.dll
[-] 2004-08-04 . 888190E31455FAD793312F8D087146EB . 983552 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\kernel32.dll

[-] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\system32\linkinfo.dll
[-] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\linkinfo.dll

[-] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\system32\lpk.dll
[-] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\lpk.dll

[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\mshtml.dll
[-] 2009-03-08 . D469A0EBA2EF5C6BEE8065B7E3196E5E . 5937152 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2004-08-04 . 376E0843B2356CA91CEC8D9837A56FF7 . 3003392 . . [6.00.2900.2180] . . c:\windows\ie8\mshtml.dll

[-] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\system32\msvcrt.dll
[-] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\system32\dllcache\msvcrt.dll

[-] 2004-08-04 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\system32\mswsock.dll
[-] 2004-08-04 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\mswsock.dll

[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\system32\netlogon.dll
[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\netlogon.dll

[-] 2004-08-04 . CE218BC7088681FAA06633E218596CA7 . 2180992 . . [5.1.2600.2180] . . c:\windows\system32\ntoskrnl.exe

[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\system32\powrprof.dll
[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\powrprof.dll

[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\system32\scecli.dll
[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\scecli.dll

[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\system32\sfc.dll
[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\sfc.dll

[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\svchost.exe
[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\svchost.exe

[-] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\system32\tapisrv.dll
[-] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tapisrv.dll

[-] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
[-] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\user32.dll

[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\userinit.exe

[-] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\system32\wininet.dll
[-] 2009-03-08 . 6CE32F7778061CCC5814D5E0F282D369 . 914944 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\wininet.dll
[-] 2004-08-04 . C0823FC5469663BA63E7DB88F9919D70 . 656384 . . [6.00.2900.2180] . . c:\windows\ie8\wininet.dll

[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ws2_32.dll

[-] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\explorer.exe
[-] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\explorer.exe

[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\system32\srsvc.dll
[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\srsvc.dll

[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\wscntfy.exe

[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\xmlprov.dll
[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\xmlprov.dll

[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\eventlog.dll
[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\eventlog.dll

[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\sfcfiles.dll

[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe
[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe

[-] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\system32\shsvcs.dll
[-] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\shsvcs.dll

[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\system32\regsvc.dll
[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\regsvc.dll

[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\system32\schedsvc.dll
[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\schedsvc.dll

[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\system32\ssdpsrv.dll
[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ssdpsrv.dll

[-] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\system32\termsrv.dll
[-] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\termsrv.dll

[-] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\appmgmts.dll
[-] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\appmgmts.dll

[-] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2004-08-03 22:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\system32\drivers\aec.sys

[-] 2004-08-03 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\system32\drivers\AGP440.SYS

[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ip6fw.sys
[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ip6fw.sys

[-] 2004-08-04 12:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\system32\mfc40u.dll
[-] 2004-08-04 12:00 . DDF8D47ACF8FC3FE5F7F2B95C4D4D136 . 924432 . . [4.1.6140] . . c:\windows\system32\dllcache\mfc40u.dll

[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\system32\msgsvc.dll
[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\msgsvc.dll

[-] 2004-08-04 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
[-] 2004-08-04 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\system32\dllcache\mspmsnsv.dll

[-] 2004-08-04 . 947FB1D86D14AFCFFDB54BF837EC25D0 . 2056832 . . [5.1.2600.2180] . . c:\windows\system32\ntkrnlpa.exe

[-] 2004-08-04 12:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\system32\ntmssvc.dll
[-] 2004-08-04 12:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\system32\dllcache\ntmssvc.dll

[-] 2004-08-04 . 0546477BDE979E33294FE97F6B3DE84A . 185344 . . [5.1.2600.2180] . . c:\windows\system32\upnphost.dll
[-] 2004-08-04 . 0546477BDE979E33294FE97F6B3DE84A . 185344 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\upnphost.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-02-23_17.19.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-25 10:44 . 2010-02-25 10:44 22528 c:\windows\Installer\1c737581.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\progra~1\AOL9~1.5\AOL.EXE" [2009-10-28 50536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2009-10-28 14:38 50536 ----a-w- c:\progra~1\AOL9~1.5\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2009-07-20 19:52 41264 ----a-w- c:\program files\Common Files\aol\1262104663\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2010-01-04 22:02 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-01-04 22:03 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1262104663\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 12:39 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 17:39]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 17:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
mStart Page = www.google.com
FF - ProfilePath - c:\documents and settings\administrator.PARAMOUNT\Application Data\Mozilla\Firefox\Profiles\6671qv26.default\
FF - prefs.js: browser.startup.homepage - www.avast.com
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 12:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3182937187-2695636491-695382805-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,0a,24,56,0a,11,45,44,94,00,3c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,0a,24,56,0a,11,45,44,94,00,3c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2824)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\progra~1\AOL9~1.5\waol.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\progra~1\AOL9~1.5\shellmon.exe
.
**************************************************************************
.
Completion time: 2010-03-01 12:21:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 17:21
ComboFix2.txt 2010-02-23 17:22

Pre-Run: 225,846,091,776 bytes free
Post-Run: 225,843,965,952 bytes free

- - End Of File - - 91F733D365B6DADA0140A27834F59E10



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:38 PM, on 3/1/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AOL9~1.5\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AOL9~1.5\shellmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: AOL Toolbar Loader - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AOL9~1.5\AOL.EXE" -b
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1266352579189
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = paramount.local
O17 - HKLM\Software\..\Telephony: DomainName = paramount.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = paramount.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = paramount.local
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3608 bytes


#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 02 March 2010 - 05:37 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

How's the computer now?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 isis1671

isis1671
  • Topic Starter

  • Members
  • 11 posts

Posted 02 March 2010 - 03:00 PM

Unfortunately, the virus won't allow me to get on the ESET site or any antivirus site. What do you advise?

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 02 March 2010 - 09:38 PM

Please run GMER again and post the report here



#15 isis1671

isis1671
  • Topic Starter

  • Members
  • 11 posts

Posted 03 March 2010 - 02:13 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-03 14:05:06
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.PAR\LOCALS~1\Temp\awtdrpog.sys


---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] vmmlmcucm <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@DisplayName asakft
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@Description Provides automatic configuration for the 802.11 adapters
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm\Parameters@ServiceDll C:\WINDOWS\system32\nkzzh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\vmmlmcucm@DisplayName asakft
Reg HKLM\SYSTEM\ControlSet002\Services\vmmlmcucm@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\vmmlmcucm@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\vmmlmcucm@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\vmmlmcucm@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\vmmlmcucm@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\vmmlmcucm@Description Provides automatic configuration for the 802.11 adapters
Reg HKLM\SYSTEM\ControlSet002\Services\vmmlmcucm\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vmmlmcucm\Parameters@ServiceDll C:\WINDOWS\system32\nkzzh.dll

---- EOF - GMER 1.0.15 ----
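The GMER report above is the kind of log a responder ends up reading by hand: a service object concealed from the service control manager, running inside svchost.exe's netsvcs group, whose Parameters\ServiceDll points at a random-named DLL in system32 while its Description is copied from a built-in Windows service. As an added example (not GMER's, BleepingComputer's or the poster's code), the Python below parses the "Services" and "Registry" sections of a GMER log, joins the hidden-service line to its registry values, and flags svchost-hosted services whose ServiceDll is not on an allowlist. The sample log is constructed from the entries in #15 plus one made-up benign service named ConstructedSvc; the allowlist is illustrative, seeded from the system32 DLLs ComboFix listed earlier in this thread, and a real deployment would use a full inventory of the machine's known-good service DLLs.

```python
"""Parse a GMER rootkit-scan log and flag hidden, svchost-hosted services.

Added example for this thread; not GMER's or BleepingComputer's code.
The sample log is constructed from post #15; the DLL allowlist is illustrative.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the hidden-service entries from the thread's GMER log,
# plus one made-up benign service ("ConstructedSvc") for contrast.
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-03 14:05:06

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] vmmlmcucm <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@DisplayName asakft
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm@Description Provides automatic configuration for the 802.11 adapters
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\vmmlmcucm\Parameters@ServiceDll C:\WINDOWS\system32\nkzzh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\vmmlmcucm\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vmmlmcucm\Parameters@ServiceDll C:\WINDOWS\system32\nkzzh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ConstructedSvc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ConstructedSvc\Parameters@ServiceDll %SystemRoot%\system32\schedsvc.dll

---- EOF - GMER 1.0.15 ----
"""

# Illustrative allowlist (assumption): service DLLs ComboFix verified earlier in
# this thread. A real allowlist is a full inventory of known-good service DLLs.
KNOWN_SVCHOST_DLLS = {
    "schedsvc.dll", "termsrv.dll", "ssdpsrv.dll", "upnphost.dll", "appmgmts.dll",
    "msgsvc.dll", "ntmssvc.dll", "regsvc.dll", "shsvcs.dll", "mspmsnsv.dll",
}

# "Service <image> (<flags>) [<start>] <name> ..." lines in the Services section
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>[A-Z?]+)\]\s+(?P<name>\S+)"
)
# "Reg HKLM\SYSTEM\<controlset>\Services\<name>[\subkey]@<value> <data>" lines
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>CurrentControlSet|ControlSet\d+)\\Services\\"
    r"(?P<name>[^\\@\s]+)(?P<sub>(?:\\[^\\@\s]+)*)"
    r"(?:@(?P<value>\S+)(?:\s+(?P<data>.*))?)?(?:\s+\([^)]*\))?\s*$"
)


@dataclass
class ServiceRecord:
    name: str
    hidden: bool = False          # GMER marked the service object as hidden
    image: str = ""               # image path from the Services line
    start: str = ""               # AUTO / MANUAL / ... from the Services line
    values: dict = field(default_factory=dict)   # CurrentControlSet values
    service_dll: str = ""         # Parameters\ServiceDll, if present


def parse_gmer(text: str) -> dict:
    """Return {service name: ServiceRecord} from a GMER log."""
    services = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            rec = services.setdefault(m["name"], ServiceRecord(m["name"]))
            rec.hidden = "hidden" in m["flags"]
            rec.image, rec.start = m["image"], m["start"]
            continue
        m = REG_RE.match(line)
        # only the active control set matters for what is running now
        if m and m["cs"] == "CurrentControlSet" and m["value"]:
            rec = services.setdefault(m["name"], ServiceRecord(m["name"]))
            if m["sub"].lower() == r"\parameters" and m["value"].lower() == "servicedll":
                rec.service_dll = m["data"] or ""
            elif not m["sub"]:
                rec.values[m["value"]] = m["data"] or ""
    return services


def assess(rec: ServiceRecord) -> list:
    """Return the reasons a service looks suspicious (empty list if none)."""
    reasons = []
    if rec.hidden:
        reasons.append("service object hidden from the service control manager")
    image = (rec.values.get("ImagePath") or rec.image).lower()
    if "svchost.exe" in image and " -k " in image:
        dll = rec.service_dll.rsplit("\\", 1)[-1].lower()
        if not dll:
            reasons.append("svchost-hosted service with no Parameters\\ServiceDll recorded")
        elif dll not in KNOWN_SVCHOST_DLLS:
            reasons.append(f"svchost -k group loads unrecognised DLL {rec.service_dll}")
    return reasons


def assess_all(services: dict) -> dict:
    """Return {service name: reasons} for every service with at least one finding."""
    return {n: r for n, r in ((n, assess(s)) for n, s in services.items()) if r}


if __name__ == "__main__":
    for name, reasons in assess_all(parse_gmer(SAMPLE_GMER_LOG)).items():
        print(f"{name}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the sample, the hidden service is reported twice over (concealed object, unrecognised ServiceDll) while ConstructedSvc, whose DLL is on the allowlist, produces no finding. Only CurrentControlSet values are used, since ControlSet002 entries describe the last-known-good configuration rather than what is running; the copied Description string is deliberately not used as a signal, because it is exactly the field a rootkit author fills in to look legitimate.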




