Hidden Objects


  • This topic is locked
2 replies to this topic

#1 AviraHelp

Posted 28 March 2010 - 04:37 PM

I was told to bring my thread here to see if I am actually infected with a rootkit or not; my original thread can be found at
http://www.bleepingcomputer.com/forums/t/305466/hidden-objects/

I will paraphrase it here, though.

Hi, I just updated the free Avira Personal Edition version 9 to version 10.

During a complete scan it found several hidden processes. It starts with only 1 found, being wgatray.exe, but as I use the computer more and do more scans the number of hidden processes increases to include other .exe's like firefox.exe, explorer.exe, and other programs I use. This never happened in Avira Personal Edition version 9. If I restart the computer and run a complete scan again it starts all over: it would find 1 hidden process, then the number would increase again in later scans.

Avira AntiVir Personal
Report file date: Sunday, March 28, 2010 10:47

Scanning for 1931788 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Sythe
Computer name : SYTHEBOOK

Version information:
BUILD.DAT : 10.0.0.561 32098 Bytes 3/18/2010 15:46:00
AVSCAN.EXE : 10.0.2.3 433832 Bytes 3/7/2010 21:57:10
AVSCAN.DLL : 10.0.2.2 45928 Bytes 3/2/2010 16:48:47
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 22:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 03:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 23:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 21:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 20:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 15:29:03
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 15:29:03
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 15:29:03
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 15:29:03
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 15:29:03
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 15:29:03
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 15:29:03
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 15:29:03
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 15:29:03
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 19:43:21
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 19:24:21
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 21:41:40
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 13:25:53
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 13:39:58
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 17:01:24
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 21:15:25
VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 21:15:26
VBASE021.VDF : 7.10.5.182 108032 Bytes 3/23/2010 21:15:27
VBASE022.VDF : 7.10.5.199 123904 Bytes 3/24/2010 21:15:28
VBASE023.VDF : 7.10.5.217 279552 Bytes 3/25/2010 00:34:47
VBASE024.VDF : 7.10.5.234 202240 Bytes 3/26/2010 04:31:20
VBASE025.VDF : 7.10.5.235 2048 Bytes 3/26/2010 04:31:20
VBASE026.VDF : 7.10.5.236 2048 Bytes 3/26/2010 04:31:20
VBASE027.VDF : 7.10.5.237 2048 Bytes 3/26/2010 04:31:21
VBASE028.VDF : 7.10.5.238 2048 Bytes 3/26/2010 04:31:21
VBASE029.VDF : 7.10.5.239 2048 Bytes 3/26/2010 04:31:21
VBASE030.VDF : 7.10.5.240 2048 Bytes 3/26/2010 04:31:21
VBASE031.VDF : 7.10.5.241 2048 Bytes 3/26/2010 04:31:21
Engineversion : 8.2.1.204
AEVDF.DLL : 8.1.1.3 106868 Bytes 2/13/2010 16:16:21
AESCRIPT.DLL : 8.1.3.23 1278331 Bytes 3/27/2010 04:31:33
AESCN.DLL : 8.1.5.0 127347 Bytes 2/25/2010 22:38:41
AESBX.DLL : 8.1.2.1 254323 Bytes 3/17/2010 15:09:47
AERDL.DLL : 8.1.4.3 541043 Bytes 3/17/2010 15:09:47
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/24/2010 21:15:35
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 15:09:46
AEHEUR.DLL : 8.1.1.16 2503031 Bytes 3/27/2010 04:31:30
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/17/2010 15:09:46
AEGEN.DLL : 8.1.3.2 373108 Bytes 3/24/2010 21:15:33
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/10/2009 13:04:22
AECORE.DLL : 8.1.12.3 188789 Bytes 3/17/2010 15:09:45
AEBB.DLL : 8.1.0.3 53618 Bytes 9/10/2009 16:15:06
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 16:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 16:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 20:47:40
AVREG.DLL : 10.0.1.2 52072 Bytes 1/29/2010 15:47:41
AVSCPLR.DLL : 10.0.2.3 83304 Bytes 3/7/2010 22:02:30
AVARKT.DLL : 10.0.0.13 227176 Bytes 3/7/2010 21:48:41
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 13:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 16:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 19:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 18:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 17:10:20
RCTEXT.DLL : 10.0.46.0 97128 Bytes 3/5/2010 14:09:41

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: d:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Sunday, March 28, 2010 10:47

Starting search for hidden objects.
HKEY_USERS\S-1-5-21-854245398-1935655697-527237240-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\hrzr_ehacngu
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-854245398-1935655697-527237240-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\savedlegacysettings
[NOTE] The registry entry is invisible.
c:\windows\system32\wgatray.exe
c:\WINDOWS\system32\WgaTray.exe
[NOTE] The process is not visible.

