Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan


  • This topic is locked This topic is locked
21 replies to this topic

#1 Gilthantis

Gilthantis

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 27 May 2010 - 07:05 PM

I ran scan using Malwarebits, found 13 infected files/keys. Removed them, rebooted, and they all reappeared. Used rkill to stop the processes, then tried again, and got same result.

I ran the dds scan, and when it was done no logs poped up. Only the pop up telling me what to do with the logs appearded, not the log itself.

I tried to run gmer a few times and it seems that my computer freezes up part way through the scan.

Not sure how u would like me to go about getting logs for you since the ones you requested arnt working smile.gif

Let me know what to do?

Thanks
Gil

BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:03 PM

Posted 30 May 2010 - 06:06 AM

Hello Gilthantis

Welcome to BleepingComputer smile.gif
==========================
  • Download OTL to your desktop.
  • Double click OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================

Since you have run this before delete the current copy you have of gmer and redownload it from below.
If switching the settings still produce a blue screen then uncheck all option's to the right except for Sections and Files.
See if it will produce a log that way.
If it still will not work then please try it in Safe Mode.
Instructions on how to get into Safe Mode are here > http://www.computerhope.com/issues/chsafe.htm
========
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 Gilthantis

Gilthantis
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 31 May 2010 - 03:24 AM

OTL logfile created on: 5/30/2010 4:44:02 PM - Run 1
OTL by OldTimer - Version 3.2.5.1 Folder = C:\Documents and Settings\Administrator\My Documents\My Completed Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5508)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 504.00 Mb Available Physical Memory | 49.00% Memory free
5.00 Gb Paging File | 2.00 Gb Available in Paging File | 36.00% Paging File free
Paging file location(s): z:\pagefile.sys 4094 4095 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 30.27 Gb Total Space | 21.19 Gb Free Space | 69.98% Space Free | Partition Type: NTFS
Drive D: | 117.51 Gb Total Space | 72.59 Gb Free Space | 61.78% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 4.88 Gb Total Space | 0.85 Gb Free Space | 17.51% Space Free | Partition Type: NTFS

Computer Name: SEAN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - D:\Program Files\TortoiseSVN\bin\TSVNCache.exe (http://tortoisesvn.net)
PRC - D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\WINNT\system32\WgaTray.exe (Microsoft Corporation)
PRC - D:\Program Files\DAP\DAP.exe (Speedbit Ltd.)
PRC - C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
PRC - C:\WINNT\explorer.exe (Microsoft Corporation)
PRC - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (Lavasoft)
PRC - D:\Program Files\Ventrilo\Ventrilo.exe ()


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\OTL.exe (OldTimer Tools)
MOD - C:\WINNT\winsxs\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5508_x-ww_35d3ce4a\comctl32.dll (Microsoft Corporation)
MOD - C:\WINNT\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS) -- C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (SQLAgent$SQLEXPRESS) SQL Server Agent (SQLEXPRESS) -- C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE (Microsoft Corporation)
SRV - (MSSQLServerADHelper100) -- C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE (Microsoft Corporation)
SRV - (SQLWriter) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
SRV - (SQLBrowser) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
SRV - (UtilMan) -- C:\WINNT\system32\utilman.exe (Microsoft Corporation)
SRV - (aawservice) -- D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (Lavasoft)


========== Driver Services (SafeList) ==========

DRV - (rak) -- C:\WINNT\system32\rakion.sys ()
DRV - (RsFx0102) -- C:\WINNT\system32\drivers\RsFx0102.sys (Microsoft Corporation)
DRV - (ati2mtag) -- C:\WINNT\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AtiHdmiService) -- C:\WINNT\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (HDAudBus) -- C:\WINNT\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (MPE) -- C:\WINNT\system32\drivers\mpe.sys (Microsoft Corporation)
DRV - (gameenum) -- C:\WINNT\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (RasAcd) -- C:\WINNT\system32\drivers\rasacd.sys ()
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINNT\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (Cdralw2k) -- C:\WINNT\system32\drivers\cdralw2k.sys (Sonic Solutions)
DRV - (Cdr4_2K) -- C:\WINNT\system32\drivers\cdr4_2K.sys (Sonic Solutions)
DRV - (LVUSBSta) -- C:\WINNT\system32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (PID_PEPI) Logitech QuickCam IM(PID_PEPI) -- C:\WINNT\system32\drivers\LV302V32.SYS (Logitech Inc.)
DRV - (SISRAID) -- C:\WINNT\system32\DRIVERS\SiSRaid.sys (Silicon Integrated Systems)
DRV - (SISNIC) -- C:\WINNT\system32\drivers\sisnic.sys (SiS Corporation)
DRV - (ha10kx2k) -- C:\WINNT\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (emupia) -- C:\WINNT\system32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ctsfm2k) -- C:\WINNT\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (ctprxy2k) -- C:\WINNT\system32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINNT\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINNT\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctac32k) -- C:\WINNT\system32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (EL90BC) -- C:\WINNT\system32\drivers\el90xbc5.sys (3Com Corporation)
DRV - (ctljystk) -- C:\WINNT\system32\drivers\ctljystk.sys (Microsoft Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL File not found
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINNT\system32\shdocvw.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {F17C1572-C9EC-4e5c-A542-D05CBB5C5A08}:8.6.7.0
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:7.0.20100326W
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}:6.0.01
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.19
FF - prefs.js..extensions.enabledItems: nasanightlaunch@example.com:0.6.20100207

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINNT\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 10:00:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/27 00:54:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/27 00:54:29 | 000,000,000 | ---D | M]

[2008/08/26 14:00:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2008/08/26 14:00:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2010/05/30 11:46:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions
[2009/09/02 15:46:11 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/29 20:49:09 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2007/04/03 15:10:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2010/02/08 14:28:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\nasanightlaunch@example.com
[2007/11/02 00:52:53 | 000,001,951 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\searchplugins\monkey-character-search.xml
[2010/05/27 02:04:37 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2006/11/13 13:01:39 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/03/31 11:00:47 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2007/06/30 16:15:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2010/03/31 11:00:43 | 000,023,000 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2010/03/31 11:00:43 | 000,134,616 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2008/06/10 19:03:52 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
[2008/06/10 19:03:52 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
[2008/06/10 19:03:52 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll
[2006/10/02 22:59:57 | 000,040,552 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
[2008/09/03 09:34:52 | 000,024,683 | ---- | M] (Ask.com) -- C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
[2008/01/07 19:45:16 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
[2008/06/10 19:03:12 | 001,335,600 | ---- | M] (DivX,Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
[2008/06/10 19:03:38 | 000,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
[2010/03/31 11:00:45 | 000,065,496 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2010/05/10 13:16:24 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
[2006/12/18 04:18:30 | 000,077,824 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2007/01/15 13:47:51 | 000,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2007/01/15 13:47:51 | 000,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2007/01/15 13:47:51 | 000,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2007/01/15 13:47:51 | 000,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2007/01/15 13:47:51 | 000,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2007/01/15 13:47:51 | 000,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2007/01/15 13:47:51 | 000,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2009/05/09 09:12:48 | 000,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/05/09 09:12:48 | 000,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/05/09 09:12:48 | 000,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/05/09 09:12:48 | 000,002,343 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/05/09 09:12:48 | 000,001,706 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/05/09 09:12:48 | 000,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/05/09 09:12:48 | 000,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/05/24 12:05:58 | 000,392,355 | R--- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13576 more lines...
O2 - BHO: (no name) - {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINNT\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINNT\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINNT\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINNT\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [gcNotifier] C:\Documents and Settings\Administrator\Local Settings\Application Data\VTShared\gcnotifier.exe (Golden Casino)
O4 - HKLM..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe File not found
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Synchronization Manager] C:\WINNT\System32\mobsync.exe (Microsoft Corporation)
O4 - HKCU..\Run: [CurseClient] D:\Program Files\Curse\CurseClient.exe ()
O4 - HKCU..\Run: [DownloadAccelerator] D:\Program Files\DAP\DAP.EXE (Speedbit Ltd.)
O4 - HKCU..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe File not found
O4 - HKCU..\Run: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] C:\Documents and Settings\Administrator\Local Settings\Temp\v4a5yxlhmc.exe ()
O4 - HKCU..\Run: [hsfg9w8gujsokgahi8gysgnsdgefshyjy] C:\Documents and Settings\Administrator\Local Settings\Temp\system.exe ()
O4 - HKCU..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKCU..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe File not found
O4 - HKCU..\RunOnce: [FFTI] C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe ( )
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm ()
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm ()
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINNT\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINNT\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINNT\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINNT\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINNT\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINNT\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll File not found
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINNT\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINNT\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINNT\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINNT\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINNT\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINNT\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINNT\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINNT\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINNT\system32\userinit.exe) - C:\WINNT\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINNT\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINNT\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINNT\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINNT\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINNT\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINNT\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINNT\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINNT\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\f0369e03922: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINNT\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINNT\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINNT\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINNT\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINNT\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINNT\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINNT\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINNT\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINNT\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINNT\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINNT\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINNT\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINNT\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINNT\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINNT\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINNT\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINNT\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINNT\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINNT\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINNT\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINNT\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINNT\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINNT\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/11/12 00:35:25 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{12c1248d-4038-11de-9e6b-0018f314c518}\Shell - "" = AutoRun
O33 - MountPoints2\{12c1248d-4038-11de-9e6b-0018f314c518}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{12c1248d-4038-11de-9e6b-0018f314c518}\Shell\AutoRun\command - "" = G:\SETUP.EXE -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINNT\system32\ias [2008/10/08 15:26:02 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
Unable to start service SrService!

