Apparent rootkit, Google result hijack/rogue antivirus installation


This topic is locked
12 replies to this topic

#1 PATRICKRL

Posted 13 August 2010 - 09:31 PM

Got this through a Java exploit this morning. Normally I can get rid of viruses without too much effort, but this is impossible for me! TDASKiller (if it is a TDAS variant) and Malwarebytes aren't detecting it; they just detect whatever extra spyware it attempts to install. I have already tried a lot to remove it, so it isn't in its original state, but it continues to restore itself. I attempted to run ComboFix earlier, but it froze... I realize now I probably shouldn't have tried that.

When I run GMER according to the instructions, it bluescreens after a while, without any detections. So I can't provide the log for that unfortunately.

Thank you in advance for the help and the time it takes to examine this. Here is the DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 20:16:46.51 on Fri 08/13/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1461 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe
C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files\ASUS\ATK Hotkey\HControl.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\WINDOWS\AsScrPro.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\RMClock\RMClock.exe
C:\Program Files\SetFSBTray\SetFSBTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files\RMClock\RMClockHLT.exe
C:\Program Files\RMClock\RMClockHLT.exe
C:\Program Files\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files\ASUS\ATK Hotkey\WDC.exe
C:\Program Files\Opera 10 Beta\opera.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\host32.exe,
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsgTranAgt] c:\program files\asus\atk hotkey\MsgTranAgt.exe
mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
mRun: [ATKHOTKEY] c:\program files\asus\atk hotkey\HControl.exe
mRun: [ATKOSD2] "c:\program files\atkosd2\ATKOSD2.exe"
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRun: [Syuqetube] rundll32.exe "c:\windows\kbgrsbjt.dll",Startup
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [06137159] "c:\docume~1\networ~1\locals~1\applic~1\06137159.exe" 0 45
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\rightm~1.lnk - c:\program files\rmclock\RMClock.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\setfsb~1.lnk - c:\program files\setfsbtray\SetFSBTray.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pq0l64tb.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\NPSWF32.dll
FF - HiddenExtension: XULRunner: {B5B803BA-D3A9-4DD1-AB17-DB3FCD9F754D} - c:\documents and settings\administrator\local settings\application data\{B5B803BA-D3A9-4DD1-AB17-DB3FCD9F754D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-12 304464]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-12 20952]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-1-22 46752]
R3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2009-8-4 4608]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-7-4 119016]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-4 12672]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3a.tmp --> c:\windows\system32\3A.tmp [?]
S3 wxpSvc;webcamXP Service;c:\program files\wlite\wService.exe [2009-10-23 3714048]

============== File Associations ===============

txtfile=c:\program files\win32pad\win32pad.exe "%L"

=============== Created Last 30 ================

2010-08-13 23:01:49 170 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-08-13 21:58:52 0 d-----w- c:\program files\Sophos
2010-08-13 21:41:50 0 ----a-w- c:\documents and settings\administrator\ntuser.tmp
2010-08-13 21:27:28 0 d-sha-r- C:\cmdcons
2010-08-13 18:39:44 47616 ---ha-w- c:\windows\system32\ChCffc.dll
2010-08-13 18:39:36 87552 ----a-w- c:\windows\system32\0.325095580348274.exe
2010-08-13 18:24:57 77312 ----a-w- c:\windows\MBR.exe
2010-08-13 18:24:57 256512 ----a-w- c:\windows\PEV.exe
2010-08-13 18:24:56 98816 ----a-w- c:\windows\sed.exe
2010-08-13 18:24:56 161792 ----a-w- c:\windows\SWREG.exe
2010-08-13 01:21:30 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-08-13 01:21:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-13 01:21:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-13 01:21:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-13 01:21:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-13 00:47:40 0 d-----r- C:\Sandbox
2010-08-13 00:47:23 1948 ----a-w- c:\windows\Sandboxie.ini
2010-08-13 00:47:13 0 d-----w- c:\program files\Sandboxie
2010-08-13 00:37:36 120 ----a-w- c:\windows\Knorivebaxitivu.dat
2010-08-13 00:37:36 0 ----a-w- c:\windows\Fxupuzaya.bin

==================== Find3M ====================

2010-06-24 01:52:11 81728 ----a-w- c:\windows\fonts\seriff.fon
2010-06-24 01:50:31 57936 ----a-w- c:\windows\fonts\serife.fon
2010-06-24 01:49:23 5312 ----a-w- c:\windows\fonts\ega80woa.fon
2010-06-24 01:47:27 8368 ----a-w- c:\windows\fonts\ega40woa.fon
2010-06-23 20:12:42 9135960 ----a-w- c:\windows\fonts\msmincho.ttc
2010-06-23 20:12:30 10044356 ----a-w- c:\windows\fonts\simhei.ttf
2010-06-23 20:12:25 16258580 ----a-w- c:\windows\fonts\batang.ttc
2010-06-23 20:11:16 8823308 ----a-w- c:\windows\fonts\mingliu.ttc
2010-06-23 20:10:46 10500792 ----a-w- c:\windows\fonts\simsun.ttc
2010-06-23 20:03:07 8272028 ----a-w- c:\windows\fonts\msgothic.ttc
2010-06-23 20:00:36 218112 ----a-w- c:\windows\system32\c_g18030.dll
2010-06-23 20:00:12 13518660 ----a-w- c:\windows\fonts\gulim.ttc
2010-06-23 19:39:31 827438 ----a-w- c:\windows\system32\imjp81k.dll
2010-06-23 18:24:46 7728 ----a-w- c:\windows\fonts\jvgasys.fon
2010-06-23 18:24:46 6528 ----a-w- c:\windows\fonts\jvgafix.fon
2010-06-23 18:24:46 38480 ----a-w- c:\windows\fonts\jsmallf.fon
2010-06-23 18:24:16 41584 ----a-w- c:\windows\fonts\jsmalle.fon
2010-06-23 18:11:56 12400 ----a-w- c:\windows\fonts\h8514oem.fon
2010-06-23 18:11:56 11056 ----a-w- c:\windows\fonts\h8514fix.fon
2010-06-23 18:11:56 10032 ----a-w- c:\windows\fonts\h8514sys.fon
2010-06-23 18:00:05 17760 ----a-w- c:\windows\fonts\c8514sys.fon
2010-06-23 18:00:05 13552 ----a-w- c:\windows\fonts\c8514oem.fon
2010-06-23 18:00:05 10992 ----a-w- c:\windows\fonts\c8514fix.fon
2010-06-23 17:59:29 17760 ----a-w- c:\windows\fonts\s8514sys.fon
2010-06-23 17:59:29 12384 ----a-w- c:\windows\fonts\s8514oem.fon
2010-06-23 17:59:29 11056 ----a-w- c:\windows\fonts\s8514fix.fon
2010-06-23 17:35:03 14432 ----a-w- c:\windows\fonts\j8514oem.fon
2010-06-23 17:35:03 12896 ----a-w- c:\windows\fonts\j8514fix.fon
2010-06-23 17:35:03 10656 ----a-w- c:\windows\fonts\j8514sys.fon
2010-06-23 17:20:54 6512 ----a-w- c:\windows\fonts\hvgasys.fon
2010-06-23 17:20:54 5680 ----a-w- c:\windows\fonts\hvgafix.fon
2010-06-23 17:07:16 5680 ----a-w- c:\windows\fonts\svgafix.fon
2010-06-23 17:07:16 12896 ----a-w- c:\windows\fonts\svgasys.fon
2010-06-23 16:53:47 80896 ----a-w- c:\windows\fonts\app949.fon
2010-06-23 16:52:52 80896 ----a-w- c:\windows\fonts\app932.fon
2010-06-23 16:52:52 70000 ----a-w- c:\windows\fonts\app936.fon
2010-06-23 16:51:47 70000 ----a-w- c:\windows\fonts\app950.fon
2010-06-23 16:21:01 5600 ----a-w- c:\windows\fonts\cvgafix.fon
2010-06-23 16:21:01 12896 ----a-w- c:\windows\fonts\cvgasys.fon
2010-06-23 16:18:54 73216 ----a-w- c:\windows\system32\uniime.dll
2010-06-23 16:18:54 7232 ----a-w- c:\windows\fonts\vga932.fon
2010-06-23 16:17:29 6304 ----a-w- c:\windows\fonts\vga949.fon
2010-06-23 16:17:29 6272 ----a-w- c:\windows\fonts\vga950.fon
2010-06-23 16:17:29 6272 ----a-w- c:\windows\fonts\vga936.fon
2010-06-23 16:07:27 21504 ----a-w- c:\windows\fonts\smallf.fon
2010-06-23 02:33:19 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 20:20:18.14 ===============

Edited by PATRICKRL, 13 August 2010 - 09:33 PM.
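A triage pass over the "Pseudo HJT Report" section of a DDS log, added here as an example (it is not code from this thread or from the DDS tool). It runs over a few lines copied from the log above and returns the entries a responder would review first: Userinit values beyond the stock userinit.exe, a non-zero SfcDisable, rundll32 targets outside system32, and autostarts living under a profile's Local Settings\Application Data. The function names and the heuristics are my own assumptions, not DDS rules.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example, not code from this thread or from the DDS tool. The
heuristics below (assumptions, not DDS rules) pick out the autostart
entries a responder reviews first; every hit needs a human look, it is
not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the report posted above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\host32.exe,
mWinlogon: SfcDisable=-99 (0xffffff9d)
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [Syuqetube] rundll32.exe "c:\windows\kbgrsbjt.dll",Startup
dRunOnce: [06137159] "c:\docume~1\networ~1\locals~1\applic~1\06137159.exe" 0 45
"""

STOCK_USERINIT = "c:\\windows\\system32\\userinit.exe"
SYSTEM32 = "c:\\windows\\system32\\"

USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(?P<value>.*)$", re.I)
SFC_RE = re.compile(r"^mWinlogon: SfcDisable=(?P<value>-?\d+)", re.I)
# u/m/d = HKCU, HKLM and the Default user hive; Run and RunOnce keys.
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", re.I)
# The module rundll32 is told to load: quoted or bare, up to the comma.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
# DDS prints "Local Settings\Application Data" in 8.3 short form.
LOCAL_APPDATA_RE = re.compile(r"\\locals~1\\applic~1\\", re.I)


@dataclass
class Finding:
    line: str
    reason: str


def check_userinit(value: str) -> list:
    """Return every Userinit entry that is not the stock userinit.exe.

    Winlogon runs each comma-separated entry at logon, so anything
    appended here starts with every interactive session.
    """
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e != STOCK_USERINIT]


def triage(report: str) -> list:
    """Walk the report and collect the entries worth a closer look."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = USERINIT_RE.match(line)
        if m:
            for extra in check_userinit(m.group("value")):
                findings.append(Finding(line, f"extra Userinit entry: {extra}"))
            continue

        m = SFC_RE.match(line)
        if m:
            if int(m.group("value")) != 0:
                findings.append(Finding(line, "SfcDisable is non-zero: Windows File "
                                        "Protection is off (can be deliberate, still review)"))
            continue

        m = RUN_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        d = RUNDLL_RE.match(cmd)
        if d and not d.group("dll").lower().startswith(SYSTEM32):
            findings.append(Finding(line, f"rundll32 loads a DLL outside system32: {d.group('dll')}"))
        elif LOCAL_APPDATA_RE.search(cmd):
            # Service-account profiles (networ~1, locals~1) have no reason
            # to carry an autostart EXE at all.
            findings.append(Finding(line, "autostart binary under a profile's Local Settings\\Application Data"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.reason}\n    {f.line}")
```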



#2 Blade81

  • Malware Response Team

Posted 21 August 2010 - 04:11 AM

Hi,

If help is still needed with this, post fresh DDS logs, please.



#3 PATRICKRL


Posted 22 August 2010 - 07:27 AM

Thanks for your response! Here are fresh logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 8:15:54.42 on Sun 08/22/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1243 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe
C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files\ASUS\ATK Hotkey\HControl.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\WINDOWS\AsScrPro.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\RMClock\RMClock.exe
C:\Program Files\SetFSBTray\SetFSBTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files\RMClock\RMClockHLT.exe
C:\Program Files\RMClock\RMClockHLT.exe
C:\Program Files\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files\ASUS\ATK Hotkey\WDC.exe
C:\Program Files\Opera 10 Beta\opera.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Media Player Classic\mplayerc.exe
C:\Program Files\KeePass Password Safe 2\KeePass.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\host32.exe,
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsgTranAgt] c:\program files\asus\atk hotkey\MsgTranAgt.exe
mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
mRun: [ATKHOTKEY] c:\program files\asus\atk hotkey\HControl.exe
mRun: [ATKOSD2] "c:\program files\atkosd2\ATKOSD2.exe"
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRun: [Syuqetube] rundll32.exe "c:\windows\kbgrsbjt.dll",Startup
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [06137159] "c:\docume~1\networ~1\locals~1\applic~1\06137159.exe" 0 45
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\rightm~1.lnk - c:\program files\rmclock\RMClock.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\setfsb~1.lnk - c:\program files\setfsbtray\SetFSBTray.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pq0l64tb.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\NPSWF32.dll
FF - HiddenExtension: XULRunner: {B5B803BA-D3A9-4DD1-AB17-DB3FCD9F754D} - c:\documents and settings\administrator\local settings\application data\{B5B803BA-D3A9-4DD1-AB17-DB3FCD9F754D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-12 304464]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-12 20952]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-1-22 46752]
R3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2009-8-4 4608]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-7-4 119016]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-4 12672]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3a.tmp --> c:\windows\system32\3A.tmp [?]
S3 wxpSvc;webcamXP Service;c:\program files\wlite\wService.exe [2009-10-23 3714048]

============== File Associations ===============

txtfile=c:\program files\win32pad\win32pad.exe "%L"

=============== Created Last 30 ================

2010-08-19 13:05:48 0 ----a-w- C:\libanki.mo
2010-08-18 15:28:22 0 d-----w- c:\docume~1\admini~1\applic~1\fltk.org
2010-08-17 16:36:37 0 d-----w- c:\program files\Proxomitron Naoko-4
2010-08-15 18:41:55 0 d-----w- c:\program files\Click-N-Type
2010-08-15 03:17:49 0 d-----w- c:\program files\Windows Media Connect 2
2010-08-13 23:01:49 170 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-08-13 21:58:52 0 d-----w- c:\program files\Sophos
2010-08-13 21:41:50 0 ----a-w- c:\documents and settings\administrator\ntuser.tmp
2010-08-13 21:27:28 0 d-sha-r- C:\cmdcons
2010-08-13 18:39:44 47616 ---ha-w- c:\windows\system32\ChCffc.dll
2010-08-13 18:39:36 87552 ----a-w- c:\windows\system32\0.325095580348274.exe
2010-08-13 18:24:57 77312 ----a-w- c:\windows\MBR.exe
2010-08-13 18:24:57 256512 ----a-w- c:\windows\PEV.exe
2010-08-13 18:24:56 98816 ----a-w- c:\windows\sed.exe
2010-08-13 18:24:56 161792 ----a-w- c:\windows\SWREG.exe
2010-08-13 01:21:30 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-08-13 01:21:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-13 01:21:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-13 01:21:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-13 01:21:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-13 00:47:40 0 d-----r- C:\Sandbox
2010-08-13 00:47:23 1948 ----a-w- c:\windows\Sandboxie.ini
2010-08-13 00:47:13 0 d-----w- c:\program files\Sandboxie
2010-08-13 00:37:36 120 ----a-w- c:\windows\Knorivebaxitivu.dat
2010-08-13 00:37:36 0 ----a-w- c:\windows\Fxupuzaya.bin

==================== Find3M ====================

2010-06-24 01:52:11 81728 ----a-w- c:\windows\fonts\seriff.fon
2010-06-24 01:50:31 57936 ----a-w- c:\windows\fonts\serife.fon
2010-06-24 01:49:23 5312 ----a-w- c:\windows\fonts\ega80woa.fon
2010-06-24 01:47:27 8368 ----a-w- c:\windows\fonts\ega40woa.fon
2010-06-23 20:12:42 9135960 ----a-w- c:\windows\fonts\msmincho.ttc
2010-06-23 20:12:30 10044356 ----a-w- c:\windows\fonts\simhei.ttf
2010-06-23 20:12:25 16258580 ----a-w- c:\windows\fonts\batang.ttc
2010-06-23 20:11:16 8823308 ----a-w- c:\windows\fonts\mingliu.ttc
2010-06-23 20:10:46 10500792 ----a-w- c:\windows\fonts\simsun.ttc
2010-06-23 20:03:07 8272028 ----a-w- c:\windows\fonts\msgothic.ttc
2010-06-23 20:00:36 218112 ----a-w- c:\windows\system32\c_g18030.dll
2010-06-23 20:00:12 13518660 ----a-w- c:\windows\fonts\gulim.ttc
2010-06-23 19:39:31 827438 ----a-w- c:\windows\system32\imjp81k.dll
2010-06-23 18:24:46 7728 ----a-w- c:\windows\fonts\jvgasys.fon
2010-06-23 18:24:46 6528 ----a-w- c:\windows\fonts\jvgafix.fon
2010-06-23 18:24:46 38480 ----a-w- c:\windows\fonts\jsmallf.fon
2010-06-23 18:24:16 41584 ----a-w- c:\windows\fonts\jsmalle.fon
2010-06-23 18:11:56 12400 ----a-w- c:\windows\fonts\h8514oem.fon
2010-06-23 18:11:56 11056 ----a-w- c:\windows\fonts\h8514fix.fon
2010-06-23 18:11:56 10032 ----a-w- c:\windows\fonts\h8514sys.fon
2010-06-23 18:00:05 17760 ----a-w- c:\windows\fonts\c8514sys.fon
2010-06-23 18:00:05 13552 ----a-w- c:\windows\fonts\c8514oem.fon
2010-06-23 18:00:05 10992 ----a-w- c:\windows\fonts\c8514fix.fon
2010-06-23 17:59:29 17760 ----a-w- c:\windows\fonts\s8514sys.fon
2010-06-23 17:59:29 12384 ----a-w- c:\windows\fonts\s8514oem.fon
2010-06-23 17:59:29 11056 ----a-w- c:\windows\fonts\s8514fix.fon
2010-06-23 17:35:03 14432 ----a-w- c:\windows\fonts\j8514oem.fon
2010-06-23 17:35:03 12896 ----a-w- c:\windows\fonts\j8514fix.fon
2010-06-23 17:35:03 10656 ----a-w- c:\windows\fonts\j8514sys.fon
2010-06-23 17:20:54 6512 ----a-w- c:\windows\fonts\hvgasys.fon
2010-06-23 17:20:54 5680 ----a-w- c:\windows\fonts\hvgafix.fon
2010-06-23 17:07:16 5680 ----a-w- c:\windows\fonts\svgafix.fon
2010-06-23 17:07:16 12896 ----a-w- c:\windows\fonts\svgasys.fon
2010-06-23 16:53:47 80896 ----a-w- c:\windows\fonts\app949.fon
2010-06-23 16:52:52 80896 ----a-w- c:\windows\fonts\app932.fon
2010-06-23 16:52:52 70000 ----a-w- c:\windows\fonts\app936.fon
2010-06-23 16:51:47 70000 ----a-w- c:\windows\fonts\app950.fon
2010-06-23 16:21:01 5600 ----a-w- c:\windows\fonts\cvgafix.fon
2010-06-23 16:21:01 12896 ----a-w- c:\windows\fonts\cvgasys.fon
2010-06-23 16:18:54 73216 ----a-w- c:\windows\system32\uniime.dll
2010-06-23 16:18:54 7232 ----a-w- c:\windows\fonts\vga932.fon
2010-06-23 16:17:29 6304 ----a-w- c:\windows\fonts\vga949.fon
2010-06-23 16:17:29 6272 ----a-w- c:\windows\fonts\vga950.fon
2010-06-23 16:17:29 6272 ----a-w- c:\windows\fonts\vga936.fon
2010-06-23 16:07:27 21504 ----a-w- c:\windows\fonts\smallf.fon
2010-06-23 02:33:19 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 8:19:17.10 ===============


#4 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:02:00 PM

Posted 22 August 2010 - 09:13 AM

Hi,

Please make sure word wrap in Notepad is disabled so that logs appear in a more readable format.


uTorrent

The above-listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and others, if present) P2P file sharing programs.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#5 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:02:00 PM

Posted 28 August 2010 - 03:55 AM

Are you still there?



#6 PATRICKRL
  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:00 AM

Posted 28 August 2010 - 07:51 PM

Sorry for the late reply. I followed your instructions and now there doesn't seem to be anything joyriding other programs for CPU usage anymore. Thanks for your continued assistance.

ComboFix 10-08-27.03 - Administrator 08/28/2010 20:36:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1724 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{B5B803BA-D3A9-4DD1-AB17-DB3FCD9F754D}
c:\documents and settings\Administrator\Local Settings\Application Data\{B5B803BA-D3A9-4DD1-AB17-DB3FCD9F754D}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{B5B803BA-D3A9-4DD1-AB17-DB3FCD9F754D}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{B5B803BA-D3A9-4DD1-AB17-DB3FCD9F754D}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{B5B803BA-D3A9-4DD1-AB17-DB3FCD9F754D}\install.rdf
c:\documents and settings\NetworkService\Start Menu\Programs\Security Tool.lnk
c:\windows\host32.exe
c:\windows\jh87uhnoe3
c:\windows\jh87uhnoe3\ewf32.nls
c:\windows\jh87uhnoe3\ewfrvbb.nls
c:\windows\system32\0.325095580348274.exe
c:\windows\system32\ChCffc.dll
c:\windows\system32\msconfig.exe

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.

2010-08-22 13:15 . 2010-08-22 13:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Jasc
2010-08-22 13:14 . 2010-08-22 13:14 -------- d-----w- c:\program files\Jasc Software Inc
2010-08-18 15:28 . 2010-08-18 15:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\fltk.org
2010-08-17 16:36 . 2010-08-18 20:43 -------- d-----w- c:\program files\Proxomitron Naoko-4
2010-08-15 18:41 . 2010-08-15 18:41 -------- d-----w- c:\program files\Click-N-Type
2010-08-15 03:24 . 2008-04-14 03:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-08-15 03:17 . 2010-08-15 03:17 -------- d-----w- c:\program files\Windows Media Connect 2
2010-08-15 03:15 . 2010-08-15 03:16 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-08-13 21:58 . 2010-08-13 21:58 -------- d-----w- c:\program files\Sophos
2010-08-13 01:21 . 2010-08-13 01:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-13 01:21 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-13 01:21 . 2010-08-13 01:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-13 01:21 . 2010-08-13 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-13 01:21 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-13 00:47 . 2010-08-13 00:47 -------- d-----r- C:\Sandbox
2010-08-13 00:47 . 2010-08-13 00:47 -------- d-----w- c:\program files\Sandboxie
2010-08-13 00:37 . 2010-08-13 15:01 120 ----a-w- c:\windows\Knorivebaxitivu.dat
2010-08-13 00:37 . 2010-08-13 15:01 0 ----a-w- c:\windows\Fxupuzaya.bin
2010-08-12 16:37 . 2010-08-12 16:37 -------- d-----w- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-29 00:27 . 2009-08-11 02:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-08-22 18:59 . 2009-11-29 19:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\.anki
2010-08-22 18:56 . 2009-08-06 22:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\KeePass
2010-08-22 02:46 . 2009-08-11 00:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-08-22 01:19 . 2009-08-08 01:28 -------- d-----w- c:\program files\Win32Pad
2010-08-21 13:13 . 2010-02-08 00:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\foobar2000
2010-08-21 02:36 . 2010-06-23 02:33 -------- d-----w- c:\program files\JDownloader
2010-08-19 13:06 . 2009-11-29 19:41 -------- d-----w- c:\program files\Anki
2010-08-15 00:14 . 2009-08-11 02:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-13 21:41 . 2010-08-13 21:41 0 ----a-w- c:\documents and settings\Administrator\ntuser.tmp
2010-08-13 18:39 . 2009-08-06 16:05 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-13 15:02 . 2009-08-27 08:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\AkhohohkA
2010-08-13 14:39 . 2010-07-06 04:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Hezo
2010-08-13 14:39 . 2009-08-01 18:09 -------- d-----w- c:\program files\Defense Grid - The Awakening
2010-08-13 00:38 . 2009-08-13 12:48 -------- d-----w- c:\program files\Opera 10 Beta
2010-08-13 00:36 . 2009-08-01 02:59 26816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-12 15:24 . 2010-07-05 00:29 -------- d-----w- c:\program files\Facade
2010-08-11 01:03 . 2009-08-01 03:15 -------- d-----w- c:\program files\SetFSBTray
2010-08-09 13:41 . 2010-07-04 21:21 -------- d-----w- c:\program files\IrfanView
2010-06-24 01:52 . 2001-08-23 12:00 81728 ----a-w- c:\windows\Fonts\seriff.fon
2010-06-24 01:50 . 2001-08-23 12:00 57936 ----a-w- c:\windows\Fonts\serife.fon
2010-06-24 01:49 . 2001-08-23 12:00 5312 ----a-w- c:\windows\Fonts\ega80woa.fon
2010-06-24 01:47 . 2001-08-23 12:00 8368 ----a-w- c:\windows\Fonts\ega40woa.fon
2010-06-23 20:00 . 2010-06-24 01:39 218112 ----a-w- c:\windows\system32\c_g18030.dll
2010-06-23 19:39 . 2010-06-24 01:39 827438 ----a-w- c:\windows\system32\imjp81k.dll
2010-06-23 18:24 . 2010-06-24 01:42 7728 ----a-w- c:\windows\Fonts\jvgasys.fon
2010-06-23 18:24 . 2010-06-24 01:42 6528 ----a-w- c:\windows\Fonts\jvgafix.fon
2010-06-23 18:24 . 2010-06-24 01:42 38480 ----a-w- c:\windows\Fonts\jsmallf.fon
2010-06-23 18:24 . 2010-06-24 01:42 41584 ----a-w- c:\windows\Fonts\jsmalle.fon
2010-06-23 18:11 . 2010-06-24 01:42 12400 ----a-w- c:\windows\Fonts\h8514oem.fon
2010-06-23 18:11 . 2010-06-24 01:42 11056 ----a-w- c:\windows\Fonts\h8514fix.fon
2010-06-23 18:11 . 2010-06-24 01:42 10032 ----a-w- c:\windows\Fonts\h8514sys.fon
2010-06-23 18:00 . 2010-06-24 01:42 17760 ----a-w- c:\windows\Fonts\c8514sys.fon
2010-06-23 18:00 . 2010-06-24 01:42 13552 ----a-w- c:\windows\Fonts\c8514oem.fon
2010-06-23 18:00 . 2010-06-24 01:42 10992 ----a-w- c:\windows\Fonts\c8514fix.fon
2010-06-23 17:59 . 2010-06-24 01:42 17760 ----a-w- c:\windows\Fonts\s8514sys.fon
2010-06-23 17:59 . 2010-06-24 01:42 12384 ----a-w- c:\windows\Fonts\s8514oem.fon
2010-06-23 17:59 . 2010-06-24 01:42 11056 ----a-w- c:\windows\Fonts\s8514fix.fon
2010-06-23 17:35 . 2010-06-24 01:42 14432 ----a-w- c:\windows\Fonts\j8514oem.fon
2010-06-23 17:35 . 2010-06-24 01:42 12896 ----a-w- c:\windows\Fonts\j8514fix.fon
2010-06-23 17:35 . 2010-06-24 01:42 10656 ----a-w- c:\windows\Fonts\j8514sys.fon
2010-06-23 17:20 . 2010-06-24 01:42 6512 ----a-w- c:\windows\Fonts\hvgasys.fon
2010-06-23 17:20 . 2010-06-24 01:42 5680 ----a-w- c:\windows\Fonts\hvgafix.fon
2010-06-23 17:07 . 2010-06-24 01:42 5680 ----a-w- c:\windows\Fonts\svgafix.fon
2010-06-23 17:07 . 2010-06-24 01:42 12896 ----a-w- c:\windows\Fonts\svgasys.fon
2010-06-23 16:53 . 2010-06-24 01:42 80896 ----a-w- c:\windows\Fonts\app949.fon
2010-06-23 16:52 . 2010-06-24 01:42 70000 ----a-w- c:\windows\Fonts\app936.fon
2010-06-23 16:52 . 2010-06-24 01:42 80896 ----a-w- c:\windows\Fonts\app932.fon
2010-06-23 16:51 . 2010-06-24 01:42 70000 ----a-w- c:\windows\Fonts\app950.fon
2010-06-23 16:21 . 2010-06-24 01:42 5600 ----a-w- c:\windows\Fonts\cvgafix.fon
2010-06-23 16:21 . 2010-06-24 01:42 12896 ----a-w- c:\windows\Fonts\cvgasys.fon
2010-06-23 16:18 . 2010-06-24 01:42 7232 ----a-w- c:\windows\Fonts\vga932.fon
2010-06-23 16:18 . 2010-06-24 01:39 73216 ----a-w- c:\windows\system32\uniime.dll
2010-06-23 16:17 . 2010-06-24 01:42 6272 ----a-w- c:\windows\Fonts\vga950.fon
2010-06-23 16:17 . 2010-06-24 01:42 6272 ----a-w- c:\windows\Fonts\vga936.fon
2010-06-23 16:17 . 2010-06-24 01:42 6304 ----a-w- c:\windows\Fonts\vga949.fon
2010-06-23 16:07 . 2009-07-31 22:09 21504 ----a-w- c:\windows\Fonts\smallf.fon
2010-06-23 02:33 . 2010-06-23 02:33 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54b27361-n\msvcp71.dll
2010-06-23 02:33 . 2010-06-23 02:33 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54b27361-n\jmc.dll
2010-06-23 02:33 . 2010-06-23 02:33 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54b27361-n\msvcr71.dll
2010-06-23 02:33 . 2010-06-23 02:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-06-23 02:33 . 2010-06-23 02:33 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-06-23 02:30 . 2010-06-23 02:30 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.

------- Sigcheck -------

[-] 2009-07-14 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys




c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-07-04 398568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-21 450649]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"nwiz"="nwiz.exe" [2009-05-01 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2007-11-04 106496]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-01-12 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-08-04 217088]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-08-05 3054136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-24 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-24 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-24 131072]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2010-06-23 208949]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2010-06-23 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2010-06-23 77824]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2010-06-23 737360]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2010-06-23 737360]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
RightMark CPU Clock Utility.lnk - c:\program files\RMClock\RMClock.exe [2009-8-4 1750016]
SetFSBTray.lnk - c:\program files\SetFSBTray\SetFSBTray.exe [2009-7-25 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\UBISOFT\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"d:\\Program Files\\UBISOFT\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\commander keen\\testapp3.bat"=
"d:\\Program Files\\Steam\\steamapps\\common\\commander keen\\testapp4.bat"=
"d:\\Program Files\\Steam\\steamapps\\common\\commander keen\\testapp5.bat"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\doom 2\\doom2.bat"=
"d:\\Program Files\\Steam\\steamapps\\common\\ultimate doom\\ultimate.bat"=
"d:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\doom 3\\Doom3.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Opera 10 Beta\\opera.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\wLite\\wLite.exe"=
"c:\\Program Files\\wLite\\wService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/12/2010 9:21 PM 304464]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/12/2010 9:21 PM 20952]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [1/22/2009 3:43 PM 46752]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3A.tmp --> c:\windows\system32\3A.tmp [?]
S3 wxpSvc;webcamXP Service;c:\program files\wLite\wService.exe [10/23/2009 11:18 AM 3714048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/4/2009 2:23 PM 717296]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pq0l64tb.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\NPSWF32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
txtfile=c:\program files\Win32Pad\win32pad.exe "%L"
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Syuqetube - c:\windows\kbgrsbjt.dll
HKU-Default-RunOnce-06137159 - c:\docume~1\NETWOR~1\LOCALS~1\APPLIC~1\06137159.exe
AddRemove-Flashpoint - c:\program files\Codemasters\UnInstall.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wxpSvc]
"ImagePath"="c:\program files\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3A.tmp"
.
Completion time: 2010-08-28 20:42:57
ComboFix-quarantined-files.txt 2010-08-29 00:42

Pre-Run: 1,047,826,432 bytes free
Post-Run: 1,368,879,104 bytes free

- - End Of File - - 6DA244B6628D1191DEE53F8C54B879AA

--------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 20:44:33.83 on Sat 08/28/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1658 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\ComboFix\CF10741.cfxxe
C:\ComboFix\mbr.cfxxe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsgTranAgt] c:\program files\asus\atk hotkey\MsgTranAgt.exe
mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
mRun: [ATKHOTKEY] c:\program files\asus\atk hotkey\HControl.exe
mRun: [ATKOSD2] "c:\program files\atkosd2\ATKOSD2.exe"
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\rightm~1.lnk - c:\program files\rmclock\RMClock.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\setfsb~1.lnk - c:\program files\setfsbtray\SetFSBTray.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pq0l64tb.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-12 304464]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-12 20952]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-1-22 46752]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-7-4 119016]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-4 12672]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3a.tmp --> c:\windows\system32\3A.tmp [?]
S3 wxpSvc;webcamXP Service;c:\program files\wlite\wService.exe [2009-10-23 3714048]

============== File Associations ===============

txtfile=c:\program files\win32pad\win32pad.exe "%L"

=============== Created Last 30 ================

2010-08-29 00:29:59 0 d-----w- C:\ComboFix
2010-08-22 13:15:35 0 d-----w- c:\docume~1\admini~1\applic~1\Jasc
2010-08-22 13:14:34 0 d-----w- c:\program files\Jasc Software Inc
2010-08-19 13:05:48 0 ----a-w- C:\libanki.mo
2010-08-18 15:28:22 0 d-----w- c:\docume~1\admini~1\applic~1\fltk.org
2010-08-17 16:36:37 0 d-----w- c:\program files\Proxomitron Naoko-4
2010-08-15 18:41:55 0 d-----w- c:\program files\Click-N-Type
2010-08-15 03:17:49 0 d-----w- c:\program files\Windows Media Connect 2
2010-08-13 23:01:49 170 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-08-13 21:58:52 0 d-----w- c:\program files\Sophos
2010-08-13 21:41:50 0 ----a-w- c:\documents and settings\administrator\ntuser.tmp
2010-08-13 21:27:28 0 d-sha-r- C:\cmdcons
2010-08-13 18:24:57 77312 ----a-w- c:\windows\MBR.exe
2010-08-13 18:24:57 256512 ----a-w- c:\windows\PEV.exe
2010-08-13 18:24:56 98816 ----a-w- c:\windows\sed.exe
2010-08-13 18:24:56 161792 ----a-w- c:\windows\SWREG.exe
2010-08-13 01:21:30 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-08-13 01:21:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-13 01:21:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-13 01:21:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-13 01:21:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-13 00:47:40 0 d-----r- C:\Sandbox
2010-08-13 00:47:23 1948 ----a-w- c:\windows\Sandboxie.ini
2010-08-13 00:47:13 0 d-----w- c:\program files\Sandboxie
2010-08-13 00:37:36 120 ----a-w- c:\windows\Knorivebaxitivu.dat
2010-08-13 00:37:36 0 ----a-w- c:\windows\Fxupuzaya.bin

==================== Find3M ====================

2010-06-24 01:52:11 81728 ----a-w- c:\windows\fonts\seriff.fon
2010-06-24 01:50:31 57936 ----a-w- c:\windows\fonts\serife.fon
2010-06-24 01:49:23 5312 ----a-w- c:\windows\fonts\ega80woa.fon
2010-06-24 01:47:27 8368 ----a-w- c:\windows\fonts\ega40woa.fon
2010-06-23 20:12:42 9135960 ----a-w- c:\windows\fonts\msmincho.ttc
2010-06-23 20:12:30 10044356 ----a-w- c:\windows\fonts\simhei.ttf
2010-06-23 20:12:25 16258580 ----a-w- c:\windows\fonts\batang.ttc
2010-06-23 20:11:16 8823308 ----a-w- c:\windows\fonts\mingliu.ttc
2010-06-23 20:10:46 10500792 ----a-w- c:\windows\fonts\simsun.ttc
2010-06-23 20:03:07 8272028 ----a-w- c:\windows\fonts\msgothic.ttc
2010-06-23 20:00:36 218112 ----a-w- c:\windows\system32\c_g18030.dll
2010-06-23 20:00:12 13518660 ----a-w- c:\windows\fonts\gulim.ttc
2010-06-23 19:39:31 827438 ----a-w- c:\windows\system32\imjp81k.dll
2010-06-23 18:24:46 7728 ----a-w- c:\windows\fonts\jvgasys.fon
2010-06-23 18:24:46 6528 ----a-w- c:\windows\fonts\jvgafix.fon
2010-06-23 18:24:46 38480 ----a-w- c:\windows\fonts\jsmallf.fon
2010-06-23 18:24:16 41584 ----a-w- c:\windows\fonts\jsmalle.fon
2010-06-23 18:11:56 12400 ----a-w- c:\windows\fonts\h8514oem.fon
2010-06-23 18:11:56 11056 ----a-w- c:\windows\fonts\h8514fix.fon
2010-06-23 18:11:56 10032 ----a-w- c:\windows\fonts\h8514sys.fon
2010-06-23 18:00:05 17760 ----a-w- c:\windows\fonts\c8514sys.fon
2010-06-23 18:00:05 13552 ----a-w- c:\windows\fonts\c8514oem.fon
2010-06-23 18:00:05 10992 ----a-w- c:\windows\fonts\c8514fix.fon
2010-06-23 17:59:29 17760 ----a-w- c:\windows\fonts\s8514sys.fon
2010-06-23 17:59:29 12384 ----a-w- c:\windows\fonts\s8514oem.fon
2010-06-23 17:59:29 11056 ----a-w- c:\windows\fonts\s8514fix.fon
2010-06-23 17:35:03 14432 ----a-w- c:\windows\fonts\j8514oem.fon
2010-06-23 17:35:03 12896 ----a-w- c:\windows\fonts\j8514fix.fon
2010-06-23 17:35:03 10656 ----a-w- c:\windows\fonts\j8514sys.fon
2010-06-23 17:20:54 6512 ----a-w- c:\windows\fonts\hvgasys.fon
2010-06-23 17:20:54 5680 ----a-w- c:\windows\fonts\hvgafix.fon
2010-06-23 17:07:16 5680 ----a-w- c:\windows\fonts\svgafix.fon
2010-06-23 17:07:16 12896 ----a-w- c:\windows\fonts\svgasys.fon
2010-06-23 16:53:47 80896 ----a-w- c:\windows\fonts\app949.fon
2010-06-23 16:52:52 80896 ----a-w- c:\windows\fonts\app932.fon
2010-06-23 16:52:52 70000 ----a-w- c:\windows\fonts\app936.fon
2010-06-23 16:51:47 70000 ----a-w- c:\windows\fonts\app950.fon
2010-06-23 16:21:01 5600 ----a-w- c:\windows\fonts\cvgafix.fon
2010-06-23 16:21:01 12896 ----a-w- c:\windows\fonts\cvgasys.fon
2010-06-23 16:18:54 73216 ----a-w- c:\windows\system32\uniime.dll
2010-06-23 16:18:54 7232 ----a-w- c:\windows\fonts\vga932.fon
2010-06-23 16:17:29 6304 ----a-w- c:\windows\fonts\vga949.fon
2010-06-23 16:17:29 6272 ----a-w- c:\windows\fonts\vga950.fon
2010-06-23 16:17:29 6272 ----a-w- c:\windows\fonts\vga936.fon
2010-06-23 16:07:27 21504 ----a-w- c:\windows\fonts\smallf.fon
2010-06-23 02:33:19 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 20:44:49.55 ===============


#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:02:00 PM

Posted 29 August 2010 - 02:43 AM

Hi again,

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l %systemdrive%\wscntfy.exe or %systemdrive%\regsvc.dll >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.



Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Knorivebaxitivu.dat
c:\windows\Fxupuzaya.bin
Folder::
c:\documents and settings\Administrator\Application Data\AkhohohkA
DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall vulnerable Flash versions by following the instructions here. A fresh version can be obtained here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 21.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.


Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#8 PATRICKRL

PATRICKRL
  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:00 AM

Posted 29 August 2010 - 09:34 PM

The virus scan turned up a few things which I had moved into the sandbox for testing, though I don't mind deleting them now.

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0

--------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 29, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 29, 2010 18:44:42
Records in database: 4167612
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 118747
Threats found: 11
Infected objects found: 15
Suspicious objects found: 0
Scan duration: 04:45:04


File name / Threat / Threats count
C:\Documents and Settings\Administrator\Local Settings\Application Data\771621052.7z Infected: Packed.Win32.Katusha.q 1
C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera\Opera 10 Beta\temporary_downloads\operapassview\OperaPassView.exe Infected: not-a-virus:PSWTool.Win32.NetPass.wr 1
C:\Documents and Settings\Administrator\My Documents\My Music\virus\scdata\wispex.html Infected: Trojan.HTML.Fraud.bb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ChCffc.dll.vir Infected: Backdoor.Win32.Papras.nb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\rdpcdd.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\Sandbox\Administrator\DefaultBox\user\current\Local Settings\Application Data\2190712053.exe Infected: Packed.Win32.Katusha.q 1
C:\Sandbox\Administrator\Fasdf\drive\C\Program Files\adc32.dll Infected: Trojan.Win32.FraudPack.avui 1
C:\Sandbox\Administrator\Fasdf\drive\C\Program Files\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.exe Infected: Trojan.Win32.Agent2.crgt 1
C:\Sandbox\Administrator\Fasdf\drive\C\Program Files\alggui.exe Infected: Trojan.Win32.Agent2.crir 1
C:\Sandbox\Administrator\Fasdf\drive\C\Program Files\svchost.exe Infected: Trojan.Win32.Agent2.criq 1
C:\Sandbox\Administrator\Fasdf\user\current\Local Settings\Temp\win4.tmp Infected: Trojan-Downloader.Win32.Small.aqzv 1
C:\System Volume Information\_restore{03BC5F3D-ED10-459E-A374-5EA0AEAFE666}\RP1\A0006008.exe Infected: Packed.Win32.Katusha.q 1
C:\System Volume Information\_restore{03BC5F3D-ED10-459E-A374-5EA0AEAFE666}\RP5\A0008252.exe Infected: Trojan-Spy.Win32.Zbot.amwk 1
C:\System Volume Information\_restore{03BC5F3D-ED10-459E-A374-5EA0AEAFE666}\RP7\A0013423.sys Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{03BC5F3D-ED10-459E-A374-5EA0AEAFE666}\RP7\A0013478.dll Infected: Backdoor.Win32.Papras.nb 1

Selected area has been scanned.

--------------------------------------------


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 22:26:22.95 on Sun 08/29/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1272 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\ATK Hotkey\MsgTranAgt.exe
C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files\ASUS\ATK Hotkey\HControl.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\WINDOWS\AsScrPro.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\RMClock\RMClock.exe
C:\Program Files\SetFSBTray\SetFSBTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files\RMClock\RMClockHLT.exe
C:\Program Files\RMClock\RMClockHLT.exe
C:\Program Files\ASUS\ATK Hotkey\WDC.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Opera 10 Beta\opera.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [ACU] "c:\program files\atheros\ACU.exe" -nogui
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsgTranAgt] c:\program files\asus\atk hotkey\MsgTranAgt.exe
mRun: [HControlUser] c:\program files\asus\atk hotkey\HControlUser.exe
mRun: [ATKHOTKEY] c:\program files\asus\atk hotkey\HControl.exe
mRun: [ATKOSD2] "c:\program files\atkosd2\ATKOSD2.exe"
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\rightm~1.lnk - c:\program files\rmclock\RMClock.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\setfsb~1.lnk - c:\program files\setfsbtray\SetFSBTray.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pq0l64tb.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-12 304464]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-12 20952]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-1-22 46752]
R3 RTCore32;RTCore32;c:\program files\rmclock\RTCore32.sys [2009-8-4 4608]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-7-4 119016]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-4 12672]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3a.tmp --> c:\windows\system32\3A.tmp [?]
S3 wxpSvc;webcamXP Service;c:\program files\wlite\wService.exe [2009-10-23 3714048]

============== File Associations ===============

txtfile=c:\program files\win32pad\win32pad.exe "%L"

=============== Created Last 30 ================

2010-08-29 20:31:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-29 20:27:42 0 d-----w- c:\windows\system32\xircom
2010-08-29 20:27:42 0 d-----w- c:\windows\system32\wbem\snmp
2010-08-29 20:27:42 0 d-----w- c:\windows\system32\oobe
2010-08-29 20:27:42 0 d-----w- c:\windows\srchasst
2010-08-29 20:27:42 0 d-----w- c:\windows\msagent
2010-08-29 20:27:42 0 d-----w- c:\program files\msn gaming zone
2010-08-29 20:27:41 0 d-----w- c:\windows\system32\inetsrv
2010-08-29 20:24:37 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-29 20:14:15 0 d-----w- C:\ComboFix
2010-08-22 13:15:35 0 d-----w- c:\docume~1\admini~1\applic~1\Jasc
2010-08-22 13:14:34 0 d-----w- c:\program files\Jasc Software Inc
2010-08-19 13:05:48 0 ----a-w- C:\libanki.mo
2010-08-18 15:28:22 0 d-----w- c:\docume~1\admini~1\applic~1\fltk.org
2010-08-17 16:36:37 0 d-----w- c:\program files\Proxomitron Naoko-4
2010-08-15 18:41:55 0 d-----w- c:\program files\Click-N-Type
2010-08-15 03:17:49 0 d-----w- c:\program files\Windows Media Connect 2
2010-08-13 23:01:49 170 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-08-13 21:58:52 0 d-----w- c:\program files\Sophos
2010-08-13 21:41:50 0 ----a-w- c:\documents and settings\administrator\ntuser.tmp
2010-08-13 21:27:28 0 d-sha-r- C:\cmdcons
2010-08-13 18:24:57 77312 ----a-w- c:\windows\MBR.exe
2010-08-13 18:24:57 256512 ----a-w- c:\windows\PEV.exe
2010-08-13 18:24:56 98816 ----a-w- c:\windows\sed.exe
2010-08-13 18:24:56 161792 ----a-w- c:\windows\SWREG.exe
2010-08-13 01:21:30 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-08-13 01:21:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-13 01:21:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-13 01:21:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-13 01:21:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-13 00:47:40 0 d-----r- C:\Sandbox
2010-08-13 00:47:23 1948 ----a-w- c:\windows\Sandboxie.ini
2010-08-13 00:47:13 0 d-----w- c:\program files\Sandboxie

==================== Find3M ====================

2010-06-24 01:52:11 81728 ----a-w- c:\windows\fonts\seriff.fon
2010-06-24 01:50:31 57936 ----a-w- c:\windows\fonts\serife.fon
2010-06-24 01:49:23 5312 ----a-w- c:\windows\fonts\ega80woa.fon
2010-06-24 01:47:27 8368 ----a-w- c:\windows\fonts\ega40woa.fon
2010-06-23 20:12:42 9135960 ----a-w- c:\windows\fonts\msmincho.ttc
2010-06-23 20:12:30 10044356 ----a-w- c:\windows\fonts\simhei.ttf
2010-06-23 20:12:25 16258580 ----a-w- c:\windows\fonts\batang.ttc
2010-06-23 20:11:16 8823308 ----a-w- c:\windows\fonts\mingliu.ttc
2010-06-23 20:10:46 10500792 ----a-w- c:\windows\fonts\simsun.ttc
2010-06-23 20:03:07 8272028 ----a-w- c:\windows\fonts\msgothic.ttc
2010-06-23 20:00:36 218112 ----a-w- c:\windows\system32\c_g18030.dll
2010-06-23 20:00:12 13518660 ----a-w- c:\windows\fonts\gulim.ttc
2010-06-23 19:39:31 827438 ----a-w- c:\windows\system32\imjp81k.dll
2010-06-23 18:24:46 7728 ----a-w- c:\windows\fonts\jvgasys.fon
2010-06-23 18:24:46 6528 ----a-w- c:\windows\fonts\jvgafix.fon
2010-06-23 18:24:46 38480 ----a-w- c:\windows\fonts\jsmallf.fon
2010-06-23 18:24:16 41584 ----a-w- c:\windows\fonts\jsmalle.fon
2010-06-23 18:11:56 12400 ----a-w- c:\windows\fonts\h8514oem.fon
2010-06-23 18:11:56 11056 ----a-w- c:\windows\fonts\h8514fix.fon
2010-06-23 18:11:56 10032 ----a-w- c:\windows\fonts\h8514sys.fon
2010-06-23 18:00:05 17760 ----a-w- c:\windows\fonts\c8514sys.fon
2010-06-23 18:00:05 13552 ----a-w- c:\windows\fonts\c8514oem.fon
2010-06-23 18:00:05 10992 ----a-w- c:\windows\fonts\c8514fix.fon
2010-06-23 17:59:29 17760 ----a-w- c:\windows\fonts\s8514sys.fon
2010-06-23 17:59:29 12384 ----a-w- c:\windows\fonts\s8514oem.fon
2010-06-23 17:59:29 11056 ----a-w- c:\windows\fonts\s8514fix.fon
2010-06-23 17:35:03 14432 ----a-w- c:\windows\fonts\j8514oem.fon
2010-06-23 17:35:03 12896 ----a-w- c:\windows\fonts\j8514fix.fon
2010-06-23 17:35:03 10656 ----a-w- c:\windows\fonts\j8514sys.fon
2010-06-23 17:20:54 6512 ----a-w- c:\windows\fonts\hvgasys.fon
2010-06-23 17:20:54 5680 ----a-w- c:\windows\fonts\hvgafix.fon
2010-06-23 17:07:16 5680 ----a-w- c:\windows\fonts\svgafix.fon
2010-06-23 17:07:16 12896 ----a-w- c:\windows\fonts\svgasys.fon
2010-06-23 16:53:47 80896 ----a-w- c:\windows\fonts\app949.fon
2010-06-23 16:52:52 80896 ----a-w- c:\windows\fonts\app932.fon
2010-06-23 16:52:52 70000 ----a-w- c:\windows\fonts\app936.fon
2010-06-23 16:51:47 70000 ----a-w- c:\windows\fonts\app950.fon
2010-06-23 16:21:01 5600 ----a-w- c:\windows\fonts\cvgafix.fon
2010-06-23 16:21:01 12896 ----a-w- c:\windows\fonts\cvgasys.fon
2010-06-23 16:18:54 73216 ----a-w- c:\windows\system32\uniime.dll
2010-06-23 16:18:54 7232 ----a-w- c:\windows\fonts\vga932.fon
2010-06-23 16:17:29 6304 ----a-w- c:\windows\fonts\vga949.fon
2010-06-23 16:17:29 6272 ----a-w- c:\windows\fonts\vga950.fon
2010-06-23 16:17:29 6272 ----a-w- c:\windows\fonts\vga936.fon
2010-06-23 16:07:27 21504 ----a-w- c:\windows\fonts\smallf.fon

============= FINISH: 22:27:01.28 ===============

--------------------------------------------

ComboFix 10-08-28.02 - Administrator 08/29/2010 16:15:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1545 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\Fxupuzaya.bin"
"c:\windows\Knorivebaxitivu.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\AkhohohkA
c:\documents and settings\Administrator\Application Data\AkhohohkA\esanc.exe
c:\documents and settings\Administrator\Application Data\AkhohohkA\esanc.exe.md5
c:\windows\Fxupuzaya.bin
c:\windows\Knorivebaxitivu.dat

.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.

2010-08-22 13:15 . 2010-08-22 13:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Jasc
2010-08-22 13:14 . 2010-08-22 13:14 -------- d-----w- c:\program files\Jasc Software Inc
2010-08-18 15:28 . 2010-08-18 15:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\fltk.org
2010-08-17 16:36 . 2010-08-18 20:43 -------- d-----w- c:\program files\Proxomitron Naoko-4
2010-08-15 18:41 . 2010-08-15 18:41 -------- d-----w- c:\program files\Click-N-Type
2010-08-15 03:24 . 2008-04-14 03:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-08-15 03:17 . 2010-08-15 03:17 -------- d-----w- c:\program files\Windows Media Connect 2
2010-08-15 03:15 . 2010-08-15 03:16 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-08-13 21:58 . 2010-08-13 21:58 -------- d-----w- c:\program files\Sophos
2010-08-13 01:21 . 2010-08-13 01:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-13 01:21 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-13 01:21 . 2010-08-13 01:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-13 01:21 . 2010-08-13 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-13 01:21 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-13 00:47 . 2010-08-13 00:47 -------- d-----r- C:\Sandbox
2010-08-13 00:47 . 2010-08-13 00:47 -------- d-----w- c:\program files\Sandboxie
2010-08-12 16:37 . 2010-08-12 16:37 -------- d-----w- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-29 00:27 . 2009-08-11 02:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-08-22 18:59 . 2009-11-29 19:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\.anki
2010-08-22 18:56 . 2009-08-06 22:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\KeePass
2010-08-22 02:46 . 2009-08-11 00:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-08-22 01:19 . 2009-08-08 01:28 -------- d-----w- c:\program files\Win32Pad
2010-08-21 13:13 . 2010-02-08 00:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\foobar2000
2010-08-21 02:36 . 2010-06-23 02:33 -------- d-----w- c:\program files\JDownloader
2010-08-19 13:06 . 2009-11-29 19:41 -------- d-----w- c:\program files\Anki
2010-08-15 00:14 . 2009-08-11 02:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-13 21:41 . 2010-08-13 21:41 0 ----a-w- c:\documents and settings\Administrator\ntuser.tmp
2010-08-13 18:39 . 2009-08-06 16:05 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-13 14:39 . 2010-07-06 04:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Hezo
2010-08-13 14:39 . 2009-08-01 18:09 -------- d-----w- c:\program files\Defense Grid - The Awakening
2010-08-13 00:38 . 2009-08-13 12:48 -------- d-----w- c:\program files\Opera 10 Beta
2010-08-13 00:36 . 2009-08-01 02:59 26816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-12 15:24 . 2010-07-05 00:29 -------- d-----w- c:\program files\Facade
2010-08-11 01:03 . 2009-08-01 03:15 -------- d-----w- c:\program files\SetFSBTray
2010-08-09 13:41 . 2010-07-04 21:21 -------- d-----w- c:\program files\IrfanView
2010-06-24 01:52 . 2001-08-23 12:00 81728 ----a-w- c:\windows\Fonts\seriff.fon
2010-06-24 01:50 . 2001-08-23 12:00 57936 ----a-w- c:\windows\Fonts\serife.fon
2010-06-24 01:49 . 2001-08-23 12:00 5312 ----a-w- c:\windows\Fonts\ega80woa.fon
2010-06-24 01:47 . 2001-08-23 12:00 8368 ----a-w- c:\windows\Fonts\ega40woa.fon
2010-06-23 20:00 . 2010-06-24 01:39 218112 ----a-w- c:\windows\system32\c_g18030.dll
2010-06-23 19:39 . 2010-06-24 01:39 827438 ----a-w- c:\windows\system32\imjp81k.dll
2010-06-23 18:24 . 2010-06-24 01:42 7728 ----a-w- c:\windows\Fonts\jvgasys.fon
2010-06-23 18:24 . 2010-06-24 01:42 6528 ----a-w- c:\windows\Fonts\jvgafix.fon
2010-06-23 18:24 . 2010-06-24 01:42 38480 ----a-w- c:\windows\Fonts\jsmallf.fon
2010-06-23 18:24 . 2010-06-24 01:42 41584 ----a-w- c:\windows\Fonts\jsmalle.fon
2010-06-23 18:11 . 2010-06-24 01:42 12400 ----a-w- c:\windows\Fonts\h8514oem.fon
2010-06-23 18:11 . 2010-06-24 01:42 11056 ----a-w- c:\windows\Fonts\h8514fix.fon
2010-06-23 18:11 . 2010-06-24 01:42 10032 ----a-w- c:\windows\Fonts\h8514sys.fon
2010-06-23 18:00 . 2010-06-24 01:42 17760 ----a-w- c:\windows\Fonts\c8514sys.fon
2010-06-23 18:00 . 2010-06-24 01:42 13552 ----a-w- c:\windows\Fonts\c8514oem.fon
2010-06-23 18:00 . 2010-06-24 01:42 10992 ----a-w- c:\windows\Fonts\c8514fix.fon
2010-06-23 17:59 . 2010-06-24 01:42 17760 ----a-w- c:\windows\Fonts\s8514sys.fon
2010-06-23 17:59 . 2010-06-24 01:42 12384 ----a-w- c:\windows\Fonts\s8514oem.fon
2010-06-23 17:59 . 2010-06-24 01:42 11056 ----a-w- c:\windows\Fonts\s8514fix.fon
2010-06-23 17:35 . 2010-06-24 01:42 14432 ----a-w- c:\windows\Fonts\j8514oem.fon
2010-06-23 17:35 . 2010-06-24 01:42 12896 ----a-w- c:\windows\Fonts\j8514fix.fon
2010-06-23 17:35 . 2010-06-24 01:42 10656 ----a-w- c:\windows\Fonts\j8514sys.fon
2010-06-23 17:20 . 2010-06-24 01:42 6512 ----a-w- c:\windows\Fonts\hvgasys.fon
2010-06-23 17:20 . 2010-06-24 01:42 5680 ----a-w- c:\windows\Fonts\hvgafix.fon
2010-06-23 17:07 . 2010-06-24 01:42 5680 ----a-w- c:\windows\Fonts\svgafix.fon
2010-06-23 17:07 . 2010-06-24 01:42 12896 ----a-w- c:\windows\Fonts\svgasys.fon
2010-06-23 16:53 . 2010-06-24 01:42 80896 ----a-w- c:\windows\Fonts\app949.fon
2010-06-23 16:52 . 2010-06-24 01:42 70000 ----a-w- c:\windows\Fonts\app936.fon
2010-06-23 16:52 . 2010-06-24 01:42 80896 ----a-w- c:\windows\Fonts\app932.fon
2010-06-23 16:51 . 2010-06-24 01:42 70000 ----a-w- c:\windows\Fonts\app950.fon
2010-06-23 16:21 . 2010-06-24 01:42 5600 ----a-w- c:\windows\Fonts\cvgafix.fon
2010-06-23 16:21 . 2010-06-24 01:42 12896 ----a-w- c:\windows\Fonts\cvgasys.fon
2010-06-23 16:18 . 2010-06-24 01:42 7232 ----a-w- c:\windows\Fonts\vga932.fon
2010-06-23 16:18 . 2010-06-24 01:39 73216 ----a-w- c:\windows\system32\uniime.dll
2010-06-23 16:17 . 2010-06-24 01:42 6272 ----a-w- c:\windows\Fonts\vga950.fon
2010-06-23 16:17 . 2010-06-24 01:42 6272 ----a-w- c:\windows\Fonts\vga936.fon
2010-06-23 16:17 . 2010-06-24 01:42 6304 ----a-w- c:\windows\Fonts\vga949.fon
2010-06-23 16:07 . 2009-07-31 22:09 21504 ----a-w- c:\windows\Fonts\smallf.fon
2010-06-23 02:33 . 2010-06-23 02:33 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54b27361-n\msvcp71.dll
2010-06-23 02:33 . 2010-06-23 02:33 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54b27361-n\jmc.dll
2010-06-23 02:33 . 2010-06-23 02:33 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-54b27361-n\msvcr71.dll
2010-06-23 02:33 . 2010-06-23 02:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-06-23 02:33 . 2010-06-23 02:33 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-06-23 02:30 . 2010-06-23 02:30 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.

------- Sigcheck -------

[-] 2009-07-14 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys




c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-08-29_00.41.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-29 01:01 . 2008-04-14 02:42 169984 c:\windows\PCHealth\HelpCtr\Binaries\msconfig.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-07-04 398568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ACU"="c:\program files\Atheros\ACU.exe" [2008-07-21 450649]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"nwiz"="nwiz.exe" [2009-05-01 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"MsgTranAgt"="c:\program files\ASUS\ATK Hotkey\MsgTranAgt.exe" [2007-11-04 106496]
"HControlUser"="c:\program files\ASUS\ATK Hotkey\HControlUser.exe" [2008-01-12 98304]
"ATKHOTKEY"="c:\program files\ASUS\ATK Hotkey\HControl.exe" [2008-08-04 217088]
"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-23 7766016]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2008-02-01 61440]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-08-05 3054136]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-24 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-24 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-24 131072]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2010-06-23 208949]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2010-06-23 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2010-06-23 77824]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2010-06-23 737360]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2010-06-23 737360]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
RightMark CPU Clock Utility.lnk - c:\program files\RMClock\RMClock.exe [2009-8-4 1750016]
SetFSBTray.lnk - c:\program files\SetFSBTray\SetFSBTray.exe [2009-7-25 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\UBISOFT\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"d:\\Program Files\\UBISOFT\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\commander keen\\testapp3.bat"=
"d:\\Program Files\\Steam\\steamapps\\common\\commander keen\\testapp4.bat"=
"d:\\Program Files\\Steam\\steamapps\\common\\commander keen\\testapp5.bat"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\doom 2\\doom2.bat"=
"d:\\Program Files\\Steam\\steamapps\\common\\ultimate doom\\ultimate.bat"=
"d:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\doom 3\\Doom3.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=
"c:\\Program Files\\Opera 10 Beta\\opera.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\wLite\\wLite.exe"=
"c:\\Program Files\\wLite\\wService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/12/2010 9:21 PM 304464]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/12/2010 9:21 PM 20952]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [1/22/2009 3:43 PM 46752]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3A.tmp --> c:\windows\system32\3A.tmp [?]
S3 wxpSvc;webcamXP Service;c:\program files\wLite\wService.exe [10/23/2009 11:18 AM 3714048]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/4/2009 2:23 PM 717296]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pq0l64tb.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\NPSWF32.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-29 16:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wxpSvc]
"ImagePath"="c:\program files\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3A.tmp"
.
Completion time: 2010-08-29 16:20:25
ComboFix-quarantined-files.txt 2010-08-29 20:20
ComboFix2.txt 2010-08-29 00:42

Pre-Run: 1,373,548,544 bytes free
Post-Run: 1,362,423,808 bytes free

- - End Of File - - 31608138BD04833719CE493035866354


#9 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 29 August 2010 - 11:41 PM

Hi,

Do you have your Windows XP Professional cd handy? We need to restore a couple of files from it.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#10 PATRICKRL

  • Topic Starter
  • Members
  • 5 posts

Posted 02 September 2010 - 08:04 AM

QUOTE(Blade81 @ Aug 30 2010, 12:41 AM)
Hi,

Do you have your Windows XP Professional cd handy? We need to restore a couple of files from it.

I installed this XP installation using an OEM CD that came with the netbook; however, I unfortunately lost it. I do have the XP Pro CD for my desktop computer. Will this work?

#11 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 02 September 2010 - 09:25 AM

Yes, that will do. Please copy the following files from the i386 folder on the XP Pro CD to your desktop. Let me know when that's done.
wscntfy.ex_
regsvc.dl_


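As an added example (not code from the thread, from ComboFix or from DDS), the following Python helper pulls the "is missing !!" and Sigcheck "[-]" findings out of the ComboFix output above and derives the compressed i386 file names that Blade81 asks for. It assumes that ComboFix marks files that fail its signature check with a leading "[-]" (an assumption, not stated on the page) and that XP install media stores system files with the last character of the extension replaced by "_" (wscntfy.exe becomes wscntfy.ex_); the sample lines are copied from the log above.

```python
"""Added example (not from the thread): extract the 'is missing !!' and
Sigcheck '[-]' findings from a ComboFix log and derive the compressed
file names to look for in the i386 folder of a Windows XP CD.

Assumptions (not stated on the page): ComboFix's Sigcheck section marks
files it could not verify with a leading '[-]'; XP install media stores
system files cab-compressed with the final extension character replaced
by '_' (wscntfy.exe -> wscntfy.ex_, regsvc.dll -> regsvc.dl_).
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: the relevant lines copied from the thread's ComboFix log.
SAMPLE_LOG = """\
------- Sigcheck -------

[-] 2009-07-14 . A29E1209F925A0E9B330E11DA5FC7BAB . 361600 . . [5.1.2600.5625] . . c:\\windows\\system32\\drivers\\tcpip.sys

c:\\windows\\System32\\wscntfy.exe ... is missing !!
c:\\windows\\System32\\regsvc.dll ... is missing !!
.
"""

# "<path> ... is missing !!" lines reported by ComboFix.
MISSING_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) \.\.\. is missing !!$", re.I)

# "[-] <date> . <md5> . <size> . . [<version>] . . <path>" Sigcheck lines.
SIGCHECK_RE = re.compile(
    r"^\[-\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-F]{32}) \. (?P<size>\d+) "
    r"\. \. \[(?P<version>[^\]]+)\] \. \. (?P<path>[a-z]:\\.+)$",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    kind: str         # "missing" or "sigcheck_failed"
    path: str         # full path exactly as ComboFix printed it
    detail: str = ""  # md5/size/version for Sigcheck findings


def parse_combofix_findings(text):
    """Return the missing-file and failed-Sigcheck findings in log order."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding("missing", m.group("path")))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            detail = (f"md5={m.group('md5')} size={m.group('size')} "
                      f"version={m.group('version')}")
            findings.append(Finding("sigcheck_failed", m.group("path"), detail))
    return findings


def i386_name(path):
    """Map a system file name to its compressed name on XP install media."""
    name = PureWindowsPath(path).name
    stem, dot, ext = name.rpartition(".")
    if not dot or len(ext) < 2:
        raise ValueError(f"cannot derive an i386 name for {name!r}")
    return f"{stem}.{ext[:-1]}_"


def files_to_restore(text):
    """Names to copy from the CD's i386 folder, one per 'is missing' finding."""
    return [i386_name(f.path)
            for f in parse_combofix_findings(text) if f.kind == "missing"]


if __name__ == "__main__":
    for finding in parse_combofix_findings(SAMPLE_LOG):
        print(finding.kind, finding.path, finding.detail)
    print("copy from i386:", files_to_restore(SAMPLE_LOG))
```

The Sigcheck finding for tcpip.sys is reported separately because a failed signature check calls for comparing the file against a known-good copy rather than restoring it blindly.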

#12 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 11 September 2010 - 04:41 AM

Still there?



#13 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 19 September 2010 - 10:36 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