The scan of running processes will be started
Scan process 'HitmanPro35.exe' - '71' Module(s) have been scanned
Scan process 'avscan.exe' - '67' Module(s) have been scanned
Scan process 'avcenter.exe' - '93' Module(s) have been scanned
Scan process 'alg.exe' - '36' Module(s) have been scanned
Scan process 'TFService.exe' - '77' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'jqs.exe' - '36' Module(s) have been scanned
Scan process 'a2service.exe' - '32' Module(s) have been scanned
Scan process 'ffcntl.exe' - '24' Module(s) have been scanned
Scan process 'SuperHybridEngine.exe' - '28' Module(s) have been scanned
Scan process 'avgnt.exe' - '52' Module(s) have been scanned
Scan process 'jusched.exe' - '26' Module(s) have been scanned
Scan process 'TFTray.exe' - '37' Module(s) have been scanned
Scan process 'ETDDect.exe' - '24' Module(s) have been scanned
Scan process 'ETDCtrl.exe' - '35' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '42' Module(s) have been scanned
Scan process 'igfxext.exe' - '28' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '30' Module(s) have been scanned
Scan process 'hkcmd.exe' - '29' Module(s) have been scanned
Scan process 'igfxtray.exe' - '30' Module(s) have been scanned
Scan process 'AsTray.exe' - '35' Module(s) have been scanned
Scan process 'AsEPCMon.exe' - '23' Module(s) have been scanned
Scan process 'AsAcpiSvr.exe' - '40' Module(s) have been scanned
Scan process 'sched.exe' - '46' Module(s) have been scanned
Scan process 'spoolsv.exe' - '52' Module(s) have been scanned
Scan process 'Explorer.EXE' - '89' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '152' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '33' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'avguard.exe' - '56' Module(s) have been scanned
Scan process 'lsass.exe' - '54' Module(s) have been scanned
Scan process 'services.exe' - '35' Module(s) have been scanned
Scan process 'winlogon.exe' - '75' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '323' files ).


Starting the file scan:

Begin scan in 'C:\'
Begin scan in 'D:\'


End of the scan: Sunday, March 28, 2010 10:59
Used time: 12:16 Minute(s)

The scan has been done completely.

2560 Scanned directories
104709 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
104709 Files not concerned
733 Archives were scanned
0 Warnings
0 Notes
174002 Objects were scanned with rootkit scan
3 Hidden objects were found


Hi, after a bit of research I am not certain whether a true rootkit exists. The last hidden file leads me to a GameGuard or UEME_RUNPATH file. Both are rootkit-type activity; one is game cheater protection and the latter Windows logging.
I feel it best to be sure and have proper testing done through DDS.

Post the DDS, GMER and your ComboFix log.

Please go here: Preparation Guide, do steps 6 - 9.

Create the 2 logs, include your ComboFix log, and post them in the new topic created from step 9, not here.
If GMER won't run, skip it and move on.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Sythe at 16:57:01.56 on Sun 03/28/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1267 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Elantech\ETDDect.exe
D:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\FlashFire\ffcntl.exe
svchost.exe
D:\Program Files\Prevx\prevx.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sythe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [ETDWareDetect] c:\program files\elantech\ETDDect.exe
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [ThreatFire] d:\program files\threatfire\TFTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\sythe\startm~1\programs\startup\ffcntl.lnk - c:\program files\flashfire\ffcntl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: HideRunAsVerb = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: StartMenuLogoff = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268638325578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268692028796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sythe\applic~1\mozilla\firefox\profiles\xz5b7ifp.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\sythe\application data\mozilla\firefox\profiles\xz5b7ifp.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
FF - component: c:\documents and settings\sythe\application data\mozilla\firefox\profiles\xz5b7ifp.default\extensions\stratabuddy@reduxteam\components\dwmxpcom.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ffire;FlashFire;c:\windows\system32\drivers\ffire.sys [2009-12-19 10112]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-3-15 30280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-3-15 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-3-15 59664]
R1 avgio;avgio;d:\program files\avira\antivir desktop\avgio.sys [2010-3-24 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-3-3 224808]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-3-3 25160]
R2 a2free;a-squared Free Service;d:\program files\a-squared free\a2service.exe [2010-3-28 1858144]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2010-3-24 135336]
R2 AntiVirService;Avira AntiVir Guard;d:\program files\avira\antivir desktop\avguard.exe [2010-3-24 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-15 60936]
R2 cmdAgent;COMODO Internet Security Helper Service;d:\program files\comodo\comodo internet security\cmdagent.exe [2010-3-3 967888]
R2 CSIScanner;CSIScanner;d:\program files\prevx\prevx.exe [2010-3-15 6349008]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-3-15 53088]
R2 ThreatFire;ThreatFire;d:\program files\threatfire\tfservice.exe service --> d:\program files\threatfire\TFService.exe service [?]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-3-15 24368]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-3-15 33552]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\sythe\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\sythe\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\sythe\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\sythe\locals~1\temp\sas_selfextract\SASKUTIL.sys [?]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2010-3-15 933504]
S3 SASENUM;SASENUM;\??\c:\docume~1\sythe\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\sythe\locals~1\temp\sas_selfextract\SASENUM.SYS [?]