========== Files/Folders - Created Within 30 Days ==========

[2010/05/25 23:57:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/25 23:57:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/25 23:46:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows Server
[2010/05/10 13:17:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PMB Files
[2010/05/10 13:16:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/05/10 13:16:23 | 000,000,000 | ---D | C] -- C:\Program Files\Pando Networks
[2010/05/10 12:03:29 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\My Documents\Runes of Magic
[2010/05/10 02:31:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\FOG Downloader
[2010/05/08 17:35:40 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Administrator\Desktop\setup-spybotsd162.exe
[6 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\My Documents\*.tmp files -> C:\Documents and Settings\Administrator\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/30 16:47:00 | 000,000,886 | ---- | M] () -- C:\WINNT\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/29 20:47:00 | 000,000,882 | ---- | M] () -- C:\WINNT\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/27 18:36:15 | 009,437,184 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/05/27 18:35:59 | 000,000,256 | ---- | M] () -- C:\WINNT\tasks\WGASetup.job
[2010/05/27 18:35:32 | 000,002,206 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2010/05/27 18:35:30 | 000,000,250 | ---- | M] () -- C:\WINNT\tasks\SpeedOptimizer Startup.job
[2010/05/27 18:35:10 | 000,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2010/05/27 18:35:04 | 000,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2010/05/27 18:34:58 | 1073,008,640 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/27 10:40:11 | 000,001,572 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\QuickZip45.ini
[2010/05/27 02:39:23 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/05/27 01:43:13 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds(3).scr
[2010/05/26 21:49:54 | 000,003,321 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\020000001d72aa22922P.manifest
[2010/05/26 21:49:42 | 000,000,013 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\020000001d72aa22922C.manifest
[2010/05/26 21:49:42 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\020000001d72aa22922S.manifest
[2010/05/26 21:49:42 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\020000001d72aa22922O.manifest
[2010/05/26 17:20:58 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/05/26 17:15:06 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds(2).scr
[2010/05/26 17:10:24 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/05/26 17:03:12 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/05/26 01:21:44 | 000,003,283 | ---- | M] () -- C:\WINNT\wininit.ini
[2010/05/24 12:05:58 | 000,392,355 | R--- | M] () -- C:\WINNT\System32\drivers\etc\hosts
[2010/05/21 13:36:37 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\CurseClientStartup.ccip
[2010/05/21 13:36:21 | 000,000,312 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Curse Client.appref-ms
[2010/05/12 10:01:21 | 000,001,374 | ---- | M] () -- C:\WINNT\imsins.BAK
[2010/05/10 11:46:53 | 000,000,814 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Runes of Magic.lnk
[2010/05/10 02:13:29 | 000,060,928 | ---- | M] () -- C:\WINNT\System32\rakion.sys
[2010/05/08 17:38:58 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/05/08 17:36:18 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Administrator\Desktop\setup-spybotsd162.exe
[2010/05/08 05:04:51 | 000,001,635 | ---- | M] () -- C:\WINNT\option.dat
[6 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\My Documents\*.tmp files -> C:\Documents and Settings\Administrator\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/27 01:43:16 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds(3).scr
[2010/05/26 17:20:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2010/05/26 17:15:08 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds(2).scr
[2010/05/26 17:10:20 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/05/26 17:03:16 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/05/25 23:46:29 | 000,003,321 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\020000001d72aa22922P.manifest
[2010/05/25 23:46:29 | 000,000,013 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\020000001d72aa22922C.manifest
[2010/05/25 23:46:29 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\020000001d72aa22922S.manifest
[2010/05/25 23:46:29 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\020000001d72aa22922O.manifest
[2010/05/24 03:23:35 | 000,075,408 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/21 13:36:37 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\CurseClientStartup.ccip
[2010/05/21 13:36:21 | 000,000,312 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Curse Client.appref-ms
[2010/05/10 11:46:55 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Runes of Magic.lnk
[2010/05/10 02:13:29 | 000,060,928 | ---- | C] () -- C:\WINNT\System32\rakion.sys
[2010/05/08 17:38:58 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk
[2010/05/08 05:04:51 | 000,001,635 | ---- | C] () -- C:\WINNT\option.dat
[2009/10/20 17:50:23 | 001,589,248 | ---- | C] () -- C:\WINNT\System32\libmysql_d.dll
[2009/05/13 23:38:28 | 000,021,840 | ---- | C] () -- C:\WINNT\System32\SIntfNT.dll
[2009/05/13 23:38:28 | 000,017,212 | ---- | C] () -- C:\WINNT\System32\SIntf32.dll
[2009/05/13 23:38:28 | 000,012,067 | ---- | C] () -- C:\WINNT\System32\SIntf16.dll
[2008/10/08 15:15:25 | 000,001,793 | ---- | C] () -- C:\WINNT\System32\fxsperf.ini
[2008/10/08 15:03:51 | 000,135,168 | ---- | C] () -- C:\WINNT\System32\property.dll
[2008/09/02 10:30:44 | 000,058,163 | R--- | C] () -- C:\WINNT\System32\lvcoinst.ini
[2008/06/10 19:07:20 | 003,596,288 | ---- | C] () -- C:\WINNT\System32\qt-dx331.dll
[2008/06/10 19:03:26 | 000,000,416 | ---- | C] () -- C:\WINNT\System32\dtu100.dll.manifest
[2008/06/10 19:03:26 | 000,000,416 | ---- | C] () -- C:\WINNT\System32\dpl100.dll.manifest
[2008/05/22 17:18:54 | 000,012,288 | ---- | C] () -- C:\WINNT\System32\DivXWMPExtType.dll
[2008/05/03 07:00:00 | 000,008,832 | ---- | C] () -- C:\WINNT\System32\drivers\rasacd.sys
[2008/03/24 14:57:05 | 000,003,283 | ---- | C] () -- C:\WINNT\wininit.ini
[2008/03/20 20:36:12 | 000,363,520 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[2008/03/13 19:31:10 | 000,000,206 | ---- | C] () -- C:\WINNT\System32\MRT.INI
[2008/03/13 15:55:33 | 000,000,051 | ---- | C] () -- C:\WINNT\GunzLauncher.INI
[2008/01/08 01:57:41 | 000,000,110 | ---- | C] () -- C:\WINNT\GMouse.ini
[2007/11/28 14:41:02 | 000,765,952 | ---- | C] () -- C:\WINNT\System32\xvidcore.dll
[2007/11/28 14:41:02 | 000,180,224 | ---- | C] () -- C:\WINNT\System32\xvidvfw.dll
[2007/07/17 19:51:39 | 000,000,324 | ---- | C] () -- C:\WINNT\NEC1800.INI
[2007/02/13 05:34:15 | 000,000,881 | ---- | C] () -- C:\WINNT\ODBC.INI
[2006/11/13 12:15:20 | 000,000,128 | ---- | C] () -- C:\WINNT\SBWIN.INI
[2006/11/13 12:15:19 | 000,000,231 | ---- | C] () -- C:\WINNT\AC3API.INI
[2006/11/13 12:15:08 | 000,037,727 | ---- | C] () -- C:\WINNT\System32\Emu10kx.ini
[2006/11/13 12:15:08 | 000,000,029 | ---- | C] () -- C:\WINNT\System32\ctzapxx.ini
[2006/11/13 12:15:07 | 000,000,180 | ---- | C] () -- C:\WINNT\System32\KILL.INI
[2006/11/12 00:53:50 | 000,003,555 | ---- | C] () -- C:\WINNT\Ascd_tmp.ini
[2006/11/12 00:53:48 | 000,005,824 | ---- | C] () -- C:\WINNT\System32\drivers\ASUSHWIO.SYS
[1999/12/07 07:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[1999/09/25 05:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 05:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys
[1999/01/22 21:46:58 | 000,065,536 | ---- | C] () -- C:\WINNT\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2008/10/08 11:51:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Ashampoo
[2010/03/22 11:31:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BitTorrent
[2007/12/10 11:47:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Canon
[2010/02/16 04:45:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DAoC Portal
[2009/12/13 01:53:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DaocTB
[2009/10/15 17:34:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Dev-Cpp
[2007/03/31 16:21:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Electronic Arts
[2010/05/17 17:42:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FOG Downloader
[2008/05/19 13:13:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
[2008/04/03 16:14:46 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\Application Data\ijjigame
[2009/11/03 01:45:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MySQL
[2008/09/03 09:46:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SpeedBit
[2009/10/20 16:18:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Subversion
[2007/11/29 13:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SystemRequirementsLab
[2010/02/26 20:55:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TaxCut
[2008/08/20 11:59:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\VTExtra
[2009/01/19 15:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ascentive
[2008/10/08 11:50:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo
[2008/08/07 14:30:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AutoKiller
[2007/08/19 12:42:20 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/01/19 15:54:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts
[2009/10/20 15:38:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MySQL
[2008/11/17 14:33:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2010/05/10 13:26:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2008/09/03 09:25:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpeedBit
[2010/02/26 20:50:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut
[2010/05/30 16:41:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/01/19 15:55:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/05/27 18:35:30 | 000,000,250 | ---- | M] () -- C:\WINNT\Tasks\SpeedOptimizer Startup.job
[2010/05/27 18:35:59 | 000,000,256 | ---- | M] () -- C:\WINNT\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2008/05/03 07:00:00 | 000,000,000 | ---- | M] () -- C:\ATICCC.ins
[2006/11/12 00:35:25 | 000,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT
[2008/10/08 15:13:50 | 000,000,206 | -HS- | M] () -- C:\boot.ini
[2008/06/30 21:32:44 | 000,006,437 | ---- | M] () -- C:\ComboFix.txt
[2006/11/12 00:35:25 | 000,000,000 | -H-- | M] () -- C:\CONFIG.SYS
[2007/04/05 07:33:47 | 000,055,808 | ---- | M] (Microsoft Corporation) -- C:\devcon.exe
[2007/05/27 04:08:42 | 000,246,423 | ---- | M] () -- C:\DPsFnshr.exe
[2008/05/03 07:00:00 | 000,000,630 | ---- | M] () -- C:\DPsFnshr.ini
[2007/04/07 13:52:09 | 000,000,420 | ---- | M] () -- C:\DriverPack_CPU_wnt5_x86-32.ini
[2008/02/12 14:51:12 | 000,073,254 | ---- | M] () -- C:\DriverPack_MassStorage_wnt5_x86-32.ini
[2007/05/27 04:08:45 | 000,211,039 | ---- | M] () -- C:\DSPdsblr.exe
[2010/05/30 11:46:35 | 000,004,914 | ---- | M] () -- C:\feed.txt
[2010/05/27 18:34:58 | 1073,008,640 | -HS- | M] () -- C:\hiberfil.sys
[2006/11/12 00:35:25 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/09/05 09:56:34 | 000,000,370 | -H-- | M] () -- C:\IPH.PH
[2007/04/05 07:33:47 | 000,020,992 | ---- | M] () -- C:\makePNF.exe
[2006/11/12 00:35:25 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2007/04/05 07:33:47 | 000,137,728 | ---- | M] () -- C:\mute.exe
[2009/05/04 19:15:50 | 000,001,046 | ---- | M] () -- C:\net_save.dna
[2008/05/03 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/05/03 07:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2007/05/27 04:08:47 | 000,202,187 | ---- | M] () -- C:\pmtimer.exe
[2010/05/27 18:36:26 | 000,000,723 | ---- | M] () -- C:\rkill.log

