
Malware Infection - regenerates


13 replies to this topic

#1 Genjima


Posted 19 June 2010 - 08:11 AM


DDS (Ver_10-03-17.01) - NTFSx86
Run by PcUser at 13:50:35.95 on 2010/06/19
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2271 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\WTClient.exe
C:\Program Files\BattlePing\BattleP.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\PcUser\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title =
mWindow Title =
uInternet Settings,ProxyOverride = local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\BattleP.dll
LSP: %SystemRoot%\system32\PrxerDrv.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {81A0AA91-60BF-4549-BEE9-BEA399AE7BD3} = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pcuser\applic~1\mozilla\firefox\profiles\qz2jd7ye.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www3.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.za/
FF - prefs.js: keyword.URL - hxxp://www3.iamwired.net/websearch.php?src=tops&search=
FF - plugin: c:\documents and settings\pcuser\application data\mozilla\firefox\profiles\qz2jd7ye.default\extensions\solidstateion@solidstatenetworks.com\plugins\npssn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-17 11608]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-4 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-4 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-4 242896]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-17 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-17 267432]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-14 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-17 60936]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-5-21 233472]
R3 BATTLEP;BATTLEP;c:\program files\battleping\BattleP.exe [2009-12-25 1568768]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-5-21 36608]
R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2007-6-7 18944]
R3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [2007-4-23 10752]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-6-13 1684736]
S3 cpuz132;cpuz132;\??\c:\docume~1\pcuser\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\pcuser\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\games\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-4 25832]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-1-24 24416]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-5-22 27064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2010-5-21 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2010-5-21 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2010-5-21 121856]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\xdva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva344;XDva344;\??\c:\windows\system32\xdva344.sys --> c:\windows\system32\XDva344.sys [?]

=============== Created Last 30 ================

2010-06-19 11:43:01 20 ----a-w- c:\documents and settings\pcuser\defogger_reenable
2010-06-19 11:13:34 7168 --sha-w- c:\windows\Thumbs.db
2010-06-19 11:10:46 5120 --sha-w- c:\windows\system32\Thumbs.db
2010-06-17 17:57:01 0 d-----w- c:\docume~1\pcuser\applic~1\Avira
2010-06-17 17:56:08 0 d-----w- c:\windows\system32\NtmsData
2010-06-17 17:47:25 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-17 17:47:23 0 d-----w- c:\program files\Avira
2010-06-17 17:47:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-06-17 17:35:52 242896 ----a-w- c:\windows\system32\drivers\doemwpzj.sys
2010-06-17 15:51:56 242896 ----a-w- c:\windows\system32\drivers\kgsyqttt.sys
2010-06-17 15:04:24 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-14 20:46:07 600 ----a-w- c:\documents and settings\pcuser\PUTTY.RND
2010-06-13 14:30:07 0 d-----w- c:\windows\system32\RTCOM
2010-06-13 14:29:17 0 d-----w- c:\program files\Realtek
2010-06-11 19:47:26 0 d-----w- c:\program files\mIRC
2010-06-11 19:37:49 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-06-11 19:37:49 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-06-11 17:08:02 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-11 16:18:01 0 d-----w- c:\docume~1\pcuser\applic~1\DeviceDoctorSoftware
2010-06-11 16:17:59 0 d-----w- c:\program files\Device Doctor
2010-06-11 16:06:46 0 d-----w- c:\program files\Driver-Soft
2010-06-07 22:39:38 0 ----a-w- C:\debug
2010-06-07 22:29:14 112 ----a-w- c:\docume~1\alluse~1\applic~1\dkbxy4p3.dat
2010-06-05 12:23:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Driver Whiz
2010-05-26 10:05:32 0 d-----w- c:\docume~1\pcuser\applic~1\Simply Super Software
2010-05-26 10:05:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-05-25 12:16:58 17544 ------w- c:\windows\system32\drivers\RkPavproc1.sys
2010-05-25 12:10:29 0 d-----w- c:\program files\Panda Security
2010-05-25 11:53:52 0 d-----w- c:\program files\Trend Micro
2010-05-24 13:07:05 0 d-----w- c:\program files\Emsisoft Anti-Malware
2010-05-24 12:32:34 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-05-24 12:32:34 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-05-24 12:32:34 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-05-24 12:32:34 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-05-24 12:32:34 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-05-22 17:04:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2010-05-22 11:22:58 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-05-22 11:22:56 0 d-----w- c:\program files\VS Revo Group
2010-05-22 11:08:47 0 d-----w- c:\docume~1\pcuser\applic~1\Malwarebytes
2010-05-22 11:06:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-22 11:06:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-22 11:06:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-22 11:06:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-21 11:55:56 0 d-----w- c:\docume~1\pcuser\applic~1\Samsung
2010-05-21 11:55:42 0 d-----w- c:\program files\MarkAny
2010-05-21 11:55:41 0 d-----w- c:\program files\PC Connectivity Solution
2010-05-21 11:55:25 0 d-----w- c:\program files\Samsung

==================== Find3M ====================

2010-06-03 19:43:44 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-05 02:45:04 4807680 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-05-05 01:55:30 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-05-05 01:55:24 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-05-05 01:53:40 3997696 ----a-w- c:\windows\system32\aticaldd.dll
2010-05-05 01:48:36 15056896 ----a-w- c:\windows\system32\atioglxx.dll
2010-05-05 01:43:24 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-05-05 01:39:32 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-05-05 01:38:40 301568 ----a-w- c:\windows\system32\ati2dvag.dll
2010-05-05 01:37:12 3693696 ----a-w- c:\windows\system32\ati3duag.dll
2010-05-05 01:27:02 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-05-05 01:26:52 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-05-05 01:26:46 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-05-05 01:26:42 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-05-05 01:26:32 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-05-05 01:25:30 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-05-05 01:24:50 2250880 ----a-w- c:\windows\system32\ativvaxx.dll
2010-05-05 01:24:22 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-05-05 01:24:22 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-05-05 01:23:46 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-05-05 01:20:44 593920 ----a-w- c:\windows\system32\atikvmag.dll
2010-05-05 01:19:58 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-05-05 01:19:08 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-05-05 01:18:50 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-05-05 01:14:26 708608 ----a-w- c:\windows\system32\ati2cqag.dll
2010-05-05 01:12:44 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-05-05 01:12:44 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-05-05 01:12:12 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-04-14 18:53:51 1682 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-04-14 17:08:18 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-12 15:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-25 15:56:00 203331 ----a-w- c:\windows\system32\atiicdxx.dat

============= FINISH: 13:51:24.68 ===============

Unfortunately I was unable to get the GMER log; this was due to my PC restarting every time I executed the program (possibly due to the Malware preventing it?).

Some malware detected by Avira:
TR/Crypt.ZPACK.Gen

I also saw an Injector that created many of the viruses; however, whenever I try to remove it via an anti-virus, it seems to say 'not found' at the end.
Pretty much all of the malware I have is attached to the process 'svchost.exe'.
I have tried renaming and downloading GMER with different names, yet the same happens at the end: my PC restarts by itself.

If you require any information please let me know (or how to get around this GMER.exe problem I have, so that I can post a log from that).

Many thanks for your assistance.




#2 Farbar


Posted 24 June 2010 - 07:46 AM

Hi Genjima,

Welcome to the Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.
  1. I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to add/remove in the control panel and remove either Avira or AVG.

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  3. Run GMER, uncheck all other boxes than the box next to Sections and C drive. These two should remain checked. Click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.

  4. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @echo off
    if exist mbr.log del mbr.log
    mbr.exe -t
    ping 1.1.1.1 -n 1 -w 1000 >nul
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.

  5. Try also to get this log. Run GMER, uncheck all boxes except the box next to Registry and C drive. Click Scan.
    When it has finished, press Save to save the log and post it in your reply.


#3 Genjima


Posted 24 June 2010 - 11:02 AM

Unfortunately I cannot get GMER to work: when I launch the .exe I get a BSOD and it says 'BAD_POOL_HEADER'. I googled it and could not find anything that was relevant to my problem with launching GMER.

The situation with my computer seems to be okay right now (however, I'd still like to get my GMER working, to see if I could've missed something), as I also used Microsoft Security Essentials in safe mode, and it seems to have removed/quarantined the following items, which it could not get rid of in normal mode:

rootkit:Alureon->AvgTdiX

containerfile:C:\WINDOWS\Temp\wykl.tmp\svchost.exe
file:C:\WINDOWS\Temp\wykl.tmp\svchost.exe->[aPLib_034]



However here is my MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4233

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2010/06/24 05:46:37 PM
mbam-log-2010-06-24 (17-46-37).txt

Scan type: Quick scan
Objects scanned: 119239
Time elapsed: 7 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------

My MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK



Edited by Genjima, 24 June 2010 - 05:30 PM.
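The DDS log in post #1 and the ComboFix log later in the thread both list drivers with random eight-letter names (doemwpzj.sys, kgsyqttt.sys, vafpgiqx.sys, rxqzrrrv.sys) whose size, 242896 bytes, equals that of avgtdix.sys, the driver MSE reported as rootkit:Alureon->AvgTdiX. As an added example that is not part of this thread, the Python script below parses DDS and ComboFix file-listing lines and flags driver files that combine a random-looking name with a size shared by another driver. The sample lines are constructed from the thread's logs (the regguard.sys timestamp is made up), and the name heuristic and its thresholds are my own assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the line shapes are copied from the DDS "Created Last 30" /
# "Find3M" sections and the ComboFix "Files Created" section in this thread.
# The regguard.sys timestamp is made up; every other value appears in the logs.
SAMPLE_LOG = r"""
2010-06-17 17:47:25 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-06-17 17:47:23 0 d-----w- c:\program files\Avira
2010-06-17 17:35:52 242896 ----a-w- c:\windows\system32\drivers\doemwpzj.sys
2010-06-17 15:51:56 242896 ----a-w- c:\windows\system32\drivers\kgsyqttt.sys
2010-06-11 19:37:49 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-06-03 19:43:44 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-22 11:22:58 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-01-24 10:00:00 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-06-27 18:02 . 2010-06-27 18:02 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-20 11:09 . 2010-06-20 11:09 242896 ----a-w- c:\windows\system32\drivers\vafpgiqx.sys
2010-06-19 23:35 . 2010-06-19 23:35 242896 ----a-w- c:\windows\system32\drivers\rxqzrrrv.sys
"""

# One regex covers both layouts: DDS writes "<created> <size> <attrs> <path>",
# ComboFix writes "<created> . <modified> <size> <attrs> <path>" without seconds.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"  # DDS has seconds, ComboFix does not
    r"(?:\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2})?"               # ComboFix adds ". <modified>"
    r"\s+(?P<size>\d+|-{8})"                                    # byte size, or -------- for a directory
    r"\s+(?P<attrs>[a-z-]{8})"                                  # e.g. ----a-w-, d-----w-, --sha-w-
    r"\s+(?P<path>\S.*?)\s*$"
)

VOWELS = set("aeiou")


@dataclass
class Entry:
    created: str
    size: Optional[int]
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_driver(self) -> bool:
        return self.name.endswith(".sys") and "\\drivers\\" in self.path.lower()


@dataclass
class Finding:
    name: str
    size: int
    created: str
    twins: List[str]  # other drivers with exactly the same size


def parse_log(text: str) -> List[Entry]:
    """Return one Entry per file line; headers, separators and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], size, m["attrs"], m["path"]))
    return entries


def looks_random(stem: str) -> bool:
    """Assumed heuristic: eight lowercase letters containing a run of three or more
    consonants. Vendor names such as regguard or revoflt do not trip it, but a few
    legitimate ones (avgntflt) do, which is why the size check below is required."""
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    run = longest = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 3


def find_suspicious_drivers(text: str) -> Tuple[List[Finding], List[Finding]]:
    """Split random-named drivers into (confirmed, name_only): a finding is confirmed
    only when at least one differently named driver has the identical byte size."""
    drivers = [e for e in parse_log(text) if e.is_driver and e.size]
    by_size: Dict[int, List[Entry]] = defaultdict(list)
    for e in drivers:
        by_size[e.size].append(e)
    confirmed: List[Finding] = []
    name_only: List[Finding] = []
    for e in drivers:
        if not looks_random(e.name[:-4]):
            continue
        twins = sorted({t.name for t in by_size[e.size] if t.name != e.name})
        finding = Finding(e.name, e.size, e.created, twins)
        (confirmed if twins else name_only).append(finding)
    return confirmed, name_only


if __name__ == "__main__":
    confirmed, name_only = find_suspicious_drivers(SAMPLE_LOG)
    for f in confirmed:
        print(f"REVIEW {f.name} ({f.size} bytes, created {f.created}) same size as {', '.join(f.twins)}")
    for f in name_only:
        print(f"name-only hit, no size twin: {f.name}")
```

Run over the full DDS and ComboFix logs, the created timestamps of the flagged files (17, 19 and 20 June) show new copies appearing every few days, which is the regeneration the thread title describes.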


#4 Farbar


Posted 24 June 2010 - 11:24 AM

Please post fresh DDS logs. You may attach them.

Edited by farbar, 24 June 2010 - 11:25 AM.


#5 Genjima


Posted 24 June 2010 - 05:30 PM

Done.




#6 Farbar


Posted 24 June 2010 - 05:50 PM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow you to share files between users, as the name(s) suggest. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to add/remove in the control panel and remove either Avira or Microsoft Security Essentials.

  2. You have the latest version of Java (Java 6 Update 20) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please uninstall the following:

    Java™ 6 Update 4

  3. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the not trusted download sites for ComboFix, click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#7 Genjima


Posted 26 June 2010 - 05:40 AM

Just as I am about to finish the ComboFix scan, I get the BSOD and it has BAD_POOL_HEADER. The same happens with GMER; any suggestions?

Edited by Genjima, 26 June 2010 - 05:40 AM.


#8 Farbar


Posted 26 June 2010 - 06:28 AM

Let's try this.
  1. Start in Safe Mode Using the F8 key:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    • Use the arrow keys to select the Safe Mode with networking menu item.
    • Press the Enter key.
    • Log in to your usual account.

  2. Now please do the ComboFix step. But if a reboot is needed, let it boot to normal mode.


#9 Genjima


Posted 27 June 2010 - 01:37 PM

*This scan was done in Safe Mode with Networking*

ComboFix 10-06-27.02 - PcUser 2010/06/27 20:15:48.4.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2591 [GMT 2:00]
Running from: c:\documents and settings\PcUser\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\Penx.dat
c:\windows\system32\Thumbs.db
c:\windows\system32\Xpen.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GOOGLEUPDATEBETA


((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))
.

2010-06-27 18:02 . 2010-06-27 18:02 -------- d-----w- c:\program files\Common Files\Windows Live
2010-06-26 10:40 . 2010-06-26 10:40 -------- d-----w- c:\program files\Speccy
2010-06-26 00:27 . 2010-06-26 00:27 -------- d-----w- c:\documents and settings\PcUser\Application Data\ElevatedDiagnostics
2010-06-25 00:51 . 2010-06-25 00:51 -------- d-----w- c:\program files\Runes of Magic
2010-06-24 16:06 . 2010-05-21 12:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-22 20:55 . 2010-06-22 20:52 53632 ----a-w- c:\documents and settings\PcUser\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-20 11:09 . 2010-06-20 11:09 242896 ----a-w- c:\windows\system32\drivers\vafpgiqx.sys
2010-06-19 23:35 . 2010-06-19 23:35 242896 ----a-w- c:\windows\system32\drivers\rxqzrrrv.sys
2010-06-17 17:56 . 2010-06-25 01:09 -------- d-----w- c:\windows\system32\NtmsData
2010-06-17 17:35 . 2010-06-17 17:35 242896 ----a-w- c:\windows\system32\drivers\doemwpzj.sys
2010-06-17 15:51 . 2010-06-17 15:51 242896 ----a-w- c:\windows\system32\drivers\kgsyqttt.sys
2010-06-17 15:04 . 2010-06-17 15:04 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-13 14:30 . 2010-06-14 13:34 -------- d-----w- c:\windows\system32\RTCOM
2010-06-11 19:47 . 2010-06-27 17:58 -------- d-----w- c:\program files\mIRC
2010-06-11 19:37 . 2008-04-13 22:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-06-11 19:37 . 2008-04-13 22:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-06-11 17:08 . 2010-06-11 17:08 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-11 16:18 . 2010-06-11 16:18 -------- d-----w- c:\documents and settings\PcUser\Application Data\DeviceDoctorSoftware
2010-06-11 16:17 . 2010-06-11 16:17 -------- d-----w- c:\program files\Device Doctor
2010-06-11 16:06 . 2010-06-11 16:06 -------- d-----w- c:\program files\Driver-Soft
2010-06-05 12:23 . 2010-06-05 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
2010-06-01 13:32 . 2010-06-01 13:32 503808 ----a-w- c:\documents and settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1062bea3-n\msvcp71.dll
2010-06-01 13:32 . 2010-06-01 13:32 499712 ----a-w- c:\documents and settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1062bea3-n\jmc.dll
2010-06-01 13:32 . 2010-06-01 13:32 348160 ----a-w- c:\documents and settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1062bea3-n\msvcr71.dll
2010-06-01 13:32 . 2010-06-01 13:32 61440 ----a-w- c:\documents and settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-799bb02d-n\decora-sse.dll
2010-06-01 13:32 . 2010-06-01 13:32 12800 ----a-w- c:\documents and settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-799bb02d-n\decora-d3d.dll
2010-06-01 08:41 . 2010-06-01 08:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2010-06-01 08:41 . 2010-06-01 08:41 -------- d-----w- c:\documents and settings\PcUser\Application Data\PC Suite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-27 18:10 . 2009-12-04 14:49 -------- d-----w- c:\documents and settings\PcUser\Application Data\mIRC
2010-06-26 20:43 . 2010-02-26 07:33 -------- d-----w- c:\program files\Defraggler
2010-06-26 00:50 . 2010-01-21 15:23 -------- d-----w- c:\program files\Java
2010-06-25 09:49 . 2010-01-31 20:19 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-24 15:35 . 2009-12-04 09:50 -------- d-----w- c:\program files\AVG
2010-06-24 10:40 . 2010-03-02 13:08 117760 ----a-w- c:\documents and settings\PcUser\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-24 10:37 . 2010-03-02 13:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-22 20:54 . 2009-12-04 07:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-19 11:25 . 2009-12-25 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-19 00:22 . 2010-05-09 19:17 -------- d-----w- c:\documents and settings\PcUser\Application Data\vlc
2010-06-16 14:12 . 2009-12-14 11:24 -------- d-----w- c:\program files\Warhammer Online - Age of Reckoning
2010-06-13 14:29 . 2010-06-13 14:29 -------- d-----w- c:\program files\Realtek
2010-06-13 14:29 . 2009-12-04 06:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-13 13:47 . 2009-12-04 16:24 -------- d-----w- c:\documents and settings\PcUser\Application Data\uTorrent
2010-06-11 15:38 . 2009-12-04 06:47 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-08 12:17 . 2010-06-07 22:29 112 ----a-w- c:\documents and settings\All Users\Application Data\dkbxy4p3.dat
2010-06-06 15:12 . 2009-12-29 11:49 -------- d-----w- c:\program files\Ubisoft
2010-05-29 19:05 . 2010-05-14 22:00 -------- d-----w- c:\documents and settings\PcUser\Application Data\dvdcss
2010-05-26 11:52 . 2010-02-27 15:19 -------- d-----w- c:\program files\VentriloMIX
2010-05-26 11:48 . 2010-05-25 12:10 -------- d-----w- c:\program files\Panda Security
2010-05-26 10:10 . 2010-05-24 13:07 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-05-26 10:05 . 2009-12-25 08:10 -------- d-----w- c:\program files\TrendMicro
2010-05-26 10:05 . 2010-05-26 10:05 -------- d-----w- c:\documents and settings\PcUser\Application Data\Simply Super Software
2010-05-26 10:05 . 2010-05-26 10:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-05-26 10:04 . 2010-05-25 11:53 -------- d-----w- c:\program files\Trend Micro
2010-05-25 17:20 . 2010-01-24 14:06 -------- d-----w- c:\program files\Uniblue
2010-05-25 11:53 . 2010-05-25 11:53 388096 ----a-r- c:\documents and settings\PcUser\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-23 21:27 . 2010-05-23 21:27 48388 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-05-22 17:04 . 2010-05-22 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-05-22 15:12 . 2010-03-20 14:46 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-05-22 15:08 . 2010-03-18 15:32 -------- d-----w- c:\documents and settings\PcUser\Application Data\RhythmRascal
2010-05-22 15:06 . 2010-01-24 13:53 -------- d-----w- c:\documents and settings\PcUser\Application Data\Uniblue
2010-05-22 11:22 . 2010-05-22 11:22 -------- d-----w- c:\program files\VS Revo Group
2010-05-22 11:08 . 2010-05-22 11:08 -------- d-----w- c:\documents and settings\PcUser\Application Data\Malwarebytes
2010-05-22 11:06 . 2010-05-22 11:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-22 11:06 . 2010-05-22 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-21 11:56 . 2010-05-21 11:57 69632 ----a-w- c:\documents and settings\PcUser\Application Data\Samsung\New PC Studio\DriverChecker.exe
2010-05-21 11:56 . 2010-05-21 11:55 -------- d-----w- c:\program files\Samsung
2010-05-21 11:56 . 2009-12-04 06:30 -------- d-----w- c:\program files\DIFX
2010-05-21 11:56 . 2010-05-21 11:55 -------- d-----w- c:\program files\PC Connectivity Solution
2010-05-21 11:55 . 2010-05-21 11:55 -------- d-----w- c:\documents and settings\PcUser\Application Data\Samsung
2010-05-21 11:55 . 2010-05-21 11:55 -------- d-----w- c:\program files\MarkAny
2010-05-21 11:49 . 2009-12-04 07:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-19 12:38 . 2010-02-22 15:53 -------- d-----w- c:\program files\uTorrent
2010-05-17 09:48 . 2010-02-14 20:53 -------- d-----w- c:\program files\Electronic Arts
2010-05-17 09:47 . 2009-12-17 09:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-14 22:57 . 2010-05-14 22:56 -------- d-----w- c:\documents and settings\PcUser\Application Data\Media Player Classic
2010-05-14 22:56 . 2010-05-14 22:56 -------- d-----w- c:\program files\MPC HomeCinema
2010-05-09 19:13 . 2010-05-09 19:13 -------- d-----w- c:\program files\VideoLAN
2010-05-09 12:05 . 2009-12-16 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-05-07 13:05 . 2010-01-24 09:31 2 --shatr- c:\windows\winstart.bat
2010-05-05 02:45 . 2009-12-03 17:44 4807680 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-05-05 01:55 . 2009-12-03 17:44 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-05-05 01:55 . 2009-12-03 17:44 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-05-05 01:53 . 2009-12-03 17:44 3997696 ----a-w- c:\windows\system32\aticaldd.dll
2010-05-05 01:48 . 2009-12-03 17:44 15056896 ----a-w- c:\windows\system32\atioglxx.dll
2010-05-05 01:43 . 2009-12-03 17:44 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-05-05 01:39 . 2009-12-03 17:44 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-05-05 01:38 . 2009-12-03 17:44 301568 ----a-w- c:\windows\system32\ati2dvag.dll
2010-05-05 01:37 . 2009-12-03 17:44 3693696 ----a-w- c:\windows\system32\ati3duag.dll
2010-05-05 01:27 . 2009-12-03 17:44 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-05-05 01:26 . 2009-12-03 17:44 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-05-05 01:26 . 2009-12-03 17:44 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-05-05 01:26 . 2009-12-03 17:44 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-05-05 01:26 . 2009-12-03 17:44 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-05-05 01:25 . 2009-12-03 17:44 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-05-05 01:24 . 2009-12-03 17:44 2250880 ----a-w- c:\windows\system32\ativvaxx.dll
2010-05-05 01:24 . 2010-03-22 15:01 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-05-05 01:24 . 2010-03-22 15:01 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-05-05 01:24 . 2009-12-03 17:44 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-05-05 01:23 . 2010-03-22 15:01 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-05-05 01:20 . 2009-12-03 17:44 593920 ----a-w- c:\windows\system32\atikvmag.dll
2010-05-05 01:19 . 2009-12-03 17:44 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-05-05 01:19 . 2009-12-03 17:44 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-05-05 01:18 . 2009-12-03 17:44 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-05-05 01:14 . 2009-12-03 17:44 708608 ----a-w- c:\windows\system32\ati2cqag.dll
2010-05-05 01:12 . 2009-12-03 17:44 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-05-05 01:12 . 2009-12-03 17:44 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-05-05 01:12 . 2009-12-03 17:44 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-05-03 13:42 . 2010-05-03 13:41 -------- d-----w- c:\documents and settings\PcUser\Application Data\MSNInstaller
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 10:07 . 2010-01-22 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-04-29 13:39 . 2010-05-22 11:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2010-05-22 11:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-14 18:53 . 2010-02-07 10:28 1682 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-14 18:53 . 2010-02-07 10:28 1682 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-04-14 17:08 . 2009-12-11 19:55 139128 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-14 17:08 . 2009-12-11 19:55 215128 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-04-12 15:29 . 2010-04-16 13:50 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-31 08:12 . 2010-03-31 08:12 503808 ----a-w- c:\documents and settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35aa57a5-n\msvcp71.dll
2010-03-31 08:12 . 2010-03-31 08:12 499712 ----a-w- c:\documents and settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35aa57a5-n\jmc.dll
2010-03-31 08:12 . 2010-03-31 08:12 348160 ----a-w- c:\documents and settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-35aa57a5-n\msvcr71.dll
2010-03-31 08:11 . 2010-03-31 08:11 61440 ----a-w- c:\documents and settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59fd45b3-n\decora-sse.dll
2010-03-31 08:11 . 2010-03-31 08:11 12800 ----a-w- c:\documents and settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-59fd45b3-n\decora-d3d.dll
2010-03-30 22:16 . 2010-03-30 22:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-30 22:10 . 2010-03-30 22:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-20 18670592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^PcUser^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\documents and settings\PcUser\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccipStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2009-04-02 16:05 102400 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2008-03-11 01:20 689488 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-02-21 03:03 1093208 ----a-w- c:\program files\Microsoft Security Essentials\msseces.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-03-16 17:15 2937528 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 14:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 14:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-18 16:52 322352 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WTClient]
2007-04-11 16:27 40960 ----a-w- c:\windows\system32\WTClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)
"IJPLMSVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Games\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Games\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Ubisoft\\Related Designs\\ANNO 1404\\Anno4.exe"=
"c:\\Program Files\\Ubisoft\\Related Designs\\ANNO 1404\\tools\\Anno4Web.exe"=
"c:\\Games\\Steam\\SteamApps\\jinzuul\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Codemasters\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\Codemasters\\The Lord of the Rings Online\\TurbineInvoker.exe"=
"c:\\Program Files\\Codemasters\\The Lord of the Rings Online\\TurbineLauncher.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_04\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_04\\bin\\appletviewer.exe"=
"c:\\gPotato.eu\\Allods Online\\bin\\Launcher.exe"=
"c:\\gPotato.eu\\Allods Online\\bin\\AOgame.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\gPotato.eu\\Allods Online\\bin\\Launcher-broken.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Game.exe"=
"c:\\gPotato.eu\\Allods Online\\bin\\Launcher-Broken2.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Mount&Blade Warband\\mb_warband.exe"=
"c:\\gPotato.eu\\Allods Online\\bin\\Launcher-Broken3.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_04\\jre\\bin\\java.exe"=
"c:\\gPotato.eu\\Allods Online\\bin\\Launcher-Broken4.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Ubisoft\\The Settlers 7 - Paths to a Kingdom\\Data\\Base\\_Dbg\\Bin\\Release\\Settlers7R.exe"=
"c:\\Program Files\\Ubisoft\\The Settlers 7 - Paths to a Kingdom\\Data\\Base\\_Dbg\\Bin\\Release\\UPlayBrowser.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\PcUser\\Local Settings\\Apps\\2.0\\65QN8HJ7.DLL\\W7O2XZD2.WWV\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57909:TCP"= 57909:TCP:Pando Media Booster
"57909:UDP"= 57909:UDP:Pando Media Booster
"433:TCP"= 433:TCP:Lotro
"5015:TCP"= 5015:TCP:Lotro
"8081:TCP"= 8081:TCP:Lotro
"9000:TCP"= 9000:TCP:Lotro
"2900:UDP"= 2900:UDP:Lotro
"5015:UDP"= 5015:UDP:Lotros
"9000:UDP"= 9000:UDP:Lotro
"57546:TCP"= 57546:TCP:Pando Media Booster
"57546:UDP"= 57546:UDP:Pando Media Booster

R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2007/06/07 07:16 PM 18944]
S1 dqakgofq;dqakgofq;\??\c:\windows\system32\drivers\dqakgofq.sys --> c:\windows\system32\drivers\dqakgofq.sys [?]
S1 MpKsl467578d2;MpKsl467578d2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{247E3FB5-5F40-4300-A124-E213195E7496}\MpKsl467578d2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{247E3FB5-5F40-4300-A124-E213195E7496}\MpKsl467578d2.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010/02/17 10:25 AM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010/02/17 10:15 AM 66632]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010/05/21 01:56 PM 233472]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010/06/13 04:29 PM 1684736]
S3 BATTLEP;BATTLEP;c:\program files\BattlePing\BattleP.exe [2009/12/25 02:27 AM 1568768]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\games\Dragon Age\bin_ship\daupdatersvc.service.exe [2009/12/04 05:33 PM 25832]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010/05/21 01:56 PM 36608]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [2007/04/23 05:28 PM 10752]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010/01/24 11:51 AM 24416]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010/05/22 01:22 PM 27064]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010/02/17 10:15 AM 12872]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2010/05/21 01:56 PM 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2010/05/21 01:56 PM 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2010/05/21 01:56 PM 121856]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva344;XDva344;\??\c:\windows\system32\XDva344.sys --> c:\windows\system32\XDva344.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010/02/14 07:29 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-06-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 16:02]

2010-06-27 c:\windows\Tasks\System Restore.job
- c:\windows\system32\Restore\rstrui.exe [2009-12-03 03:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title =
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\BattleP.dll
TCP: {81A0AA91-60BF-4549-BEE9-BEA399AE7BD3} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\PcUser\Application Data\Mozilla\Firefox\Profiles\qz2jd7ye.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www3.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.za/
FF - prefs.js: keyword.URL - hxxp://www3.iamwired.net/websearch.php?src=tops&search=
FF - plugin: c:\documents and settings\PcUser\Application Data\Mozilla\Firefox\Profiles\qz2jd7ye.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-27 20:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-562591055-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8b,b9,a8,6c,a7,bf,89,62,59,09,f6,d3,a3,66,c8,b8,1b,50,8b,09,91,c3,30,
a0,c0,89,d2,a9,11,dd,a6,9a,b8,13,f7,09,74,6a,91,8a,5f,34,12,04,fa,59,5d,4b,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-299502267-562591055-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:2f,99,0c,c2,30,82,17,14,75,03,21,c7,06,6b,08,e2,7a,ff,0a,5b,58,
bf,17,73,c3,93,51,b6,69,33,09,89,16,08,77,bf,c0,61,b1,e1,96,59,41,f7,49,10,\
"rkeysecu"=hex:3f,98,3b,78,be,a9,a6,a4,34,98,26,7f,d8,53,42,82
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(2044)
c:\windows\system32\msi.dll
.
Completion time: 2010-06-27 20:21:47
ComboFix-quarantined-files.txt 2010-06-27 18:21

Pre-Run: 40,987,131,904 bytes free
Post-Run: 40,972,029,952 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 46A854D13DC4335F196FA32EF6650E67


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,717 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:59 AM

Posted 27 June 2010 - 02:44 PM

You may also do this in Safe Mode, but if a reboot is needed, let it reboot to normal mode.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
Driver::
dqakgofq
vafpgiqx
doemwpzj
kgsyqttt
rxqzrrrv
Rootkit::
c:\windows\system32\drivers\vafpgiqx.sys
c:\windows\system32\drivers\rxqzrrrv.sys
c:\windows\system32\drivers\doemwpzj.sys
c:\windows\system32\drivers\kgsyqttt.sys
c:\windows\system32\drivers\dqakgofq.sys
RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log into your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
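
The CFScript above was assembled by hand from two patterns in the ComboFix log: several drivers in system32\drivers with random eight-letter names and the identical size 242896 (one payload dropped under several names), and executables listed with a space before the extension (the entries ComboFix puts in the CODE box and that RenV:: renames back). The following Python script is an added example for the reader, not code from this thread or from ComboFix; it parses ComboFix-style "Files Created" lines, applies those two heuristics, and drafts the Driver::, Rootkit:: and RenV:: sections the way Farbar wrote them. The log lines embedded in it are constructed to mirror the entries above (the lowercased ptsimbus.sys line is a made-up decoy showing that a random-looking name alone is not enough; the size must be shared). Function names and the size-clustering rule are this example's own choices; a helper still reviews the draft before running it.

```python
"""Triage ComboFix-style log lines and draft a CFScript (added example, not ComboFix code)."""
import re
from collections import defaultdict

# Constructed sample shaped like the "Files Created" block and the CODE box in the
# thread above. The ptsimbus.sys line is a decoy (real driver name lowercased) to
# show that the size-sharing check, not the name pattern alone, drives the verdict.
SAMPLE_LOG = r"""
2010-06-20 11:09 . 2010-06-20 11:09 242896 ----a-w- c:\windows\system32\drivers\vafpgiqx.sys
2010-06-19 23:35 . 2010-06-19 23:35 242896 ----a-w- c:\windows\system32\drivers\rxqzrrrv.sys
2010-06-17 17:35 . 2010-06-17 17:35 242896 ----a-w- c:\windows\system32\drivers\doemwpzj.sys
2010-06-17 15:51 . 2010-06-17 15:51 242896 ----a-w- c:\windows\system32\drivers\kgsyqttt.sys
2010-06-11 19:37 . 2008-04-13 22:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-04-29 13:39 . 2010-05-22 11:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-13 14:29 . 2007-06-07 19:16 18944 ----a-w- c:\windows\system32\drivers\ptsimbus.sys
2010-06-17 15:04 . 2010-06-17 15:04 -------- d-----w- c:\program files\Microsoft Security Essentials
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
"""

# "created . modified size attrs path"; seconds are optional (the second log above has them).
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
# Eight lowercase letters in the drivers directory: the naming seen in the thread.
RANDOM_DRIVER = re.compile(r"\\drivers\\([a-z]{8})\.sys$")
# "name .exe": a space before the extension, the pattern RenV:: undoes.
SPACE_BEFORE_EXT = re.compile(r"^(.*\S) \.(exe|dll|sys|com)$", re.IGNORECASE)


def parse_file_lines(text):
    """Return one dict per 'Files Created' line; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            size = m.group("size")
            entries.append({"created": m.group("created"), "modified": m.group("modified"),
                            "size": int(size) if size.isdigit() else None,
                            "path": m.group("path")})
    return entries


def extract_paths(text):
    """All paths in the log: the path field of file lines plus bare path lines."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_LINE.match(line)
        if m:
            paths.append(m.group("path"))
        elif re.match(r"^[A-Za-z]:\\", line):
            paths.append(line)
    return paths


def find_random_drivers(entries):
    """(service_name, path) for random-named drivers whose size is shared with
    at least one other random-named driver (one payload, several names)."""
    by_size = defaultdict(list)
    for e in entries:
        m = RANDOM_DRIVER.search(e["path"])
        if m and e["size"] is not None:
            by_size[e["size"]].append((m.group(1), e["path"]))
    hits = []
    for group in by_size.values():
        if len(group) >= 2:
            hits.extend(group)
    return sorted(hits)


def find_space_before_extension(text):
    """Paths written as 'name .ext' (space before the extension)."""
    return [p for p in extract_paths(text) if SPACE_BEFORE_EXT.match(p)]


def draft_cfscript(drivers, renamed):
    """Emit the Driver:: / Rootkit:: / RenV:: sections in the layout used above."""
    lines = []
    if drivers:
        lines.append("Driver::")
        lines.extend(name for name, _ in drivers)       # service names to remove
        lines.append("Rootkit::")
        lines.extend(path for _, path in drivers)       # files to delete on reboot
    if renamed:
        lines.append("RenV::")
        lines.extend(renamed)                            # files to rename back
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ents = parse_file_lines(SAMPLE_LOG)
    print(draft_cfscript(find_random_drivers(ents), find_space_before_extension(SAMPLE_LOG)))
```

Running it on the constructed sample prints the same Driver::, Rootkit:: and RenV:: entries Farbar listed, minus the dqakgofq service, which appears only in the services list (file missing, shown as "[?]") and not as a created file; that is the kind of entry the reviewer still adds by hand.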


#11 Genjima

Genjima
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:59 AM

Posted 29 June 2010 - 03:16 PM

*Scan done in Safe Mode with Networking*

ComboFix 10-06-27.02 - PcUser 2010/06/29 21:46:34.7.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2738 [GMT 2:00]
Running from: C:\Documents and Settings\PcUser\My Documents\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\PcUser\My Documents\Downloads\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_dqakgofq


((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
.

2010-06-29 15:27:33 . 2006-09-15 07:45:20 6955008 ------r- C:\Documents and Settings\PcUser\Application Data\Ubisoft\Dark Messiah of Might and Magic\RegistrationReminder.exe
2010-06-29 15:24:10 . 2006-09-23 18:40:50 111419 ----a-w- C:\Documents and Settings\PcUser\Application Data\Ubisoft\Dark Messiah of Might and Magic\steam_setup.exe
2010-06-29 15:24:10 . 2006-09-23 18:40:42 1821008 ----a-w- C:\Documents and Settings\PcUser\Application Data\Ubisoft\Dark Messiah of Might and Magic\instmsiw.exe
2010-06-29 15:24:09 . 2006-09-23 18:40:54 54784 ----a-w- C:\Documents and Settings\PcUser\Application Data\Ubisoft\Dark Messiah of Might and Magic\SteamInstall.exe
2010-06-29 15:24:09 . 2006-09-23 18:40:20 1707856 ----a-w- C:\Documents and Settings\PcUser\Application Data\Ubisoft\Dark Messiah of Might and Magic\instmsi.exe
2010-06-29 14:54:29 . 2010-06-29 14:54:29 -------- d-----w- C:\WINDOWS\system32\AGEIA
2010-06-29 14:54:06 . 2010-06-29 14:54:06 -------- d-----w- C:\Program Files\Microsoft Chart Controls
2010-06-28 23:30:49 . 2008-04-14 03:42:10 221184 ----a-w- C:\WINDOWS\system32\wmpns.dll
2010-06-28 23:04:26 . 2010-06-28 23:04:38 -------- d-----w- C:\Program Files\DAEMON Tools Lite
2010-06-27 18:02:47 . 2010-06-27 18:02:47 -------- d-----w- C:\Program Files\Common Files\Windows Live
2010-06-26 10:40:17 . 2010-06-26 10:40:19 -------- d-----w- C:\Program Files\Speccy
2010-06-26 00:27:54 . 2010-06-26 00:27:54 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\ElevatedDiagnostics
2010-06-25 00:51:23 . 2010-06-25 00:51:23 -------- d-----w- C:\Program Files\Runes of Magic
2010-06-24 16:06:32 . 2010-06-01 17:37:48 221568 ------w- C:\WINDOWS\system32\MpSigStub.exe
2010-06-22 20:55:42 . 2010-06-22 20:52:37 53632 ----a-w- C:\Documents and Settings\PcUser\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-17 17:56:08 . 2010-06-25 01:09:59 -------- d-----w- C:\WINDOWS\system32\NtmsData
2010-06-17 15:04:24 . 2010-06-29 10:57:46 -------- d-----w- C:\Program Files\Microsoft Security Essentials
2010-06-13 14:30:07 . 2010-06-14 13:34:34 -------- d-----w- C:\WINDOWS\system32\RTCOM
2010-06-11 19:47:26 . 2010-06-29 14:54:13 -------- d-----w- C:\Program Files\mIRC
2010-06-11 19:37:49 . 2008-04-13 22:15:14 60032 -c--a-w- C:\WINDOWS\system32\dllcache\usbaudio.sys
2010-06-11 19:37:49 . 2008-04-13 22:15:14 60032 ----a-w- C:\WINDOWS\system32\drivers\USBAUDIO.sys
2010-06-11 17:08:02 . 2010-06-11 17:08:02 -------- d-----w- C:\WINDOWS\system32\wbem\Repository
2010-06-11 16:18:01 . 2010-06-11 16:18:01 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\DeviceDoctorSoftware
2010-06-11 16:17:59 . 2010-06-11 16:17:59 -------- d-----w- C:\Program Files\Device Doctor
2010-06-11 16:06:46 . 2010-06-11 16:06:46 -------- d-----w- C:\Program Files\Driver-Soft
2010-06-05 12:23:29 . 2010-06-05 12:23:29 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Driver Whiz
2010-06-01 13:32:50 . 2010-06-01 13:32:50 503808 ----a-w- C:\Documents and Settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1062bea3-n\msvcp71.dll
2010-06-01 13:32:50 . 2010-06-01 13:32:50 499712 ----a-w- C:\Documents and Settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1062bea3-n\jmc.dll
2010-06-01 13:32:50 . 2010-06-01 13:32:50 348160 ----a-w- C:\Documents and Settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-1062bea3-n\msvcr71.dll
2010-06-01 13:32:31 . 2010-06-01 13:32:31 61440 ----a-w- C:\Documents and Settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-799bb02d-n\decora-sse.dll
2010-06-01 13:32:31 . 2010-06-01 13:32:31 12800 ----a-w- C:\Documents and Settings\PcUser\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-799bb02d-n\decora-d3d.dll
2010-06-01 08:41:22 . 2010-06-01 08:41:22 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PC Suite
2010-06-01 08:41:20 . 2010-06-01 08:41:20 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\PC Suite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 18:46:42 . 2009-12-04 14:49:39 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\mIRC
2010-06-29 15:16:20 . 2009-12-29 13:24:26 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\Ubisoft
2010-06-29 15:16:19 . 2010-03-14 16:44:11 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\InstallShield Installation Information
2010-06-29 14:54:36 . 2010-03-07 08:55:40 -------- d-----w- C:\Program Files\AGEIA Technologies
2010-06-28 23:48:54 . 2009-12-25 08:07:41 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-28 23:04:34 . 2010-02-14 17:29:13 691696 ----a-w- C:\WINDOWS\system32\drivers\sptd.sys
2010-06-28 21:54:32 . 2010-01-04 09:24:33 36620 ---ha-w- C:\WINDOWS\system32\mlfcache.dat
2010-06-26 20:43:35 . 2010-02-26 07:33:27 -------- d-----w- C:\Program Files\Defraggler
2010-06-26 00:50:05 . 2010-01-21 15:23:46 -------- d-----w- C:\Program Files\Java
2010-06-25 09:49:23 . 2010-01-31 20:19:45 -------- d-----w- C:\Program Files\Microsoft Silverlight
2010-06-24 15:35:27 . 2009-12-04 09:50:43 -------- d-----w- C:\Program Files\AVG
2010-06-24 10:40:30 . 2010-03-02 13:08:55 117760 ----a-w- C:\Documents and Settings\PcUser\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-24 10:37:20 . 2010-03-02 13:05:56 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-06-22 20:54:57 . 2009-12-04 07:03:32 -------- d-----w- C:\Program Files\Common Files\Adobe AIR
2010-06-19 00:22:01 . 2010-05-09 19:17:11 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\vlc
2010-06-16 14:12:19 . 2009-12-14 11:24:10 -------- d-----w- C:\Program Files\Warhammer Online - Age of Reckoning
2010-06-13 14:29:17 . 2010-06-13 14:29:17 -------- d-----w- C:\Program Files\Realtek
2010-06-13 14:29:16 . 2009-12-04 06:48:04 -------- d--h--w- C:\Program Files\InstallShield Installation Information
2010-06-13 13:47:32 . 2009-12-04 16:24:24 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\uTorrent
2010-06-11 15:38:03 . 2009-12-04 06:47:58 -------- d-----w- C:\Program Files\Common Files\InstallShield
2010-06-08 12:17:20 . 2010-06-07 22:29:14 112 ----a-w- C:\Documents and Settings\All Users\Application Data\dkbxy4p3.dat
2010-06-06 15:12:38 . 2009-12-29 11:49:38 -------- d-----w- C:\Program Files\Ubisoft
2010-05-29 19:05:58 . 2010-05-14 22:00:32 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\dvdcss
2010-05-26 11:52:12 . 2010-02-27 15:19:37 -------- d-----w- C:\Program Files\VentriloMIX
2010-05-26 11:48:09 . 2010-05-25 12:10:29 -------- d-----w- C:\Program Files\Panda Security
2010-05-26 10:10:02 . 2010-05-24 13:07:05 -------- d-----w- C:\Program Files\Emsisoft Anti-Malware
2010-05-26 10:05:35 . 2009-12-25 08:10:01 -------- d-----w- C:\Program Files\TrendMicro
2010-05-26 10:05:32 . 2010-05-26 10:05:32 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\Simply Super Software
2010-05-26 10:05:32 . 2010-05-26 10:05:32 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2010-05-26 10:04:43 . 2010-05-25 11:53:52 -------- d-----w- C:\Program Files\Trend Micro
2010-05-25 17:20:46 . 2010-01-24 14:06:04 -------- d-----w- C:\Program Files\Uniblue
2010-05-25 11:53:55 . 2010-05-25 11:53:55 388096 ----a-r- C:\Documents and Settings\PcUser\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-23 21:27:25 . 2010-05-23 21:27:24 48388 ----a-w- C:\Documents and Settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-05-22 17:04:54 . 2010-05-22 17:04:43 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Blizzard Entertainment
2010-05-22 15:12:09 . 2010-03-20 14:46:08 -------- d-----w- C:\Program Files\Common Files\Blizzard Entertainment
2010-05-22 15:08:28 . 2010-03-18 15:32:50 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\RhythmRascal
2010-05-22 15:06:54 . 2010-01-24 13:53:05 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\Uniblue
2010-05-22 11:22:56 . 2010-05-22 11:22:56 -------- d-----w- C:\Program Files\VS Revo Group
2010-05-22 11:08:47 . 2010-05-22 11:08:47 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\Malwarebytes
2010-05-22 11:06:18 . 2010-05-22 11:06:14 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-05-22 11:06:14 . 2010-05-22 11:06:14 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-05-21 11:56:51 . 2010-05-21 11:57:15 69632 ----a-w- C:\Documents and Settings\PcUser\Application Data\Samsung\New PC Studio\DriverChecker.exe
2010-05-21 11:56:29 . 2010-05-21 11:55:25 -------- d-----w- C:\Program Files\Samsung
2010-05-21 11:56:26 . 2009-12-04 06:30:07 -------- d-----w- C:\Program Files\DIFX
2010-05-21 11:56:21 . 2010-05-21 11:55:41 -------- d-----w- C:\Program Files\PC Connectivity Solution
2010-05-21 11:55:56 . 2010-05-21 11:55:56 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\Samsung
2010-05-21 11:55:42 . 2010-05-21 11:55:42 -------- d-----w- C:\Program Files\MarkAny
2010-05-21 11:49:30 . 2009-12-04 07:03:05 -------- d-----w- C:\Program Files\Common Files\Adobe
2010-05-19 12:38:54 . 2010-02-22 15:53:30 -------- d-----w- C:\Program Files\uTorrent
2010-05-17 09:48:31 . 2010-02-14 20:53:41 -------- d-----w- C:\Program Files\Electronic Arts
2010-05-17 09:47:53 . 2009-12-17 09:28:35 -------- d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2010-05-14 22:57:00 . 2010-05-14 22:56:45 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\Media Player Classic
2010-05-14 22:56:42 . 2010-05-14 22:56:40 -------- d-----w- C:\Program Files\MPC HomeCinema
2010-05-09 19:13:36 . 2010-05-09 19:13:36 -------- d-----w- C:\Program Files\VideoLAN
2010-05-09 12:05:29 . 2009-12-16 12:03:19 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PMB Files
2010-05-07 13:05:22 . 2010-01-24 09:31:57 2 --shatr- C:\WINDOWS\winstart.bat
2010-05-05 02:45:04 . 2009-12-03 17:44:34 4807680 ----a-w- C:\WINDOWS\system32\drivers\ati2mtag.sys
2010-05-05 01:55:30 . 2009-12-03 17:44:40 45056 ----a-w- C:\WINDOWS\system32\aticalrt.dll
2010-05-05 01:55:24 . 2009-12-03 17:44:35 45056 ----a-w- C:\WINDOWS\system32\aticalcl.dll
2010-05-05 01:53:40 . 2009-12-03 17:44:39 3997696 ----a-w- C:\WINDOWS\system32\aticaldd.dll
2010-05-05 01:48:36 . 2009-12-03 17:44:36 15056896 ----a-w- C:\WINDOWS\system32\atioglxx.dll
2010-05-05 01:43:24 . 2009-12-03 17:44:58 311296 ----a-w- C:\WINDOWS\system32\atiiiexx.dll
2010-05-05 01:39:32 . 2009-12-03 17:44:57 446464 ----a-w- C:\WINDOWS\system32\ATIDEMGX.dll
2010-05-05 01:38:40 . 2009-12-03 17:44:39 301568 ----a-w- C:\WINDOWS\system32\ati2dvag.dll
2010-05-05 01:37:12 . 2009-12-03 17:44:35 3693696 ----a-w- C:\WINDOWS\system32\ati3duag.dll
2010-05-05 01:27:02 . 2009-12-03 17:44:34 208896 ----a-w- C:\WINDOWS\system32\atipdlxx.dll
2010-05-05 01:26:52 . 2009-12-03 17:44:41 155648 ----a-w- C:\WINDOWS\system32\Oemdspif.dll
2010-05-05 01:26:46 . 2009-12-03 17:44:39 26112 ----a-w- C:\WINDOWS\system32\Ati2mdxx.exe
2010-05-05 01:26:42 . 2009-12-03 17:44:40 43520 ----a-w- C:\WINDOWS\system32\ati2edxx.dll
2010-05-05 01:26:32 . 2009-12-03 17:44:39 159744 ----a-w- C:\WINDOWS\system32\ati2evxx.dll
2010-05-05 01:25:30 . 2009-12-03 17:44:38 602112 ----a-w- C:\WINDOWS\system32\ati2evxx.exe
2010-05-05 01:24:50 . 2009-12-03 17:44:40 2250880 ----a-w- C:\WINDOWS\system32\ativvaxx.dll
2010-05-05 01:24:22 . 2010-03-22 15:01:18 887724 ----a-w- C:\WINDOWS\system32\ativva6x.dat
2010-05-05 01:24:22 . 2010-03-22 15:01:18 3 ----a-w- C:\WINDOWS\system32\ativva5x.dat
2010-05-05 01:24:22 . 2009-12-03 17:44:39 53248 ----a-w- C:\WINDOWS\system32\ATIDDC.DLL
2010-05-05 01:23:46 . 2010-03-22 15:01:18 143360 ----a-w- C:\WINDOWS\system32\atiapfxx.exe
2010-05-05 01:20:44 . 2009-12-03 17:44:33 593920 ----a-w- C:\WINDOWS\system32\atikvmag.dll
2010-05-05 01:19:58 . 2009-12-03 17:44:36 393216 ----a-w- C:\WINDOWS\system32\atiok3x2.dll
2010-05-05 01:19:08 . 2009-12-03 17:44:34 184320 ----a-w- C:\WINDOWS\system32\atiadlxx.dll
2010-05-05 01:18:50 . 2009-12-03 17:44:40 17408 ----a-w- C:\WINDOWS\system32\atitvo32.dll
2010-05-05 01:14:26 . 2009-12-03 17:44:41 708608 ----a-w- C:\WINDOWS\system32\ati2cqag.dll
2010-05-05 01:12:44 . 2009-12-03 17:44:39 65024 ----a-w- C:\WINDOWS\system32\atimpc32.dll
2010-05-05 01:12:44 . 2009-12-03 17:44:39 65024 ----a-w- C:\WINDOWS\system32\amdpcom32.dll
2010-05-05 01:12:12 . 2009-12-03 17:44:36 53248 ----a-w- C:\WINDOWS\system32\drivers\ati2erec.dll
2010-05-03 13:42:42 . 2010-05-03 13:41:29 -------- d-----w- C:\Documents and Settings\PcUser\Application Data\MSNInstaller
2010-05-02 05:22:50 . 2004-08-04 12:00:00 1851264 ----a-w- C:\WINDOWS\system32\win32k.sys
2010-05-01 10:07:04 . 2010-01-22 08:08:17 -------- d-----w- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2010-04-29 13:39:38 . 2010-05-22 11:06:15 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39:26 . 2010-05-22 11:06:14 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-04-20 05:30:08 . 2004-08-04 12:00:00 285696 ----a-w- C:\WINDOWS\system32\atmfd.dll
2010-04-16 16:09:09 . 2004-08-04 12:00:00 667136 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-04-16 16:09:05 . 2004-08-04 12:00:00 81920 ----a-w- C:\WINDOWS\system32\ieencode.dll
2010-04-14 18:53:51 . 2010-02-07 10:28:19 1682 --sha-w- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2010-04-14 18:53:51 . 2010-02-07 10:28:19 1682 --sha-w- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2010-04-14 17:08:32 . 2009-12-11 19:55:37 139128 ----a-w- C:\WINDOWS\system32\drivers\PnkBstrK.sys
2010-04-14 17:08:18 . 2009-12-11 19:55:18 215128 ----a-w- C:\WINDOWS\system32\PnkBstrB.exe
2010-04-12 15:29:19 . 2010-04-16 13:50:34 411368 ----a-w- C:\WINDOWS\system32\deployJava1.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-06-29_19.11.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-29 19:52:56 . 2010-06-29 19:52:56 16384 C:\WINDOWS\temp\Perflib_Perfdata_1f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-07-20 09:12:02 18670592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 03:42:18 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 07:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^PcUser^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=C:\Documents and Settings\PcUser\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=C:\WINDOWS\pss\CurseClientStartup.ccipStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2009-04-02 16:05:22 102400 ----a-w- C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2008-03-11 01:20:00 689488 ----a-w- C:\Program Files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16:20 357696 ----a-w- C:\Program Files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSSE]
2010-06-01 12:53:46 1093208 ----a-w- c:\Program Files\Microsoft Security Essentials\msseces.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-03-16 17:15:51 2937528 ----a-w- C:\Program Files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 14:07:20 2260480 --sha-r- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 14:40:26 2012912 ----a-w- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-05-18 16:52:05 322352 ----a-w- C:\Program Files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WTClient]
2007-04-11 16:27:00 40960 ----a-w- C:\WINDOWS\system32\WTClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)
"IJPLMSVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"ATICustomerCare"="C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"C:\\Games\\Dragon Age\\bin_ship\\daorigins.exe"=
"C:\\Games\\Dragon Age\\DAOriginsLauncher.exe"=
"C:\\Games\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"C:\\Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Games\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"C:\\Games\\Mass Effect\\Binaries\\MassEffect.exe"=
"C:\\Games\\Mass Effect\\MassEffectLauncher.exe"=
"C:\\Program Files\\Ubisoft\\Related Designs\\ANNO 1404\\Anno4.exe"=
"C:\\Program Files\\Ubisoft\\Related Designs\\ANNO 1404\\tools\\Anno4Web.exe"=
"C:\\Games\\Steam\\SteamApps\\jinzuul\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Codemasters\\The Lord of the Rings Online\\lotroclient.exe"=
"C:\\Program Files\\Codemasters\\The Lord of the Rings Online\\TurbineInvoker.exe"=
"C:\\Program Files\\Codemasters\\The Lord of the Rings Online\\TurbineLauncher.exe"=
"C:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"C:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_04\\bin\\java.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_04\\bin\\appletviewer.exe"=
"C:\\gPotato.eu\\Allods Online\\bin\\Launcher.exe"=
"C:\\gPotato.eu\\Allods Online\\bin\\AOgame.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\gPotato.eu\\Allods Online\\bin\\Launcher-broken.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Game.exe"=
"C:\\gPotato.eu\\Allods Online\\bin\\Launcher-Broken2.exe"=
"C:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"C:\\Games\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"C:\\Program Files\\Mount&Blade Warband\\mb_warband.exe"=
"C:\\gPotato.eu\\Allods Online\\bin\\Launcher-Broken3.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_04\\jre\\bin\\java.exe"=
"C:\\gPotato.eu\\Allods Online\\bin\\Launcher-Broken4.exe"=
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"C:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"C:\\Program Files\\Ubisoft\\The Settlers 7 - Paths to a Kingdom\\Data\\Base\\_Dbg\\Bin\\Release\\Settlers7R.exe"=
"C:\\Program Files\\Ubisoft\\The Settlers 7 - Paths to a Kingdom\\Data\\Base\\_Dbg\\Bin\\Release\\UPlayBrowser.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Documents and Settings\\PcUser\\Local Settings\\Apps\\2.0\\65QN8HJ7.DLL\\W7O2XZD2.WWV\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57909:TCP"= 57909:TCP:Pando Media Booster
"57909:UDP"= 57909:UDP:Pando Media Booster
"433:TCP"= 433:TCP:Lotro
"5015:TCP"= 5015:TCP:Lotro
"8081:TCP"= 8081:TCP:Lotro
"9000:TCP"= 9000:TCP:Lotro
"2900:UDP"= 2900:UDP:Lotro
"5015:UDP"= 5015:UDP:Lotros
"9000:UDP"= 9000:UDP:Lotro
"57546:TCP"= 57546:TCP:Pando Media Booster
"57546:UDP"= 57546:UDP:Pando Media Booster
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [2010/02/17 10:25:50 AM 12872]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [2010/02/17 10:15:58 AM 66632]
R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [2010/05/21 01:56:04 PM 233472]
R3 BATTLEP;BATTLEP;C:\Program Files\BattlePing\BattleP.exe [2009/12/25 02:27:14 AM 1568768]
R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [2010/05/21 01:56:04 PM 36608]
R3 PTSimBus;PenTablet Bus Enumerator;C:\WINDOWS\system32\drivers\PTSimBus.sys [2007/06/07 07:16:28 PM 18944]
R3 PTSimHid;PenTablet Simulated HID MiniDriver;C:\WINDOWS\system32\drivers\PTSimHid.sys [2007/04/23 05:28:56 PM 10752]
S1 MpKsl467578d2;MpKsl467578d2;\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{247E3FB5-5F40-4300-A124-E213195E7496}\MpKsl467578d2.sys --> C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{247E3FB5-5F40-4300-A124-E213195E7496}\MpKsl467578d2.sys [?]
S2 gupdate;Google Update Service (gupdate);"C:\Program Files\Google\Update\GoogleUpdate.exe" /svc --> C:\Program Files\Google\Update\GoogleUpdate.exe [?]
S3 Ambfilt;Ambfilt;C:\WINDOWS\system32\drivers\Ambfilt.sys [2010/06/13 04:29:18 PM 1684736]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Games\Dragon Age\bin_ship\daupdatersvc.service.exe [2009/12/04 05:33:27 PM 25832]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\drivers\regguard.sys [2010/01/24 11:51:05 AM 24416]
S3 Revoflt;Revoflt;C:\WINDOWS\system32\drivers\revoflt.sys [2010/05/22 01:22:58 PM 27064]
S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2010/02/17 10:15:58 AM 12872]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys --> D:\NTGLM7X.sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);C:\WINDOWS\system32\drivers\ss_bbus.sys [2010/05/21 01:56:13 PM 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);C:\WINDOWS\system32\drivers\ss_bmdfl.sys [2010/05/21 01:56:13 PM 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;C:\WINDOWS\system32\drivers\ss_bmdm.sys [2010/05/21 01:56:13 PM 121856]
S3 TMPassthruMP;TMPassthruMP;C:\WINDOWS\system32\DRIVERS\TMPassthru.sys --> C:\WINDOWS\system32\DRIVERS\TMPassthru.sys [?]
S3 XDva332;XDva332;\??\C:\WINDOWS\system32\XDva332.sys --> C:\WINDOWS\system32\XDva332.sys [?]
S3 XDva344;XDva344;\??\C:\WINDOWS\system32\XDva344.sys --> C:\WINDOWS\system32\XDva344.sys [?]
S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [2010/02/14 07:29:13 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 19:40:42 . 2010-03-25 19:40:42]

2010-06-29 C:\WINDOWS\Tasks\System Restore.job
- C:\WINDOWS\system32\Restore\rstrui.exe [2009-12-03 17:16:31 . 2008-04-14 03:42:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title =
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: C:\WINDOWS\system32\BattleP.dll
TCP: {81A0AA91-60BF-4549-BEE9-BEA399AE7BD3} = 192.168.0.1
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - ProfilePath - C:\Documents and Settings\PcUser\Application Data\Mozilla\Firefox\Profiles\qz2jd7ye.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www3.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.za/
FF - prefs.js: keyword.URL - hxxp://www3.iamwired.net/websearch.php?src=tops&search=
FF - plugin: C:\Documents and Settings\PcUser\Application Data\Mozilla\Firefox\Profiles\qz2jd7ye.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.


#12 Farbar


    Just Curious


  • Security Developer
  • 21,717 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 June 2010 - 03:40 PM

How many times have you run ComboFix in between, and what other things have been changed?

Please read from my first post:

QUOTE
Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.


As I see it, my assistance is not needed. You have to uninstall ComboFix at the end. Please let me know that you have read this before I close the thread. Thank you.

Edited by farbar, 29 June 2010 - 03:43 PM.


#13 Genjima

  • Topic Starter

  • Members
  • 12 posts

Posted 30 June 2010 - 06:49 AM

Well, thanks a load for all the assistance you've given so far, much appreciated, and yes, I've read that.

#14 Farbar


    Just Curious


  • Security Developer
  • 21,717 posts
  • Gender:Male
  • Location:The Netherlands

Posted 30 June 2010 - 06:54 AM

You are most welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