=============== Created Last 30 ================

2010-03-28 14:41:21 0 d-----w- c:\windows\system32\xircom
2010-03-28 14:41:21 0 d-----w- c:\windows\system32\wbem\snmp
2010-03-28 14:41:21 0 d-----w- c:\windows\system32\restore
2010-03-28 14:41:21 0 d-----w- c:\windows\system32\npp
2010-03-28 14:41:21 0 d-----w- c:\windows\system32\ime
2010-03-28 14:41:21 0 d-----w- c:\windows\srchasst
2010-03-28 14:41:21 0 d-----w- c:\windows\msagent
2010-03-28 14:41:21 0 d-----w- c:\program files\msn gaming zone
2010-03-28 14:41:21 0 d-----w- c:\program files\common files\speechengines
2010-03-28 13:50:29 0 d-sha-r- C:\cmdcons
2010-03-28 13:46:41 98816 ----a-w- c:\windows\sed.exe
2010-03-28 13:46:41 77312 ----a-w- c:\windows\MBR.exe
2010-03-28 13:46:41 261632 ----a-w- c:\windows\PEV.exe
2010-03-28 13:46:41 161792 ----a-w- c:\windows\SWREG.exe
2010-03-28 13:32:40 3904819 ----a-w- C:\ComboFix.exe
2010-03-28 08:23:15 0 d-----w- c:\docume~1\sythe\applic~1\SUPERAntiSpyware.com
2010-03-26 18:13:30 0 d-----w- c:\docume~1\sythe\applic~1\Malwarebytes
2010-03-26 18:12:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-26 18:12:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-26 18:12:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 16:22:19 0 d-----w- C:\VritualRoot
2010-03-24 21:19:20 0 d-----w- c:\docume~1\sythe\applic~1\Avira
2010-03-24 21:10:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-03-21 07:33:46 0 d-----w- c:\docume~1\sythe\applic~1\Foxit
2010-03-16 06:12:46 0 d-----w- c:\docume~1\sythe\applic~1\SPlayer
2010-03-16 06:07:28 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-16 06:06:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-03-16 06:06:47 0 d-----w- c:\program files\Hitman Pro 3.5
2010-03-16 04:43:16 0 d-----w- c:\docume~1\sythe\applic~1\OpenOffice.org
2010-03-16 04:06:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-16 04:06:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-16 02:38:37 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-03-16 02:38:37 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-03-15 22:29:37 1089593 ------w- c:\windows\system32\dllcache\ntprint.cat
2010-03-15 09:39:49 0 d--h--w- c:\windows\system32\GroupPolicy
2010-03-15 09:33:06 0 d-----w- c:\program files\FlashFire
2010-03-15 08:59:01 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-03-15 08:59:01 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-03-15 08:59:00 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-03-15 08:53:14 32 ----a-w- c:\windows\wininit.ini
2010-03-15 08:51:58 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-03-15 08:45:10 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-03-15 08:45:10 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-03-15 08:45:10 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2010-03-15 08:45:06 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-03-15 08:34:01 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-15 08:33:26 0 d-----w- c:\windows\ie8updates
2010-03-15 08:32:50 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-15 08:32:50 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-15 08:32:50 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-15 08:32:50 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-03-15 08:32:50 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-15 08:32:49 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-03-15 08:31:19 0 dc-h--w- c:\windows\ie8
2010-03-15 08:15:56 0 d-----w- C:\Sandbox
2010-03-15 08:15:44 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
2010-03-15 08:15:01 0 d-----w- c:\windows\system32\XPSViewer
2010-03-15 08:13:31 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-15 08:13:31 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-15 08:13:31 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-15 08:13:30 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-15 08:13:30 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-15 08:13:29 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-15 08:13:29 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-15 08:10:59 0 d-----w- c:\windows\PCHEALTH
2010-03-15 08:09:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-03-15 07:59:46 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-15 07:59:39 0 d-----w- c:\program files\Windows Media Connect 2
2010-03-15 07:57:39 0 d-----w- c:\windows\system32\LogFiles
2010-03-15 07:54:26 0 d-----w- c:\windows\system32\URTTemp
2010-03-15 07:52:57 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-03-15 07:51:53 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-15 07:51:15 0 d-sh--w- c:\documents and settings\sythe\IECompatCache
2010-03-15 07:50:55 0 d-sh--w- c:\documents and settings\sythe\PrivacIE
2010-03-15 07:50:47 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-03-15 07:50:47 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-03-15 07:50:26 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-03-15 07:47:14 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-03-15 07:46:41 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-03-15 07:45:33 0 d-sh--w- c:\documents and settings\sythe\IETldCache