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/06/03 12:22:24 | 000,413,696 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\WINNT\system32\ATIDEMGX.dll
[1 C:\WINNT\system32\*.tmp files -> C:\WINNT\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/10/08 10:02:19 | 001,572,864 | ---- | M] () -- C:\WINNT\system32\config\default.sav
[2008/10/08 14:34:32 | 000,024,576 | ---- | M] () -- C:\WINNT\system32\config\security.sav
[2008/10/08 10:02:19 | 020,971,520 | ---- | M] () -- C:\WINNT\system32\config\software.sav
[2008/10/08 10:02:21 | 004,718,592 | ---- | M] () -- C:\WINNT\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINNT\system32\drivers\mbamswissarmy.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0F8F5844
@Alternate Data Stream - 498 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5BB923A2
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >







OTL Extras logfile created on: 5/30/2010 4:44:02 PM - Run 1
OTL by OldTimer - Version 3.2.5.1 Folder = C:\Documents and Settings\Administrator\My Documents\My Completed Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5508)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 504.00 Mb Available Physical Memory | 49.00% Memory free
5.00 Gb Paging File | 2.00 Gb Available in Paging File | 36.00% Paging File free
Paging file location(s): z:\pagefile.sys 4094 4095 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 30.27 Gb Total Space | 21.19 Gb Free Space | 69.98% Space Free | Partition Type: NTFS
Drive D: | 117.51 Gb Total Space | 72.59 Gb Free Space | 61.78% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 4.88 Gb Total Space | 0.85 Gb Free Space | 17.51% Space Free | Partition Type: NTFS

