
Infection


This topic is locked
68 replies to this topic

#1 zomglawlbbq

  • Members
  • 41 posts

Posted 02 April 2010 - 04:08 PM

Alright, I've been through this before; unfortunately, this time I'm not sure what I have. The other night I was on YouTube watching videos with my girlfriend and a little icon popped up next to my Skype icon on my taskbar. It looked like a little green shield and said "Windows blah blah says your computer is infected", and then a blue "fake" scanner window popped up. I knew it wasn't legit, so I ran a Malwarebytes scan and it found nothing, and neither did Kaspersky.

I do know Malwarebytes picked up a trojan a few weeks ago and quarantined it without any problems.
Posted below is the DDS log; the attachments are the DDS attach.txt log and the GMER log.





DDS (Ver_10-03-17.01) - NTFSx86
Run by david at 16:39:23.57 on Fri 04/02/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_16

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [cnicmuyj] c:\users\david\appdata\local\qoolkyije\regtpmktssd.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\Bluetooth.lnk.disabled
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 206.127.155.34 aion.patcher.ncsoft.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\david\appdata\roaming\mozilla\firefox\profiles\wo3n8fkz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-04-02 18:11:57 0 d-sh--w- C:\$RECYCLE.BIN
2010-03-31 16:17:00 426704 ----a-w- c:\windows\system32\uc_wepic_launching.dll
2010-03-30 05:12:00 0 d-----w- C:\Meew
2010-03-30 04:27:55 1607920 ----a-w- c:\users\david\flashplayer_9_plugin_debug.exe
2010-03-30 04:03:05 29272 ----a-r- c:\windows\system32\AdobePDF.dll
2010-03-30 01:25:27 0 d-----w- c:\programdata\FLEXnet
2010-03-30 01:12:25 0 d-----w- c:\program files\common files\Control Panels
2010-03-30 01:10:24 0 d-----w- c:\programdata\ALM
2010-03-30 00:24:49 0 d-----w- c:\program files\Bonjour
2010-03-30 00:20:49 0 d-----w- c:\program files\common files\Macrovision Shared
2010-03-29 23:49:05 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe
2010-03-29 23:49:04 2463976 ----a-w- c:\windows\system32\NPSWF32.dll
2010-03-27 08:55:17 0 d-----w- c:\program files\Veoh Networks
2010-03-27 08:52:55 10575024 ----a-w- c:\users\david\VeohWebPlayerSetup_eng.exe
2010-03-25 21:55:41 0 d-----w- c:\program files\Meew
2010-03-25 21:54:59 2004056 ----a-w- c:\users\david\setup.exe
2010-03-23 01:59:55 0 d-----w- C:\ijji
2010-03-23 01:59:07 0 d-----w- c:\programdata\ijjigame
2010-03-23 01:15:56 87472 ----a-w- c:\windows\system32\ijjiChannelingPlugin.dll
2010-03-23 01:15:56 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2010-03-23 01:15:56 61440 ----a-w- c:\windows\system32\uc_atlantica_launching.dll
2010-03-23 01:15:56 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2010-03-23 01:15:56 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2010-03-23 01:15:56 53248 ----a-w- c:\windows\system32\uc_luminary_launching.dll
2010-03-23 01:15:56 0 d-----w- c:\program files\ijji
2010-03-23 01:12:37 7505912 ----a-w- c:\users\david\IJJI_REACTOR_INST_EN.exe
2010-03-19 01:38:34 0 d-----w- c:\program files\gPotato
2010-03-19 01:25:10 0 d-----w- c:\programdata\PMB Files
2010-03-19 01:24:49 0 d-----w- c:\program files\Pando Networks
2010-03-19 01:24:00 1769144 ----a-w- c:\users\david\AikaOnlineDownloader.exe
2010-03-16 02:20:05 0 d-----w- c:\users\david\appdata\roaming\fltk.org
2010-03-16 01:36:47 0 d-----w- c:\program files\ePSXe
2010-03-13 18:36:38 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-03-13 18:36:36 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-03-11 06:37:21 77312 ----a-w- c:\windows\MBR.exe
2010-03-11 06:37:20 98816 ----a-w- c:\windows\sed.exe
2010-03-11 06:37:20 261632 ----a-w- c:\windows\PEV.exe
2010-03-11 06:37:20 161792 ----a-w- c:\windows\SWREG.exe
2010-03-09 23:54:54 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-09 23:54:52 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-09 23:54:52 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-04 09:26:04 86016 ----a-w- c:\windows\system32\frapsvid.dll

==================== Find3M ====================

2010-03-30 00:42:34 86016 ----a-w- c:\windows\inf\infstor.dat
2010-03-30 00:42:34 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-30 00:42:34 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-23 00:26:00 147456 ----a-w- c:\windows\system32\uc_neosteam_launching.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-22 14:24:36 64000 ----a-w- c:\windows\system32\uc_sfighters_launching.dll
2010-01-06 15:39:38 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:38:47 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 13:30:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-11-17 12:23:29 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-19 18:16:26 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-10-19 18:16:26 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-10-19 18:16:26 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-10-19 18:16:26 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-09-10 22:47:35 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-09-10 00:17:47 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\internet explorer\domstore\index.dat
2009-09-08 21:34:11 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009083120090907\index.dat
2009-09-09 03:20:31 114688 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009090820090909\index.dat
2009-09-09 18:58:03 98304 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009090920090910\index.dat
2009-09-10 22:47:35 65536 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009091020090911\index.dat
2009-09-10 20:46:35 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\internet explorer\userdata\index.dat
2009-09-10 22:47:35 278528 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\privacie\index.dat
2008-08-02 17:38:30 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2008-08-02 17:38:29 4 --sh--r- c:\windows\system32\drivers\taishop.sys

============= FINISH: 16:40:26.50 ===============
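The Pseudo HJT section of that DDS log is where a helper looks first: the browser proxy pointed at 127.0.0.1, the random-named uRun entry under AppData\Local, the two Hosts overrides and EnableLUA = 0 are the lines that stand out. As an added example (not code from the thread, from DDS, or from any tool it mentions), here is a small Python triage script that parses lines in that format and flags those four patterns; the sample input is constructed from the log above, and the heuristics are assumptions of the example, not DDS's own logic.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Heuristics only: a hit means "read this line first", not "this is malware".
A helper still confirms each one (file hash lookup, digital signature, the
user's own account of what they installed) before deciding on removal.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the Pseudo HJT section of the DDS log
# posted above. Backslashes are doubled only because this is a Python string.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uRun: [ehTray.exe] c:\\windows\\ehome\\ehTray.exe
uRun: [Skype] "c:\\program files\\skype\\phone\\Skype.exe" /nosplash /minimized
uRun: [cnicmuyj] c:\\users\\david\\appdata\\local\\qoolkyije\\regtpmktssd.exe
mRun: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 206.127.155.34 aion.patcher.ncsoft.com
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # short category tag, e.g. "proxy-loopback"
    line: str    # the DDS line that triggered the finding
    detail: str  # why a helper would look at it


# Line shapes used by DDS: u/m/d prefix = user / machine / default hive.
RUN_RE = re.compile(r"^([umd])Run: \[([^\]]*)\] (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer = (.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-(\w+): (\w+) = (\S+)")


def _exe_path(cmd: str) -> str:
    """Executable part of a run-key command: drop a leading quote and anything after .exe."""
    cmd = cmd.strip().lstrip('"')
    i = cmd.lower().find(".exe")
    return cmd if i == -1 else cmd[: i + 4]


def _is_loopback(host: str) -> bool:
    return host.startswith("127.") or host in ("localhost", "::1", "0.0.0.0")


def triage(dds_text: str) -> list[Finding]:
    """Scan DDS Pseudo HJT lines and return the entries worth a closer look."""
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            # "http=127.0.0.1:5555" -> host "127.0.0.1". A proxy on the local
            # machine that the user did not configure means something local
            # is sitting in the browser's traffic path.
            host = m.group(1).split("=")[-1].split(":")[0]
            if _is_loopback(host):
                findings.append(Finding("proxy-loopback", line,
                                        f"browser proxy points at {host}"))
        elif m := RUN_RE.match(line):
            scope, name, cmd = m.groups()
            exe = _exe_path(cmd).lower()
            # Autostart from a per-user AppData\Local folder whose value name
            # bears no relation to the binary name is the classic look of a
            # dropped, randomly named executable. Legitimate updaters also
            # live under AppData\Local, so the name mismatch is the filter.
            if "\\appdata\\local\\" in exe and name.lower() not in exe:
                findings.append(Finding("run-appdata", line,
                                        f'{scope}Run "{name}" starts {exe}'))
        elif m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if _is_loopback(ip):
                kind, why = "hosts-block", f"{host} is sinkholed to {ip}"
            else:
                kind, why = "hosts-redirect", f"{host} is pinned to {ip}"
            findings.append(Finding(kind, line, why))
        elif m := POLICY_RE.match(line):
            _hive, key, value = m.groups()
            if key == "EnableLUA" and value == "0":
                findings.append(Finding("uac-disabled", line,
                                        "User Account Control is switched off"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

A Hosts redirect to a non-loopback address can be a deliberate pin by the user (a game patcher, for example), which is why the script reports it separately from loopback sinkholes rather than treating both as bad.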




#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 April 2010 - 05:36 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 zomglawlbbq
  • Topic Starter

  • Members
  • 41 posts

Posted 06 April 2010 - 09:54 PM

Ready when you are. xP

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 April 2010 - 02:00 PM

Okay, you have a rootkit which we need to remove

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 zomglawlbbq
  • Topic Starter

  • Members
  • 41 posts

Posted 07 April 2010 - 04:11 PM

It shut down mid-scan. I was semi-AFK helping my girlfriend proofread an essay when it rebooted; Windows brought up an error report, which I'm posting as an attachment.

I was on Google about an hour ago helping her with research and it looks like I have a Google reroute virus/malware now also. The symptoms seem to be what I dealt with before, when I had you guys help me on here. If it is, I wouldn't be surprised, seeing as I was home for Easter break and my brother was using my comp again. I can see if I can find info on the rootkit I had last time.

Going to re-d/l and rerun Combofix and this time stay and see what it does.

P.S. the second picture is what I mentioned in the first post about the fake scanner that pops up every time I reboot and then times out.

Edited by zomglawlbbq, 07 April 2010 - 04:37 PM.


#6 zomglawlbbq
  • Topic Starter

  • Members
  • 41 posts

Posted 07 April 2010 - 04:33 PM

Alright reran it...got the BSoD at stage 33-34. :/

#7 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 April 2010 - 05:18 PM

Run these two programs before Combofix, then run Combofix as before.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


And

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Then Combofix
m0le is a proud member of UNITE

#8 zomglawlbbq
  • Topic Starter

  • Members
  • 41 posts

Posted 07 April 2010 - 05:55 PM

Sorry, I lost the RKill log because I accidentally clicked it again and it overwrote the original log; it did show something removed, though. @_@

exeHelper by Raktor
Build 20100329
Run at 18:24:08 on 04/07/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\Windows\system32\sdra64.exe
Error deleting C:\Windows\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



=====+++ COMBO FIX +++=====

ComboFix 10-04-06.05 - david 04/07/2010 18:31:06.10.2 - x86
Running from: c:\users\david\Desktop\ComFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\1194957207.dat
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-07 22:42 . 2010-04-07 22:43 -------- d-----w- c:\users\david\AppData\Local\temp
2010-04-07 22:42 . 2010-04-07 22:42 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-04-07 22:42 . 2010-04-07 22:42 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-07 22:42 . 2010-04-07 22:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-07 22:42 . 2010-04-07 22:42 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-04-07 21:58 . 2010-04-07 21:58 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2010-04-07 01:58 . 2010-04-07 01:58 1907056 ----a-w- c:\programdata\Skype\Plugins\Plugins\D3987B641C134048B815DB578D607F42\setup.exe
2010-04-07 01:58 . 2010-04-07 01:58 252416 ----a-w- c:\programdata\Skype\Plugins\Plugins\D3987B641C134048B815DB578D607F42\mcr_lib.dll
2010-04-07 01:58 . 2010-04-07 01:58 110080 ----a-w- c:\programdata\Skype\Plugins\Plugins\D3987B641C134048B815DB578D607F42\supertintin_skype_extra_wrapper.exe
2010-04-03 06:30 . 2010-04-03 06:30 -------- d-----w- c:\users\david\AppData\Local\pxhvhpgyv
2010-04-02 02:50 . 2010-04-02 02:50 -------- d-----w- c:\users\david\AppData\Local\qoolkyije
2010-03-31 16:17 . 2010-03-31 16:17 426704 ----a-w- c:\windows\system32\uc_wepic_launching.dll
2010-03-30 05:12 . 2010-03-30 05:12 -------- d-----w- C:\Meew
2010-03-30 04:27 . 2010-03-30 04:27 1607920 ----a-w- c:\users\david\flashplayer_9_plugin_debug.exe
2010-03-30 04:03 . 2007-03-23 08:05 29272 ----a-r- c:\windows\system32\AdobePDF.dll
2010-03-30 01:25 . 2010-03-30 15:04 -------- d-----w- c:\programdata\FLEXnet
2010-03-30 01:12 . 2010-03-30 01:12 -------- d-----w- c:\program files\Common Files\Control Panels
2010-03-30 01:10 . 2010-03-30 01:10 -------- d-----w- c:\programdata\ALM
2010-03-30 00:24 . 2010-03-30 00:24 -------- d-----w- c:\program files\Bonjour
2010-03-30 00:20 . 2010-03-30 00:20 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-03-29 23:49 . 2007-02-20 20:04 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe
2010-03-29 23:49 . 2007-02-20 20:04 2463976 ----a-w- c:\windows\system32\NPSWF32.dll
2010-03-27 08:55 . 2010-03-27 08:55 -------- d-----w- c:\program files\Veoh Networks
2010-03-27 08:52 . 2010-03-27 08:53 10575024 ----a-w- c:\users\david\VeohWebPlayerSetup_eng.exe
2010-03-25 21:55 . 2010-03-25 22:00 -------- d-----w- c:\program files\Meew
2010-03-25 21:54 . 2010-03-25 21:55 2004056 ----a-w- c:\users\david\setup.exe
2010-03-23 01:59 . 2010-03-23 01:59 -------- d-----w- C:\ijji
2010-03-23 01:59 . 2009-06-03 21:48 779720 ----a-w- c:\programdata\ijjigame\PurpleBean.exe
2010-03-23 01:59 . 2008-08-20 14:46 632280 ----a-w- c:\programdata\ijjigame\PLauncher.exe
2010-03-23 01:59 . 2009-05-27 22:08 591320 ----a-w- c:\programdata\ijjigame\ExLauncher.exe
2010-03-23 01:59 . 2008-09-04 20:34 112048 ----a-w- c:\programdata\ijjigame\ijjiPrePLauncher.exe
2010-03-23 01:59 . 2008-08-28 16:50 480688 ----a-w- c:\programdata\ijjigame\ijjistarter2FxB.exe
2010-03-23 01:59 . 2008-08-28 16:50 83376 ----a-w- c:\programdata\ijjigame\ijjiPreStarter2FxB.exe
2010-03-23 01:59 . 2008-08-28 16:50 50608 ----a-w- c:\programdata\ijjigame\ijjiNotify2FxB.exe
2010-03-23 01:59 . 2008-08-28 16:50 79280 ----a-w- c:\programdata\ijjigame\ijjiPreNotify2FxB.exe
2010-03-23 01:59 . 2010-03-23 01:59 -------- d-----w- c:\programdata\ijjigame
2010-03-23 01:20 . 2010-04-07 20:03 1804553488 ----a-w- c:\users\david\AppData\Roaming\ijjigame\U_AVA_Setup.exe
2010-03-23 01:18 . 2010-03-23 01:59 -------- d-----w- c:\users\david\AppData\Roaming\ijjigame
2010-03-23 01:15 . 2010-03-23 01:15 -------- d-----w- c:\program files\ijji
2010-03-23 01:15 . 2009-07-03 04:34 710064 ----a-w- c:\windows\system32\ijjiSetup.exe
2010-03-23 01:15 . 2009-07-03 04:34 58800 ----a-w- c:\windows\system32\ijjiProcessRestarter.exe
2010-03-23 01:15 . 2009-07-03 04:34 58800 ----a-w- c:\windows\system32\ijjiPlugin2.dll
2010-03-23 01:15 . 2009-07-01 14:25 61440 ----a-w- c:\windows\system32\uc_atlantica_launching.dll
2010-03-23 01:15 . 2009-03-31 21:43 53248 ----a-w- c:\windows\system32\uc_luminary_launching.dll
2010-03-23 01:15 . 2009-01-29 15:53 87472 ----a-w- c:\windows\system32\ijjiChannelingPlugin.dll
2010-03-23 01:12 . 2010-03-23 01:12 7505912 ----a-w- c:\users\david\IJJI_REACTOR_INST_EN.exe
2010-03-21 03:45 . 2010-03-21 03:45 -------- d-----w- c:\program files\Common Files\Skype
2010-03-19 01:38 . 2010-03-19 01:38 -------- d-----w- c:\program files\gPotato
2010-03-19 01:25 . 2010-03-24 05:45 -------- d-----w- c:\users\david\AppData\Local\PMB Files
2010-03-19 01:25 . 2010-03-19 01:26 -------- d-----w- c:\programdata\PMB Files
2010-03-19 01:24 . 2010-03-19 01:24 -------- d-----w- c:\program files\Pando Networks
2010-03-19 01:24 . 2010-03-19 01:24 1769144 ----a-w- c:\users\david\AikaOnlineDownloader.exe
2010-03-16 02:20 . 2010-03-16 02:55 -------- d-----w- c:\users\david\AppData\Roaming\fltk.org
2010-03-16 01:36 . 2010-04-05 20:42 -------- d-----w- c:\program files\ePSXe
2010-03-15 01:07 . 2010-03-15 01:07 -------- d-----w- c:\users\david\AppData\Roaming\dvdcss
2010-03-13 18:36 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-03-13 18:36 . 2006-09-28 21:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-03-10 22:16 . 2010-03-10 22:16 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-09 23:54 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-09 23:54 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-09 23:54 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 22:43 . 2008-08-17 04:01 -------- d-----w- c:\users\david\AppData\Roaming\Skype
2010-04-07 22:28 . 2010-02-17 09:33 -------- d-----w- c:\program files\Common Files\Akamai
2010-04-07 01:05 . 2008-08-17 04:03 -------- d-----w- c:\users\david\AppData\Roaming\skypePM
2010-04-03 16:39 . 2008-08-03 18:24 1356 ----a-w- c:\users\david\AppData\Local\d3d9caps.dat
2010-03-30 01:26 . 2008-08-02 17:39 92672 ----a-w- c:\users\david\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-30 01:14 . 2008-05-16 04:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-23 01:59 . 2008-05-16 03:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-21 03:45 . 2009-02-17 04:46 -------- d-----r- c:\program files\Skype
2010-03-21 03:45 . 2008-08-17 03:58 -------- d-----w- c:\programdata\Skype
2010-03-13 18:35 . 2009-08-08 05:20 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-03-10 22:21 . 2009-10-07 12:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-10 00:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-10 00:02 . 2008-07-03 23:25 -------- d-----w- c:\programdata\Microsoft Help
2010-03-06 19:09 . 2009-12-08 13:34 -------- d-----w- c:\program files\SpeedFan
2010-03-04 09:26 . 2010-03-04 09:26 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-02-24 14:16 . 2009-10-03 06:14 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-03-30 19:26 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 19:26 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-30 19:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-30 19:26 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-23 00:26 . 2010-02-23 00:26 147456 ----a-w- c:\windows\system32\uc_neosteam_launching.dll
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 18:05 . 2010-02-17 18:04 -------- d-----w- c:\program files\Packet Tracer 5.1
2010-02-17 09:47 . 2010-02-17 09:47 -------- d-----w- c:\program files\alaplaya
2010-02-10 05:36 . 2009-02-04 03:24 -------- d-----w- c:\users\david\AppData\Roaming\Ventrilo
2010-01-25 12:00 . 2010-02-24 09:45 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 09:45 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 09:45 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 09:45 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 09:45 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 09:45 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 09:45 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 09:45 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 09:45 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-24 09:45 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-22 14:24 . 2010-01-22 14:24 64000 ----a-w- c:\windows\system32\uc_sfighters_launching.dll
2008-08-02 17:38 . 2008-08-02 17:38 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-08-02 17:38 . 2008-08-02 17:38 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

------- Sigcheck -------

[-] 2008-10-23 . E042398ADDA05FFE10BD8637996E01B1 . 247296 . . [6.0.6000.16386] . . c:\windows\System32\Shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-15 184320]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk.disabled [2009-10-28 743]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TOSCDSPD"=TOSCDSPD.EXE
"Aim6"=
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
"PlayNC Launcher"=
"uTorrent"="c:\program files\uTorrent\uTorrent.exe"
"Pando Media Booster"=c:\program files\Pando Networks\Media Booster\PMB.exe
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
"vtecghoq"=c:\users\david\AppData\Local\pxhvhpgyv\qebdwoitssd.exe
"cnicmuyj"=c:\users\david\AppData\Local\qoolkyije\regtpmktssd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NDSTray.exe"=NDSTray.exe
"Zune Launcher"="c:\users\david\AppData\Local\Microsoft\Messenger\zomgbloodypanda@live.com\Sharing Folders\ZuneLauncher.exe"
"CLMLServer"="c:\program files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe"
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" /start
"00TCrdMain"=%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
"PCMAgent"="c:\program files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe"
"ITSecMng"=%ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:07,2a,cb,d7,00,58,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3072097280-1755431134-3444738708-1000]
"EnableNotificationsRef"=dword:00000002

R1 ntrigdigii;ntrigdigii;c:\windows\system32\drivers\ntrigdigii.sys [x]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [x]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [x]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [x]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [x]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [x]
R2 vdsCertPropSvc;Virtual Disk vdsCertPropSvc;c:\windows\system32\AdvancedInstallersa.exe [2008-01-21 64000]
R2 wmiApSrvSBSDWSCService;WMI Performance Adapter wmiApSrvSBSDWSCService;c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0j.exe [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 meewmeew;meewmeew;c:\windows\system32\drivers\meewmeew.sys [x]
R3 netizen.com;netizen.com;c:\windows\system32\drivers\netizen.com.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-12-16 3453712]
R3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [x]
R3 rootrepeal3;rootrepeal3;c:\windows\system32\drivers\rootrepeal3.sys [x]
R3 TKFsAc;TKFsAc;c:\windows\system32\TKFsAc2k.sys [x]
R3 TKFsAv;TKFsAv;c:\windows\system32\TKFsAv2k.sys [x]
R3 TKFsFt;TKFsFt;c:\windows\system32\TKFsFt2k.sys [x]
R3 TKRgAc;TKRgAc;c:\windows\system32\TKRgAc2k.sys [x]
R3 TKRgFt;TKRgFt;c:\windows\system32\TKRgFtXp.sys [x]
R3 XDva224;XDva224;c:\windows\system32\XDva224.sys [x]
R3 XDva332;XDva332;c:\windows\system32\XDva332.sys [x]
R3 XDva337;XDva337;c:\windows\system32\XDva337.sys [x]
R3 XDva341;XDva341;c:\windows\system32\XDva341.sys [x]
R3 XDva343;XDva343;c:\windows\system32\XDva343.sys [x]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2009-06-25 73720]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-14 172032]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2009-06-25 205304]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-04-15 51160]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [2007-04-09 8192]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-25 73728]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\david\AppData\Roaming\Mozilla\Firefox\Profiles\wo3n8fkz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 18:43
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85F2BAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x89b0fd24
\Driver\ACPI -> acpi.sys @ 0x8060ed68
\Driver\atapi -> ataport.SYS @ 0x8072aa2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet021\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3072097280-1755431134-3444738708-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:42,65,a9,b7,9f,27,5b,b6,4d,4f,32,b0,35,86,37,46,47,79,c9,26,de,0a,f0,
b7,87,56,4a,11,db,3f,2a,5d,6d,2f,b5,6e,5d,53,32,fc,57,22,7b,9b,e4,25,49,72,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet021\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-07 18:47:47
ComboFix-quarantined-files.txt 2010-04-07 22:47
ComboFix2.txt 2010-04-02 18:13
ComboFix3.txt 2010-03-11 06:49

Pre-Run: 110,080,880,640 bytes free
Post-Run: 110,144,983,040 bytes free

- - End Of File - - 7DE23F48583BC6CE9C0A949270ED9B96


#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:55 AM

Posted 07 April 2010 - 06:25 PM

Do you recognise this folder?

c:\program files\Meew


Please rerun Combofix as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\XDva224.sys
c:\windows\system32\XDva332.sys
c:\windows\system32\XDva337.sys
c:\windows\system32\XDva341.sys
c:\windows\system32\XDva343.sys

Folder::
c:\users\david\AppData\Local\pxhvhpgyv
c:\users\david\AppData\Local\qoolkyije

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"vtecghoq"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"cnicmuyj"=-

Driver::
XDva224
XDva332
XDva337
XDva341
XDva343

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet021\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks
m0le is a proud member of UNITE

#10 zomglawlbbq

zomglawlbbq
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 07 April 2010 - 06:46 PM

Crashed with BSoD as soon as it began.
When the computer boots up it's not bringing up the faux scanner and Google isn't rerouting links now. Every once in a while I get a random window popping up though.
The Meew file belongs to my girlfriend; she stores Fraps videos from the games she plays in it.

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:55 AM

Posted 07 April 2010 - 06:50 PM

Run ExeHelper again and let's see if it detects sdra.exe.

That's our problem, by the way.
m0le is a proud member of UNITE

#12 zomglawlbbq

zomglawlbbq
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 07 April 2010 - 07:41 PM

Still there...

exeHelper by Raktor
Build 20100329
Run at 18:24:08 on 04/07/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\Windows\system32\sdra64.exe
Error deleting C:\Windows\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100329
Run at 20:40:13 on 04/07/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:55 AM

Posted 08 April 2010 - 12:29 PM

Rerun ExeHelper again as it states:

QUOTE
If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Edited by m0le, 08 April 2010 - 12:31 PM.

m0le is a proud member of UNITE

#14 zomglawlbbq

zomglawlbbq
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 08 April 2010 - 12:54 PM

Oops, I thought it would bring up a pop-up saying that. Here you go. @_@


exeHelper by Raktor
Build 20100329
Run at 13:52:40 on 04/08/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\Windows\system32\sdra64.exe
Error deleting C:\Windows\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100329
Run at 13:53:12 on 04/08/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\Windows\system32\sdra64.exe
Error deleting C:\Windows\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:55 AM

Posted 08 April 2010 - 03:36 PM

Please run MBAM and Combofix straight after, as below

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

Please rerun Combofix as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
C:\Windows\system32\sdra64.exe
c:\windows\system32\XDva224.sys
c:\windows\system32\XDva332.sys
c:\windows\system32\XDva337.sys
c:\windows\system32\XDva341.sys
c:\windows\system32\XDva343.sys

Folder::
c:\users\david\AppData\Local\pxhvhpgyv
c:\users\david\AppData\Local\qoolkyije

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"vtecghoq"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"cnicmuyj"=-

Driver::
XDva224
XDva332
XDva337
XDva341
XDva343

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet021\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks

Edited by m0le, 08 April 2010 - 03:37 PM.

m0le is a proud member of UNITE
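
The two CFScripts m0le posted (#9 and #15) are built by reading the ComboFix log for the same three signs: a ProxyServer value pointing at 127.0.0.1, autorun values under `run-` that launch from random-named folders in `AppData\Local`, and driver entries whose file ComboFix marks as missing (`[x]`). The script below is an added example, not part of this thread and not ComboFix or any BleepingComputer tool: it applies those checks to a handful of constructed log lines modelled on the ones above and drafts CFScript sections in the layout m0le used. The random-name heuristic, its thresholds and the severity labels are the example's own assumptions; the output is a starting point for a human reviewer, not something to run unreviewed.

```python
"""Triage a ComboFix/DDS style log and draft CFScript sections from the findings.

Added example (not from the thread or from ComboFix). Checks:
  1. browser ProxyServer pointing at the loopback address,
  2. autorun values launched from a user-writable AppData folder whose folder
     or file name looks random,
  3. service/driver entries whose image file ComboFix marks missing ([x]).
Heuristics and thresholds are assumptions; review the draft before use.
"""
import re

# Constructed sample modelled on the log lines in the thread (not the full log).
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe"
"vtecghoq"=c:\users\david\AppData\Local\pxhvhpgyv\qebdwoitssd.exe
"cnicmuyj"=c:\users\david\AppData\Local\qoolkyije\regtpmktssd.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
R3 XDva224;XDva224;c:\windows\system32\XDva224.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-12-16 3453712]
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.+)$')
# First program path in a value, quoted or not, cut at its extension (ComboFix may append args/size).
PATH_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|sys|des|dll|scr))', re.I)
SERVICE_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);[^;]*;(?P<path>.+?) \[(?P<info>[^\]]*)\]$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
APPDATA_RE = re.compile(r"\\appdata\\(?:local|locallow|roaming)\\(?P<top>[^\\]+)\\", re.I)
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Crude 'keyboard mash' test: few vowels, a long consonant run, or q without u."""
    s = name.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", s)), default=0)
    return vowel_ratio <= 0.25 or longest_run >= 4 or re.search(r"q(?!u)", s) is not None


def triage(log_text: str) -> list:
    """Walk the log once and return a list of finding dicts."""
    findings, current_key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current_key = m.group(1)          # remember which key the next values belong to
        elif (m := PROXY_RE.match(line)):
            if "127.0.0.1" in m["value"] or "localhost" in m["value"].lower():
                findings.append({"severity": "HIGH", "kind": "proxy",
                                 "detail": f"browser proxy set to loopback: {m['value']}"})
        elif (m := SERVICE_RE.match(line)):
            if m["info"] == "x":              # ComboFix's marker: service file is missing
                findings.append({"severity": "LOW", "kind": "orphan_service",
                                 "service": m["svc"], "path": m["path"],
                                 "detail": f"service {m['svc']} points at missing file {m['path']}"})
        elif current_key and (m := VALUE_RE.match(line)):
            p = PATH_RE.match(m["rest"])
            top = APPDATA_RE.search(p["path"]) if p else None
            if not top:
                continue                      # only user-profile autoruns are scored here
            path = p["path"]
            folder = path[: top.end() - 1]    # ...\AppData\Local\<top>
            base = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            severity = "HIGH" if looks_random(top["top"]) or looks_random(base) else "MEDIUM"
            findings.append({"severity": severity, "kind": "appdata_autorun",
                             "key": current_key, "value": m["name"], "folder": folder,
                             "path": path, "detail": f"autorun {m['name']!r} launches {path}"})
    return findings


def build_cfscript(findings: list) -> str:
    """Draft File::/Folder::/Registry::/Driver:: sections in the layout used in the thread."""
    files, folders, registry, drivers = [], [], [], []
    for f in findings:
        if f["kind"] == "appdata_autorun" and f["severity"] == "HIGH":
            folders.append(f["folder"])
            registry.append(f"[{f['key']}]\n\"{f['value']}\"=-")
        elif f["kind"] == "orphan_service" and f["path"].lower().endswith(".sys"):
            files.append(f["path"])
            drivers.append(f["service"])
    out = []
    for header, items in (("File::", files), ("Folder::", folders),
                          ("Registry::", registry), ("Driver::", drivers)):
        if items:
            out.append(header)
            out.extend(dict.fromkeys(items))  # de-duplicate, keep order
            out.append("")
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['detail']}")
    print(build_cfscript(found))
```

The MEDIUM tier exists because plenty of legitimate software also autoruns from AppData (the `Zune Launcher` entry in the log above is one); only entries whose folder or file name trips the random-name test are promoted to HIGH and written into the draft, and a reviewer still decides what goes into the real CFScript.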