2010-03-15 07:45:14 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2010-03-15 07:39:32 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-03-15 07:39:22 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-03-15 07:39:15 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2010-03-15 07:37:49 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-03-15 07:37:49 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-03-15 07:37:41 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-03-15 07:34:50 0 d-----w- c:\windows\system32\PreInstall
2010-03-15 07:34:48 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-03-15 07:34:46 0 d--h--w- c:\windows\$hf_mig$
2010-03-15 07:32:07 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-03-15 07:32:03 0 d-sh--w- c:\documents and settings\sythe\UserData
2010-03-15 07:30:37 933504 ----a-w- c:\windows\system32\drivers\rt2860.sys
2010-03-15 07:30:37 221184 ----a-w- c:\windows\system32\RaCoInst.dll
2010-03-15 07:30:37 14713 ----a-w- c:\windows\system32\RaCoInst.dat
2010-03-15 07:30:35 0 d-----w- c:\program files\RALINK
2010-03-15 07:29:13 0 d-----w- c:\program files\ASUS
2010-03-15 07:26:59 0 d-----w- c:\program files\Elantech
2010-03-15 07:26:54 0 d-----w- c:\windows\system32\ReinstallBackups
2010-03-15 07:25:49 192512 ----a-w- c:\windows\system32\ETDCoinst.dll
2010-03-15 07:25:48 26112 ----a-w- c:\windows\system32\drivers\ETD.sys
2010-03-15 07:24:16 940794 ----a-w- c:\windows\system32\LoopyMusic.wav
2010-03-15 07:24:16 146650 ----a-w- c:\windows\system32\BuzzingBee.wav
2010-03-15 07:23:27 553 ----a-w- c:\windows\USetup.iss
2010-03-15 07:23:23 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-03-15 07:23:21 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2010-03-15 07:23:20 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2010-03-15 07:23:19 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2010-03-15 07:23:17 142592 ------w- c:\windows\system32\drivers\aec.sys
2010-03-15 07:23:16 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2010-03-15 07:23:13 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2010-03-15 07:23:10 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2010-03-15 07:23:00 0 d-----w- c:\windows\system32\RTCOM
2010-03-15 07:22:33 0 d-----w- c:\program files\Realtek
2010-03-15 07:20:26 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-03-15 07:13:33 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-03-15 07:12:06 1205 ----a-w- c:\windows\system32\drivers\AsusACPI.inf
2010-03-15 07:12:06 10752 ----a-w- c:\windows\system32\drivers\ASUSACPI.SYS
2010-03-15 07:12:05 21864 ----a-w- c:\windows\AsAcpiSvrLang.ini
2010-03-15 07:12:05 12208 ----a-w- c:\windows\AsTrayLang.ini
2010-03-15 07:12:05 0 d-----w- c:\program files\EeePC
2010-03-15 07:12:02 1746 ----a-w- c:\windows\Language_trs.ini
2010-03-15 06:46:04 0 d-s---w- c:\windows\system32\Microsoft
2010-03-15 06:35:18 2577 ----a-w- c:\windows\system32\CONFIG.NT
2010-03-15 06:35:18 0 ----a-w- c:\windows\control.ini
2010-03-15 06:35:10 23392 ----a-w- c:\windows\system32\nscompat.tlb
2010-03-15 06:35:10 16832 ----a-w- c:\windows\system32\amcompat.tlb
2010-03-15 06:35:08 316640 ----a-w- c:\windows\WMSysPr9.prx
2010-03-15 06:34:58 0 d-----w- c:\windows\system32\dllcache
2010-03-15 06:34:14 0 d-sh--w- c:\documents and settings\all users\DRM
2010-03-15 06:33:26 0 d--h--w- c:\program files\WindowsUpdate
2010-03-15 06:33:12 0 d-----w- c:\program files\common files\MSSoap
2010-03-15 06:32:42 23040 ----a-w- c:\windows\system32\fltMc.exe
2010-03-15 06:32:42 16896 ----a-w- c:\windows\system32\fltlib.dll
2010-03-15 06:32:42 129792 ----a-w- c:\windows\system32\drivers\fltMgr.sys
2010-03-15 06:32:00 0 d-----w- c:\windows\system32\wbem\AutoRecover
2010-03-15 06:31:57 0 d-----w- c:\windows\system32\wbem\Performance
2010-03-15 06:31:50 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-15 06:31:35 37 ----a-w- c:\windows\vbaddin.ini
2010-03-15 06:31:35 36 ----a-w- c:\windows\vb.ini
2010-03-15 06:31:17 0 d-----w- c:\windows\Registration
2010-03-15 06:30:30 0 d-----w- c:\program files\Windows NT
2010-03-15 01:28:26 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2010-03-15 01:28:05 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-03-15 01:26:52 74240 ----a-w- c:\windows\system32\usbui.dll
2010-03-15 01:26:46 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2010-03-15 01:26:45 14208 ----a-w- c:\windows\system32\drivers\battc.sys
2010-03-15 01:26:45 13952 ----a-w- c:\windows\system32\drivers\CmBatt.sys
2010-03-15 01:25:28 0 d-----w- c:\program files\common files\ODBC
2010-03-15 01:25:01 0 d-----r- c:\documents and settings\all users\Documents
2010-03-15 01:24:54 16535 ----a-r- c:\windows\SET6.tmp
2010-03-15 01:24:50 1088840 ----a-r- c:\windows\SET4.tmp
2010-03-15 01:24:47 1296669 ----a-r- c:\windows\SET3.tmp
2010-03-15 01:24:38 0 d-----w- c:\windows\system32\CatRoot2
2010-03-15 01:24:38 0 d-----w- c:\windows\system32\CatRoot
2010-03-15 01:24:12 0 d-----w- C:\Documents and Settings
2010-03-15 01:23:42 1086 ----a-w- c:\windows\system32\$winnt$.inf