Computer Name: SEAN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" %*
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k cd "%L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"4100:UDP" = 4100:UDP:*:Enabled:uPNP Router Control Port
"86:TCP" = 86:TCP:*:Enabled:BroadCam Video Streaming Server Web Server
"57366:TCP" = 57366:TCP:*:Enabled:Pando Media Booster
"57366:UDP" = 57366:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\WINNT\explorer.exe" = C:\WINNT\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\Program Files\BitTorrent\bittorrent.exe" = D:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- File not found
"D:\Program Files\DAP\DAP.exe" = D:\Program Files\DAP\DAP.exe:*:Enabled:Download Accelerator Plus (DAP) -- (Speedbit Ltd.)
"D:\Program Files\Curse\CurseClient.exe" = D:\Program Files\Curse\CurseClient.exe:*:Enabled:Curse Client -- ()
"D:\Action\Axion2008\r1q2.exe" = D:\Action\Axion2008\r1q2.exe:*:Enabled:R1Q2 - Enhanced Quake II Client/Server -- (r1ch.net)
"D:\Program Files\Dawn of Light\mysql\bin\mysqld-opt.exe" = D:\Program Files\Dawn of Light\mysql\bin\mysqld-opt.exe:*:Enabled:mysqld-opt -- ()
"D:\Program Files\Dawn of Light\DOLServer.exe" = D:\Program Files\Dawn of Light\DOLServer.exe:*:Enabled:Dawn of Light - DOLServer -- (Dawn of Light Development Team)
"D:\Program Files\Dawn of Light\Source\release\DOLServer.exe" = D:\Program Files\Dawn of Light\Source\release\DOLServer.exe:*:Enabled:Dawn of Light - DOLServer -- (Dawn of Light Development Team)
"D:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe" = D:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead -- File not found
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"D:\Program Files\Softnyx\RakionIS\Bin\rakion.bin" = D:\Program Files\Softnyx\RakionIS\Bin\rakion.bin:*:Enabled:rakion -- File not found
"C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\FOGDownloader-RoM_2_1_6_2049.exe" = C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\FOGDownloader-RoM_2_1_6_2049.exe:*:Enabled:FOGDownloader-RoM_2_1_6_2049 -- File not found
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"D:\Program Files\Savage 2 - A Tortured Soul\savage2.exe" = D:\Program Files\Savage 2 - A Tortured Soul\savage2.exe:*:Enabled:savage2 -- File not found
"D:\Program Files\Runes of Magic\Client.exe" = D:\Program Files\Runes of Magic\Client.exe:*:Enabled:Runes of Magic -- (Runewaker)
"D:\Program Files\Runes of Magic\launcher.exe" = D:\Program Files\Runes of Magic\launcher.exe:*:Enabled:BaseUpda Application -- ()
"C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" = C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe:*:Enabled:VideoAccelerator -- File not found
"C:\Documents and Settings\Administrator\Local Settings\Apps\2.0\BXH639X5.2PL\NJ5GCOEV.TBD\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe" = C:\Documents and Settings\Administrator\Local Settings\Apps\2.0\BXH639X5.2PL\NJ5GCOEV.TBD\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe:*:Enabled:Curse Client 4.0 -- (Curse)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0C19D563-5F25-4621-BF10-01F741BD283F}" = Microsoft SQL Server Compact 3.5 SP1 Design Tools English
"{0F938C41-8DDD-6C8A-A234-4B5EBA0E9932}" = Catalyst Control Center Localization Turkish
"{0FDEFFDE-F20C-8AF3-828A-076CCAEDEDBA}" = Catalyst Control Center Graphics Full New
"{100E3E1D-3771-8668-8064-4AD38848BBE1}" = Catalyst Control Center Localization Spanish
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP460" = Canon MP460
"{1283C02D-CD9C-0206-355E-02683341FD64}" = CCC Help French
"{13043D3E-558B-7D1C-13BE-783187299F59}" = CCC Help Dutch
"{162AAA0F-C766-6832-3812-5E21FB1DA80C}" = Catalyst Control Center Localization Korean
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}" = Microsoft SQL Server 2008 Common Files
"{1F8BC334-1EB1-F4D2-DBF8-97C1AA64DE6C}" = CCC Help Turkish
"{20292BBB-C7D7-4526-9E38-42C4A5C2A3A6}" = H&R Block Deluxe + Efile 2009
"{20C5A8DE-62D2-B1C1-B60B-2106F1146F30}" = CCC Help Italian
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2496F1D4-B171-4070-955C-2CF9FCAB2194}" = MySQL Server 5.1
"{24CE4B41-9A9B-B7DC-01AD-E815F4F60E7C}" = Catalyst Control Center Core Implementation
"{25462A56-9707-749D-250C-1137754BD238}" = ccc-utility
"{2A75E60D-3335-9D96-BA98-975BCF6760CC}" = CCC Help Japanese
"{2B7330BD-C032-EE14-A27A-A7998244F3D1}" = CCC Help Swedish
"{2C5C7563-B8B4-3A2E-7C5C-8F5365ED6874}" = Catalyst Control Center Localization Portuguese
"{2D128229-CA51-A674-E3AA-225D15F37D98}" = CCC Help Norwegian
"{31D3AB6C-F1AB-8C52-85B7-E30BFA88C531}" = CCC Help German
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{33BBE45C-6296-488A-B7D5-37E692E71B3F}" = TortoiseSVN 1.6.5.16974 (32 bit)
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{395D29E5-0FAE-751C-F682-F23479A8806A}" = Catalyst Control Center Localization Chinese Standard
"{3B9E28EC-5D0E-44F4-6E82-CBDCF29CAE49}" = CCC Help Polish
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}" = Skype Plugin Manager
"{3DC44177-D4CD-4C43-B698-705ED3334CC9}" = LOKI2
"{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
"{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}" = Sound Blaster Live! Web 2K/XP
"{446DBFFA-4088-48E3-8932-74316BA4CAE4}" = iTunes
"{4815BD99-96A4-49FE-A885-DCF06E9E4E78}" = Microsoft SQL Server 2008 Database Engine Shared
"{4A6F34E2-09E5-4616-B227-4A26A488A6F9}" = Microsoft SQL Server 2008 Common Files
"{50D8FFDD-90CD-4859-841F-AA1961C7767A}" = QuickTime
"{55969DFE-C3FF-E015-256D-D70EFBAB805C}" = Catalyst Control Center Localization Swedish
"{58721EC3-8D4E-4B79-BC51-1054E2DDCD10}" = Microsoft SQL Server 2008 Database Engine Services
"{59A0E0DA-E80F-D9E2-32C6-8AA559D33C8E}" = Catalyst Control Center Graphics Full Existing
"{5AB1B545-5FB7-35D4-D09C-77D0949B2164}" = CCC Help Czech
"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
"{61125E9F-D49A-CD2D-1722-FB9D654E40F2}" = Catalyst Control Center Localization Thai
"{61A81217-25FB-470D-976D-0D635FD0F906}" = AutoKiller DirectX Map
"{6BFBB953-B60F-6058-33BB-3AB2A0971FF9}" = Catalyst Control Center Localization Chinese Traditional
"{6CCEE8D0-012D-AB81-E824-4415B1110669}" = Catalyst Control Center Graphics Previews Common
"{6DF5D680-2490-BE97-CA76-E1069C8ECE7B}" = CCC Help Finnish
"{760DE1B8-D1C9-2DCF-8CE3-3AB7D2D974BC}" = Catalyst Control Center Localization Czech
"{774DB051-42B4-DF78-9B7F-EEA352BBC5B5}" = Catalyst Control Center Localization Finnish
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{819F2F52-EAEC-0DB1-D2EE-66F48ACF43C6}" = CCC Help Greek
"{85DD724B-15E5-4572-81BF-CF9031D83848}" = Ventrilo Server
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9862B19F-4CAD-4EED-920F-2F378D84393F}" = ATI Parental Control & Encoder
"{9B763348-BDD5-4353-AFC9-F123C5B1BAFE}_is1" = Dawn of Light v1.9.3 r1792
"{9D6D76A6-4328-49E8-97A7-531A74841DA5}" = Microsoft SQL Server 2008 Setup Support Files (English)
"{9E021ACC-F408-27C7-2407-587852C15364}" = CCC Help Russian
"{9FABF436-2541-70C2-49D4-FF8945EAAECB}" = ccc-core-static
"{A01028FE-68D1-E3F2-160E-9763905BF095}" = Catalyst Control Center Localization Russian
"{A0E38350-2547-161B-2D3E-C5EFD24DD70F}" = CCC Help Portuguese
"{A228A56E-8663-61A6-768E-7A55890C0013}" = Catalyst Control Center Localization Italian
"{A2F166A0-F031-4E27-A057-C69733219434}_is1" = Runes of Magic
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4418082-E601-3954-805B-D56A2B50EC8B}" = Microsoft Visual C# 2008 Express Edition with SP1 - ENU
"{A493EC63-3021-73EF-2097-8FC2DE857021}" = CCC Help English
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A4C0E536-D094-CA7E-4F7F-18043992FD36}" = Skins
"{A6BD418C-37B2-4434-9F96-23C2CAAFF11C}" = CCC Help Spanish
"{A7ECFC98-E5D5-BBDE-C5CE-D4177E4DA573}" = Catalyst Control Center Localization French
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA09F72E-8B3D-ABDF-3FC8-650176EA3EB8}" = Catalyst Control Center Graphics Light
"{ABF68C52-0ADD-C352-5998-13D16BC3B359}" = CCC Help Hungarian
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5153233-9AEE-4CD4-9D2C-4FAAC870DBE2}" = Microsoft SQL Server 2008 Database Engine Services
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B857D868-F8B0-43EE-BC2B-D9E5ED21F237}" = Microsoft SQL Server VSS Writer
"{BE3F26EE-F81B-4A50-8376-271F5CA84C5B}" = Catalyst Control Center - Branding
"{C0721ABB-9A28-A7F3-6E5A-D30550C50D26}" = CCC Help Chinese Standard
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C688457E-03FD-4941-923B-A27F4D42A7DD}" = Microsoft SQL Server 2008 Browser
"{C965F01C-76EA-4BD7-973E-46236AE312D7}" = Sql Server Customer Experience Improvement Program
"{C9F100D9-5D68-1B5B-F8C8-3632876AF990}" = CCC Help Chinese Traditional
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D08027B6-F704-A2FA-EE4E-EB955E2BB591}" = Catalyst Control Center Localization Danish
"{D083BDDE-09F7-D12A-9C81-4EE4AFE3C933}" = ccc-core-preinstall
"{D4F7D59E-9F53-3ADC-1D4A-5A698445D538}" = CCC Help Danish
"{D56625ED-7605-5B0C-70EE-B0C80F0B7B38}" = Catalyst Control Center Localization Japanese
"{D9D937B0-E842-4130-9588-B948E876904A}" = Microsoft SQL Server 2008 Native Client
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware 2007
"{DFA2EACA-8915-29EE-E946-F8542AE21171}" = Catalyst Control Center Localization Norwegian
"{E32CE8E3-D4D3-60CE-A5FC-3EA3D0B9118C}" = Catalyst Control Center Localization Greek
"{E40CFA81-9EF9-B589-34FB-94D6C801967B}" = CCC Help Korean
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E5F5743C-15C6-6F6B-F515-86C36E96464F}" = Catalyst Control Center Localization Polish
"{ED425483-53D8-5F86-98DA-50834FE77F7E}" = Catalyst Control Center Localization German
"{F1DC7648-8623-442F-92B7-E118DF61872E}" = Microsoft SQL Server 2008 RsFx Driver
"{F3494AB6-6900-41C6-AF57-823626827ED8}" = Microsoft SQL Server 2008 Database Engine Shared
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{F5FDCCDE-9909-02CE-ED67-0AE3905B32A1}" = CCC Help Thai
"{F7861EB4-0B8A-91E8-6C1C-4F99C7002E96}" = Catalyst Control Center Localization Dutch
"{FC7E9E53-9A60-3E08-C909-83B00D30ADAE}" = Catalyst Control Center Localization Hungarian
"{FCB10DE3-E190-4A7E-B06A-FAC61567ABFC}" = MySQL Tools for 5.0
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"AC Tool" = AC Tool
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AdobeESD" = Adobe Download Manager 2.2 (Remove Only)
"All ATI Software" = ATI - Software Uninstall Utility
"Ashampoo Burning Studio 7_is1" = Ashampoo Burning Studio 7
"ATI Display Driver" = ATI Display Driver
"CurseClient" = Curse Client
"DAOCCharplan" = DAOC-Charplan
"Dark Age of Camelot - Catacombs_is1" = Dark Age of Camelot - Catacombs
"Dark Age of Camelot - Darkness Rising_is1" = Dark Age of Camelot - Darkness Rising
"Dark Age of Camelot - Labyrinth of the Minotaur_is1" = Dark Age of Camelot - Labyrinth of the Minotaur
"Dark Age of Camelot - Shrouded Isles" = Dark Age of Camelot - Shrouded Isles
"Dark Age of Camelot - Trials of Atlantis" = Dark Age of Camelot - Trials of Atlantis
"Debut" = Debut Video Capture Software
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"Diablo II" = Diablo II
"Download Accelerator Plus (DAP)" = Download Accelerator Plus (DAP)
"ExpressBurn" = Express Burn
"Fraps" = Fraps
"Genesis3D11Key" = Genesis3D11
"GhostMouse 2.0" = GhostMouse 2.0
"HijackThis" = HijackThis 2.0.2
"Kaspersky Online Scanner" = Kaspersky Online Scanner
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 10" = Microsoft SQL Server 2008
"Microsoft SQL Server 10 Release" = Microsoft SQL Server 2008
"Microsoft Visual C# 2008 Express Edition with SP1 - ENU" = Microsoft Visual C# 2008 Express Edition with SP1 - ENU
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"MP Navigator 3.0" = Canon MP Navigator 3.0
"PremiumSoft Navicat Premium 8.2_is1" = PremiumSoft Navicat Premium 8.2
"Prism" = Prism Video Converter
"Quick Zip_is1" = Quick Zip 4.60.010
"SiSLan" = SiS 900 PCI Fast Ethernet Adapter Driver
"Skype_is1" = Skype 3.1
"SpeedOptimizer" = SpeedOptimizer
"VideoPad" = VideoPad Video Editor
"Warhammer Online - Age of Reckoning" = Warhammer Online - Age of Reckoning
"WinMerge_is1" = WinMerge 2.12.4
"Xvid_is1" = Xvid 1.1.3 final uninstall

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"090215de958f1060" = Curse Client
"BitTorrent" = BitTorrent
"DAoC Portal" = DAoC Portal
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/27/2010 1:56:24 AM | Computer Name = SEAN | Source = Steam Client Service | ID = 1
Description =

Error - 5/27/2010 1:57:42 AM | Computer Name = SEAN | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5508, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2010 1:57:42 AM | Computer Name = SEAN | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5508, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2010 2:19:10 AM | Computer Name = SEAN | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3725, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2010 5:20:32 AM | Computer Name = SEAN | Source = Userenv | ID = 1007
Description = Windows cannot determine the associated site for this computer. (The
RPC server is too busy to complete this operation. ). Group Policy processing aborted.


Error - 5/27/2010 5:35:34 AM | Computer Name = SEAN | Source = Userenv | ID = 1007
Description = Windows cannot determine the associated site for this computer. (The
RPC server is too busy to complete this operation. ). Group Policy processing aborted.


Error - 5/27/2010 7:15:18 AM | Computer Name = SEAN | Source = Userenv | ID = 1007
Description = Windows cannot determine the associated site for this computer. (The
RPC server is too busy to complete this operation. ). Group Policy processing aborted.


Error - 5/27/2010 7:29:54 AM | Computer Name = SEAN | Source = Userenv | ID = 1007
Description = Windows cannot determine the associated site for this computer. (The
RPC server is too busy to complete this operation. ). Group Policy processing aborted.


