XP Defender and other rootkits.


This topic is locked.
19 replies to this topic

#1 Agarest
Posted 21 May 2010 - 11:22 PM

I have a computer which belongs to my brother and his wife that is infected with XP Defender. My friend tried to fix it with help from Google (MBAM + ComboFix) and it temporarily disappeared. XP Defender respawned with a new name and has since been, and still is, wreaking havoc on the computer system. The antivirus software installed is Avira, and it now constantly comes up trying to block a new threat. I have since disabled the internet connection on that computer.

I ran the tools in the Preparation Guide and I could not get GMER to finish. The computer would crash midway through the rootkit scan. I also tried running it in Safe Mode, but the computer would crash and restart while starting up Safe Mode. Here are the DDS and Attach logs.


DDS (Ver_10-03-17.01) - NTFSx86
Run by hero at 22:33:38.45 on Fri 05/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2711 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kingsoft\PowerWord PE\ksdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Kingsoft\PowerWord PE\CBTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\hero\LOCALS~1\Temp\os5hw.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Kingsoft\PowerWord Lite\XDict.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jusched .exe
C:\Program Files\Tencent\QQSoftMgr\1.0.338.203\TencentUpdateSvc.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager .exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\hero\Desktop\Eric Diag Tools\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: QvodExtend: {53ac8551-0de0-4606-8a1e-a51af20add60} - QvodExtend
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: ȸɽʰfor IE: {a28581a7-e2a8-4b6c-9cc9-4a4cc1efd55a} - c:\program files\kingsoft\powerword pe\SelectForIE.dll
BHO: CBBrowerBuddy Class: {a412e581-59b2-485e-834f-c5f0c0268c79} - c:\program files\kingsoft\powerword lite\CBEBand.DLL
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - Google Dictionary Compression sdch
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
EB: ɽʰ: {abb7394c-91cd-42e9-88a3-23166137709d} - c:\program files\kingsoft\powerword lite\CBEBand.DLL
uRun: [KingSoft PowerWord PE] c:\program files\kingsoft\powerword pe\CBTray.exe -AUTORUN
uRun: [QQ2009] "c:\program files\tencent\qq\bin\QQ.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Gtoqequbefo] rundll32.exe "c:\windows\sbsht3ap.dll",Startup
uRun: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] c:\docume~1\hero\locals~1\temp\os5hw.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [PeachtreePrefetcher.exe] "c:\progra~1\sageso~1\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
mRun: [SDTray] c:\program files\spyware doctor\SDTrayApp.exe
mRun: [Gpezu] rundll32.exe "c:\windows\imasicuzoja.dll",Startup
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\660B~1.LNK -
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: ???QQ?? - c:\program files\tencent\qq\bin\AddEmotion.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {9D5CCDC3-545F-4418-8AEC-9CD2773B4861} - {48B4D816-8BE7-4F32-85C9-F2E912C02311} - c:\program files\kingsoft\powerword pe\SelectForIE.dll
IE: {A412E581-59B2-485E-834F-C5F0C0268C79} - {A412E581-59B2-485E-834F-C5F0C0268C79} - c:\program files\kingsoft\powerword lite\CBEBand.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253245610373
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SEH: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - SABShellExecuteHook Class

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hero\applic~1\mozilla\firefox\profiles\lxj0rgxr.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {C4E2F418-E35E-4EF4-BD0D-779BDCEBC21D} - c:\documents and settings\hero\local settings\application data\{C4E2F418-E35E-4EF4-BD0D-779BDCEBC21D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-8 11608]
R1 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2010-4-18 39248]
R1 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2010-4-18 52304]
R1 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2010-4-18 59984]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2010-4-18 83536]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-8 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-8 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-8 56816]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-5-18 80392]
R2 KSDSVC;Kingsoft Common Content Service;c:\program files\kingsoft\powerword pe\ksdsvc.exe [2009-10-18 26264]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2007-9-5 455968]
R2 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2010-4-18 708176]
R2 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe [2010-4-18 1302272]
R2 TSUSVC;Tencent Software Update Service;c:\program files\tencent\qqsoftmgr\1.0.338.203\TencentUpdateSvc.exe [2008-12-9 116040]
S0 lwqmm;lwqmm; [x]
S0 svqfw;svqfw; [x]
S2 MSIU-4c16f203;MSIU-4c16f203;c:\windows\system32\-4c16f203.exe [2010-5-19 71168]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

============== File Associations ===============

chm.file="hh.exe" %1
txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2010-05-22 02:26:17 20 ----a-w- c:\documents and settings\hero\defogger_reenable
2010-05-19 17:19:37 2544 ----a-w- c:\windows\uraquqofolin.dll
2010-05-19 15:54:14 40960 ---ha-w- c:\windows\system32\cidaelog.dll
2010-05-19 15:54:02 30000 ----a-w- c:\windows\system32\om5qnrci.dll
2010-05-19 15:53:46 185344 ----a-w- c:\windows\Owupoa.exe
2010-05-19 15:53:41 71168 ----a-w- c:\windows\system32\-4c16f203.exe
2010-05-18 05:11:14 0 ----a-w- c:\windows\EEventManager .INI
2010-05-16 21:05:54 31822 ----a-w- C:\debug
2010-05-16 21:04:07 112 ----a-w- c:\docume~1\alluse~1\applic~1\5hXFc7H.dat
2010-05-16 08:34:01 200 ----a-w- c:\windows\QCPC60UI.dat
2010-05-16 08:33:59 0 d-----w- c:\program files\QCP Converter
2010-05-10 19:15:15 0 dc-h--w- c:\windows\ie8
2010-05-08 11:08:58 50990 ----a-w- c:\windows\system32\qvvbhgjqealjkean.exe
2010-05-08 00:11:20 120 ----a-w- c:\windows\Bwikalibi.dat
2010-05-08 00:11:20 0 ----a-w- c:\windows\Btinape.bin

==================== Find3M ====================

2010-05-22 02:28:16 16608 ----a-w- c:\windows\gdrv.sys
2010-05-21 01:58:10 36868 ----a-w- c:\windows\system32\rundll32.exe.tmp
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-18 17:26:18 83536 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2010-04-18 17:26:13 59984 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2010-04-18 17:26:03 26064 ----a-w- c:\windows\system32\drivers\kcom.sys
2010-04-18 17:26:00 52304 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2010-04-18 17:26:00 39248 ----a-w- c:\windows\system32\drivers\ikfileflt.sys
2010-04-15 00:07:25 139586 ----a-w- C:\MGlogs.zip
2010-04-14 23:59:26 0 ----a-w- C:\settings.dat
2010-04-14 17:01:04 2389388 ----a-w- C:\MGtools.exe
2010-04-13 16:50:47 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-12 22:02:38 261632 ----a-w- c:\windows\PEV.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 03:45:47 65500 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 22:35:18.53 ===============

Edited by Agarest, 21 May 2010 - 11:47 PM.
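Editor's note on the DDS log above. Read the way a malware responder reads it, the log already contains the indicators that matter: two Run-key values that launch rundll32 against randomly named DLLs sitting in the root of c:\windows (sbsht3ap.dll, imasicuzoja.dll); a Run-key value that launches an .exe straight out of the user's Temp folder (os5hw.exe); process and Run entries for "jusched .exe" and "EEventManager .exe" with a space before the extension, alongside the genuine jusched.exe; an Internet Explorer proxy pointed at 127.0.0.1:5555, so every HTTP request is handed to a local process first; policies that hide Folder Options and disable Registry Tools; two boot-start (S0) drivers registered with no image file on disk ([x]); and a service whose image is c:\windows\system32\-4c16f203.exe. The script below is an added example written for this page; it is not part of Agarest's post and not the output or code of DDS, ComboFix or GMER. It turns those observations into regex heuristics and runs them over lines copied from the log, interleaved with benign neighbours. The rule names, the regular expressions and the choice of sample lines are the editor's assumptions.

```python
"""Flag rogue-AV / trojan persistence indicators in a DDS-style log.

Added example (editor's code, not DDS, ComboFix or the poster's).  The
rule names, the regexes and the sample lines below are assumptions
drawn from the log in this thread; tune them before relying on them.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Each rule encodes one indicator visible in the DDS log above.
RULES: List[Tuple[str, re.Pattern]] = [
    # Run-key value: rundll32 loading a randomly named DLL from the
    # %WINDIR% root (vendor DLLs normally live in system32 or Program Files).
    ("rundll32-random-dll",
     re.compile(r'rundll32\.exe\s+"c:\\windows\\[a-z0-9]+\.dll",startup', re.I)),
    # Run-key value launching an .exe straight out of the user's Temp folder.
    ("run-from-temp",
     re.compile(r'^[um]Run: \[[^\]]+\] .*\\(?:locals~1|local settings)\\temp\\', re.I)),
    # "name .exe": a space before the extension, i.e. the original binary
    # pushed aside so a look-alike can occupy its path.
    ("space-before-ext", re.compile(r'\S \.exe\b', re.I)),
    # Browser proxy pointed at loopback: every HTTP request first passes
    # through a local process that can rewrite or log it.
    ("loopback-proxy", re.compile(r'ProxyServer = .*127\.0\.0\.1:\d+', re.I)),
    # Policies that hide Folder Options or block regedit from the user.
    ("user-lockout-policy",
     re.compile(r'Policies-(?:explorer|system): '
                r'(?:NoFolderOptions|DisableRegistryTools) = 1', re.I)),
    # Boot-start (S0) driver registered with no image file on disk ([x]).
    ("boot-driver-no-file", re.compile(r'^S0 [^;]+;[^;]+; \[x\]', re.I)),
    # Service whose image in system32 is nothing but a hex blob, with or
    # without a leading "-".
    ("hex-named-service",
     re.compile(r'^S[0-3] [^;]+;[^;]+;c:\\windows\\system32\\-?[0-9a-f]{8}\.exe', re.I)),
]

Hit = Tuple[int, str, str]  # (line number, rule name, offending line)


def scan_text(text: str) -> List[Hit]:
    """Return every (line_no, rule, line) triple that trips a rule."""
    hits: List[Hit] = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        for name, rx in RULES:
            if rx.search(line):
                hits.append((no, name, line.strip()))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per rule name."""
    return dict(Counter(name for _, name, _ in hits))


# Constructed sample: lines copied from the DDS log in this thread,
# interleaved with benign neighbours so the rules have something to ignore.
SAMPLE = r"""
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager .exe
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uRun: [Gtoqequbefo] rundll32.exe "c:\windows\sbsht3ap.dll",Startup
uRun: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] c:\docume~1\hero\locals~1\temp\os5hw.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Gpezu] rundll32.exe "c:\windows\imasicuzoja.dll",Startup
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-8 11608]
S0 lwqmm;lwqmm; [x]
S0 svqfw;svqfw; [x]
S2 MSIU-4c16f203;MSIU-4c16f203;c:\windows\system32\-4c16f203.exe [2010-5-19 71168]
"""

if __name__ == "__main__":
    for no, rule, line in scan_text(SAMPLE):
        print(f"line {no:2d}  {rule:<22} {line}")
    print(summarize(scan_text(SAMPLE)))
```

Run against the sample, the benign neighbours (the real jusched.exe, NvCpl.dll loaded from system32, Avira's avgio.sys) stay silent and the eleven suspicious lines are each tagged with the rule they tripped. The jusched.exe / "jusched .exe" pair is worth dwelling on: the ComboFix log later in this thread deletes the former and renames the latter back to its proper name, which is the pattern of a legitimate binary displaced by a trojanised copy sitting at the path the Run key already trusts. Heuristics like these are a triage aid, not a verdict; boot-start drivers with no file on disk are exactly the kind of entry that a rootkit scanner such as GMER exists to examine.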



#2 Blade81 (Malware Response Team)

Posted 24 May 2010 - 03:23 AM

Hi,

ComboFix shouldn't be run without the supervision of a trained helper. Post the contents of the ComboFix log from the earlier run (it should be in the file c:\combofix.txt). Also, try to run GMER with nothing but the Sections option selected.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Agarest (Topic Starter)

Posted 24 May 2010 - 05:46 PM

I am still unable to run GMER completely, but I was able to save about the first half of the scan. The ComboFix log is about one month old and is from before the computer started breaking down. I also removed Avira since it seemed to conflict with the GMER scan a bit, but now I am not able to see the infection.


#4 Blade81 (Malware Response Team)

Posted 24 May 2010 - 11:13 PM

Hi,

Please run ComboFix and let it update itself. Post back the report plus a fresh dds.txt log.



#5 Agarest (Topic Starter)

Posted 25 May 2010 - 11:17 AM

Here is the ComboFix log:

ComboFix 10-05-24.05 - hero 05/25/2010 6:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2821 [GMT -4:00]
Running from: c:\jims stuff3\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\yO4105dp.exe
c:\documents and settings\hero\Local Settings\Application Data\{C4E2F418-E35E-4EF4-BD0D-779BDCEBC21D}
c:\documents and settings\hero\Local Settings\Application Data\{C4E2F418-E35E-4EF4-BD0D-779BDCEBC21D}\chrome.manifest
c:\documents and settings\hero\Local Settings\Application Data\{C4E2F418-E35E-4EF4-BD0D-779BDCEBC21D}\chrome\content\_cfg.js
c:\documents and settings\hero\Local Settings\Application Data\{C4E2F418-E35E-4EF4-BD0D-779BDCEBC21D}\chrome\content\overlay.xul
c:\documents and settings\hero\Local Settings\Application Data\{C4E2F418-E35E-4EF4-BD0D-779BDCEBC21D}\install.rdf
c:\documents and settings\hero\Local Settings\Application Data\Windows Server
c:\documents and settings\hero\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\hero\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\program files\Java\jre6\bin\jusched.exe
c:\windows\imasicuzoja.dll
c:\windows\msv1_0.dll
c:\windows\sbsht3ap.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\qvvbhgjqealjkean.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\vb40032.dll
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\uraquqofolin.dll

c:\program files\Java\jre6\bin\jusched .exe ---^> c:\program files\Java\jre6\bin\jusched.exe

.
Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :P
c:\windows\system32\grpconv.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_USBXBOX


((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-22 03:52 . 2010-05-22 03:50 293376 ----a-w- C:\8611y0uj.exe
2010-05-19 15:54 . 2010-05-20 03:21 -------- d-----w- c:\documents and settings\hero\Local Settings\Application Data\iletdlrwb
2010-05-19 15:54 . 2010-05-19 15:54 40960 ---ha-w- c:\windows\system32\cidaelog.dll
2010-05-17 16:02 . 2010-05-17 16:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-05-16 08:34 . 2010-05-16 08:39 200 ----a-w- c:\windows\QCPC60UI.dat
2010-05-16 08:33 . 2010-05-16 08:34 -------- d-----w- c:\program files\QCP Converter
2010-05-10 19:15 . 2010-05-10 19:16 -------- dc-h--w- c:\windows\ie8
2010-05-08 11:10 . 2010-05-08 11:10 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-05-08 11:08 . 2010-05-08 12:22 -------- d-----w- c:\documents and settings\hero\Local Settings\Application Data\eooaoifjb
2010-05-08 00:11 . 2010-05-25 10:22 120 ----a-w- c:\windows\Bwikalibi.dat
2010-05-08 00:11 . 2010-05-25 10:22 0 ----a-w- c:\windows\Btinape.bin
2010-05-02 17:54 . 2010-05-02 17:54 1435864 ----a-w- c:\documents and settings\hero\Application Data\Tencent\QQ\AuTemp\0NU1ID3Z}JGFYOBZ5SG5ZRI\1272012353316707935\QQ2010Betakb8_update.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 10:47 . 2009-05-18 14:26 16608 ----a-w- c:\windows\gdrv.sys
2010-05-25 10:46 . 2009-06-02 05:41 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000000-00001102-00000002-80641102}.dat
2010-05-25 10:46 . 2009-06-02 05:41 24 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000000-00001102-00000002-80641102}.dat
2010-05-25 10:33 . 2008-04-14 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-05-25 10:24 . 2010-05-16 21:04 112 ----a-w- c:\documents and settings\All Users\Application Data\5hXFc7H.dat
2010-05-24 03:21 . 2009-11-24 01:35 -------- d-----w- c:\program files\QvodPlayer
2010-05-18 14:06 . 2009-12-29 15:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\kingsoft
2010-05-17 20:59 . 2009-10-27 13:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\Tencent
2010-05-17 20:58 . 2010-04-18 17:25 -------- d-----w- c:\program files\Spyware Doctor
2010-05-12 20:45 . 2010-04-14 22:56 117760 ----a-w- c:\documents and settings\hero\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-12 20:31 . 2010-03-16 03:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-10 03:02 . 2010-04-13 02:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-29 19:39 . 2010-03-16 03:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-16 03:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 13:48 . 2009-05-18 14:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-18 18:06 . 2010-04-18 18:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-18 17:26 . 2010-04-18 17:25 83536 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2010-04-18 17:26 . 2010-04-18 17:25 59984 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2010-04-18 17:26 . 2010-04-18 17:25 26064 ----a-w- c:\windows\system32\drivers\kcom.sys
2010-04-18 17:26 . 2010-04-18 17:25 52304 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2010-04-18 17:26 . 2010-04-18 17:25 39248 ----a-w- c:\windows\system32\drivers\ikfileflt.sys
2010-04-18 17:25 . 2010-04-18 17:25 -------- d-----w- c:\documents and settings\hero\Application Data\PC Tools
2010-04-15 07:02 . 2009-05-18 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-15 00:07 . 2010-04-15 00:06 139586 ----a-w- C:\MGlogs.zip
2010-04-14 23:59 . 2010-04-14 23:59 0 ----a-w- C:\settings.dat
2010-04-14 23:55 . 2010-04-14 23:55 -------- d-----w- c:\program files\CCleaner
2010-04-14 22:57 . 2010-04-14 22:57 52224 ----a-w- c:\documents and settings\hero\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-14 22:56 . 2010-04-14 22:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-14 22:56 . 2010-04-14 22:56 -------- d-----w- c:\documents and settings\hero\Application Data\SUPERAntiSpyware.com
2010-04-14 22:55 . 2010-04-14 22:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-14 17:01 . 2010-04-15 00:05 2389388 ----a-w- C:\MGtools.exe
2010-04-13 16:50 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-13 04:49 . 2009-05-28 04:18 -------- d-----w- c:\program files\Google
2010-04-13 02:11 . 2010-04-13 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-10 00:57 . 2009-05-18 14:23 81680 ----a-w- c:\documents and settings\hero\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-31 01:56 . 2009-05-22 13:47 -------- d-----w- c:\documents and settings\hero\Application Data\uTorrent
2010-03-29 14:58 . 2009-05-18 14:00 -------- d-----w- c:\program files\NeoSmart Technologies
2010-03-19 23:08 . 2010-03-19 23:08 2568360 ----a-w- c:\documents and settings\hero\Application Data\Tencent\QQ\AuTemp\0NU1ID3Z}JGFYOBZ5SG5ZRI\12675122321261256759\QQ2010Betakb7_update.exe
2010-03-10 06:15 . 2008-06-25 17:19 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 03:45 . 2009-06-05 16:24 65500 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-06 00:16 . 2010-03-06 00:16 2217968 ----a-w- c:\documents and settings\hero\Application Data\Google\Google Pinyin 2\pinyin-2.2.11.69\GooglePinyinUpdater.exe
2010-02-25 06:24 . 2008-06-23 16:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 11:57 . 2008-07-02 12:23 457216 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
c:\program files\Epson Software\Event Manager\EEventManager .exe
c:\program files\Google\Quick Search Box\GoogleQuickSearchBox .exe
c:\program files\Sage Software\Peachtree\PeachtreePrefetcher .exe
c:\program files\Spyware Doctor\SDTrayApp .exe
c:\program files\Tencent\QQ\Bin\QQ .exe
c:\windows\system32\rundll32 .exe


------- Sigcheck -------

[-] 2008-08-27 . DF70435F3D17C40D5CB15E6DC918342E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-08-27 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KingSoft PowerWord PE"="c:\program files\Kingsoft\PowerWord PE\CBTray.exe" [2009-10-22 597144]
"QQ2009"="c:\program files\Tencent\QQ\Bin\QQ.exe" [N/A]
"Gtoqequbefo"="c:\windows\sbsht3ap.dll" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-08 149280]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [N/A]
"PeachtreePrefetcher.exe"="c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [N/A]
"SDTray"="c:\program files\Spyware Doctor\SDTrayApp.exe" [N/A]
"Gpezu"="c:\windows\imasicuzoja.dll" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\hero\\Desktop\\Plugin\\Com.Tencent.QQMusic\\bin\\QQMusic\\QzoneMusic.exe"=
"c:\\Program Files\\Tencent\\QQ\\Plugin\\Com.Tencent.QQMusic\\bin\\QQMusic\\QzoneMusic.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Tencent\\QQ\\Bin\\auclt.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Tencent\\QQSoftMgr\\1.0.338.203\\QQSoftMgr.exe"=
"c:\\Program Files\\Tencent\\QQSoftMgr\\1.0.338.203\\QQSoftMgrUpdater.exe"=
"c:\\Program Files\\Tencent\\QQSoftMgr\\1.0.338.203\\TencentUpdateSvc.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQPYConfig.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQPYLiveup.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQPYLevel.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQPYDict.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQImeRegDict.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQImeRegSkin.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [5/18/2009 10:27 AM 80392]
R2 KSDSVC;Kingsoft Common Content Service;c:\program files\Kingsoft\PowerWord PE\ksdsvc.exe [10/18/2009 11:07 PM 26264]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [9/5/2007 12:25 PM 455968]
R2 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [4/18/2010 1:25 PM 708176]
R2 TSUSVC;Tencent Software Update Service;c:\program files\Tencent\QQSoftMgr\1.0.338.203\TencentUpdateSvc.exe [12/9/2008 5:22 AM 116040]
S0 lwqmm;lwqmm; [x]
S0 svqfw;svqfw; [x]
S2 MSIU-4c16f203;MSIU-4c16f203;c:\windows\system32\-4c16f203.exe --> c:\windows\system32\-4c16f203.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/25/2009 9:28 PM 721904]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: ???QQ?? - c:\program files\Tencent\QQ\Bin\AddEmotion.htm
IE: {{9D5CCDC3-545F-4418-8AEC-9CD2773B4861} - {48B4D816-8BE7-4F32-85C9-F2E912C02311} - c:\program files\Kingsoft\PowerWord PE\SelectForIE.dll
FF - ProfilePath - c:\documents and settings\hero\Application Data\Mozilla\Firefox\Profiles\lxj0rgxr.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-qvvbhgjqealjkean - c:\windows\system32\qvvbhgjqealjkean.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 06:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x8964E8B4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba62fbb0
PacketIndicateHandler -> NDIS.sys @ 0xba63cb21
SendHandler -> NDIS.sys @ 0xba61a87b
user & kernel MBR OK
copy of MBR has been found in sector 8 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8f,e2,3f,47,1e,35,73,40,bf,51,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8f,e2,3f,47,1e,35,73,40,bf,51,6f,\

[HKEY_USERS\S-1-5-21-1202660629-484061587-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\mR0RQ*Q*h`]
"contexts"=dword:00000002
@="c:\\Program Files\\Tencent\\QQ\\Bin\\AddEmotion.htm"

[HKEY_USERS\S-1-5-21-1202660629-484061587-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{030AB8C1-6B62-5892-BDCC-EB504777704A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dbgadmoehkaphhcgmpobbmldikoiggigjlofamkc"=hex:6b,61,65,6b,62,68,6c,64,68,65,
66,67,68,6e,6f,64,6c,6f,6f,6d,67,64,00,00

[HKEY_USERS\S-1-5-21-1202660629-484061587-682003330-1003\Software\Tencent\QQToolbar\Accounts\0\suspend*Login]
"le"=dword:00000000

[HKEY_USERS\S-1-5-21-1202660629-484061587-682003330-1003\Software\Tencent\QQToolbar\Update*nd]
"nut"=dword:4b9d99f5

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\MenuExt\mR0RQ*Q*h`]
"contexts"=dword:00000002
@="c:\\Program Files\\Tencent\\QQ\\Bin\\AddEmotion.htm"

[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(772)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3180)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Spyware Doctor\swdsvc.exe
.
**************************************************************************
.
Completion time: 2010-05-25 07:02:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-25 11:02
ComboFix2.txt 2010-04-14 23:55
ComboFix3.txt 2009-08-08 23:43

Pre-Run: 136,510,398,464 bytes free
Post-Run: 136,795,734,016 bytes free

- - End Of File - - 41298F9908756F1C86F96C00A63BEF11

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
And here is the DDS log
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

DDS (Ver_10-03-17.01) - NTFSx86
Run by hero at 7:03:06.14 on Tue 05/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2797 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kingsoft\PowerWord PE\ksdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Kingsoft\PowerWord PE\CBTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\hero\Desktop\Eric Diag Tools\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: QvodExtend: {53ac8551-0de0-4606-8a1e-a51af20add60} - QvodExtend
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: ȸɽʰfor IE: {a28581a7-e2a8-4b6c-9cc9-4a4cc1efd55a} - c:\program files\kingsoft\powerword pe\SelectForIE.dll
BHO: CBBrowerBuddy Class: {a412e581-59b2-485e-834f-c5f0c0268c79} - c:\program files\kingsoft\powerword lite\CBEBand.DLL
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - Google Dictionary Compression sdch
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
EB: ɽʰ: {abb7394c-91cd-42e9-88a3-23166137709d} - c:\program files\kingsoft\powerword lite\CBEBand.DLL
uRun: [KingSoft PowerWord PE] c:\program files\kingsoft\powerword pe\CBTray.exe -AUTORUN
uRun: [QQ2009] "c:\program files\tencent\qq\bin\QQ.exe" /background
uRun: [Gtoqequbefo] rundll32.exe "c:\windows\sbsht3ap.dll",Startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [PeachtreePrefetcher.exe] "c:\progra~1\sageso~1\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
mRun: [SDTray] c:\program files\spyware doctor\SDTrayApp.exe
mRun: [Gpezu] rundll32.exe "c:\windows\imasicuzoja.dll",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\660B~1.LNK -
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: ???QQ?? - c:\program files\tencent\qq\bin\AddEmotion.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {9D5CCDC3-545F-4418-8AEC-9CD2773B4861} - {48B4D816-8BE7-4F32-85C9-F2E912C02311} - c:\program files\kingsoft\powerword pe\SelectForIE.dll
IE: {A412E581-59B2-485E-834F-C5F0C0268C79} - {A412E581-59B2-485E-834F-C5F0C0268C79} - c:\p

Edited by Agarest, 25 May 2010 - 12:22 PM.
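The DDS "Pseudo HJT Report" and ComboFix "Reg Loading Points" sections above are what the helpers read by hand. As an added example (not part of DDS, ComboFix or anything posted in this thread), here is a small Python triage script that flags the same kinds of entries; the sample input is constructed from lines copied out of the logs above, and the severity labels are this example's own assumption:

```python
"""Triage helper for DDS 'Pseudo HJT Report' / ComboFix 'Reg Loading Points' lines.

Added example for this thread; not part of DDS, ComboFix or anything the posters ran.
It scans log text for the kinds of entries a malware-removal helper looks at first
and returns (severity, reason, line) findings.
"""
import ntpath
import re

# Constructed sample input: a handful of lines copied from the DDS/ComboFix logs above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uRun: [QQ2009] "c:\program files\tencent\qq\bin\QQ.exe" /background
uRun: [Gtoqequbefo] rundll32.exe "c:\windows\sbsht3ap.dll",Startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Gpezu] rundll32.exe "c:\windows\imasicuzoja.dll",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
S0 lwqmm;lwqmm; [x]
S2 MSIU-4c16f203;MSIU-4c16f203;c:\windows\system32\-4c16f203.exe --> c:\windows\system32\-4c16f203.exe [?]
R2 TSUSVC;Tencent Software Update Service;c:\program files\Tencent\QQSoftMgr\1.0.338.203\TencentUpdateSvc.exe [12/9/2008 5:22 AM 116040]
"""

# Autostart entries as DDS prints them: uRun/mRun/dRunOnce: [Name] command
RUN_RE = re.compile(r'^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$', re.I)
# rundll32 <dll>,<export>: capture the DLL path, quoted or not
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
PROXY_RE = re.compile(r'ProxyServer\s*=\s*(?P<proxy>\S+)', re.I)
OVERRIDE_RE = re.compile(r'^"(?P<key>AntiVirusOverride|FirewallOverride)"=dword:0*1$', re.I)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b', re.I)
# Service/driver lines as DDS prints them: R2 name;description;path [status]
SERVICE_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<status>[^\]]*)\]$')


def rundll32_target(cmd):
    """Return the DLL path a rundll32 command loads, or None if it is not a rundll32 command."""
    m = RUNDLL_RE.search(cmd)
    return m.group('dll').strip() if m else None


def triage(log_text):
    """Scan DDS/ComboFix-style log text and return a list of (severity, reason, line)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            dll = rundll32_target(m.group('cmd'))
            # Legitimate rundll32 autoruns point into system32 (NvCpl.dll); a randomly
            # named DLL dropped straight into c:\windows is the pattern seen in this thread.
            if dll and ntpath.dirname(dll).lower() == r'c:\windows':
                findings.append(('high', 'rundll32 autorun loads a DLL placed directly in c:\\windows', line))
            continue
        m = PROXY_RE.search(line)
        if m:
            # A proxy on a local port means something on the box is sitting between the browser and the web.
            if re.search(r'127\.0\.0\.1|localhost', m.group('proxy'), re.I):
                findings.append(('high', 'browser proxy points at a local port (traffic interception)', line))
            continue
        if OVERRIDE_RE.match(line):
            findings.append(('medium', 'Security Center override set: AV/firewall warnings suppressed', line))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(('medium', 'Windows Firewall disabled for the standard profile', line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            status = m.group('status').strip()
            if status == 'x':
                findings.append(('medium', 'service %s is registered but its file is missing' % m.group('name'), line))
            elif status == '?':
                findings.append(('high', 'service %s points to a file DDS could not verify' % m.group('name'), line))
    return findings


def severity_counts(findings):
    """Count findings per severity label."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == '__main__':
    results = triage(SAMPLE_LOG)
    for sev, reason, line in results:
        print('[%s] %s\n    %s' % (sev.upper(), reason, line))
    print(severity_counts(results))
```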


#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 25 May 2010 - 12:00 PM

Go to Start > Run, copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\grpconv.exe" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#7 Agarest

Agarest
  • Topic Starter

  • Members
  • 63 posts

Posted 25 May 2010 - 12:21 PM

Here is what was in the notepad.


Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0


#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 25 May 2010 - 12:47 PM

Hi,

We need to get the missing file. Do you have XP Professional media handy?



#9 Agarest

Agarest
  • Topic Starter

  • Members
  • 63 posts

Posted 25 May 2010 - 01:14 PM

The disc? Yes, I do.

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 26 May 2010 - 12:40 AM

Good. You should find the grpconv.ex_ file in the i386 folder on the disc. Please copy the file to your desktop.

Then do this:
Click Start -> Run -> type cmd.exe. In the command prompt, type the following command:
expand "%userprofile%\desktop\grpconv.ex_" c:\windows\system32\grpconv.exe

After that, check that the file c:\windows\system32\grpconv.exe exists. Then run ComboFix (let it update itself) and post back its report.



#11 Agarest

Agarest
  • Topic Starter

  • Members
  • 63 posts

Posted 26 May 2010 - 03:37 PM

Here is the report.

ComboFix 10-05-26.01 - hero 05/26/2010 16:00:01.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2901 [GMT -4:00]
Running from: c:\jims stuff3\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-26 19:38 . 2008-04-14 09:42 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-05-26 19:38 . 2008-04-14 09:42 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-05-26 06:53 . 2010-05-26 06:53 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-26 06:53 . 2010-05-20 22:10 69120 ----a-w- c:\windows\system32\zlcomm.dll
2010-05-26 06:53 . 2010-05-20 22:10 103936 ----a-w- c:\windows\system32\zlcommdb.dll
2010-05-26 06:53 . 2010-05-26 06:53 -------- d-----w- c:\windows\system32\ZoneLabs
2010-05-26 06:53 . 2010-05-20 22:10 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-05-26 06:53 . 2010-05-26 06:53 -------- d-----w- c:\program files\Zone Labs
2010-05-26 06:52 . 2010-05-26 20:04 -------- d-----w- c:\windows\Internet Logs
2010-05-26 06:52 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-26 06:52 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-26 06:52 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-26 06:52 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-26 06:52 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-26 06:52 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-26 06:52 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-26 06:51 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-26 06:51 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-26 06:51 . 2010-05-26 06:51 -------- d-----w- c:\program files\Alwil Software
2010-05-26 06:51 . 2010-05-26 06:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-22 03:52 . 2010-05-22 03:50 293376 ----a-w- C:\8611y0uj.exe
2010-05-19 15:54 . 2010-05-20 03:21 -------- d-----w- c:\documents and settings\hero\Local Settings\Application Data\iletdlrwb
2010-05-17 16:02 . 2010-05-17 16:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-05-16 08:34 . 2010-05-16 08:39 200 ----a-w- c:\windows\QCPC60UI.dat
2010-05-16 08:33 . 2010-05-16 08:34 -------- d-----w- c:\program files\QCP Converter
2010-05-10 19:15 . 2010-05-10 19:16 -------- dc-h--w- c:\windows\ie8
2010-05-08 11:10 . 2010-05-08 11:10 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-05-08 11:08 . 2010-05-08 12:22 -------- d-----w- c:\documents and settings\hero\Local Settings\Application Data\eooaoifjb
2010-05-08 00:11 . 2010-05-25 10:22 120 ----a-w- c:\windows\Bwikalibi.dat
2010-05-08 00:11 . 2010-05-25 10:22 0 ----a-w- c:\windows\Btinape.bin
2010-05-02 17:54 . 2010-05-02 17:54 1435864 ----a-w- c:\documents and settings\hero\Application Data\Tencent\QQ\AuTemp\0NU1ID3Z}JGFYOBZ5SG5ZRI\1272012353316707935\QQ2010Betakb8_update.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-26 19:58 . 2009-05-18 14:26 16608 ----a-w- c:\windows\gdrv.sys
2010-05-26 19:56 . 2009-06-02 05:41 24 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000000-00001102-00000002-80641102}.dat
2010-05-26 19:56 . 2009-06-02 05:41 24 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000000-00001102-00000002-80641102}.dat
2010-05-25 10:33 . 2008-04-14 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-05-25 10:24 . 2010-05-16 21:04 112 ----a-w- c:\documents and settings\All Users\Application Data\5hXFc7H.dat
2010-05-24 03:21 . 2009-11-24 01:35 -------- d-----w- c:\program files\QvodPlayer
2010-05-19 15:54 . 2010-05-19 15:54 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\wpcalv.dat
2010-05-18 14:06 . 2009-12-29 15:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\kingsoft
2010-05-17 20:59 . 2009-10-27 13:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\Tencent
2010-05-12 20:45 . 2010-04-14 22:56 117760 ----a-w- c:\documents and settings\hero\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-12 20:31 . 2010-03-16 03:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-10 03:02 . 2010-04-13 02:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-29 19:39 . 2010-03-16 03:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-16 03:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 13:48 . 2009-05-18 14:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-18 18:06 . 2010-04-18 18:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-15 07:02 . 2009-05-18 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-15 00:07 . 2010-04-15 00:06 139586 ----a-w- C:\MGlogs.zip
2010-04-14 23:59 . 2010-04-14 23:59 0 ----a-w- C:\settings.dat
2010-04-14 23:55 . 2010-04-14 23:55 -------- d-----w- c:\program files\CCleaner
2010-04-14 22:57 . 2010-04-14 22:57 52224 ----a-w- c:\documents and settings\hero\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-14 22:56 . 2010-04-14 22:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-14 22:56 . 2010-04-14 22:56 -------- d-----w- c:\documents and settings\hero\Application Data\SUPERAntiSpyware.com
2010-04-14 22:55 . 2010-04-14 22:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-14 17:01 . 2010-04-15 00:05 2389388 ----a-w- C:\MGtools.exe
2010-04-13 16:50 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-13 04:49 . 2009-05-28 04:18 -------- d-----w- c:\program files\Google
2010-04-13 02:11 . 2010-04-13 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-10 00:57 . 2009-05-18 14:23 81680 ----a-w- c:\documents and settings\hero\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-31 01:56 . 2009-05-22 13:47 -------- d-----w- c:\documents and settings\hero\Application Data\uTorrent
2010-03-29 14:58 . 2009-05-18 14:00 -------- d-----w- c:\program files\NeoSmart Technologies
2010-03-19 23:08 . 2010-03-19 23:08 2568360 ----a-w- c:\documents and settings\hero\Application Data\Tencent\QQ\AuTemp\0NU1ID3Z}JGFYOBZ5SG5ZRI\12675122321261256759\QQ2010Betakb7_update.exe
2010-03-10 06:15 . 2008-06-25 17:19 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 03:45 . 2009-06-05 16:24 65500 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-06 00:16 . 2010-03-06 00:16 2217968 ----a-w- c:\documents and settings\hero\Application Data\Google\Google Pinyin 2\pinyin-2.2.11.69\GooglePinyinUpdater.exe
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
CODE
<pre>
c:\program files\Epson Software\Event Manager\EEventManager .exe
c:\program files\Google\Quick Search Box\GoogleQuickSearchBox .exe
c:\program files\Sage Software\Peachtree\PeachtreePrefetcher .exe
c:\program files\Tencent\QQ\Bin\QQ .exe
c:\windows\system32\rundll32 .exe
</pre>


------- Sigcheck -------

[-] 2008-08-27 . DF70435F3D17C40D5CB15E6DC918342E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-08-27 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-05-25_10.48.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 04:02 . 2009-07-12 04:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-05-26 19:58 . 2010-05-26 19:58 16384 c:\windows\Temp\Perflib_Perfdata_550.dat
+ 2010-05-26 06:53 . 2010-05-20 22:10 99328 c:\windows\system32\ZoneLabs\zlquarantine.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 70656 c:\windows\system32\ZoneLabs\zatray.exe
+ 2010-05-26 06:53 . 2010-05-20 22:10 21504 c:\windows\system32\ZoneLabs\lib\zsys.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 14336 c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 45568 c:\windows\system32\ZoneLabs\lib\zfde.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 85504 c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 37376 c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 12800 c:\windows\system32\ZoneLabs\lib\oem_1488.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 12800 c:\windows\system32\ZoneLabs\lib\oem_1487.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 12800 c:\windows\system32\ZoneLabs\lib\oem_1486.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 20992 c:\windows\system32\ZoneLabs\lib\oem_1466.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 12800 c:\windows\system32\ZoneLabs\lib\oem_1460.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 10240 c:\windows\system32\ZoneLabs\lib\oem_1454.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 11264 c:\windows\system32\ZoneLabs\lib\oem_1445.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 14336 c:\windows\system32\ZoneLabs\lib\oem_1440.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 12288 c:\windows\system32\ZoneLabs\lib\oem_1413.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 11264 c:\windows\system32\ZoneLabs\lib\oem_1010.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 29184 c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 13312 c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 35840 c:\windows\system32\ZoneLabs\lib\Alert.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:09 38912 c:\windows\system32\ZoneLabs\featuremap.dll
+ 2010-05-26 06:53 . 2010-05-20 22:09 75776 c:\windows\system32\ZoneLabs\camupd.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 43008 c:\windows\system32\vswmi.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 58368 c:\windows\system32\vsregexp.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 141824 c:\windows\system32\ZoneLabs\zlupdate.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 173056 c:\windows\system32\ZoneLabs\vsvault.dll
+ 2010-05-26 06:52 . 2010-05-20 22:10 211456 c:\windows\system32\ZoneLabs\vsdb.dll
+ 2010-05-26 06:53 . 2007-10-11 20:51 832984 c:\windows\system32\ZoneLabs\updating.dll
+ 2010-05-26 06:53 . 2010-05-20 22:09 434688 c:\windows\system32\ZoneLabs\ssleay32.dll
+ 2010-05-26 06:53 . 2010-05-20 22:09 135680 c:\windows\system32\ZoneLabs\scheduler.dll
+ 2010-05-26 06:53 . 2009-07-14 03:58 722392 c:\windows\system32\ZoneLabs\qrbase.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 126976 c:\windows\system32\ZoneLabs\lib\zui.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 279040 c:\windows\system32\ZoneLabs\lib\TrayTest.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 220672 c:\windows\system32\ZoneLabs\lib\Overview.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 368640 c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 184832 c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 376320 c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2010-05-26 06:52 . 2010-02-08 12:41 595432 c:\windows\system32\ZoneLabs\icslta.dll
+ 2010-05-26 06:53 . 2010-05-04 18:04 284136 c:\windows\system32\ZoneLabs\ffapi.dll
+ 2010-05-26 06:53 . 2010-05-20 22:09 169984 c:\windows\system32\ZoneLabs\fbl.dll
+ 2010-05-26 06:53 . 2008-03-17 20:52 813568 c:\windows\system32\ZoneLabs\dbghelp.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 110080 c:\windows\system32\vsxml.dll
+ 2010-05-26 06:52 . 2010-05-20 22:10 712192 c:\windows\system32\vsutil.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 302592 c:\windows\system32\vspubapi.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 107520 c:\windows\system32\vsmonapi.dll
+ 2010-05-26 06:52 . 2010-05-20 22:10 228352 c:\windows\system32\vsinit.dll
+ 2010-05-26 06:53 . 2010-05-13 14:02 532224 c:\windows\system32\vsdatant.sys
+ 2010-05-26 06:52 . 2010-05-20 22:10 112128 c:\windows\system32\vsdata.dll
+ 2010-05-26 06:51 . 2010-05-26 06:51 219648 c:\windows\Installer\27530b.msi
+ 2009-07-12 04:02 . 2009-07-12 04:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2010-05-26 06:53 . 2010-05-20 22:10 1789952 c:\windows\system32\ZoneLabs\vsruledb.dll
+ 2010-05-26 06:53 . 2010-05-20 22:11 2437176 c:\windows\system32\ZoneLabs\vsmon.exe
+ 2010-05-26 06:53 . 2010-05-20 22:10 1536512 c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KingSoft PowerWord PE"="c:\program files\Kingsoft\PowerWord PE\CBTray.exe" [2009-10-22 597144]
"QQ2009"="c:\program files\Tencent\QQ\Bin\QQ.exe" [N/A]
"Gtoqequbefo"="c:\windows\sbsht3ap.dll" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-08 149280]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [N/A]
"PeachtreePrefetcher.exe"="c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [N/A]
"Gpezu"="c:\windows\imasicuzoja.dll" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-20 1043968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2009-03-08 128512]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\hero\\Desktop\\Plugin\\Com.Tencent.QQMusic\\bin\\QQMusic\\QzoneMusic.exe"=
"c:\\Program Files\\Tencent\\QQ\\Plugin\\Com.Tencent.QQMusic\\bin\\QQMusic\\QzoneMusic.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Tencent\\QQ\\Bin\\auclt.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\Program Files\\Tencent\\QQSoftMgr\\1.0.338.203\\QQSoftMgr.exe"=
"c:\\Program Files\\Tencent\\QQSoftMgr\\1.0.338.203\\QQSoftMgrUpdater.exe"=
"c:\\Program Files\\Tencent\\QQSoftMgr\\1.0.338.203\\TencentUpdateSvc.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQPYConfig.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQPYLiveup.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQPYLevel.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQPYDict.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQImeRegDict.exe"=
"c:\\Program Files\\Tencent\\QQPinyin\\3.1.730.201\\QQImeRegSkin.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1583:TCP"= 1583:TCP:Pervasive DBEngine
"3351:TCP"= 3351:TCP:Pervasive DBEngine

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/26/2010 2:52 AM 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/26/2010 2:52 AM 19024]
R2 KSDSVC;Kingsoft Common Content Service;c:\program files\Kingsoft\PowerWord PE\ksdsvc.exe [10/18/2009 11:07 PM 26264]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [9/5/2007 12:25 PM 455968]
R2 TSUSVC;Tencent Software Update Service;c:\program files\Tencent\QQSoftMgr\1.0.338.203\TencentUpdateSvc.exe [12/9/2008 5:22 AM 116040]
S0 lwqmm;lwqmm; [x]
S0 svqfw;svqfw; [x]
S2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [5/18/2009 10:27 AM 80392]
S2 MSIU-4c16f203;MSIU-4c16f203;c:\windows\system32\-4c16f203.exe --> c:\windows\system32\-4c16f203.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/25/2009 9:28 PM 721904]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: ???QQ?? - c:\program files\Tencent\QQ\Bin\AddEmotion.htm
IE: {{9D5CCDC3-545F-4418-8AEC-9CD2773B4861} - {48B4D816-8BE7-4F32-85C9-F2E912C02311} - c:\program files\Kingsoft\PowerWord PE\SelectForIE.dll
FF - ProfilePath - c:\documents and settings\hero\Application Data\Mozilla\Firefox\Profiles\lxj0rgxr.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-26 16:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys >>UNKNOWN [0x894C98B4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba8ecf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
user & kernel MBR OK
copy of MBR has been found in sector 8 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8f,e2,3f,47,1e,35,73,40,bf,51,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8f,e2,3f,47,1e,35,73,40,bf,51,6f,\

[HKEY_USERS\S-1-5-21-1202660629-484061587-682003330-1003\Software\Microsoft\Internet Explorer\MenuExt\mR0RQ*Q*hˆ`]
"contexts"=dword:00000002
@="c:\\Program Files\\Tencent\\QQ\\Bin\\AddEmotion.htm"

[HKEY_USERS\S-1-5-21-1202660629-484061587-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{030AB8C1-6B62-5892-BDCC-EB504777704A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"dbgadmoehkaphhcgmpobbmldikoiggigjlofamkc"=hex:6b,61,65,6b,62,68,6c,64,68,65,
66,67,68,6e,6f,64,6c,6f,6f,6d,67,64,00,00

[HKEY_USERS\S-1-5-21-1202660629-484061587-682003330-1003\Software\Tencent\QQToolbar\Accounts\0\suspend*Login]
"le"=dword:00000000

[HKEY_USERS\S-1-5-21-1202660629-484061587-682003330-1003\Software\Tencent\QQToolbar\Update*nd]
"nut"=dword:4b9d99f5

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\MenuExt\mR0RQ*Q*hˆ`]
"contexts"=dword:00000002
@="c:\\Program Files\\Tencent\\QQ\\Bin\\AddEmotion.htm"

[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-26 16:10:48
ComboFix-quarantined-files.txt 2010-05-26 20:10
ComboFix2.txt 2010-05-25 11:02
ComboFix3.txt 2010-04-14 23:55
ComboFix4.txt 2009-08-08 23:43

Pre-Run: 136,225,906,688 bytes free
Post-Run: 136,199,888,896 bytes free

- - End Of File - - 48457C28F665521039604DFFD0B9F72A

Edited by Agarest, 26 May 2010 - 03:37 PM.


#12 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 27 May 2010 - 01:47 AM

Hi again,

Update MBAM and run a quick scan with it. Post back the report.


Open notepad and copy/paste the text in the quotebox below into it:

CODE
Driver::
lwqmm
svqfw
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
Folder::
c:\documents and settings\hero\Local Settings\Application Data\iletdlrwb
c:\documents and settings\hero\Local Settings\Application Data\eooaoifjb
File::
c:\windows\Bwikalibi.dat
c:\windows\Btinape.bin
c:\documents and settings\All Users\Application Data\5hXFc7H.dat
RenV::
c:\program files\Epson Software\Event Manager\EEventManager .exe
c:\program files\Google\Quick Search Box\GoogleQuickSearchBox .exe
c:\program files\Sage Software\Peachtree\PeachtreePrefetcher .exe
c:\program files\Tencent\QQ\Bin\QQ .exe
c:\windows\system32\rundll32 .exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gtoqequbefo"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gpezu"=-
RegNull::
[HKEY_USERS\S-1-5-21-1202660629-484061587-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{030AB8C1-6B62-5892-BDCC-EB504777704A}*]



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows, disable protection and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.



Uninstall your current Adobe shockwave player and get the fresh one here if needed.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.


Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.
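The CFScript in the post above was picked by hand out of the logs. As an added example (my own code, not from this thread and not part of DDS or ComboFix), here is a small Python rule set that scans DDS/ComboFix-style log lines for the kinds of indicators that script targets: autostart values pointing at a bare DLL in %windir% with no file info, services registered with no image on disk, a proxy redirected to the loopback address, Security Center override flags, and "name .exe" companion renames. It then lays the hits out in the same section format as the script so the two can be compared. The sample log is constructed from lines quoted in this thread; the rule names, the reading of the `[N/A]` and `[x]` markers, and the mapping of rules to script sections are assumptions made for illustration.

```python
"""Rule-based triage of a DDS/ComboFix-style log (added example, not tool code)."""
import re

# Constructed sample: lines copied from the logs posted in this thread, plus one
# file-listing line in the "name .exe" form that the RenV:: section repairs.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KingSoft PowerWord PE"="c:\program files\Kingsoft\PowerWord PE\CBTray.exe" [2009-10-22 597144]
"Gtoqequbefo"="c:\windows\sbsht3ap.dll" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gpezu"="c:\windows\imasicuzoja.dll" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
S0 lwqmm;lwqmm; [x]
S0 svqfw;svqfw; [x]
S2 MSIU-4c16f203;MSIU-4c16f203;c:\windows\system32\-4c16f203.exe --> c:\windows\system32\-4c16f203.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/25/2009 9:28 PM 721904]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
c:\program files\Tencent\QQ\Bin\QQ .exe
"""

# Each rule is (name, compiled pattern). The names are this example's own labels.
RULES = [
    # Autostart value pointing at a bare DLL in %windir% with no file date/size
    # (assumption: the log prints [N/A] when the file cannot be inspected).
    ("run_key_dll_without_fileinfo",
     re.compile(r'^"[^"]+"="c:\\windows\\[^\\"]+\.dll"\s+\[N/A\]$', re.I)),
    # Driver/service registered but with no image on disk (assumption: "[x]").
    ("service_without_image",
     re.compile(r'^S[0-4] [^;]+;[^;]*;\s*\[x\]$', re.I)),
    # Service whose image is a dash-prefixed .exe dropped into system32.
    ("service_dash_named_image",
     re.compile(r'^[RS][0-4] [^;]+;[^;]*;c:\\windows\\system32\\-[0-9a-f]+\.exe', re.I)),
    # Browser proxy redirected to the loopback address.
    ("loopback_proxy",
     re.compile(r'^uInternet Settings,ProxyServer\s*=\s*\S*127\.0\.0\.1:\d+', re.I)),
    # Security Center told to stop warning about missing AV/firewall.
    ("security_center_override",
     re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:00000001$', re.I)),
    # "name .exe" (space before the extension): the real program was renamed aside.
    ("renamed_companion_exe",
     re.compile(r'^[a-z]:\\.*\S \.exe$', re.I)),
]


def triage(log_text):
    """Return (rule_name, line, registry_key) for every line that trips a rule.

    registry_key is the most recent [HKEY...] header seen, so that a flagged
    Run value can later be written back under the key it lives in.
    """
    hits = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line, current_key))
                break  # one rule per line is enough for triage
    return hits


def build_cfscript(hits):
    """Lay the hits out in the section format of the script in this thread.

    Only Driver::, DDS::, RenV:: and Registry:: are filled; the other rules
    (Security Center overrides, dash-named service) are reported by triage()
    but left for a human to decide on. The section mapping is an assumption.
    """
    driver, dds, renv, registry = [], [], [], []
    seen_keys = set()
    for rule, line, reg_key in hits:
        if rule == "service_without_image":
            # "S0 lwqmm;lwqmm; [x]" -> "lwqmm"
            driver.append(line.split(";", 1)[0].split(" ", 1)[1])
        elif rule == "loopback_proxy":
            dds.append(line)
        elif rule == "renamed_companion_exe":
            renv.append(line)
        elif rule == "run_key_dll_without_fileinfo" and reg_key:
            if reg_key not in seen_keys:
                registry.append(reg_key)
                seen_keys.add(reg_key)
            value_name = line.split('"')[1]
            registry.append(f'"{value_name}"=-')
    out = []
    for header, body in (("Driver::", driver), ("DDS::", dds),
                         ("RenV::", renv), ("Registry::", registry)):
        if body:
            out.append(header)
            out.extend(body)
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, line, _ in found:
        print(f"{rule:32} {line}")
    print()
    print(build_cfscript(found))
```

Run against the constructed sample, the Driver:: and Registry:: sections that come out match the corresponding lines of the script above; the Security Center overrides and the dash-named service are flagged but deliberately not turned into script lines, since deciding what to do with them needs a look at the rest of the machine.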


#13 Agarest

  • Topic Starter
  • Members
  • 63 posts

Posted 27 May 2010 - 12:35 PM

DDS (Ver_10-03-17.01) - NTFSx86
Run by hero at 13:30:07.23 on Thu 05/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2537 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Kingsoft\PowerWord PE\CBTray.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Kingsoft\PowerWord Lite\XDict.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kingsoft\PowerWord PE\ksdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\hero\Desktop\Diagnostic Tools\dds.scr

============== Pseudo HJT Report ===============

BHO: QvodExtend: {53ac8551-0de0-4606-8a1e-a51af20add60} - QvodExtend
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: ȸɽʰfor IE: {a28581a7-e2a8-4b6c-9cc9-4a4cc1efd55a} - c:\program files\kingsoft\powerword pe\SelectForIE.dll
BHO: CBBrowerBuddy Class: {a412e581-59b2-485e-834f-c5f0c0268c79} - c:\program files\kingsoft\powerword lite\CBEBand.DLL
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - Google Dictionary Compression sdch
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
EB: ɽʰ: {abb7394c-91cd-42e9-88a3-23166137709d} - c:\program files\kingsoft\powerword lite\CBEBand.DLL
uRun: [KingSoft PowerWord PE] c:\program files\kingsoft\powerword pe\CBTray.exe -AUTORUN
uRun: [QQ2009] "c:\program files\tencent\qq\bin\QQ.exe" /background
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [PeachtreePrefetcher.exe] "c:\progra~1\sageso~1\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\660B~1.LNK -
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {9D5CCDC3-545F-4418-8AEC-9CD2773B4861} - {48B4D816-8BE7-4F32-85C9-F2E912C02311} - c:\program files\kingsoft\powerword pe\SelectForIE.dll
IE: {A412E581-59B2-485E-834F-C5F0C0268C79} - {A412E581-59B2-485E-834F-C5F0C0268C79} - c:\program files\kingsoft\powerword lite\CBEBand.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253245610373
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hero\applic~1\mozilla\firefox\profiles\lxj0rgxr.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-26 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-5-26 532224]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-26 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-26 40384]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-5-18 80392]
R2 KSDSVC;Kingsoft Common Content Service;c:\program files\kingsoft\powerword pe\ksdsvc.exe [2009-10-18 26264]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\pervasive software\psql\bin\w3dbsmgr.exe [2007-9-5 455968]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-26 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-26 40384]
S2 MSIU-4c16f203;MSIU-4c16f203;c:\windows\system32\-4c16f203.exe --> c:\windows\system32\-4c16f203.exe [?]
S2 TSUSVC;Tencent Software Update Service;c:\program files\tencent\qqsoftmgr\1.0.338.203\TencentUpdateSvc.exe [2008-12-9 116040]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

============== File Associations ===============

txtfile=c:\windows\notepad.exe %1

=============== Created Last 30 ================

2010-05-27 00:07:21 0 d-----w- c:\docume~1\hero\applic~1\Foxit Software
2010-05-27 00:03:34 165376 ----a-w- c:\windows\system32\unrar.dll
2010-05-26 23:40:16 0 d-----w- C:\Tools
2010-05-26 23:38:51 0 d-----w- c:\program files\Defraggler
2010-05-26 23:01:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-05-26 23:01:50 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-26 19:38:37 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-05-26 19:38:37 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-05-26 06:53:10 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-26 06:53:02 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-05-26 06:53:02 0 d-----w- c:\windows\system32\ZoneLabs
2010-05-26 06:53:01 420800 ----a-w- c:\windows\system32\vsconfig.xml
2010-05-26 06:53:00 0 d-----w- c:\program files\Zone Labs
2010-05-26 06:52:28 0 d-----w- c:\windows\Internet Logs
2010-05-26 06:51:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-22 03:52:07 293376 ----a-w- C:\8611y0uj.exe
2010-05-22 02:26:17 20 ----a-w- c:\documents and settings\hero\defogger_reenable
2010-05-18 05:11:14 0 ----a-w- c:\windows\EEventManager .INI
2010-05-16 21:05:54 31822 ----a-w- C:\debug
2010-05-16 08:34:01 200 ----a-w- c:\windows\QCPC60UI.dat
2010-05-16 08:33:59 0 d-----w- c:\program files\QCP Converter
2010-05-10 19:15:15 0 dc-h--w- c:\windows\ie8

==================== Find3M ====================

2010-05-27 08:52:31 16608 ----a-w- c:\windows\gdrv.sys
2010-05-25 10:33:27 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 19:58:12 256512 ----a-w- c:\windows\PEV.exe
2010-04-15 00:07:25 139586 ----a-w- C:\MGlogs.zip
2010-04-14 23:59:26 0 ----a-w- C:\settings.dat
2010-04-14 17:01:04 2389388 ----a-w- C:\MGtools.exe
2010-04-13 16:50:47 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 03:45:47 65500 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 13:31:29.03 ===============


I attached the others.

Attached Files


Edited by Agarest, 28 May 2010 - 01:09 AM.


#14 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 27 May 2010 - 02:22 PM

Hi,

Seems that the ComboFix log wasn't posted. Please attach its contents too.



#15 Agarest

  • Topic Starter
  • Members
  • 63 posts

Posted 28 May 2010 - 01:11 AM

I forgot. I attached it to the previous post.