==================== Find3M ====================

2010-03-24 20:56:51 224808 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-03-15 07:22:28 319488 ----a-w- c:\windows\HideWin.exe
2010-03-03 23:54:42 276648 ----a-w- c:\windows\system32\guard32.dll
2010-03-03 23:54:14 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-03-03 23:54:12 15376 ----a-w- c:\windows\system32\drivers\cmderd.sys

============= FINISH: 17:01:42.43 ===============




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-28 17:15:52
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Sythe\LOCALS~1\Temp\uwrdipow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xAB288212]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xAAE21464]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xAB2877CA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xAB287E78]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xF72ADA1C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xAB2876A6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xAB28A7A6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xAB28AA44]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xAAE2149E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteKey [0xAAE21290]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteValueKey [0xAAE21302]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xAB28701C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xAB289118]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xAB289356]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xAB28A3E2]
SSDT F7A9603A ZwLoadKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xAB287A66]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xAB288054]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF72AD90C]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xAAE217B2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xAB287D02]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xAAE2168E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xAAE2152A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryKey [0xAB28953E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryMultipleValueKey [0xAB289902]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryValueKey [0xAB28971A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xAB288F30]
SSDT F7A96044 ZwReplaceKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xAB289E76]
SSDT F7A9603F ZwRestoreKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xAB28A12A]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xAAE21426]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xAB28882E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xAB28A5AE]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetValueKey [0xAAE2138E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xAB287A00]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xAB287BEE]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0xAAE218E6]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0xAAE215AE]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0xAAE215E6]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

---- EOF - GMER 1.0.15 ----

ComboFix 10-03-27.03 - Sythe 03/28/2010 9:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1464 [GMT -4:00]
Running from: c:\documents and settings\Sythe\Desktop\combo-fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msconfig.exe
c:\windows\system32\PxSecure.dll

c:\windows\system32\srsvc.dll . . . is infected!!