Error - 5/27/2010 9:06:15 AM | Computer Name = SEAN | Source = Userenv | ID = 1007
Description = Windows cannot determine the associated site for this computer. (The
RPC server is too busy to complete this operation. ). Group Policy processing aborted.


Error - 5/27/2010 9:22:54 AM | Computer Name = SEAN | Source = Userenv | ID = 1007
Description = Windows cannot determine the associated site for this computer. (The
RPC server is too busy to complete this operation. ). Group Policy processing aborted.


[ System Events ]
Error - 5/27/2010 1:51:47 AM | Computer Name = SEAN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RasAcd

Error - 5/27/2010 2:27:02 AM | Computer Name = SEAN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RasAcd

Error - 5/27/2010 2:54:07 AM | Computer Name = SEAN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RasAcd

Error - 5/27/2010 3:42:24 AM | Computer Name = SEAN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RasAcd

Error - 5/27/2010 6:12:44 AM | Computer Name = SEAN | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 5/27/2010 6:15:27 AM | Computer Name = SEAN | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 5/27/2010 10:04:26 AM | Computer Name = SEAN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RasAcd

Error - 5/27/2010 7:35:29 PM | Computer Name = SEAN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
RasAcd

Error - 5/30/2010 5:44:21 PM | Computer Name = SEAN | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 5/30/2010 5:44:21 PM | Computer Name = SEAN | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >







GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-31 03:20:50
Windows 5.1.2600 Service Pack 3
Running: 0l36xs9j.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdypog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINNT\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6BCB000, 0x198FE0, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[296] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 002B6691
.text C:\Program Files\Mozilla Firefox\firefox.exe[296] WS2_32.dll!send 71AB4C27 5 Bytes JMP 002B63D3
.text C:\Program Files\Mozilla Firefox\firefox.exe[296] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 002B6597
.text C:\Program Files\Mozilla Firefox\firefox.exe[296] WS2_32.dll!recv 71AB676F 5 Bytes JMP 002B6446
.text C:\Program Files\Mozilla Firefox\firefox.exe[296] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 002B64FD

---- EOF - GMER 1.0.15 ----


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:03 PM

Posted 05 June 2010 - 12:10 PM

Sorry didn't see that you had replied.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 Gilthantis

Gilthantis
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 07 June 2010 - 01:46 AM

ComboFix 10-06-06.03 - Administrator 06/07/2010 1:33.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.754 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\csrss.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\lsass.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\services.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\svchost.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\Administrator\Application Data\020000001d72aa22922C.manifest
c:\documents and settings\Administrator\Application Data\020000001d72aa22922O.manifest
c:\documents and settings\Administrator\Application Data\020000001d72aa22922P.manifest
c:\documents and settings\Administrator\Application Data\020000001d72aa22922S.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\Administrator\Recent\Inv_25020_from_U.S._Roaster.pdf
c:\documents and settings\Administrator\Recent\Inv_26473_from_U.S._Roaster1.pdf
C:\feed.txt
c:\winnt\system32\hlp.dat
D:\install.exe

c:\winnt\system32\ws2_32.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_IAS


((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-07 06:40 . 2010-06-07 06:40 -------- d-----w- c:\winnt\system32\xircom
2010-06-07 06:40 . 2010-06-07 06:40 -------- d-----w- c:\winnt\system32\wbem\snmp
2010-05-26 05:49 . 2010-05-26 05:49 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-24 08:23 . 2010-06-03 06:16 75408 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-10 18:17 . 2010-06-07 06:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PMB Files
2010-05-10 18:16 . 2010-05-10 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-05-10 18:16 . 2010-05-10 18:16 -------- d-----w- c:\program files\Pando Networks
2010-05-10 07:31 . 2010-05-17 22:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\FOG Downloader
2010-05-10 07:13 . 2010-05-10 07:13 60928 ----a-w- c:\winnt\system32\rakion.sys
2010-05-08 10:04 . 2010-05-08 10:04 1635 ----a-w- c:\winnt\option.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 06:41 . 2007-12-04 17:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-27 05:54 . 2006-11-13 17:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-26 21:45 . 2009-12-11 08:33 -------- d-----w- c:\program files\NCH Software
2010-05-26 21:45 . 2009-12-11 08:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2010-05-24 15:49 . 2008-03-24 19:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-08 09:34 . 2009-12-11 08:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\NCH Software
2010-04-29 20:39 . 2010-02-06 04:45 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2008-06-30 15:07 20952 -c--a-w- c:\winnt\system32\drivers\mbam.sys
2010-04-15 23:59 . 2010-04-15 23:58 21195352 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901dupd.exe
2010-04-14 15:15 . 2007-04-03 20:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-03-26 15:33 . 2010-04-30 01:49 1496064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 15:33 . 2010-04-30 01:49 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 15:33 . 2010-04-30 01:49 339456 -c--a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 15:32 . 2010-04-30 01:49 346112 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-09 11:09 . 2008-05-03 12:00 430080 -c--a-w- c:\winnt\system32\vbscript.dll
2006-11-12 05:34 . 2006-11-12 05:34 21952 -c-h--w- c:\program files\folder.htt
2008-06-11 00:03 . 2008-06-11 00:03 479232 -c--a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-06-11 00:03 . 2008-06-11 00:03 548864 -c--a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-06-11 00:03 . 2008-06-11 00:03 626688 -c--a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
.

------- Sigcheck -------

[-] 2008-05-03 . 2D3E126F10624D9B8DB6B81FA62BE3A5 . 578560 . . [5.1.2600.5508] . . c:\winnt\system32\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\winnt\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\user32.dll
[-] 2005-03-12 07:54 . 05CB047C49480A2157911B0A1C7E4C10 . 380688 . . [5.00.2195.7032] . . c:\winnt\$NtUpdateRollupPackUninstall$\user32.dll
[-] 2002-07-22 19:05 . 4DC317A74845603F6D2B0B325AA234C6 . 405264 . . [5.00.2195.4314] . . c:\winnt\$NtUninstallQ329115$\user32.dll

[-] 2008-05-03 . E5A9308CCE1C7A08C1DB997CABB29534 . 82432 . . [5.1.2600.5508] . . c:\winnt\system32\ws2_32.dll
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\winnt\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DownloadAccelerator"="d:\program files\DAP\DAP.EXE" [2008-09-03 3057152]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"CurseClient"="d:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-05-10 2937528]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [2007-03-23 2526776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2008-05-03 143360]
"gcNotifier"="c:\documents and settings\Administrator\Local Settings\Application Data\VTShared\GCNotifier.exe" [2008-04-10 176128]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-05-03 214528]
"nltide_3"="advpack.dll" [2008-05-03 99840]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-5-21 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - d:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-04 14:41 256576 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\DAP\\DAP.exe"=
"d:\\Program Files\\Curse\\CurseClient.exe"=
"d:\\Action\\Axion2008\\r1q2.exe"=
"d:\\Program Files\\Dawn of Light\\mysql\\bin\\mysqld-opt.exe"=
"d:\\Program Files\\Dawn of Light\\DOLServer.exe"=
"d:\\Program Files\\Dawn of Light\\Source\\release\\DOLServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"d:\\Program Files\\Runes of Magic\\Client.exe"=
"d:\\Program Files\\Runes of Magic\\launcher.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Apps\\2.0\\BXH639X5.2PL\\NJ5GCOEV.TBD\\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"57366:TCP"= 57366:TCP:Pando Media Booster
"57366:UDP"= 57366:UDP:Pando Media Booster

S0 ajkyahe;ajkyahe; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 3:13 AM 135664]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [11/11/2006 8:22 PM 61712]
S3 rak;rak;c:\winnt\system32\rakion.sys [5/10/2010 2:13 AM 60928]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\winnt\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2010-06-07 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:12]

2010-06-07 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:12]

2010-06-07 c:\winnt\Tasks\SpeedOptimizer Startup.job
- d:\progra~1\speedo~1\SPO.exe [2008-09-03 14:45]

2010-06-07 c:\winnt\Tasks\WGASetup.job
- c:\winnt\system32\KB905474\wgasetup.exe [2009-05-05 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - d:\program files\DAP\dapextie.htm
IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: d:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: d:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
BHO-{C7BA40A1-74F2-52BD-F411-04B15A2C8953} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Performance Center - c:\program files\Ascentive\Performance Center\APCMain.exe
HKCU-Run-Tracks Eraser Pro - c:\program files\Acesoft\Tracks Eraser Pro\te.exe
HKLM-Run-SpyHunter Security Suite - c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe
HKU-Default-RunOnce-tscuninstall - c:\winnt\system32\tscupgrd.exe
Notify-f0369e03922 - (no file)
SafeBoot-sglfb.sys
SafeBoot-tga.sys
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - d:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 01:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"d:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"d:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(388)
c:\winnt\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2460)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
d:\program files\TortoiseSVN\bin\TortoiseStub.dll
d:\program files\TortoiseSVN\bin\TortoiseSVN.dll
d:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\winnt\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\Ati2evxx.exe
c:\winnt\system32\Ati2evxx.exe
d:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
d:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\winnt\system32\WgaTray.exe
c:\winnt\system32\wscntfy.exe
d:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\winnt\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
.
**************************************************************************
.
Completion time: 2010-06-07 01:44:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-07 06:44
ComboFix2.txt 2008-07-01 02:32
ComboFix3.txt 2008-06-30 15:39
ComboFix4.txt 2008-03-31 00:45
ComboFix5.txt 2010-06-07 06:31

Pre-Run: 22,652,784,640 bytes free
Post-Run: 22,591,864,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7CA380F6588DF605DCCD2BF42ED0FD73

