
Security Suite Infection


  • This topic is locked
70 replies to this topic

#1 kev9982
  • Members
  • 48 posts
  • Gender:Male
  • Location:NY, NY

Posted 13 August 2010 - 06:12 PM

Hello, and thank you for your willingness to help. I had previously posted in the Am I infected? What do I do? forum, and was instructed to post here by Orange Blossom after following the Preparation Guide from step 6 forward. I have the security suite virus on my PC, Windows XP Pro. My symptoms include constant pop-ups and an inability to run any program unless I rename it to firefox.exe, or perhaps IExplore.exe, or another name the virus might allow. This is to the extent that I cannot open notepad.exe to view logs and cannot run rkill, as it tries to open the command prompt, which is blocked by the virus. I have noted, however, that I can quickly open the task manager when the computer first boots, before the virus begins executing. Using this method I was able to attempt to run something and determined that it is a process called csrss.exe that causes the pop-up that states "whatever.exe is infected. Do you want to activate your antivirus software now?" I'm not sure if it is responsible for just the pop-up or for killing the processes also. I tried to kill the process but got a message saying it is a critical system process and task manager refuses to end it. Also to mention, I am unable to boot into safe mode, perhaps because of a malicious registry entry or rootkit, etc. I should perhaps also mention that before I came to Bleeping Computer for help I was able to get Malwarebytes to run by renaming the executable to firefox.exe; it found infections and I had it clean them up and reboot, but the virus was still present. Upon an additional scan, it detected no infections.

I wanted to run dds.scr, but the program is blocked by the virus. I considered renaming it to firefox.exe and running it that way, but because I am unfamiliar with the .scr extension, I didn't know if it would run properly, so I thought I should ask here first. I did, however, run GMER by renaming it to firefox.exe. I cannot attach the log because I would have to transfer it to my girlfriend's laptop (which I am using to post here) and I don't want to risk spreading the infection via a flash drive or burned CD (not that I could necessarily get CD burning software to run on my infected PC). Because of this, I will just take the time to type out the GMER log by hand, which is below. Also, before any of this I was able to run DeFogger by renaming it to firefox.exe, let it run and reboot my PC. I noticed that one of my CD drive emulators still had an icon in the system tray, although it appears unresponsive if I try to access the drive.

Here is my GMER log, painstakingly typed by hand :). I was able to open the text file using Firefox. Please note that any extra spaces are only there to help aid in reading, and everything appears in the order it was in. Again, thank you for your help!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-13 18:18:37
Windows 5.1.2600 Service Pack 2
Running: firefox.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kgncipoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ikdwh.sys BA6A3000 12 Bytes JMP BA6E15AA ikdwh.sys
.text ikdwh.sys BA6A300D 78 Bytes [00, 0F, 9B, C0, 0F, A4, F2,...]
.text ikdwh.sys BA6A305C 55 Bytes [86, F0, C0, C0, 05, 9C, 0F,...]
.text ikdwh.sys BA6A3094 225 Bytes [00, 00, 88, 34, 24, 68, FE,...]
.text ikdwh.sys BA6A3176 134 Bytes JMP BA6E26CC ikdwh.sys
.test …
? C:\WINDOWS.0\system32\drivers\ikdwh.sys A device attached to the system is not functioning
PAGE Ntfs.sys BA569E55 4 Bytes CALL 8676BE41
.text C:\WINDOWS.0\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA0E5360, 0x2BBAD, 0xE8000020]
.rsrc C:\WINDOWS.0\system32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0xBABB4814]
.text C:\WINDOWS.0\system32\DRIVERS\atksgt.sys section is writeable [0xB77F4300, 0x3ACC8, 0xE8000020]
.text C:\WINDOWS.0\system32\DRIVERS\lirsgt.sys section is writeable [0xBAC60300, 0x1B7E, 0xE8000020]
pnidata C:\WINDOWS.0\system32\DRIVERS\secdrv.sys unknown last section [0xB746AF00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS.0\system32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 007B000A
.text C:\WINDOWS.0\system32\svchost.exe[1060] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 007C000A
.text C:\WINDOWS.0\system32\svchost.exe[1060] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 007A000C
.text C:\WINDOWS.0\system32\svchost.exe[1060] USER32.dll!GetCursorPos 7E41BD5E 5 Bytes JMP 00B0000A
.text C:\WINDOWS.0\system32\svchost.exe[1060] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00AA000A
.text C:\WINDOWS.0\Explorer.EXE[1476] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00B1000A
.text C:\WINDOWS.0\Explorer.EXE[1476] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00B7000A
.text C:\WINDOWS.0\Explorer.EXE[1476] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00B0000C

.text C:\Documents and Settings\Administrator\Desktop\firefox.exe[2724]ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 003E000A
.text C:\Documents and Settings\Administrator\Desktop\firefox.exe[2724]ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 003F000A
.text C:\Documents and Settings\Administrator\Desktop\firefox.exe[2724]ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 003C000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86783BE0

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys [Microsoft Filesystem Filter Manager/Microsoft Corporation]
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys [Microsoft Filesystem Filter Manager/Microsoft Corporation]

Device -> \Driver\atapi \Device\Harddisk0\DR0 864DFEC5

---- Services - GMER 1.0.15 ----

Service (***hidden***) [BOOT] ikdwh <--- ROOTKIT!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ikdwh@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ikdwh@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ikdwh@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ikdwh@Group Boot Bus Extender

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x86 0x5B 0x01
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9D 0xB3 0xEB 0x23…
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00…
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6B 0xAA 0x37 0x45…
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\OJf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\OJf40@khjeh 0xC4 0xAC 0x27 0x2E…

Reg HKLM\SYSTEM\ControlSet002\Services\ikdwh@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\ikdwh@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\ikdwh@Error Control 0
Reg HKLM\SYSTEM\ControlSet002\Services\ikdwh@Group Boot Bus Extender

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x86 0x5B 0x01…
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9D 0xB3 0xEB 0x23…
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00…
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6B 0xAA 0x37 0x45…

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\OJf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\OJf40@khjeh 0xC4 0xAC 0x27 0x2E…

---- Files - GMER 1.0.15 ----

File C:\WINDOWS.0\system23\DRIVERS\mouclass.sys suspicious modification
File C:\WINDOWS.0\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


I really hope this is not too difficult to read! Please note that atapi.sys may be related to my hard disk drive, although it was detected as suspicious. Thanks again!








#2 Blade81 (Bleepin' Rocker)
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 20 August 2010 - 03:29 PM

Hi,

If help is still needed, please rename dds.scr to something.com and try to run it.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 kev9982 (Topic Starter)
  • Members
  • 48 posts
  • Gender:Male
  • Location:NY, NY

Posted 20 August 2010 - 11:29 PM

Thank you for helping! To update you, I turned my PC on for the first time in about three days this evening to find that the security suite icon at the bottom of the screen is gone and I can now run executables. I ran dds.scr as something.com, and noticed that notepad opened up the log files just fine, and I can open them after I've saved them. The last time I used the PC I could not run any .exe files. Also to mention, the pop-ups are no longer present but I cannot use Firefox to browse the web. It just states that the address cannot be found. I have done nothing to the computer since I initially posted. I'm still wary of moving files from my machine onto any other computer since I can't risk infecting someone else's machine, so I'll have to type the log below. If at any point you think it is safe for me to copy files from my machine, please let me know. Or perhaps we could focus on getting internet access back first, if that is possible. Here is my DDS log...

DDS (Ver_10_03_17.01) - NTFSx86
Run by Administrator at 22:05:37.40 on Fri 08/20/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.732 [GMT -4:00]

=== Running Processes ===

C:\WINDOWS.0\system32/svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.0\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\PnkBstrA.exe
C:\WINDOWS.0\system32\UAService7.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\Program Files\PowerISO\PWRISOVM.exe
C:\WINDOWS.0\system32\RUNDLL32.exe
C:\Program Files\Java\Jreg6\bin\jusched.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS.0\system32\devldr32.exe
C:\Documentsand Settings\Administrator\Desktop\dds\something.com

=== Pseudo HJT Report ===

uSerach page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
uInternet Settings, ProxyServer = http=127.0.0.1:6522
uInternet Settings, ProsyOverride = <local>
uSearchURL, (Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprobj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.3.28.dll
BHO: Spybot-S&D IE Protection: {53707692-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 ssv Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program files\java\jre6\lib\deploy\jqs\ie\jgs_plugin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {ED4BD629-CIB6-4399-8A34-02CCAA921DC9} - No File
uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [nsmvfsfa] c:\windows.0\ulshhoxshdw.exe
mRun: [nwiz] nwiz.exe /install
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows.0\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows.0\system32\NeroCheck.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows.0\system32\NvMcTray.dll,nVTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [nsmvfsfa] c:\windows.0\ulshhoxshdw.exe
mRun: [Bxisomuyi] rundll32.exe "c:\windows.0\ulakecof.dll",Startup
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1. lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\magicd~1. lnk - c:\program files\magicdisc\MagicDisc.exe
uPolicies-explorer: NoStrCmpLogical = 1 (0x1)
mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\componet\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {FB5F1910-F110-11D2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micro~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows.0\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389b71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

=== FIREFOX ===

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\6w0xbuem.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1261830&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Torrent Reactor - The most active torrents on the web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\6w0xbuem.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\6w0xbuem.default\extensions\yyginstantplay@yoyogames.com\NPYYGInstantPlay.dll
FF - plugin: c:\progra~1\mozill~1\plugins\np32dsw.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npdivx32.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\progra~1\mozill~1\plugins\npnul32.dll
FF - plugin: c:\progra~1\mozill~1\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\mozill~1\plugins\nppl3260.dll
FF - plugin: c:\progra~1\mozill~1\plugins\nprjplug.dll
FF - plugin: c:\progra~1\mozill~1\plugins\nprpjplug.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - Hidden Extension: XULRunner: {26D5111C-C4B4-4031-8BA9-2710484CB9EF} - c:\documents and settings\administrator\local settings\application data\{26D5111C-C4B4-4031-8BA9-2710484CB9EF}
FF - Hidden Extension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extension\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

--- FIREFOX POLICIES---

C:\program files\mozilla firefox\greperfs\all.js - perf("network.IDN.whitelist.lu", true);
C:\program files\mozilla firefox\greperfs\all.js - perf("network.IDN.whitelist.nu", true);
C:\program files\mozilla firefox\greperfs\all.js - perf("network.IDN.whitelist.nz", true);
C:\program files\mozilla firefox\greperfs\all.js - perf("network.IDN.whitelist.xn--mgbaam7a8h", true);
C:\program files\mozilla firefox\greperfs\all.js - perf("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
C:\program files\mozilla firefox\greperfs\all.js - perf("network.IDN.whitelist.xn--p1ai", true);
C:\program files\mozilla firefox\greperfs\all.js - perf("network.IDN.whitelist.xn--mgbayh7gpa", true);
C:\program files\mozilla firefox\greperfs\all.js - perf("network.IDN.whitelist.tel", true);
C:\program files\mozilla firefox\greperfs\all.js - perf("security.ssl.allow_unrestricted_renego_everywhere_temporarily_available_perf", true);
C:\program files\mozilla firefox\greperfs\all.js - perf("security.ssl.renego_unrestricted_hosts:, "");
C:\program files\mozilla firefox\greperfs\all.js - perf("security.ssl.treat_unsafe_negotiation_as_broken", false);
C:\program files\mozilla firefox\greperfs\all.js - perf("security.ssl.require_safe_negotiation", false);
C:\program files\mozilla firefox\greperfs\all.js - perf("security.ssl3.rsa_seed_sha", true);
C:\program files\mozilla firefox\defaults\pref\firefox-branding.js - perf(app.update.url.manual", "http://www.firefox.com");

=== SERVICES / DRIVERS ===

S0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [2002-12-31 77312]
S2 gupdate1c99849c3f91d8c;Google Update Service (gupdate1c99849c3f91d8c); c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S3 dump_wmimmc;dump_wmimmc; \??\f:\softnyx\rakionis\bin\gameguard\dump_wmimmc.sys --> f:\softnyx\rakionis\bin\gameguard\dump_wmimmc.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows.0\system32\drivers\gan_adapter.sys [2006-8-29 10664]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows.0\system32\UnlockerDriver4.sys [2007-4-19 3584]
S3 XDva007;XDva007;\??\c:\windows.o\system32\xdva007.sys --> c:\windows.0\system32\XDva007.sys [?]

=== Created Last 30 ===

2010-08-21 02:03:19 16384 ----atw- c:\temp\Perflib_Perfdata_6e4.dat
2010-08-13 19:46:01 176 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-08-13 01:26:05 0 d--h--w- c:\windows.0\PIF
2010-08-12 23:52:33 0 d-----w- c:\temp\~nsu.tmp
2010-08-12 23:52:26 0 d-----w- c:\temp\RESC92.tmp
2010-08-12 23:51:49 120 ----a-w- c:\windows.0\Ibonikodadode.dat
2010-08-12 23:51:49 0 ----a-w- c:\windows.0\Tkifozuxaho.bin
2010-08-12 23:50:12 256512 ----a-w- c:\windows.0\ulshhoxshdw.exe
2010-08-12 23:50:11 0 d-----w- c:\docume~1\admini~1\applic~1\05437E96E1FD2846D3B7CAA8FE153911
2010-07-26 04:21:04 0 d-----w- c:\docume~1\admini~1\applic~1\Unity

=== Find3M ===

2007-09-23 03:29:30 56 --sh--r- c:\windows.0\system32\7D2ACCA678.sys
2007-11-08 21:20:43 1890 --sha-w- c:\windows.0\system32\KGyGaAvL.sys

=== FINISH: 22:06:17.37 ===

Thanks again!

#4 Blade81 (Bleepin' Rocker)
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 21 August 2010 - 03:55 AM

Hi,

You can use a removable drive to transfer log files between the two systems if needed. Make sure the removable drive is properly protected by running a disinfector on it:
1. Download Flash_Disinfector and save it to the Desktop of your clean system.
2. After downloading, double-click on Flash_Disinfector to run it.
3. Just follow the prompts and continue until it begins scanning.
4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
5. It will scan removable drives; wait for the scan to finish. Done.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link).
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#5 kev9982 (Topic Starter)
  • Members
  • 48 posts
  • Gender:Male
  • Location:NY, NY

Posted 21 August 2010 - 11:07 PM

Okay, I ran ComboFix, and then ran dds again. Still no pop-ups. The only obvious signs of the malware currently are that my machine froze before I started doing anything this evening, when I hovered over the Programs tab in the Start menu, and I had to reset; that last night when I shut the machine down it took a very long time for it to shut down; and that the machine says it is connected to the internet, but when I navigate to any website with any browser it tells me it is unavailable. Many of my c:\windows.0 executable files are "infected" according to the log, including explorer.exe, and many exe and dll files in the system32 folder as well. I admit I was afraid that ComboFix was deleting crucial files by misidentifying them, but explorer did return to me. Perhaps I'm being too concerned, but I am wary of shutting off the PC. I have the logs, but am still not able to connect to the internet in order to post them from the infected machine. Before I involve another PC, I'm wondering, is it feasible to run Flash Disinfector on the PC you are helping me clean to ensure that a flash drive will not transfer the virus to another machine, or is it perhaps possible to restore internet access? I will find a way to post the logs based on your advice. Thank you very much for your patience :).

I almost forgot to mention, ComboFix said I have an outdated version of the recovery console, but it couldn't install it. According to the ComboFix guide, I should manually install it. Should I try to do this before we proceed?

Edited by kev9982, 21 August 2010 - 11:29 PM.


#6 Blade81 (Bleepin' Rocker)
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 22 August 2010 - 02:58 AM

Hi,

If possible, you could run Flash Disinfector on the affected system too.

QUOTE
I almost forgot to mention, ComboFix said I have an outdated version of the recovery console, but it couldn't install it. According to the ComboFix guide, I should manually install it. Should I try to do this before we proceed?

Let's skip recovery console part until I've seen ComboFix log + fresh dds logs after your previous ComboFix run.



#7 kev9982 (Topic Starter)
  • Members
  • 48 posts
  • Gender:Male
  • Location:NY, NY

Posted 22 August 2010 - 10:52 PM

Sorry for the delay. I will have the ComboFix and DDS logs posted as soon as possible.

#8 Blade81 (Bleepin' Rocker)
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 23 August 2010 - 05:54 AM

No problem :)



#9 kev9982 (Topic Starter)
  • Members
  • 48 posts
  • Gender:Male
  • Location:NY, NY

Posted 23 August 2010 - 09:40 AM

Okay, my logs are posted below :).

ComboFix 10-08-21.04 - Administrator 08/21/2010 22:38:52.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.768 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\05437E96E1FD2846D3B7CAA8FE153911
c:\documents and settings\Administrator\Application Data\05437E96E1FD2846D3B7CAA8FE153911\enemies-names.txt
c:\documents and settings\Administrator\Application Data\05437E96E1FD2846D3B7CAA8FE153911\local.ini
c:\documents and settings\Administrator\Application Data\ghryhpvfj
c:\documents and settings\Administrator\Application Data\ghryhpvfj\ulshhoxshdw.exe
c:\documents and settings\Administrator\Local Settings\Application Data\{26D5111C-C4B6-4031-8BA9-2710484CB9EF}
c:\documents and settings\Administrator\Local Settings\Application Data\{26D5111C-C4B6-4031-8BA9-2710484CB9EF}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{26D5111C-C4B6-4031-8BA9-2710484CB9EF}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{26D5111C-C4B6-4031-8BA9-2710484CB9EF}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{26D5111C-C4B6-4031-8BA9-2710484CB9EF}\install.rdf
c:\documents and settings\Administrator\Local Settings\Application Data\ghryhpvfj
c:\documents and settings\Administrator\Local Settings\Application Data\ghryhpvfj\ulshhoxshdw.exe
c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor
c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\windows.0\system\WINSPOOL.DRV
c:\windows.0\system32\win.ini
c:\windows.0\ulakecof.dll
c:\windows.0\ulshhoxshdw.exe
F:\autorun.inf

c:\windows.0\regedit.exe . . . is infected!!

Infected copy of c:\windows.0\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :P
c:\windows.0\system32\msgsvc.dll . . . is infected!!

c:\windows.0\explorer.exe . . . is infected!!

c:\windows.0\hh.exe . . . is infected!!

c:\windows.0\NOTEPAD.EXE . . . is infected!!

c:\windows.0\winhlp32.exe . . . is infected!!

c:\windows.0\inf\unregmp2.exe . . . is infected!!

c:\windows.0\mui\muisetup.exe . . . is infected!!

c:\windows.0\pchealth\helpctr\binaries\HelpCtr.exe . . . is infected!!

c:\windows.0\pchealth\helpctr\binaries\HelpSvc.exe . . . is infected!!

c:\windows.0\pchealth\helpctr\binaries\HscUpd.exe . . . is infected!!

c:\windows.0\pchealth\helpctr\binaries\msconfig.exe . . . is infected!!

c:\windows.0\pchealth\UploadLB\Binaries\UploadM.exe . . . is infected!!

c:\windows.0\system32\accwiz.exe . . . is infected!!

c:\windows.0\system32\actmovie.exe . . . is infected!!

c:\windows.0\system32\ahui.exe . . . is infected!!

c:\windows.0\system32\alg.exe . . . is infected!!

c:\windows.0\system32\asr_fmt.exe . . . is infected!!

c:\windows.0\system32\asr_pfu.exe . . . is infected!!

c:\windows.0\system32\at.exe . . . is infected!!

c:\windows.0\system32\atmadm.exe . . . is infected!!

c:\windows.0\system32\auditusr.exe . . . is infected!!

c:\windows.0\system32\autochk.exe . . . is infected!!

c:\windows.0\system32\autoconv.exe . . . is infected!!

c:\windows.0\system32\autofmt.exe . . . is infected!!

c:\windows.0\system32\autolfn.exe . . . is infected!!

c:\windows.0\system32\blastcln.exe . . . is infected!!

c:\windows.0\system32\calc.exe . . . is infected!!

c:\windows.0\system32\cipher.exe . . . is infected!!

c:\windows.0\system32\cisvc.exe . . . is infected!!

c:\windows.0\system32\cleanmgr.exe . . . is infected!!

c:\windows.0\system32\clipbrd.exe . . . is infected!!

c:\windows.0\system32\clipsrv.exe . . . is infected!!

c:\windows.0\system32\cmd.exe . . . is infected!!

c:\windows.0\system32\cmdl32.exe . . . is infected!!

c:\windows.0\system32\cmmon32.exe . . . is infected!!

c:\windows.0\system32\cmstp.exe . . . is infected!!

c:\windows.0\system32\conime.exe . . . is infected!!

c:\windows.0\system32\cscript.exe . . . is infected!!

c:\windows.0\system32\csrss.exe . . . is infected!!

c:\windows.0\system32\ctfmon.exe . . . is infected!!

c:\windows.0\system32\ddeshare.exe . . . is infected!!

c:\windows.0\system32\defrag.exe . . . is infected!!

c:\windows.0\system32\dfrgfat.exe . . . is infected!!

c:\windows.0\system32\dfrgntfs.exe . . . is infected!!

c:\windows.0\system32\diantz.exe . . . is infected!!

c:\windows.0\system32\diskpart.exe . . . is infected!!

c:\windows.0\system32\dllhost.exe . . . is infected!!

c:\windows.0\system32\dmadmin.exe . . . is infected!!

c:\windows.0\system32\dmremote.exe . . . is infected!!

c:\windows.0\system32\dplaysvr.exe . . . is infected!!

c:\windows.0\system32\dpnsvr.exe . . . is infected!!

c:\windows.0\system32\dpvsetup.exe . . . is infected!!

c:\windows.0\system32\dumprep.exe . . . is infected!!

c:\windows.0\system32\dvdupgrd.exe . . . is infected!!

c:\windows.0\system32\dwwin.exe . . . is infected!!

c:\windows.0\system32\dxdiag.exe . . . is infected!!

c:\windows.0\system32\eudcedit.exe . . . is infected!!

c:\windows.0\system32\eventcreate.exe . . . is infected!!

c:\windows.0\system32\extrac32.exe . . . is infected!!

c:\windows.0\system32\findstr.exe . . . is infected!!

c:\windows.0\system32\fontview.exe . . . is infected!!

c:\windows.0\system32\fsquirt.exe . . . is infected!!

c:\windows.0\system32\ftp.exe . . . is infected!!

c:\windows.0\system32\gpresult.exe . . . is infected!!

c:\windows.0\system32\grpconv.exe . . . is infected!!

c:\windows.0\system32\ie4uinit.exe . . . is infected!!

c:\windows.0\system32\iexpress.exe . . . is infected!!

c:\windows.0\system32\imapi.exe . . . is infected!!

c:\windows.0\system32\ipconfig.exe . . . is infected!!

c:\windows.0\system32\ipv6.exe . . . is infected!!

c:\windows.0\system32\ipxroute.exe . . . is infected!!

c:\windows.0\system32\locator.exe . . . is infected!!

c:\windows.0\system32\logman.exe . . . is infected!!

c:\windows.0\system32\logonui.exe . . . is infected!!

c:\windows.0\system32\lsass.exe . . . is infected!!

c:\windows.0\system32\magnify.exe . . . is infected!!

c:\windows.0\system32\mmc.exe . . . is infected!!

c:\windows.0\system32\mnmsrvc.exe . . . is infected!!

c:\windows.0\system32\mobsync.exe . . . is infected!!

c:\windows.0\system32\mplay32.exe . . . is infected!!

c:\windows.0\system32\mqbkup.exe . . . is infected!!

c:\windows.0\system32\mqsvc.exe . . . is infected!!

c:\windows.0\system32\mqtgsvc.exe . . . is infected!!

c:\windows.0\system32\msdtc.exe . . . is infected!!

c:\windows.0\system32\mshta.exe . . . is infected!!

c:\windows.0\system32\mspaint.exe . . . is infected!!

c:\windows.0\system32\mstinit.exe . . . is infected!!

c:\windows.0\system32\mstsc.exe . . . is infected!!

c:\windows.0\system32\narrator.exe . . . is infected!!

c:\windows.0\system32\nddeapir.exe . . . is infected!!

c:\windows.0\system32\net.exe . . . is infected!!

c:\windows.0\system32\net1.exe . . . is infected!!

c:\windows.0\system32\netdde.exe . . . is infected!!

c:\windows.0\system32\netsh.exe . . . is infected!!

c:\windows.0\system32\netstat.exe . . . is infected!!

c:\windows.0\system32\nslookup.exe . . . is infected!!

c:\windows.0\system32\ntbackup.exe . . . is infected!!

c:\windows.0\system32\ntvdm.exe . . . is infected!!

c:\windows.0\system32\odbcad32.exe . . . is infected!!

c:\windows.0\system32\odbcconf.exe . . . is infected!!

c:\windows.0\system32\openfiles.exe . . . is infected!!

c:\windows.0\system32\osk.exe . . . is infected!!

c:\windows.0\system32\packager.exe . . . is infected!!

c:\windows.0\system32\perfmon.exe . . . is infected!!

c:\windows.0\system32\ping.exe . . . is infected!!

c:\windows.0\system32\powercfg.exe . . . is infected!!

c:\windows.0\system32\progman.exe . . . is infected!!

c:\windows.0\system32\proquota.exe . . . is infected!!

c:\windows.0\system32\proxycfg.exe . . . is infected!!

c:\windows.0\system32\qprocess.exe . . . is infected!!

c:\windows.0\system32\rasphone.exe . . . is infected!!

c:\windows.0\system32\rcimlby.exe . . . is infected!!

c:\windows.0\system32\rcp.exe . . . is infected!!

c:\windows.0\system32\rdpclip.exe . . . is infected!!

c:\windows.0\system32\rdsaddin.exe . . . is infected!!

c:\windows.0\system32\rdshost.exe . . . is infected!!

c:\windows.0\system32\reg.exe . . . is infected!!

c:\windows.0\system32\regsvr32.exe . . . is infected!!

c:\windows.0\system32\rexec.exe . . . is infected!!

c:\windows.0\system32\rsh.exe . . . is infected!!

c:\windows.0\system32\rsnotify.exe . . . is infected!!

c:\windows.0\system32\rtcshare.exe . . . is infected!!

c:\windows.0\system32\rundll32.exe . . . is infected!!

c:\windows.0\system32\runonce.exe . . . is infected!!

c:\windows.0\system32\savedump.exe . . . is infected!!

c:\windows.0\system32\scardsvr.exe . . . is infected!!

c:\windows.0\system32\schtasks.exe . . . is infected!!

c:\windows.0\system32\sdbinst.exe . . . is infected!!

c:\windows.0\system32\secedit.exe . . . is infected!!

c:\windows.0\system32\services.exe . . . is infected!!

c:\windows.0\system32\sessmgr.exe . . . is infected!!

c:\windows.0\system32\sethc.exe . . . is infected!!

c:\windows.0\system32\setup.exe . . . is infected!!

c:\windows.0\system32\shmgrate.exe . . . is infected!!

c:\windows.0\system32\shrpubw.exe . . . is infected!!

c:\windows.0\system32\shutdown.exe . . . is infected!!

c:\windows.0\system32\sigverif.exe . . . is infected!!

c:\windows.0\system32\skeys.exe . . . is infected!!

c:\windows.0\system32\smbinst.exe . . . is infected!!

c:\windows.0\system32\smlogsvc.exe . . . is infected!!

c:\windows.0\system32\smss.exe . . . is infected!!

c:\windows.0\system32\sndrec32.exe . . . is infected!!

c:\windows.0\system32\spider.exe . . . is infected!!

c:\windows.0\system32\spiisupd.exe . . . is infected!!

c:\windows.0\system32\spnpinst.exe . . . is infected!!

c:\windows.0\system32\spoolsv.exe . . . is infected!!

c:\windows.0\system32\stimon.exe . . . is infected!!

c:\windows.0\system32\svchost.exe . . . is infected!!

c:\windows.0\system32\sysocmgr.exe . . . is infected!!

c:\windows.0\system32\taskmgr.exe . . . is infected!!

c:\windows.0\system32\telnet.exe . . . is infected!!

c:\windows.0\system32\tlntadmn.exe . . . is infected!!

c:\windows.0\system32\tlntsess.exe . . . is infected!!

c:\windows.0\system32\tlntsvr.exe . . . is infected!!

c:\windows.0\system32\tourstart.exe . . . is infected!!

c:\windows.0\system32\tracerpt.exe . . . is infected!!

c:\windows.0\system32\tracert.exe . . . is infected!!

c:\windows.0\system32\tscupgrd.exe . . . is infected!!

c:\windows.0\system32\upnpcont.exe . . . is infected!!

c:\windows.0\system32\ups.exe . . . is infected!!

c:\windows.0\system32\userinit.exe . . . is infected!!

c:\windows.0\system32\utilman.exe . . . is infected!!

c:\windows.0\system32\vssvc.exe . . . is infected!!

c:\windows.0\system32\wextract.exe . . . is infected!!

c:\windows.0\system32\wiaacmgr.exe . . . is infected!!

c:\windows.0\system32\winlogon.exe . . . is infected!!

c:\windows.0\system32\winver.exe . . . is infected!!

c:\windows.0\system32\wpabaln.exe . . . is infected!!

c:\windows.0\system32\wpnpinst.exe . . . is infected!!

c:\windows.0\system32\wscntfy.exe . . . is infected!!

c:\windows.0\system32\wscript.exe . . . is infected!!

c:\windows.0\system32\xcopy.exe . . . is infected!!

c:\windows.0\system32\Com\comrepl.exe . . . is infected!!

c:\windows.0\system32\npp\nppagent.exe . . . is infected!!

c:\windows.0\system32\oobe\oobebaln.exe . . . is infected!!

c:\windows.0\system32\Restore\rstrui.exe . . . is infected!!

c:\windows.0\system32\usmt\migload.exe . . . is infected!!

c:\windows.0\system32\usmt\migwiz.exe . . . is infected!!

c:\windows.0\system32\usmt\migwiz_a.exe . . . is infected!!

c:\windows.0\system32\wbem\mofcomp.exe . . . is infected!!

c:\windows.0\system32\wbem\scrcons.exe . . . is infected!!

c:\windows.0\system32\wbem\wbemtest.exe . . . is infected!!

c:\windows.0\system32\wbem\wmiadap.exe . . . is infected!!

c:\windows.0\system32\wbem\wmiapsrv.exe . . . is infected!!

c:\windows.0\system32\wbem\wmic.exe . . . is infected!!

c:\windows.0\system32\wbem\wmiprvse.exe . . . is infected!!

c:\windows.0\system32\asycfilt.dll . . . is infected!!

c:\windows.0\system32\d3d9.dll . . . is infected!!

c:\windows.0\system32\ddraw.dll . . . is infected!!

c:\windows.0\system32\msimg32.dll . . . is infected!!

c:\windows.0\system32\olepro32.dll . . . is infected!!

c:\windows.0\system32\perfctrs.dll . . . is infected!!

c:\windows.0\system32\schedsvc.dll . . . is infected!!

c:\windows.0\system32\winrnr.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
.

2010-08-22 02:37 . 2010-08-22 02:37 16384 ----atw- c:\temp\Perflib_Perfdata_63c.dat
2010-08-13 01:26 . 2010-08-13 01:26 -------- d--h--w- c:\windows.0\PIF
2010-08-12 23:52 . 2010-08-13 00:10 -------- d-----w- c:\temp\~nsu.tmp
2010-08-12 23:52 . 2010-08-22 02:44 -------- d-----w- c:\temp\RESC92.tmp
2010-08-12 23:51 . 2010-08-22 02:16 0 ----a-w- c:\windows.0\Tkifozuxaho.bin
2010-08-12 23:51 . 2010-08-12 23:51 120 ----a-w- c:\windows.0\Ibonikodadode.dat
2010-08-12 23:50 . 2010-08-22 03:00 782848 ----a-w- c:\windows.0\system32\drivers\ikdwh.sys
2010-08-04 04:37 . 2010-08-04 04:37 84992 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\40bcbb7e-65d3371e-n\atl2k.dll
2010-08-04 04:37 . 2010-08-04 04:37 131072 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\40bcbb7e-65d3371e-n\jflash.dll
2010-08-04 04:37 . 2010-08-04 04:37 102400 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\40bcbb7e-65d3371e-n\atl98.dll
2010-07-26 04:21 . 2010-07-26 04:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Unity
2010-07-26 03:11 . 2010-07-26 03:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Unity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 02:08 . 2009-04-16 16:02 -------- d-----w- c:\program files\PeerGuardian2
2010-08-13 00:19 . 2009-04-29 16:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-12 21:28 . 2009-10-16 21:42 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-08-12 00:24 . 2007-05-08 10:37 534 ----a-w- c:\windows.0\eReg.dat
2007-07-26 23:06 . 2007-07-26 23:06 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-07-26 23:06 . 2007-07-26 23:06 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-07-26 23:06 . 2007-07-26 23:06 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-09-23 03:29 . 2007-09-23 03:07 56 --sh--r- c:\windows.0\system32\7D2ACCA678.sys
2007-11-08 21:20 . 2007-09-23 03:07 1890 --sha-w- c:\windows.0\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2002-12-31 . F0B864105F8B82E7E9D415B73B8A9466 . 95616 . . [5.1.2600.2505] . . c:\windows.0\system32\drivers\atapi.sys

[-] 2002-12-31 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows.0\system32\drivers\asyncmac.sys

[-] 2002-12-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows.0\system32\drivers\beep.sys

[-] 2002-12-31 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows.0\system32\drivers\kbdclass.sys

[-] 2002-12-31 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows.0\system32\drivers\ndis.sys

[-] 2002-12-31 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows.0\system32\drivers\null.sys

[-] 2002-12-31 . 39128B5A743545BAEDD3984C210F00A8 . 77824 . . [5.1.2600.2586] . . c:\windows.0\system32\browser.dll

[-] 2002-12-31 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows.0\system32\lsass.exe

[-] 2002-12-31 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows.0\system32\qmgr.dll

[-] 2002-12-31 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows.0\system32\services.exe

[-] 2002-12-31 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows.0\system32\spoolsv.exe

[-] 2002-12-31 . 986EC72D788E00E8E397B7BB7F5A9E45 . 502784 . . [5.1.2600.2645] . . c:\windows.0\system32\winlogon.exe

[-] 2002-12-31 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows.0\system32\cryptsvc.dll

[-] 2002-12-31 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows.0\system32\imm32.dll

[-] 2002-12-31 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows.0\system32\lpk.dll

[-] 2002-12-31 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows.0\system32\msvcrt.dll

[-] 2002-12-31 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows.0\system32\mswsock.dll

[-] 2002-12-31 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows.0\system32\netlogon.dll

[-] 2002-12-31 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows.0\system32\powrprof.dll

[-] 2002-12-31 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows.0\system32\scecli.dll

[-] 2002-12-31 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows.0\system32\sfc.dll

[-] 2002-12-31 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows.0\system32\svchost.exe

[-] 2002-12-31 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows.0\system32\tapisrv.dll

[-] 2002-12-31 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows.0\system32\userinit.exe

[-] 2002-12-31 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows.0\system32\ws2_32.dll

[-] 2002-12-31 . 9BEACB911CA61E5881102188AB7FB431 . 19968 . . [5.1.2600.2180] . . c:\windows.0\system32\ws2help.dll

[-] 2002-12-31 . 45757077A47C68A603A79B03A1A836AB . 1032192 . . [6.00.2900.2649] . . c:\windows.0\explorer.exe

[-] 2002-12-31 . 902CF9595F640E53F33C0F1637F464F9 . 171008 . . [5.1.2600.2567] . . c:\windows.0\system32\srsvc.dll

[-] 2002-12-31 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows.0\system32\wscntfy.exe

[-] 2002-12-31 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows.0\system32\xmlprov.dll

[-] 2002-12-31 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows.0\system32\eventlog.dll

[-] 2002-12-31 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows.0\system32\sfcfiles.dll

[-] 2002-12-31 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows.0\system32\ctfmon.exe

[-] 2002-12-31 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows.0\system32\regsvc.dll

[-] 2002-12-31 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows.0\system32\schedsvc.dll

[-] 2002-12-31 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows.0\system32\ssdpsrv.dll

[-] 2002-12-31 . 972063211CB1CE503E7CB0AE48955145 . 295424 . . [5.1.2600.2620] . . c:\windows.0\system32\termsrv.dll

[-] 2002-12-31 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows.0\system32\appmgmts.dll

[-] 2002-12-31 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows.0\system32\drivers\acpiec.sys

[-] 2002-12-31 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows.0\system32\drivers\ip6fw.sys

[-] 2002-12-31 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows.0\system32\msgsvc.dll

[-] 2005-01-28 20:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows.0\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2005-01-28 20:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows.0\system32\MsPMSNSv.dll
[-] 2002-12-31 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows.0\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2002-12-31 12:00 . E145DC2EC22EAD60576D569089C9CE76 . 435200 . . [5.1.2400.2674] . . c:\windows.0\system32\ntmssvc.dll

[-] 2002-12-31 . 55E148C01296696588EAFA425782C3E8 . 367616 . . [5.3.2600.2180] . . c:\windows.0\system32\dsound.dll

[-] 2002-12-31 . D67BDBBDA86CC9AEEBBAF3217C1717D8 . 1689088 . . [5.03.2600.2180] . . c:\windows.0\system32\d3d9.dll

[-] 2002-12-31 . 7ED462F353B3D915A418A689FA881F96 . 266240 . . [5.03.2600.2180] . . c:\windows.0\system32\ddraw.dll

[-] 2002-12-31 12:00 . 71F282EEAF6EB7392B2EABD54B5440FA . 83456 . . [5.1.2600.2657] . . c:\windows.0\system32\olepro32.dll

[-] 2002-12-31 . 96492C721C6EA517E2BFD5381FEF55E3 . 39936 . . [5.1.2600.2180] . . c:\windows.0\system32\perfctrs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-11-18 1622016]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2006-11-18 7700480]
"NeroFilterCheck"="c:\windows.0\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows.0\system32\NvMcTray.dll" [2006-11-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-05 148888]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-1-13 575488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows.0\explorer.exe,"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^DING!.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\DING!.lnk
backup=c:\windows.0\pss\DING!.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows.0\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2008-11-08 18:33 1410296 ----a-w- f:\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-09-27 02:14 3660848 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"f:\\Steam\\steamapps\\thecheetah86@yahoo.com\\day of defeat source\\hl2.exe"=
"f:\\Steam\\steamapps\\thecheetah86@yahoo.com\\counter-strike\\hl.exe"=
"f:\\SIERRA\\Half-life 2\\hl2.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"f:\\SIERRA\\Arcanum\\Arcanum.exe"=
"f:\\Soldat\\Soldat.exe"=
"c:\\WINDOWS.0\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS.0\\system32\\PnkBstrB.exe"=
"f:\\Team17\\Worms World Party\\wwp.exe"=
"f:\\Ubisoft\\Scrabble2009\\ScrabblePCR.exe"=
"f:\\Half-Life 2\\hl2.exe"=
"f:\\Mule\\mule\\data\\lib\\jre\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49160:TCP"= 49160:TCP:BitComet 49160 TCP
"49160:UDP"= 49160:UDP:BitComet 49160 UDP

S0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [12/31/2002 8:00 AM 77312]
S2 gupdate1c99849c3f91d8c;Google Update Service (gupdate1c99849c3f91d8c);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2009 3:38 PM 133104]
S3 dump_wmimmc;dump_wmimmc;\??\f:\softnyx\RakionIS\Bin\GameGuard\dump_wmimmc.sys --> f:\softnyx\RakionIS\Bin\GameGuard\dump_wmimmc.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows.0\system32\drivers\gan_adapter.sys [8/29/2006 2:54 AM 10664]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows.0\system32\UnlockerDriver4.sys [4/19/2007 7:51 PM 3584]
S3 XDva007;XDva007;\??\c:\windows.0\system32\XDva007.sys --> c:\windows.0\system32\XDva007.sys [?]
S4 sptd;sptd;c:\windows.0\system32\drivers\sptd.sys [4/24/2007 2:48 AM 716272]

--- Other Services/Drivers In Memory ---

*Deregistered* - ikdwh
.
Contents of the 'Scheduled Tasks' folder

2010-08-22 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 19:38]

2010-08-22 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 19:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows.0\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6w0xbuem.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1261830&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6w0xbuem.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6w0xbuem.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-nsmvfsfa - c:\windows.0\ulshhoxshdw.exe
HKLM-Run-nsmvfsfa - c:\windows.0\ulshhoxshdw.exe
HKLM-Run-Bxisomuyi - c:\windows.0\ulakecof.dll
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-Avatars - c:\documents and settings\administrator\desktop\avatars\Uninst.isu
AddRemove-Mini Golf Pro_is1 - f:\mini golf pro\unins000.exe
AddRemove-mudmagic - f:\mudmagic\mudmagic-uninst.exe
AddRemove-Pcsx2_is1 - f:\pcsx2_0.9.4\unins000.exe
AddRemove-RSS Xpress - c:\program files\RSS Xpress\Uninstall.exe
AddRemove-SYNTH™ FREEWARE v1.0 - f:\synth™ freeware v1.0\uninstall.exe
AddRemove-zMUD - f:\zmud\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-21 23:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ikdwh]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-2111687655-725345543-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:64,14,19,da,f7,04,6e,cf,03,58,ee,52,ef,a8,08,1d,fc,0a,35,f9,4d,13,6f,
7b,8c,f6,de,05,1a,17,39,38,d1,da,ea,f6,b0,fe,68,3a,bc,74,b9,81,ae,af,93,f9,\
"??"=hex:8c,c2,25,db,49,c2,be,81,42,57,be,86,6a,77,d2,2d
.
Completion time: 2010-08-21 23:03:22
ComboFix-quarantined-files.txt 2010-08-22 03:03
ComboFix2.txt 2009-05-03 16:16

Pre-Run: 6,405,586,944 bytes free
Post-Run: 7,655,981,056 bytes free

- - End Of File - - 9FF8154EC185B1E83722695A431BDEE6

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 23:36:35.65 on Sat 08/21/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.658 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS.0\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.0\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\PnkBstrA.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\WINDOWS.0\explorer.exe
C:\WINDOWS.0\system32\devldr32.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\something.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows.0\explorer.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.3.28.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [ctfmon.exe] c:\windows.0\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows.0\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\windows.0\system32\NeroCheck.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows.0\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
uPolicies-explorer: NoStrCmpLogical = 1 (0x1)
mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows.0\java\classes\xmldso.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\6w0xbuem.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1261830&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\6w0xbuem.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\6w0xbuem.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

S0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [2002-12-31 77312]
S2 gupdate1c99849c3f91d8c;Google Update Service (gupdate1c99849c3f91d8c);c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S3 dump_wmimmc;dump_wmimmc;\??\f:\softnyx\rakionis\bin\gameguard\dump_wmimmc.sys --> f:\softnyx\rakionis\bin\gameguard\dump_wmimmc.sys [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows.0\system32\drivers\gan_adapter.sys [2006-8-29 10664]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows.0\system32\UnlockerDriver4.sys [2007-4-19 3584]
S3 XDva007;XDva007;\??\c:\windows.0\system32\xdva007.sys --> c:\windows.0\system32\XDva007.sys [?]

=============== Created Last 30 ================

2010-08-22 02:37:41 16384 ----atw- c:\temp\Perflib_Perfdata_63c.dat
2010-08-22 02:28:03 77312 ----a-w- c:\windows.0\MBR.exe
2010-08-22 02:28:02 98816 ----a-w- c:\windows.0\sed.exe
2010-08-22 02:28:02 256512 ----a-w- c:\windows.0\PEV.exe
2010-08-22 02:28:02 161792 ----a-w- c:\windows.0\SWREG.exe
2010-08-22 02:27:53 0 d-----w- C:\ComboFix
2010-08-13 19:46:01 176 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-08-13 01:26:05 0 d--h--w- c:\windows.0\PIF
2010-08-12 23:52:33 0 d-----w- c:\temp\~nsu.tmp
2010-08-12 23:52:26 0 d-----w- c:\temp\RESC92.tmp
2010-08-12 23:51:49 120 ----a-w- c:\windows.0\Ibonikodadode.dat
2010-08-12 23:51:49 0 ----a-w- c:\windows.0\Tkifozuxaho.bin
2010-08-12 23:50:01 782848 ----a-w- c:\windows.0\system32\drivers\ikdwh.sys
2010-07-26 04:21:04 0 d-----w- c:\docume~1\admini~1\applic~1\Unity

==================== Find3M ====================

2007-09-23 03:29:30 56 --sh--r- c:\windows.0\system32\7D2ACCA678.sys
2007-11-08 21:20:43 1890 --sha-w- c:\windows.0\system32\KGyGaAvL.sys

============= FINISH: 23:36:44.81 ===============


Thanks much!
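
As an added triage example (not part of this thread, and not a DDS feature), the following Python parses the "Created Last 30" section of a DDS log like the one above, groups entries by creation time, and flags clusters of files dropped under the Windows directory within a few minutes of each other, which is how the 23:50 to 23:51 group of a driver, a .dat and a .bin above stands out for review. The sample lines, the five-minute window and the `c:\windows` root prefix are constructed assumptions for the example.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# One DDS "Created Last 30" record: timestamp, size, attribute flags, path.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+?)\s*$")
Entry = namedtuple("Entry", "when size attrs path")  # attrs like "----a-w-"; leading "d" = directory

# Constructed sample in the format of the log above (same entries, order shuffled).
SAMPLE_LINES = [
    r"2010-08-22 02:28:03 77312 ----a-w- c:\windows.0\MBR.exe",
    r"2010-08-22 02:27:53 0 d-----w- C:\ComboFix",
    r"2010-08-12 23:51:49 120 ----a-w- c:\windows.0\Ibonikodadode.dat",
    r"2010-08-12 23:51:49 0 ----a-w- c:\windows.0\Tkifozuxaho.bin",
    r"2010-08-12 23:50:01 782848 ----a-w- c:\windows.0\system32\drivers\ikdwh.sys",
    r"2010-07-26 04:21:04 0 d-----w- c:\docume~1\admini~1\applic~1\Unity",
]

def parse_created(lines):
    """Parse 'Created Last 30' records; section headers and blank lines are skipped."""
    out = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            out.append(Entry(when, int(m.group(2)), m.group(3), m.group(4)))
    return out

def time_clusters(entries, window=timedelta(minutes=5)):
    """Group entries whose creation time is within `window` of the previous entry."""
    clusters, current = [], []
    for e in sorted(entries, key=lambda e: e.when):
        if current and e.when - current[-1].when > window:
            clusters.append(current)
            current = []
        current.append(e)
    return clusters + ([current] if current else [])

def suspicious_clusters(entries, roots=("c:\\windows",), min_files=2):
    """Clusters with at least `min_files` non-directory files under `roots`.
    The prefix match is case-insensitive, so 'c:\\windows' also covers 'c:\\windows.0'."""
    flagged = []
    for cluster in time_clusters(entries):
        hits = [e for e in cluster if not e.attrs.startswith("d")
                and e.path.lower().startswith(roots)]
        if len(hits) >= min_files:
            flagged.append(hits)
    return flagged
```

The ComboFix helper files created at 02:28 form a cluster too but contain only one file under the Windows root in the sample, so only the 23:50 group is returned; a reviewer still decides what each flagged file is.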

#10 Blade81

  • Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 23 August 2010 - 12:36 PM

Hi,

Please upload the following files to http://www.virustotal.com (re-analyse if prompted) and post back the links to the results:
c:\windows.0\explorer.exe
c:\windows.0\hh.exe
c:\windows.0\NOTEPAD.EXE
c:\windows.0\system32\dwwin.exe
c:\windows.0\system32\dxdiag.exe
c:\windows.0\system32\eudcedit.exe

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#11 kev9982

  • Topic Starter
  • Members
  • 48 posts
  • Gender:Male
  • Location:NY, NY

Posted 24 August 2010 - 05:28 PM

Again, sorry for the delay. The internet was down at work today, which is where I need to run those files by Virus Total. I may not have a chance to until Thursday. Believe me, I'm anxious to continue cleaning my PC and I very much appreciate your help. The fact that the machine cannot connect to the internet is slowing things down for me significantly. I will post as soon as possible.


#12 Blade81

  • Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 25 August 2010 - 03:06 AM

Thanks for the heads-up, and be careful with those files. I would use a computer other than the work computer if possible.



#13 kev9982

  • Topic Starter
  • Members
  • 48 posts
  • Gender:Male
  • Location:NY, NY

Posted 25 August 2010 - 07:05 AM

I have those files burned to a CD. Would putting the CD in a PC and uploading the files to Virus Total risk infecting that PC, or would only actually running the files do that? I have access to a Mac at my other job. Is it safe to use a Mac to upload the files? What is your recommendation?


#14 Blade81

  • Bleepin' Rocker
  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 25 August 2010 - 08:51 AM

Hi,

Uploading those files is safe. Just don't run them.



#15 kev9982

  • Topic Starter
  • Members
  • 48 posts
  • Gender:Male
  • Location:NY, NY

Posted 25 August 2010 - 05:27 PM

Okay, I got the chance to run those files by Virus Total. Here are the links...

NOTEPAD.EXE
http://www.virustotal.com/file-scan/report...8093-1282774536

hh.exe
http://www.virustotal.com/file-scan/report...5aa4-1282774617

explorer.exe
http://www.virustotal.com/file-scan/report...8802-1282774690

eudcedit.exe
http://www.virustotal.com/file-scan/report...70a3-1282774791

dxdiag.exe
http://www.virustotal.com/file-scan/report...d628-1282774878

dwwin.exe
http://www.virustotal.com/file-scan/report...8d54-1282774944