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-28 13:32 . 2010-03-28 09:08 3904819 ----a-w- C:\ComboFix.exe
2010-03-28 08:23 . 2010-03-28 08:23 -------- d-----w- c:\documents and settings\Sythe\Application Data\SUPERAntiSpyware.com
2010-03-26 18:13 . 2010-03-26 18:13 -------- d-----w- c:\documents and settings\Sythe\Application Data\Malwarebytes
2010-03-26 18:12 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-26 18:12 . 2010-03-26 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-26 18:12 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 16:22 . 2010-03-26 16:22 -------- d-----w- C:\VritualRoot
2010-03-26 15:29 . 2010-03-26 15:29 -------- d-----w- c:\windows\Sun
2010-03-24 21:19 . 2010-03-24 21:19 -------- d-----w- c:\documents and settings\Sythe\Application Data\Avira
2010-03-24 21:10 . 2010-03-01 13:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-24 21:10 . 2009-05-11 15:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-24 21:10 . 2009-05-11 15:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-24 21:10 . 2010-03-24 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-24 07:47 . 2010-03-28 07:51 926552 ----a-w- c:\documents and settings\All Users\Application Data\PrevxCSI\~PrevxCSIUpdate.exe
2010-03-23 15:56 . 2010-02-02 19:19 90112 ----a-w- c:\documents and settings\Sythe\Application Data\Mozilla\Firefox\Profiles\xz5b7ifp.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\entbcompose.dll
2010-03-23 15:56 . 2010-02-02 19:19 241664 ----a-w- c:\documents and settings\Sythe\Application Data\Mozilla\Firefox\Profiles\xz5b7ifp.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enclip.dll
2010-03-23 15:56 . 2010-02-02 19:19 167936 ----a-w- c:\documents and settings\Sythe\Application Data\Mozilla\Firefox\Profiles\xz5b7ifp.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
2010-03-23 15:56 . 2010-02-02 19:19 114688 ----a-w- c:\documents and settings\Sythe\Application Data\Mozilla\Firefox\Profiles\xz5b7ifp.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\ENImaDLL.dll
2010-03-21 07:33 . 2010-03-21 07:33 -------- d-----w- c:\documents and settings\Sythe\Application Data\Foxit
2010-03-19 07:46 . 2009-11-26 02:03 61952 ----a-w- c:\documents and settings\Sythe\Application Data\Mozilla\Firefox\Profiles\xz5b7ifp.default\extensions\StrataBuddy@ReduxTeam\components\dwmxpcom.dll
2010-03-17 13:45 . 2010-03-17 13:45 503808 ----a-w- c:\documents and settings\Sythe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-790cd88c-n\msvcp71.dll
2010-03-17 13:45 . 2010-03-17 13:45 499712 ----a-w- c:\documents and settings\Sythe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-790cd88c-n\jmc.dll
2010-03-17 13:45 . 2010-03-17 13:45 348160 ----a-w- c:\documents and settings\Sythe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-790cd88c-n\msvcr71.dll
2010-03-17 13:45 . 2010-03-17 13:45 61440 ----a-w- c:\documents and settings\Sythe\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3edfdb02-n\decora-sse.dll
2010-03-17 13:45 . 2010-03-17 13:45 12800 ----a-w- c:\documents and settings\Sythe\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3edfdb02-n\decora-d3d.dll
2010-03-16 06:12 . 2010-03-16 06:16 -------- d-----w- c:\documents and settings\Sythe\Application Data\SPlayer
2010-03-16 06:07 . 2010-03-28 11:42 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-16 06:06 . 2010-03-20 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-03-16 06:06 . 2010-03-16 06:06 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-03-16 04:43 . 2010-03-19 07:49 1 ----a-w- c:\documents and settings\Sythe\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-16 04:43 . 2010-03-16 04:43 -------- d-----w- c:\documents and settings\Sythe\Application Data\OpenOffice.org
2010-03-16 04:07 . 2010-03-16 04:07 -------- d-----w- c:\program files\Common Files\Java
2010-03-16 04:06 . 2010-03-16 04:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-16 04:05 . 2010-03-16 04:05 -------- d-----w- c:\program files\Java
2010-03-16 02:38 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-03-15 22:37 . 2010-03-15 23:08 -------- d-----w- c:\documents and settings\Sythe\Local Settings\Application Data\ApplicationHistory
2010-03-15 18:30 . 2010-03-15 18:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-15 09:39 . 2010-03-15 09:39 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-03-15 09:33 . 2010-03-15 09:33 -------- d-----w- c:\program files\FlashFire
2010-03-15 08:59 . 2010-03-28 07:52 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-03-15 08:59 . 2010-03-28 07:52 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-03-15 08:59 . 2010-03-28 07:52 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-03-15 08:51 . 2010-03-28 07:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2010-03-15 08:45 . 2010-01-14 20:08 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-03-15 08:45 . 2010-01-14 20:08 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-03-15 08:45 . 2010-01-14 20:08 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2010-03-15 08:45 . 2010-03-15 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-15 08:34 . 2009-12-11 08:38 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-03-15 08:33 . 2010-03-15 22:49 -------- d-----w- c:\windows\ie8updates
2010-03-15 08:32 . 2009-12-21 19:14 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-03-15 08:14 . 2010-03-15 08:14 -------- d-----w- c:\program files\Reference Assemblies
2010-03-15 08:13 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-03-15 08:13 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-15 08:13 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-15 08:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-15 08:13 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-15 08:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-15 08:13 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-15 08:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-15 08:13 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-15 08:10 . 2010-03-15 08:10 -------- d-----w- c:\windows\PCHEALTH
2010-03-15 08:09 . 2010-03-15 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-03-15 07:59 . 2010-02-16 17:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-15 07:59 . 2010-03-15 07:59 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-15 07:57 . 2010-03-15 08:39 -------- d-----w- c:\windows\system32\LogFiles
2010-03-15 07:57 . 2010-03-15 07:58 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-03-15 07:54 . 2010-03-15 07:54 -------- d-----w- c:\windows\system32\URTTemp
2010-03-15 07:54 . 2010-03-15 07:54 0 ----a-w- c:\windows\nsreg.dat
2010-03-15 07:54 . 2010-03-15 07:54 -------- d-----w- c:\documents and settings\Sythe\Local Settings\Application Data\Mozilla
2010-03-15 07:52 . 2009-12-31 16:50 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-03-15 07:51 . 2009-12-04 18:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-03-15 07:51 . 2010-03-15 07:51 -------- d-sh--w- c:\documents and settings\Sythe\IECompatCache
2010-03-15 07:50 . 2010-03-15 07:50 -------- d-sh--w- c:\documents and settings\Sythe\PrivacIE
2010-03-15 07:50 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-03-15 07:50 . 2009-10-15 16:28 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-03-15 07:50 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-03-15 07:47 . 2010-03-15 07:47 -------- d-----w- c:\program files\Intel