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:03 PM

Posted 07 June 2010 - 07:20 AM

Do you have an xp cd handy?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :Filefind
    user32.*
    ws2_32.*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 Gilthantis

Gilthantis
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 07 June 2010 - 03:08 PM

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:05 on 07/06/2010 by Administrator (Administrator - Elevation successful)

========== Filefind ==========

Searching for "user32.*"
C:\WINNT\$NtUninstallQ329115$\user32.dll --a--c 405264 bytes [07:34 14/11/2006] [19:05 22/07/2002] 4DC317A74845603F6D2B0B325AA234C6
C:\WINNT\$NtUpdateRollupPackUninstall$\user32.dll --a--c 380688 bytes [09:04 01/12/2007] [07:54 12/03/2005] 05CB047C49480A2157911B0A1C7E4C10
C:\WINNT\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\user32.dll --a--c 578560 bytes [02:01 05/12/2008] [00:12 14/04/2008] B26B135FF1B9F60C9388B4A7D16F600B
C:\WINNT\system32\user32.dll --a--- 578560 bytes [12:00 03/05/2008] [12:00 03/05/2008] 2D3E126F10624D9B8DB6B81FA62BE3A5

Searching for "ws2_32.*"
C:\WINNT\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ws2_32.dll --a--c 82432 bytes [02:02 05/12/2008] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINNT\system32\ws2_32.dll --a--- 82432 bytes [12:00 03/05/2008] [12:00 03/05/2008] E5A9308CCE1C7A08C1DB997CABB29534

-=End Of File=-




I used to have an xp disk, but I have no idea where it is. It's possible I may have given it to someone, should I see if I can get one?

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:03 PM

Posted 08 June 2010 - 06:44 AM

QUOTE
I used to have an xp disk, but I have no idea where it is. It's possible I may have given it to someone, should I see if I can get one?
Yes you have some patched files that need to be replaced.
You will need ti disk to make the appropriate fixes.

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
=====
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 Gilthantis

Gilthantis
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 09 June 2010 - 03:51 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5508

6/8/2010 5:46:06 PM
mbam-log-2010-06-08 (17-46-06).txt

Scan type: Quick scan
Objects scanned: 117005
Time elapsed: 7 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Wednesday, June 9, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, June 08, 2010 21:08:05
Records in database: 4215675
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
Z:\
Scan statistics
Objects scanned 180223
Threats found 6
Infected objects found 73
Suspicious objects found 0
Scan duration 03:01:24

File name Threat Threats count
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask.exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\awvtt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyx 1
C:\QooBox\Quarantine\C\WINNT\system32\awvtt.exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\hgghfeb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi 1
C:\QooBox\Quarantine\C\WINNT\system32\jkkjg.exe.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\jkkjigh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi 1
C:\QooBox\Quarantine\C\WINNT\system32\khffday.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi 1
C:\QooBox\Quarantine\C\WINNT\system32\ljjkhii.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX10.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX102A.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX11.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX12.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX1218.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX13.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX14.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX15.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX16.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX160A.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX1614.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX17.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX18.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX19.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX1A.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX1C01.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX23.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX23A8.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX27EB.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX2DD8.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX2E.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX31.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX3153.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX380.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX3F4A.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX46A.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX4AE.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX6.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX6CA.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX6E3.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCX8B2.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCXB73.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCXD39.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCXDF6.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\RCXF56.tmp.vir Infected: Virus.Win32.Trats.d 1
C:\QooBox\Quarantine\C\WINNT\system32\vtusqon.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi 1
C:\QooBox\Quarantine\C\WINNT\system32\yayawvw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dyi 1
D:\Program Files\Adobe\Adobe Photoshop CS3 Extended + Keygen\Keygen (Adobe).exe Infected: Trojan-Dropper.Win32.Agent.bzl 1
D:\Program Files\Lavasoft\Ad-Aware 2007\ProcessWatch.exe Infected: Trojan-Dropper.Win32.Delf.dzt 1
D:\Program Files\Lavasoft Ad-Aware 2007 Professional v7.0.2.1 + Crack\aaw2007.exe Infected: Trojan.Win32.Buzus.cjbm 1
D:\Program Files\Lavasoft Ad-Aware 2007 Professional v7.0.2.1 + Crack\Crack\ProcessWatch.exe Infected: Trojan-Dropper.Win32.Delf.dzt 1
Selected area has been scanned.


#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:03 PM

Posted 10 June 2010 - 06:38 AM

I am attaching the 2 files since you do not have a restore disk.
First I need you to right click on the .zip file that you download and choose extract all.
When prompted for a location choose C:\ then hit enter then hit enter again.
Make sure that the files are actually on the c:\ drive and then follow the below instructions.
[attachment=60683:user32.zip]

If the files are not sitting on the C:\Drive then do not proceed but stop and alert me to it.
======================
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
KILLALL::

FCopy::
C:\user32.dll|C:\Windows\system32\user32.dll
C:\ws2_32.dll|C:\Windows\system32\ws2_32.dll

File::
D:\Program Files\Adobe\Adobe Photoshop CS3 Extended + Keygen\Keygen (Adobe).exe
D:\Program Files\Lavasoft\Ad-Aware 2007\ProcessWatch.exe
D:\Program Files\Lavasoft Ad-Aware 2007 Professional v7.0.2.1 + Crack\aaw2007.exe
D:\Program Files\Lavasoft Ad-Aware 2007 Professional v7.0.2.1 + Crack\Crack\ProcessWatch.exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
=============
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#11 Gilthantis

Gilthantis
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 10 June 2010 - 06:51 PM

ComboFix 10-06-10.03 - Administrator 06/10/2010 18:39:03.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.511 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"d:\program files\Adobe\Adobe Photoshop CS3 Extended + Keygen\Keygen (Adobe).exe"
"d:\program files\Lavasoft Ad-Aware 2007 Professional v7.0.2.1 + Crack\aaw2007.exe"
"d:\program files\Lavasoft Ad-Aware 2007 Professional v7.0.2.1 + Crack\Crack\ProcessWatch.exe"
"d:\program files\Lavasoft\Ad-Aware 2007\ProcessWatch.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\user32.dll
d:\program files\Adobe\Adobe Photoshop CS3 Extended + Keygen\Keygen (Adobe).exe
d:\program files\Lavasoft Ad-Aware 2007 Professional v7.0.2.1 + Crack\aaw2007.exe
d:\program files\Lavasoft Ad-Aware 2007 Professional v7.0.2.1 + Crack\Crack\ProcessWatch.exe
d:\program files\Lavasoft\Ad-Aware 2007\ProcessWatch.exe

c:\winnt\system32\ws2_32.dll . . . is infected!!

.
--------------- FCopy ---------------

c:\user32.dll --> c:\Windows\system32\user32.dll
c:\ws2_32.dll --> c:\Windows\system32\ws2_32.dll
.
((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))
.

2010-06-10 23:39 . 2010-06-10 23:39 -------- d-----w- C:\Windows
2010-06-10 23:22 . 2008-04-14 13:00 82432 ------w- C:\ws2_32.dll
2010-06-07 06:40 . 2010-06-07 06:40 -------- d-----w- c:\winnt\system32\xircom
2010-06-07 06:40 . 2010-06-07 06:40 -------- d-----w- c:\winnt\system32\wbem\snmp
2010-05-26 05:49 . 2010-05-26 05:49 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-24 08:23 . 2010-06-03 06:16 75408 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 23:45 . 2007-12-04 17:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-08 07:36 . 2007-04-03 20:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-05-27 05:54 . 2006-11-13 17:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-26 21:45 . 2009-12-11 08:33 -------- d-----w- c:\program files\NCH Software
2010-05-26 21:45 . 2009-12-11 08:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2010-05-24 15:49 . 2008-03-24 19:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-17 22:42 . 2010-05-10 07:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\FOG Downloader
2010-05-10 18:26 . 2010-05-10 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-05-10 18:16 . 2010-05-10 18:16 -------- d-----w- c:\program files\Pando Networks
2010-05-10 07:13 . 2010-05-10 07:13 60928 ----a-w- c:\winnt\system32\rakion.sys
2010-05-08 10:04 . 2010-05-08 10:04 1635 ----a-w- c:\winnt\option.dat
2010-05-08 09:34 . 2009-12-11 08:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\NCH Software
2010-04-29 20:39 . 2010-02-06 04:45 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2008-06-30 15:07 20952 -c--a-w- c:\winnt\system32\drivers\mbam.sys
2010-04-15 23:59 . 2010-04-15 23:58 21195352 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901dupd.exe
2010-03-26 15:33 . 2010-04-30 01:49 1496064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 15:33 . 2010-04-30 01:49 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 15:33 . 2010-04-30 01:49 339456 -c--a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 15:32 . 2010-04-30 01:49 346112 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2006-11-12 05:34 . 2006-11-12 05:34 21952 -c-h--w- c:\program files\folder.htt
2008-06-11 00:03 . 2008-06-11 00:03 479232 -c--a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-06-11 00:03 . 2008-06-11 00:03 548864 -c--a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-06-11 00:03 . 2008-06-11 00:03 626688 -c--a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
.

------- Sigcheck -------

[-] 2008-05-03 . 2D3E126F10624D9B8DB6B81FA62BE3A5 . 578560 . . [5.1.2600.5508] . . c:\winnt\system32\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\winnt\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\user32.dll
[-] 2005-03-12 07:54 . 05CB047C49480A2157911B0A1C7E4C10 . 380688 . . [5.00.2195.7032] . . c:\winnt\$NtUpdateRollupPackUninstall$\user32.dll
[-] 2002-07-22 19:05 . 4DC317A74845603F6D2B0B325AA234C6 . 405264 . . [5.00.2195.4314] . . c:\winnt\$NtUninstallQ329115$\user32.dll

[-] 2008-05-03 . E5A9308CCE1C7A08C1DB997CABB29534 . 82432 . . [5.1.2600.5508] . . c:\winnt\system32\ws2_32.dll
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\winnt\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DownloadAccelerator"="d:\program files\DAP\DAP.EXE" [2008-09-03 3057152]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"CurseClient"="d:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-05-10 2937528]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [2007-03-23 2526776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2008-05-03 143360]
"gcNotifier"="c:\documents and settings\Administrator\Local Settings\Application Data\VTShared\GCNotifier.exe" [2008-04-10 176128]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-05-03 214528]
"nltide_3"="advpack.dll" [2008-05-03 99840]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-5-21 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - d:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\f0369e03922]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-04 14:41 256576 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\DAP\\DAP.exe"=
"d:\\Program Files\\Curse\\CurseClient.exe"=
"d:\\Action\\Axion2008\\r1q2.exe"=
"d:\\Program Files\\Dawn of Light\\mysql\\bin\\mysqld-opt.exe"=
"d:\\Program Files\\Dawn of Light\\DOLServer.exe"=
"d:\\Program Files\\Dawn of Light\\Source\\release\\DOLServer.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"d:\\Program Files\\Runes of Magic\\Client.exe"=
"d:\\Program Files\\Runes of Magic\\launcher.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Apps\\2.0\\BXH639X5.2PL\\NJ5GCOEV.TBD\\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\\CurseClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"57366:TCP"= 57366:TCP:Pando Media Booster
"57366:UDP"= 57366:UDP:Pando Media Booster

S0 ajkyahe;ajkyahe; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 3:13 AM 135664]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [11/11/2006 8:22 PM 61712]
S3 rak;rak;c:\winnt\system32\rakion.sys [5/10/2010 2:13 AM 60928]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\winnt\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2010-06-10 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:12]

2010-06-10 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:12]

2010-06-10 c:\winnt\Tasks\SpeedOptimizer Startup.job
- d:\progra~1\speedo~1\SPO.exe [2008-09-03 14:45]

2010-06-10 c:\winnt\Tasks\WGASetup.job
- c:\winnt\system32\KB905474\wgasetup.exe [2009-05-05 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - d:\program files\DAP\dapextie.htm
IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - d:\progra~1\DAP\dapie.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: d:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: d:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{C7BA40A1-74F2-52BD-F411-04B15A2C8953} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-10 18:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"d:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"d:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(388)
c:\winnt\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4060)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
d:\program files\TortoiseSVN\bin\TortoiseStub.dll
d:\program files\TortoiseSVN\bin\TortoiseSVN.dll
d:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\winnt\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\Ati2evxx.exe
c:\winnt\system32\Ati2evxx.exe
d:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\winnt\system32\WgaTray.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
d:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
d:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\winnt\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\winnt\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
.
**************************************************************************
.
Completion time: 2010-06-10 18:49:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-10 23:49
ComboFix2.txt 2010-06-07 06:44
ComboFix3.txt 2008-07-01 02:32
ComboFix4.txt 2008-06-30 15:39
ComboFix5.txt 2010-06-10 23:37

Pre-Run: 22,421,229,568 bytes free
Post-Run: 22,461,874,176 bytes free

- - End Of File - - B12D90E6A1ABDC8371D23A4D6896106C


#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:03 PM

Posted 11 June 2010 - 06:40 AM

Please disable Tea timer before proceeding.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
===============
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
KILLALL::

Driver::
ajkyahe

Dequarantine::
C:\Qoobox\Quarantine\C\user32.dll.vir

FCopy::
C:\user32.dll|C:\Windows\system32\user32.dll
C:\user32.dll|c:\winnt\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\user32.dll
C:\user32.dll|c:\winnt\$NtUpdateRollupPackUninstall$\user32.dll
C:\user32.dll|c:\winnt\$NtUninstallQ329115$\user32.dll
C:\ws2_32.dll|C:\Windows\system32\ws2_32.dll
C:\ws2_32.dll|c:\winnt\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ws2_32.dll



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
=============
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#13 Gilthantis

Gilthantis
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 11 June 2010 - 05:18 PM

ComboFix 10-06-10.06 - Administrator 06/11/2010 17:07:35.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.565 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\user32.dll

c:\winnt\system32\ws2_32.dll . . . is infected!!

.
--------------- FCopy ---------------

c:\user32.dll --> c:\Windows\system32\user32.dll
c:\user32.dll --> c:\winnt\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\user32.dll
c:\user32.dll --> c:\winnt\$NtUpdateRollupPackUninstall$\user32.dll
c:\user32.dll --> c:\winnt\$NtUninstallQ329115$\user32.dll
c:\ws2_32.dll --> c:\Windows\system32\ws2_32.dll
c:\ws2_32.dll --> c:\winnt\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AJKYAHE
-------\Service_ajkyahe


((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-10 23:39 . 2010-06-10 23:39 -------- d-----w- C:\Windows
2010-06-10 23:22 . 2008-04-14 13:00 82432 ------w- C:\ws2_32.dll
2010-06-07 06:40 . 2010-06-07 06:40 -------- d-----w- c:\winnt\system32\xircom
2010-06-07 06:40 . 2010-06-07 06:40 -------- d-----w- c:\winnt\system32\wbem\snmp
2010-05-26 05:49 . 2010-05-26 05:49 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-24 08:23 . 2010-06-03 06:16 75408 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 22:14 . 2007-12-04 17:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-08 07:36 . 2007-04-03 20:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-05-27 05:54 . 2006-11-13 17:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-26 21:45 . 2009-12-11 08:33 -------- d-----w- c:\program files\NCH Software
2010-05-26 21:45 . 2009-12-11 08:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2010-05-24 15:49 . 2008-03-24 19:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-17 22:42 . 2010-05-10 07:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\FOG Downloader
2010-05-10 18:26 . 2010-05-10 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-05-10 18:16 . 2010-05-10 18:16 -------- d-----w- c:\program files\Pando Networks
2010-05-10 07:13 . 2010-05-10 07:13 60928 ----a-w- c:\winnt\system32\rakion.sys
2010-05-08 10:04 . 2010-05-08 10:04 1635 ----a-w- c:\winnt\option.dat
2010-05-08 09:34 . 2009-12-11 08:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\NCH Software
2010-04-29 20:39 . 2010-02-06 04:45 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2008-06-30 15:07 20952 -c--a-w- c:\winnt\system32\drivers\mbam.sys
2010-04-15 23:59 . 2010-04-15 23:58 21195352 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US65016901dupd.exe
2010-03-26 15:33 . 2010-04-30 01:49 1496064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 15:33 . 2010-04-30 01:49 43008 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 15:33 . 2010-04-30 01:49 339456 -c--a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 15:32 . 2010-04-30 01:49 346112 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2006-11-12 05:34 . 2006-11-12 05:34 21952 -c-h--w- c:\program files\folder.htt
2008-06-11 00:03 . 2008-06-11 00:03 479232 -c--a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-06-11 00:03 . 2008-06-11 00:03 548864 -c--a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-06-11 00:03 . 2008-06-11 00:03 626688 -c--a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
.

------- Sigcheck -------

[-] 2010-06-11 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\winnt\$NtUninstallQ329115$\user32.dll
[-] 2010-06-11 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\winnt\$NtUpdateRollupPackUninstall$\user32.dll
[-] 2010-06-11 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\winnt\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\user32.dll
[-] 2008-05-03 . 2D3E126F10624D9B8DB6B81FA62BE3A5 . 578560 . . [5.1.2600.5508] . . c:\winnt\system32\user32.dll

[-] 2008-05-03 . E5A9308CCE1C7A08C1DB997CABB29534 . 82432 . . [5.1.2600.5508] . . c:\winnt\system32\ws2_32.dll
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\winnt\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ws2_32.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-06-07_06.41.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-01 09:04 . 2010-06-11 22:07 578560 c:\winnt\$NtUpdateRollupPackUninstall$\user32.dll
+ 2006-11-14 07:34 . 2010-06-11 22:07 578560 c:\winnt\$NtUninstallQ329115$\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 23:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DownloadAccelerator"="d:\program files\DAP\DAP.EXE" [2008-09-03 3057152]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"CurseClient"="d:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-05-10 2937528]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [2007-03-23 2526776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2008-05-03 143360]
"gcNotifier"="c:\documents and settings\Administrator\Local Settings\Application Data\VTShared\GCNotifier.exe" [2008-04-10 176128]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-05-03 214528]
"nltide_3"="advpack.dll" [2008-05-03 99840]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-5-21 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - d:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\f0369e03922]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\qttask .exe -atboottime [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-04 14:41 256576 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\DAP\\DAP.exe"=
"d:\\Program Files\\Curse\\CurseClient.exe"=
"d:\\Action\\Axion2008\\r1q2.exe"=
"d:\\Program Files\\Dawn of Light\\mysql\\bin\\mysqld-opt.exe"=
"d:\\Program Files\\Dawn of Light\\DOLServer.exe"=
"d:\\Program Files\\Dawn of Light\\Source\\release\\DOLServer.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"d:\\Program Files\\Runes of Magic\\Client.exe"=
"d:\\Program Files\\Runes of Magic\\launcher.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Apps\\2.0\\BXH639X5.2PL\\NJ5GCOEV.TBD\\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\\CurseClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"57366:TCP"= 57366:TCP:Pando Media Booster
"57366:UDP"= 57366:UDP:Pando Media Booster