2010-03-15 07:47 . 2007-12-13 04:56 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-03-15 07:46 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-03-15 07:45 . 2010-03-15 07:45 -------- d-sh--w- c:\documents and settings\Sythe\IETldCache
2010-03-15 07:39 . 2009-07-31 04:35 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-03-15 07:39 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-03-15 07:39 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2010-03-15 07:37 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-03-15 07:37 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-03-15 07:37 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-03-15 07:34 . 2009-01-07 23:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-03-15 07:34 . 2010-03-15 22:49 -------- d--h--w- c:\windows\$hf_mig$
2010-03-15 07:32 . 2010-03-15 07:32 -------- d-sh--w- c:\documents and settings\Sythe\UserData
2010-03-15 07:30 . 2009-01-19 17:39 933504 ----a-w- c:\windows\system32\drivers\rt2860.sys
2010-03-15 07:30 . 2009-01-19 17:38 221184 ----a-w- c:\windows\system32\RaCoInst.dll
2010-03-15 07:30 . 2009-01-19 17:38 14713 ----a-w- c:\windows\system32\RaCoInst.dat
2010-03-15 07:30 . 2010-03-15 07:30 -------- d-----w- c:\program files\RALINK
2010-03-15 07:29 . 2010-03-15 07:29 -------- d-----w- c:\program files\ASUS
2010-03-15 07:26 . 2010-03-15 07:26 -------- d-----w- c:\program files\Elantech
2010-03-15 07:26 . 2010-03-15 07:26 -------- d-----w- c:\documents and settings\Sythe\Application Data\InstallShield
2010-03-15 07:25 . 2008-04-14 22:43 192512 ----a-w- c:\windows\system32\ETDCoinst.dll
2010-03-15 07:25 . 2008-08-25 06:59 26112 ----a-w- c:\windows\system32\drivers\ETD.sys
2010-03-15 07:23 . 2008-04-14 09:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-03-15 07:23 . 2008-04-14 09:47 83072 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2010-03-15 07:23 . 2008-04-14 09:15 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2010-03-15 07:23 . 2008-04-14 09:15 56576 ----a-w- c:\windows\system32\drivers\swmidi.sys
2010-03-15 07:23 . 2008-04-14 07:09 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-03-15 07:23 . 2008-04-14 09:15 172416 ----a-w- c:\windows\system32\drivers\kmixer.sys
2010-03-15 07:23 . 2008-04-14 09:15 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2010-03-15 07:23 . 2008-04-14 09:45 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2010-03-15 07:23 . 2010-03-15 07:23 -------- d-----w- c:\windows\system32\RTCOM
2010-03-15 07:20 . 2007-12-20 00:06 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-03-15 07:13 . 2008-04-14 09:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-03-15 07:12 . 2010-03-15 07:30 -------- dc----w- c:\windows\system32\DRVSTORE
2010-03-15 07:12 . 2008-04-08 20:59 10752 ----a-w- c:\windows\system32\drivers\ASUSACPI.SYS
2010-03-15 07:12 . 2010-03-15 07:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-15 07:12 . 2010-03-15 07:12 -------- d-----w- c:\program files\EeePC
2010-03-15 06:49 . 2010-03-25 08:09 17328 ----a-w- c:\documents and settings\Sythe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 06:46 . 2010-03-15 06:46 -------- d-s---w- c:\windows\system32\Microsoft
2010-03-15 06:34 . 2010-03-15 22:49 -------- d-----w- c:\windows\system32\dllcache
2010-03-15 06:34 . 2010-03-15 07:58 -------- d-sh--w- c:\documents and settings\All Users\DRM
2010-03-15 06:32 . 2008-04-14 09:42 23040 ----a-w- c:\windows\system32\fltMc.exe
2010-03-15 06:32 . 2008-04-14 09:41 16896 ----a-w- c:\windows\system32\fltlib.dll
2010-03-15 06:32 . 2008-04-14 04:03 129792 ----a-w- c:\windows\system32\drivers\fltMgr.sys
2010-03-15 06:32 . 2010-03-16 04:07 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2010-03-15 06:31 . 2010-03-15 23:17 -------- d-----w- c:\windows\system32\wbem\Performance
2010-03-15 06:31 . 2010-03-15 06:31 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-15 01:28 . 2001-08-17 17:59 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2010-03-15 01:28 . 2008-04-14 04:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 20:56 . 2010-03-03 23:54 224808 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-03-15 08:16 . 2010-03-15 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-03-15 08:14 . 2010-03-15 08:14 -------- d-----w- c:\program files\MSBuild
2010-03-15 07:22 . 2010-03-15 07:22 -------- d-----w- c:\program files\Realtek
2010-03-15 07:22 . 2010-03-15 07:22 319488 ----a-w- c:\windows\HideWin.exe
2010-03-15 07:22 . 2010-03-15 07:22 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-03 23:54 . 2010-03-03 23:54 276648 ----a-w- c:\windows\system32\guard32.dll
2010-03-03 23:54 . 2010-03-03 23:54 86720 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-03-03 23:54 . 2010-03-03 23:54 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-03-03 23:54 . 2010-03-03 23:54 15376 ----a-w- c:\windows\system32\drivers\cmderd.sys
2009-12-31 16:50 . 2008-04-14 04:45 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-06-04 696320]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-05-08 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-05-08 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-20 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-20 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-20 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-18 16855040]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-09-03 335872]
"ETDWareDetect"="c:\program files\Elantech\ETDDect.exe" [2008-08-22 204800]
"COMODO Internet Security"="d:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-03-24 1994640]
"ThreatFire"="d:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\Sythe\Start Menu\Programs\Startup\
ffcntl.lnk - c:\program files\FlashFire\ffcntl.exe [2009-12-19 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2010-3-15 376832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideRunAsVerb"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 ffire;FlashFire;c:\windows\system32\drivers\ffire.sys [12/19/2009 6:29 PM 10112]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [3/15/2010 4:59 AM 30280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [3/15/2010 4:45 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [3/15/2010 4:45 AM 59664]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [3/3/2010 7:54 PM 224808]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/3/2010 7:54 PM 25160]
R2 a2free;a-squared Free Service;d:\program files\a-squared Free\a2service.exe [3/28/2010 4:55 AM 1858144]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [3/24/2010 5:10 PM 135336]
R2 CSIScanner;CSIScanner;d:\program files\Prevx\prevx.exe [3/15/2010 4:58 AM 6349008]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [3/15/2010 4:59 AM 53088]
R2 ThreatFire;ThreatFire;d:\program files\ThreatFire\TFService.exe service --> d:\program files\ThreatFire\TFService.exe service [?]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [3/15/2010 4:59 AM 24368]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [3/15/2010 3:30 AM 933504]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [3/15/2010 4:45 AM 33552]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Sythe\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Sythe\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Sythe\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\Sythe\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\Sythe\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\Sythe\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch REG_MULTI_SZ DcomLaunch