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2010 3:13 AM 135664]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\drivers\el90xbc5.sys [11/11/2006 8:22 PM 61712]
S3 rak;rak;c:\winnt\system32\rakion.sys [5/10/2010 2:13 AM 60928]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\winnt\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2010-06-11 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:12]

2010-06-11 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 08:12]

2010-06-11 c:\winnt\Tasks\SpeedOptimizer Startup.job
- d:\progra~1\speedo~1\SPO.exe [2008-09-03 14:45]

2010-06-11 c:\winnt\Tasks\WGASetup.job
- c:\winnt\system32\KB905474\wgasetup.exe [2009-05-05 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Clean Traces - d:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - d:\program files\DAP\dapextie.htm
IE: Download &all with DAP - d:\program files\DAP\dapextie2.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4l76pzcy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: d:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: d:\program files\DivX\DivX Content Uploader\npUpload.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 17:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"d:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"d:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(388)
c:\winnt\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3912)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
d:\program files\TortoiseSVN\bin\TortoiseStub.dll
d:\program files\TortoiseSVN\bin\TortoiseSVN.dll
d:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\winnt\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\Ati2evxx.exe
c:\winnt\system32\Ati2evxx.exe
d:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
d:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\winnt\system32\wscntfy.exe
c:\winnt\system32\WgaTray.exe
d:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\winnt\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
.
**************************************************************************
.
Completion time: 2010-06-11 17:17:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-11 22:17
ComboFix2.txt 2010-06-10 23:49
ComboFix3.txt 2010-06-07 06:44
ComboFix4.txt 2008-07-01 02:32
ComboFix5.txt 2010-06-11 22:06
C:\DeQuarantine.txt

Pre-Run: 22,475,005,952 bytes free
Post-Run: 22,453,780,480 bytes free

- - End Of File - - 15E6088B0F009506537331EB97D823DA


#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:03 PM

Posted 11 June 2010 - 05:22 PM

Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste the file path into the box when you click on Browse then once you have done that click on the open button then submit)

c:\Windows\system32\user32.dll
c:\Windows\system32\ws2_32.dll


This will produce a report after the scan is complete, please copy and paste those results in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#15 Gilthantis

Gilthantis
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:03 PM

Posted 13 June 2010 - 07:07 PM

File 083DA59600CA3828D49208485E7D7A00EDE72044.dll received on 2010.06.11 03:56:08 (UTC)
Current status: finished
Result: 1/40 (2.50%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 5.0.0.26 2010.06.11 -
AhnLab-V3 2010.06.11.00 2010.06.11 -
AntiVir 8.2.2.6 2010.06.10 -
Antiy-AVL 2.0.3.7 2010.06.11 -
Authentium 5.2.0.5 2010.06.11 -
Avast 4.8.1351.0 2010.06.10 -
Avast5 5.0.332.0 2010.06.10 -
AVG 9.0.0.787 2010.06.10 -
BitDefender 7.2 2010.06.11 -
CAT-QuickHeal 10.00 2010.06.11 -
ClamAV 0.96.0.3-git 2010.06.11 -
Comodo 5058 2010.06.11 -
DrWeb 5.0.2.03300 2010.06.11 -
eSafe 7.0.17.0 2010.06.10 Win32.Banker
eTrust-Vet 36.1.7627 2010.06.10 -
F-Prot 4.6.0.103 2010.06.11 -
F-Secure 9.0.15370.0 2010.06.11 -
Fortinet 4.1.133.0 2010.06.10 -
GData 21 2010.06.11 -
Ikarus T3.1.1.84.0 2010.06.11 -
Jiangmin 13.0.900 2010.06.10 -
Kaspersky 7.0.0.125 2010.06.11 -
McAfee 5.400.0.1158 2010.06.11 -
McAfee-GW-Edition 2010.1 2010.06.10 -
Microsoft 1.5802 2010.06.10 -
NOD32 5188 2010.06.10 -
Norman 6.04.12 2010.06.10 -
nProtect 2010-06-10.01 2010.06.10 -
Panda 10.0.2.7 2010.06.10 -
PCTools 7.0.3.5 2010.06.11 -
Rising 22.51.04.01 2010.06.11 -
Sophos 4.54.0 2010.06.11 -
Sunbelt 6433 2010.06.11 -
Symantec 20101.1.0.89 2010.06.11 -
TheHacker 6.5.2.0.297 2010.06.11 -
TrendMicro 9.120.0.1004 2010.06.10 -
TrendMicro-HouseCall 9.120.0.1004 2010.06.11 -
VBA32 3.12.12.5 2010.06.10 -
ViRobot 2010.6.10.3879 2010.06.10 -
VirusBuster 5.0.27.0 2010.06.10 -
Additional information
File size: 578560 bytes
MD5 : b26b135ff1b9f60c9388b4a7d16f600b
SHA1 : 08fe9ff1fe9b8fd237adedb10d65fb0447b91fe5
SHA256: acd0ae7b4d5f871e148276c6cc4ae3a216e33f67fc78d827c16986e1f945438c
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xB217
timedatestamp.....: 0x4802A11B (Mon Apr 14 02:11:07 2008)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5F283 0x5F400 6.65 25051dc5344bd71f517de4813f1397ed
.data 0x61000 0x1180 0xC00 2.38 28fc1d764bf4ed37bb349bca5991a1ff
.rsrc 0x63000 0x2A088 0x2A200 4.97 818c69d1407c2f66058a8171086b2fba
.reloc 0x8E000 0x2DE4 0x2E00 6.77 68ebe5a2d822be0663a3e935b39d0bae

( 0 imports )


( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...388b4a7d16f600b
ssdeep: 6144:Q7ML7NoIlCGJPY2Z2AlptXbgz0+Q4odCGfTnpbEdd/fudqsa0jucQgBMacCGNoEd:foHEHblpWz0jPLhEfgP6WMDoEJY
sigcheck: publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows XP USER API Client DLL
original name: user32
internal name: user32
file version.: 5.1.2600.5512 (xpsp.080413-2105)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
RDS : NSRL Reference Data Set
-



File ws2_32.dll received on 2010.06.08 14:05:33 (UTC)
Current status: finished
Result: 0/41 (0.00%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
a-squared 5.0.0.26 2010.06.08 -
AhnLab-V3 2010.06.08.06 2010.06.08 -
AntiVir 8.2.2.6 2010.06.08 -
Antiy-AVL 2.0.3.7 2010.06.08 -
Authentium 5.2.0.5 2010.06.08 -
Avast 4.8.1351.0 2010.06.08 -
Avast5 5.0.332.0 2010.06.08 -
AVG 9.0.0.787 2010.06.08 -
BitDefender 7.2 2010.06.08 -
CAT-QuickHeal 10.00 2010.06.08 -
ClamAV 0.96.0.3-git 2010.06.08 -
Comodo 5028 2010.06.08 -
DrWeb 5.0.2.03300 2010.06.08 -
eSafe 7.0.17.0 2010.06.06 -
eTrust-Vet 36.1.7618 2010.06.08 -
F-Prot 4.6.0.103 2010.06.08 -
F-Secure 9.0.15370.0 2010.06.08 -
Fortinet 4.1.133.0 2010.06.08 -
GData 21 2010.06.08 -
Ikarus T3.1.1.84.0 2010.06.08 -
Jiangmin 13.0.900 2010.06.08 -
Kaspersky 7.0.0.125 2010.06.08 -
McAfee 5.400.0.1158 2010.06.08 -
McAfee-GW-Edition 2010.1 2010.06.08 -
Microsoft 1.5802 2010.06.08 -
NOD32 5182 2010.06.08 -
Norman 6.04.12 2010.06.07 -
nProtect 2010-06-08.01 2010.06.08 -
Panda 10.0.2.7 2010.06.07 -
PCTools 7.0.3.5 2010.06.08 -
Prevx 3.0 2010.06.08 -
Rising 22.51.01.04 2010.06.08 -
Sophos 4.53.0 2010.06.08 -
Sunbelt 6418 2010.06.08 -
Symantec 20101.1.0.89 2010.06.08 -
TheHacker 6.5.2.0.295 2010.06.08 -
TrendMicro 9.120.0.1004 2010.06.08 -
TrendMicro-HouseCall 9.120.0.1004 2010.06.08 -
VBA32 3.12.12.5 2010.06.08 -
ViRobot 2010.6.8.2343 2010.06.08 -
VirusBuster 5.0.27.0 2010.06.07 -
Additional information
File size: 82432 bytes
MD5 : 2ccc474eb85ceaa3e1fa1726580a3e5a
SHA1 : 7cf3366c68e402eb3678046fe97651a586044560
SHA256: 6e99d2fb4997e54e8b1b7d769cf2c0fae296a6441dc39984850ea26bfeb7e500
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1273
timedatestamp.....: 0x4802A163 (Mon Apr 14 02:12:19 2008)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12153 0x12200 6.48 cb2c4ac799159013b18999c21e2df4f0
.data 0x14000 0x914 0xA00 4.88 704b5717fb2cf3f297691957debc5e92
.rsrc 0x15000 0x3F8 0x400 3.43 5ff68b649c14d167754073f671ef1ef1
.reloc 0x16000 0xDC8 0xE00 6.65 c085926e9053221b19c5e6bcc1c08384

( 0 imports )


( 0 exports )
TrID : File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...1fa1726580a3e5a
ssdeep: 1536:HRqRC/AJcBuyg2q1htxvSrqtkBx5sALnR4lxCyqnelG:HR0TJKBq1hrvSrMkBx5swR41Mj
sigcheck: publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Socket 2.0 32-Bit DLL
original name: ws2_32.dll
internal name: ws2_32.dll
file version.: 5.1.2600.5512 (xpsp.080413-0852)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
RDS : NSRL Reference Data Set
-




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users