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
SENS
Sharedaccess
Tapisrv
Themes
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
napagent
hkmsvc
BITS
wuauserv
ShellHWDetection
WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Sythe\Application Data\Mozilla\Firefox\Profiles\xz5b7ifp.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\Sythe\Application Data\Mozilla\Firefox\Profiles\xz5b7ifp.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
FF - component: c:\documents and settings\Sythe\Application Data\Mozilla\Firefox\Profiles\xz5b7ifp.default\extensions\StrataBuddy@ReduxTeam\components\dwmxpcom.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 10:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1935655697-527237240-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,f7,88,72,be,d0,b9,48,bf,b3,ab,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,f7,88,72,be,d0,b9,48,bf,b3,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\guard32.dll
d:\program files\ThreatFire\TFWAH.dll
d:\program files\ThreatFire\TFNI.dll
d:\program files\ThreatFire\TFMon.dll
d:\program files\ThreatFire\TFRK.dll

- - - - - - - > 'lsass.exe'(648)
c:\windows\system32\guard32.dll
d:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2010-03-28 10:35:25
ComboFix-quarantined-files.txt 2010-03-28 14:34

Pre-Run: 1,509,163,008 bytes free
Post-Run: 1,481,502,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9FF369A14B708B8BF91529A3923F7057

Edited by boopme, 30 March 2010 - 02:52 PM.



#2 AviraHelp

AviraHelp
  • Topic Starter


Posted 01 April 2010 - 11:44 AM

Receiving help for this atm. Please close the thread, thx.


#3 SweetTech

SweetTech

Agent ST



Posted 01 April 2010 - 07:58 PM

Per request this thread will now be closed. Thanks for letting us know.






