
browser redirect /rootkit


  • This topic is locked
13 replies to this topic

#1 m/beats

m/beats

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 22 December 2010 - 04:41 PM

Hello

I have become infected with some horrible malware; hope you can help me.
I first got this infection from some dodgy website which installed a rogue software (defragger) that I thought I had got rid of by following one of the guides on this website, but even after removing the rogue software I get redirected to random search/loans/survey/random sites when browsing with IE, get popups even when I'm not surfing the web, and sometimes while browsing the internet I'm redirected to a website that starts Java and opens Windows Media Player and also installs rogue software of the fake defragger kind.
MBAM finds the file documents and settings/username/start menu/programs/startup/dvqqwwlw.exe along with some other files
and identifies them as spyware, but does not delete the files on reboot, or they are just reinstalling themselves.
I have even loaded UBCD4Win and deleted the file, but it is still there when I reboot Windows. Also tried to delete in safe mode, but it says 'the file is in use by another person or program'.
While running GMER my computer crashed and now bluescreens every time I start it up.
So now I am in safe mode, but my browser still redirects.
Thanks in advance for your help.

DDS (Ver_10-12-12.02) - NTFSx86
Run by beats at 20:52:32.71 on 21/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1363 [GMT 0:00]

AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\system32\dgdersvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Prio\prio_svc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Tsutya.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\beats\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\fgxncbhfkydvqqwwlw.exe\dvqqwwlw.exe,
uWindows: Run=?
uWindows: Load=?
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [Hhuravur] rundll32.exe "c:\windows\oleyuhax.dll",Startup
mRun: [Autorun Eater] c:\program files\autorun eater\oldmcdonald.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\beats\start menu\programs\startup\dvqqwwlw.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231188122905
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231188112467
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://service.futuremark.com/gom/receiver/tc/FMSI.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://www.driveragent.com/files/driveragent.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: prio.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\beats\applic~1\mozilla\firefox\profiles\1wu7m1p2.default\
FF - plugin: c:\documents and settings\beats\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\beats\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\beats\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {7E95826C-C5CC-4A7C-970D-7B6C6E809757} - c:\documents and settings\beats\local settings\application data\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-17 165456]
R1 prio;Prio;c:\windows\system32\drivers\prio.sys [2010-7-28 51408]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-17 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]
R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2009-12-22 95568]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-6 10384]
R2 prio_svc;Prio Service;c:\program files\prio\prio_svc.exe [2010-7-28 5120]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-17 40384]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2009-12-22 18136]
S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\rapportbuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [2006-11-10 24064]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-7-16 1691480]
S3 cpuz130;cpuz130;\??\c:\docume~1\beats\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\beats\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\beats\locals~1\temp\f-secure\blacklight\fsbldrv.sys --> c:\docume~1\beats\locals~1\temp\f-secure\blacklight\fsbldrv.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-9-17 36640]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-10-12 50704]
S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 rootrepeal[1];rootrepeal[1];\??\c:\windows\system32\drivers\rootrepeal[1].sys --> c:\windows\system32\drivers\rootrepeal[1].sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2010-9-22 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2010-9-22 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2010-9-22 123648]
S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [2010-9-22 100224]
S4 AODService;AODService;c:\program files\amd\overdrive\aodassist.exe --> c:\program files\amd\overdrive\AODAssist.exe [?]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-9-17 217088]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]

=============== Created Last 30 ================

2010-12-21 20:23:42 -------- d-----w- c:\program files\Prio
2010-12-21 19:33:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Autorun Eater
2010-12-21 19:33:26 -------- d-----w- c:\program files\Autorun Eater
2010-12-21 17:48:16 -------- d-----w- c:\docume~1\beats\applic~1\Unhazi
2010-12-21 17:48:16 -------- d-----w- c:\docume~1\beats\applic~1\Imaglu
2010-12-21 17:48:13 -------- d-----w- c:\docume~1\beats\applic~1\Sapov
2010-12-21 17:48:13 -------- d-----w- c:\docume~1\beats\applic~1\QuosaDDM
2010-12-21 17:47:59 -------- d-----w- c:\docume~1\beats\applic~1\Imlu
2010-12-20 23:06:25 -------- d-----w- C:\Recovered Files
2010-12-19 22:51:15 223744 ----a-w- c:\windows\Tsutya.exe
2010-12-19 22:51:08 126464 --sha-r- c:\windows\system32\compt.dll
2010-12-19 22:01:57 0 ----a-w- c:\windows\Dtevocub.bin
2010-12-19 22:01:56 -------- d-----w- c:\docume~1\beats\locals~1\applic~1\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}
2010-12-19 21:56:25 -------- d--h--w- c:\windows\PIF
2010-12-19 16:45:53 -------- d-----w- c:\program files\fgxNcBHFKY؞dvqqwwlw.exe
2010-12-18 20:34:38 -------- d-----w- c:\program files\tmp
2010-12-18 19:31:55 -------- d-----w- c:\program files\win
2010-12-18 17:24:01 -------- d-----w- c:\program files\windows
2010-12-18 14:33:38 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-12-18 14:33:36 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-12-18 14:33:36 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-12-18 14:33:11 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-12-18 14:33:11 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-12-11 19:58:38 -------- d-----w- c:\program files\PokerOfficer
2010-12-08 23:21:41 -------- d-----w- c:\docume~1\beats\locals~1\applic~1\AaaaaRecklessDisregard
2010-11-23 21:25:17 -------- d-----w- c:\docume~1\beats\locals~1\applic~1\Temp
2010-11-23 21:25:14 -------- d-----w- c:\docume~1\beats\locals~1\applic~1\Google
2010-11-23 21:24:57 -------- d-----w- c:\docume~1\beats\locals~1\applic~1\Deployment

==================== Find3M ====================

2010-12-10 15:42:00 270904 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-12-10 15:42:00 270904 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-12-09 19:46:35 270904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2010-12-04 14:35:23 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-10-31 09:55:40 4878 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-10-22 06:23:30 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-22 06:23:30 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-22 06:23:29 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-22 06:23:29 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-22 06:23:29 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-22 06:23:29 2293194 ----a-w- c:\windows\system32\nvdata.bin
2010-10-22 06:23:22 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2010-10-22 06:23:22 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-10-22 06:23:22 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-12 18:19:28 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-10-12 18:19:28 100880 ----a-w- c:\windows\system32\Packet.dll
2010-10-06 15:20:54 138056 ----a-w- c:\docume~1\beats\applic~1\PnkBstrK.sys
2010-10-06 14:24:31 2601752 ----a-w- c:\windows\system32\pbsvc_moh.exe
2009-11-29 18:26:47 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe

============= FINISH: 20:53:32.70 ===============
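The "Pseudo HJT Report" section of the DDS log above carries the indicators behind the symptoms described in this post: a browser proxy pointed at a local port, a second Userinit entry, a rundll32 Run entry loading a DLL from the Windows root, a bare executable in the Startup folder, a non-empty AppInit_DLLs value and orphaned add-on entries. The Python script below is an added example (not part of the original post, and not a DDS or BleepingComputer tool): it applies those heuristics to constructed sample lines copied from the log and reports which ones a responder should look at first. The severity labels and the heuristics themselves are the example's own assumptions, not rules from the DDS tool.

```python
import re

# Constructed sample input: "Pseudo HJT Report" lines in the format DDS prints,
# copied from the log above, with two benign lines (Adobe BHO, avast Run) for contrast.
SAMPLE_LINES = r"""
uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\fgxncbhfkydvqqwwlw.exe\dvqqwwlw.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [Hhuravur] rundll32.exe "c:\windows\oleyuhax.dll",Startup
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\documents and settings\beats\start menu\programs\startup\dvqqwwlw.exe
AppInit_DLLs: prio.dll
"""

# Heuristics (assumed for this example): each regex picks out one DDS line type.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$", re.I)
USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.I)
RUN_RE = re.compile(r"^[umd]Run:\s*\[(.+?)\]\s*(.*)$", re.I)
STARTUP_RE = re.compile(r"^StartupFolder:\s*(.+)$", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(.+)$", re.I)
# A DLL sitting directly in c:\windows (rather than system32) is unusual for a Run entry.
WINROOT_DLL_RE = re.compile(r"c:\\windows\\[^\\]+\.dll", re.I)


def check_line(line):
    """Return (severity, reason) if the line matches a redirect/persistence heuristic, else None."""
    m = PROXY_RE.search(line)
    if m and re.search(r"127\.0\.0\.1|localhost", m.group(1), re.I):
        return ("high", "browser proxy points at a local port: traffic is routed through a local process")
    m = USERINIT_RE.match(line)
    if m:
        # Userinit is a comma-separated list; a clean XP box lists userinit.exe alone.
        entries = [e for e in m.group(1).split(",") if e.strip()]
        if len(entries) > 1:
            return ("high", "extra Userinit entry runs at every logon: " + entries[-1].strip())
    m = RUN_RE.match(line)
    if m and "rundll32" in m.group(2).lower() and WINROOT_DLL_RE.search(m.group(2)):
        return ("high", "Run entry loads a DLL from the Windows root via rundll32")
    m = STARTUP_RE.match(line)
    if m and m.group(1).lower().endswith(".exe"):
        return ("medium", "executable (not a shortcut) placed directly in the Startup folder")
    m = APPINIT_RE.match(line)
    if m:
        return ("medium", "AppInit_DLLs is loaded into every process that loads user32.dll: " + m.group(1).strip())
    if re.search(r"-\s*No File\s*$", line):
        return ("low", "orphaned browser add-on entry (file missing)")
    return None


def triage(text):
    """Run every line of a DDS pseudo-HJT section through check_line; return the hits."""
    hits = []
    for line in text.strip().splitlines():
        result = check_line(line)
        if result:
            hits.append({"severity": result[0], "reason": result[1], "line": line})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f"[{hit['severity']:6}] {hit['reason']}\n         {hit['line']}")
```

Run against the sample it reports six hits: three high (the local proxy, the second Userinit entry and the oleyuhax.dll Run entry), two medium and one low. The AppInit_DLLs hit is a review prompt rather than a verdict: prio.dll belongs to the Prio utility that appears in the "Created Last 30" list of the same log, so a responder would clear it after checking the file, while the proxy and Userinit entries explain the redirects and the file that keeps returning after deletion.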


#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:10 AM

Posted 22 December 2010 - 05:18 PM

Greetings m/beats and Welcome to the Forums,

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • When the utility opens click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until the instruction is given.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running... that may cause the scan to stall.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 m/beats

m/beats
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 22 December 2010 - 05:53 PM

Thank you for the quick reply.
I followed your instructions; here is the log.

ComboFix 10-12-22.01 - beats 22/12/2010 22:30:50.2.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1648 [GMT 0:00]
Running from: c:\documents and settings\beats\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\beats\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\beats\Application Data\Adobe\plugs
c:\documents and settings\beats\Application Data\Adobe\plugs\KB9080046.exe
c:\documents and settings\beats\Application Data\Adobe\plugs\KB9122843.exe
c:\documents and settings\beats\Local Settings\Application Data\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}
c:\documents and settings\beats\Local Settings\Application Data\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}\chrome.manifest
c:\documents and settings\beats\Local Settings\Application Data\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}\chrome\content\_cfg.js
c:\documents and settings\beats\Local Settings\Application Data\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}\chrome\content\overlay.xul
c:\documents and settings\beats\Local Settings\Application Data\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}\install.rdf
c:\documents and settings\jadey b\Local Settings\Application Data\{097C3DB3-E119-47C1-8013-2567255F9A00}
c:\documents and settings\jadey b\Local Settings\Application Data\{097C3DB3-E119-47C1-8013-2567255F9A00}\chrome.manifest
c:\documents and settings\jadey b\Local Settings\Application Data\{097C3DB3-E119-47C1-8013-2567255F9A00}\chrome\content\_cfg.js
c:\documents and settings\jadey b\Local Settings\Application Data\{097C3DB3-E119-47C1-8013-2567255F9A00}\chrome\content\overlay.xul
c:\documents and settings\jadey b\Local Settings\Application Data\{097C3DB3-E119-47C1-8013-2567255F9A00}\install.rdf
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\windows\aratole.dll
c:\windows\hexdump.exe
c:\windows\oleyuhax.dll
c:\windows\services.exe
c:\windows\svchost.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\egv8cf.dll
c:\windows\system32\kb.dll
c:\windows\system32\muzapp.exe
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\xr0e9d7n8.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\explorer.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-11-22 to 2010-12-22 )))))))))))))))))))))))))))))))
.

2010-12-21 23:19 . 2010-12-21 23:19 54276 ---h--w- c:\windows\setup.exe
2010-12-21 23:19 . 2010-12-21 23:19 54276 ---h--w- c:\windows\mdm.exe
2010-12-21 23:18 . 2010-12-21 23:18 464384 ----a-w- c:\documents and settings\All Users\Application Data\YRUvoXXeDU.exe
2010-12-21 23:18 . 2010-12-22 22:44 763392 ----a-w- c:\windows\system32\drivers\pfrvkgiya.sys
2010-12-21 20:23 . 2010-12-21 20:23 -------- d-----w- c:\program files\Prio
2010-12-21 19:33 . 2010-12-21 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2010-12-21 17:48 . 2010-12-21 18:38 -------- d-----w- c:\documents and settings\beats\Application Data\Unhazi
2010-12-21 17:48 . 2010-12-21 17:48 -------- d-----w- c:\documents and settings\beats\Application Data\Imaglu
2010-12-21 17:48 . 2010-12-21 17:48 -------- d-----w- c:\documents and settings\beats\Application Data\Sapov
2010-12-21 17:48 . 2010-12-21 17:48 -------- d-----w- c:\documents and settings\beats\Application Data\QuosaDDM
2010-12-21 17:47 . 2010-12-21 17:47 -------- d-----w- c:\documents and settings\beats\Application Data\Imlu
2010-12-19 22:51 . 2010-12-19 22:51 126464 --sha-r- c:\windows\system32\compt.dll
2010-12-19 22:01 . 2010-12-21 18:32 0 ----a-w- c:\windows\Dtevocub.bin
2010-12-19 21:56 . 2010-12-19 21:56 -------- d--h--w- c:\windows\PIF
2010-12-18 17:24 . 2010-12-21 23:35 -------- d-----w- c:\program files\windows
2010-12-18 14:33 . 2010-12-18 14:33 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-12-18 14:33 . 2010-12-18 14:33 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-12-18 14:33 . 2010-12-18 14:33 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-12-18 14:33 . 2010-10-22 06:23 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-12-18 14:33 . 2010-10-22 06:23 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-12-11 19:58 . 2010-12-11 19:58 -------- d-----w- c:\program files\PokerOfficer
2010-12-08 23:21 . 2010-12-08 23:23 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\AaaaaRecklessDisregard
2010-11-23 21:25 . 2010-12-04 14:30 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Temp
2010-11-23 21:25 . 2010-11-23 21:25 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Google
2010-11-23 21:24 . 2010-11-23 21:25 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-10 15:42 . 2010-01-28 21:09 138416 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-12-10 15:42 . 2010-01-28 21:10 270904 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-12-10 15:42 . 2010-01-28 21:09 270904 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-12-09 19:46 . 2010-01-28 21:09 270904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2010-12-04 14:35 . 2010-01-28 21:09 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-11-29 17:42 . 2009-12-14 13:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2009-12-14 13:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-31 09:55 . 2010-10-31 09:55 4878 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-10-22 06:23 . 2010-07-02 15:46 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-22 06:23 . 2010-07-02 15:46 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-22 06:23 . 2010-07-02 15:46 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-22 06:23 . 2010-07-02 15:46 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-22 06:23 . 2010-07-02 15:46 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-22 06:23 . 2010-07-02 15:46 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-10-22 06:23 . 2010-07-02 15:46 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-22 06:23 . 2010-07-02 12:30 9623680 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-10-22 06:23 . 2010-07-02 12:30 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2010-10-16 12:05 . 2010-10-16 12:05 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-10-16 12:05 . 2010-10-16 12:05 335872 ----a-w- c:\windows\system32\nvrsar.dll
2010-10-16 12:05 . 2010-10-16 12:05 331776 ----a-w- c:\windows\system32\nvrshe.dll
2010-10-16 12:05 . 2010-10-16 12:05 286720 ----a-w- c:\windows\system32\nvrsfr.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrses.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrsel.dll
2010-10-16 12:05 . 2010-10-16 12:05 278528 ----a-w- c:\windows\system32\nvrsde.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrsnl.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrsesm.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsru.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsptb.dll
2010-10-16 12:05 . 2010-10-16 12:05 266240 ----a-w- c:\windows\system32\nvrsko.dll
2010-10-16 12:05 . 2010-10-16 12:05 262144 ----a-w- c:\windows\system32\nvrshu.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrstr.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrssl.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrssk.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsth.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrssv.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsda.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrsfi.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrseng.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrscs.dll
2010-10-16 12:05 . 2010-10-16 12:05 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2010-10-16 12:05 . 2010-10-16 12:05 126976 ----a-w- c:\windows\system32\nvrszht.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrsit.dll
2010-10-16 12:05 . 2010-10-16 12:05 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrspt.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsja.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrspl.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsno.dll
2010-10-16 12:05 . 2010-10-16 12:05 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-10-16 12:05 . 2010-10-16 12:05 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-10-16 12:05 . 2010-10-16 12:05 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 12:05 . 2010-10-16 12:05 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-06 15:20 . 2010-01-28 21:09 138056 ----a-w- c:\documents and settings\beats\Application Data\PnkBstrK.sys
2010-10-06 14:24 . 2010-10-06 15:20 2601752 ----a-w- c:\windows\system32\pbsvc_moh.exe
2009-11-29 18:26 . 2009-11-29 18:25 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"YRUvoXXeDU.exe"="c:\documents and settings\All Users\Application Data\YRUvoXXeDU.exe" [2010-12-21 464384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-06 19556968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^dvqqwwlw.exe]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\dvqqwwlw.exe
backup=c:\windows\pss\dvqqwwlw.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-07-06 17:26 64104 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-23 21:25 136176 ----atw- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-10-10 14:46 69632 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-07-06 17:26 19556968 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-17 17:31 1242448 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 04:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
2008-07-09 12:12 208896 ----a-r- c:\windows\system32\WinSys2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nSvcLog"=2 (0x2)
"ForcewareWebInterface"=2 (0x2)
"nSvcIp"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"RapportMgmtService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LightScribeService"=2 (0x2)
"LBTServ"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"CCALib8"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AODService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"FsUsbExService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\beats\\Desktop\\mirc.exe"=
"c:\\Documents and Settings\\beats\\My Documents\\utorrent 1.6.1\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\bin\\proe.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\insurgency\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\condition zero\\hl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\counter-strike source\\hl2.exe"=

R1 prio;Prio;c:\windows\system32\drivers\prio.sys [28/07/2010 15:36 51408]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/07/2010 21:42 165456]
S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\RapportBuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [10/11/2006 13:08 24064]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/07/2010 21:42 17744]
S2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [22/12/2009 02:31 95568]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [06/01/2009 15:32 10384]
S2 prio_svc;Prio Service;c:\program files\Prio\prio_svc.exe [28/07/2010 15:36 5120]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/07/2010 13:58 1691480]
S3 cpuz130;cpuz130;\??\c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [22/12/2009 02:31 18136]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\beats\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\beats\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [17/09/2009 12:21 36640]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]
S3 Normandy;Normandy SR2; [x]
S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [22/09/2010 21:15 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [22/09/2010 21:15 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [22/09/2010 21:15 123648]
S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [22/09/2010 21:15 100224]
S4 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe --> c:\program files\AMD\OverDrive\AODAssist.exe [?]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [17/09/2009 12:21 217088]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/01/2009 16:38 717296]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 15:05 92008]

--- Other Services/Drivers In Memory ---

*Deregistered* - pfrvkgiya
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004Core.job
- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-23 21:25]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004UA.job
- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-23 21:25]

2010-12-21 c:\windows\Tasks\User_Feed_Synchronization-{037DFE39-D1F8-4E64-A3ED-D280B318EA2E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2010-12-21 c:\windows\Tasks\User_Feed_Synchronization-{9ED11C23-7BCE-40E5-89DD-4BFDCA156EFF}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\beats\Application Data\Mozilla\Firefox\Profiles\1wu7m1p2.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Jseniviyifaniv - c:\windows\aratole.dll
HKLM-Run-Hhuravur - c:\windows\oleyuhax.dll
SafeBoot-klmd23.sys
MSConfigStartUp-Hhuravur - c:\windows\oleyuhax.dll
MSConfigStartUp-JP595IR86O - c:\docume~1\beats\LOCALS~1\Temp\Tq0.exe
MSConfigStartUp-Jseniviyifaniv - c:\windows\aratole.dll
AddRemove-01_Simmental - c:\program files\SAMSUNG\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\SAMSUNG\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\SAMSUNG\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\SAMSUNG\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\SAMSUNG\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\SAMSUNG\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\SAMSUNG\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\SAMSUNG\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-12_Symbian_USB_Download_Driver - c:\program files\SAMSUNG\USB Drivers\12_Symbian_USB_Download_Driver\Uninstall.exe
AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\SAMSUNG\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\SAMSUNG\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\SAMSUNG\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\SAMSUNG\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-22 22:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal

[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\pfrvkgiya]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1326574676-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:07,d0,fb,35,c4,68,ce,49,a9,c3,ff,34,87,8a,34,ab,48,a7,73,99,39,
72,6c,87,ef,61,16,88,13,89,7a,0c,aa,94,25,2b,8d,c2,62,e0,b7,1f,15,87,86,be,\
"rkeysecu"=hex:5f,d6,ef,59,6c,eb,38,23,5e,66,10,fd,ea,ba,6f,0f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(652)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2010-12-22 22:50:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-22 22:49
ComboFix2.txt 2010-07-19 17:26

Pre-Run: 2,896,846,848 bytes free
Post-Run: 3,114,672,128 bytes free

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=2,3,4,5,6,7,8
- - End Of File - - E588B5DA3A8AEA8B216C028B29CD2529

#4 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 22 December 2010 - 08:34 PM

Please upload the following file below, in Bold text, at Virscan for a free scan:
c:\windows\system32\compt.dll
...please remember to post back the results.

Please open a blank Notepad by clicking start-->run...Then, in the run box type Notepad.exe and click "OK".
Copy the below text in the quote box and paste it into the blank Notepad. Be sure to include the url link at the top of the quote box when you copy it. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop.

Next, please drag the CFScript.txt into the ComboFix.exe icon on your Desktop. Combofix will scan again automatically.

Note:
Do not mouseclick combofix's window while it's running...it may cause the scan to stall


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the below script, ComboFix will capture a file (or files) to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

http://www.bleepingcomputer.com/forums/topic368926.html/page__pid__2066428#entry2066428
KILLALL::

File::
c:\windows\Dtevocub.bin
c:\program files\vlc-1.0.3-win32.exe

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:50370
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} -

Rootkit::
c:\documents and settings\beats\Start Menu\Programs\Startup\dvqqwwlw.exe
c:\windows\pss\dvqqwwlw.exe
c:\documents and settings\All Users\Application Data\YRUvoXXeDU.exe
c:\windows\system32\drivers\pfrvkgiya.sys

Driver::
pfrvkgiya

Collect::
c:\windows\system32\WinSys2.exe
c:\documents and settings\All Users\Application Data\YRUvoXXeDU.exe

Firefox::
FF - ProfilePath - c:\documents and settings\beats\Application Data\Mozilla\Firefox\Profiles\1wu7m1p2.default\
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} -

Folder::
c:\Documents and Settings\beats\My Documents\utorrent 1.6.1
c:\program files\windows
c:\documents and settings\beats\Application Data\Unhazi
c:\documents and settings\beats\Application Data\Imaglu
c:\documents and settings\beats\Application Data\Sapov
c:\documents and settings\beats\Application Data\QuosaDDM
c:\documents and settings\beats\Application Data\Imlu

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

Registry::
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@=-
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@=-
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@=-
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@=-
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\Documents and Settings\beats\My Documents\utorrent 1.6.1\utorrent.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^dvqqwwlw.exe]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\dvqqwwlw.exe
backup=c:\windows\pss\dvqqwwlw.exeStartup
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YRUvoXXeDU.exe"="c:\documents and settings\All Users\Application Data\YRUvoXXeDU.exe" [2010-12-21 464384]


Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#5 m/beats (Topic Starter)

  • Members
  • 7 posts

Posted 23 December 2010 - 03:39 PM

VirScan came up with an error when I tried to upload compt.dll,
but mbam identified it as 'Trojan.Agent'.


I have uploaded the files as requested.

Thanks

Edited by m/beats, 23 December 2010 - 03:56 PM.


#6 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 23 December 2010 - 04:08 PM

May I see the combofix log then please?



#7 m/beats (Topic Starter)

  • Members
  • 7 posts

Posted 23 December 2010 - 04:51 PM

ComboFix 10-12-23.02 - beats 23/12/2010 20:07:18.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1575 [GMT 0:00]
Running from: c:\documents and settings\beats\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\beats\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

FILE ::
"c:\program files\vlc-1.0.3-win32.exe"
"c:\windows\Dtevocub.bin"

file zipped: c:\windows\system32\WinSys2.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\beats\Application Data\Imaglu
c:\documents and settings\beats\Application Data\Imlu
c:\documents and settings\beats\Application Data\QuosaDDM
c:\documents and settings\beats\Application Data\QuosaDDM\quosaddm.properties
c:\documents and settings\beats\Application Data\Sapov
c:\documents and settings\beats\Application Data\Unhazi
c:\documents and settings\beats\My Documents\utorrent 1.6.1
c:\documents and settings\beats\My Documents\utorrent 1.6.1\utorrent 1.6.1.nfo
c:\documents and settings\beats\My Documents\utorrent 1.6.1\utorrent 1.6.1.sfv
c:\documents and settings\beats\My Documents\utorrent 1.6.1\utorrent.1.6.1.rar
c:\documents and settings\beats\My Documents\utorrent 1.6.1\utorrent.exe
c:\documents and settings\beats\My Documents\utorrent 1.6.1\uTorrent.txt
c:\program files\vlc-1.0.3-win32.exe
c:\program files\windows
c:\windows\Dtevocub.bin
c:\windows\system32\WinSys2.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-23 to 2010-12-23 )))))))))))))))))))))))))))))))
.

2010-12-23 00:10 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-23 00:10 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-21 23:19 . 2010-12-21 23:19 54276 ---h--w- c:\windows\setup.exe
2010-12-21 23:19 . 2010-12-21 23:19 54276 ---h--w- c:\windows\mdm.exe
2010-12-21 23:18 . 2010-12-22 23:38 763392 ----a-w- c:\windows\system32\drivers\pfrvkgiya.sys
2010-12-21 20:23 . 2010-12-21 20:23 -------- d-----w- c:\program files\Prio
2010-12-21 19:33 . 2010-12-21 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2010-12-19 21:56 . 2010-12-19 21:56 -------- d--h--w- c:\windows\PIF
2010-12-18 14:33 . 2010-12-18 14:33 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-12-18 14:33 . 2010-12-18 14:33 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-12-18 14:33 . 2010-12-18 14:33 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-12-18 14:33 . 2010-10-22 06:23 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-12-18 14:33 . 2010-10-22 06:23 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-12-11 19:58 . 2010-12-11 19:58 -------- d-----w- c:\program files\PokerOfficer
2010-12-08 23:21 . 2010-12-08 23:23 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\AaaaaRecklessDisregard
2010-11-23 21:25 . 2010-12-04 14:30 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Temp
2010-11-23 21:25 . 2010-11-23 21:25 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Google
2010-11-23 21:24 . 2010-11-23 21:25 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 18:09 . 2009-12-14 13:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2009-12-14 13:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-10 15:42 . 2010-01-28 21:09 138416 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-12-10 15:42 . 2010-01-28 21:10 270904 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-12-10 15:42 . 2010-01-28 21:09 270904 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-12-09 19:46 . 2010-01-28 21:09 270904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2010-12-04 14:35 . 2010-01-28 21:09 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-11-18 18:12 . 2009-01-05 19:30 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-18 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-31 09:55 . 2010-10-31 09:55 4878 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-10-28 13:13 . 2001-08-18 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2001-08-18 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-22 06:23 . 2010-07-02 15:46 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-22 06:23 . 2010-07-02 15:46 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-22 06:23 . 2010-07-02 15:46 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-22 06:23 . 2010-07-02 15:46 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-22 06:23 . 2010-07-02 15:46 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-22 06:23 . 2010-07-02 15:46 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-10-22 06:23 . 2010-07-02 15:46 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-22 06:23 . 2010-07-02 12:30 9623680 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-10-22 06:23 . 2010-07-02 12:30 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2010-10-16 12:05 . 2010-10-16 12:05 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-10-16 12:05 . 2010-10-16 12:05 335872 ----a-w- c:\windows\system32\nvrsar.dll
2010-10-16 12:05 . 2010-10-16 12:05 331776 ----a-w- c:\windows\system32\nvrshe.dll
2010-10-16 12:05 . 2010-10-16 12:05 286720 ----a-w- c:\windows\system32\nvrsfr.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrses.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrsel.dll
2010-10-16 12:05 . 2010-10-16 12:05 278528 ----a-w- c:\windows\system32\nvrsde.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrsnl.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrsesm.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsru.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsptb.dll
2010-10-16 12:05 . 2010-10-16 12:05 266240 ----a-w- c:\windows\system32\nvrsko.dll
2010-10-16 12:05 . 2010-10-16 12:05 262144 ----a-w- c:\windows\system32\nvrshu.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrstr.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrssl.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrssk.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsth.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrssv.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsda.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrsfi.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrseng.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrscs.dll
2010-10-16 12:05 . 2010-10-16 12:05 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2010-10-16 12:05 . 2010-10-16 12:05 126976 ----a-w- c:\windows\system32\nvrszht.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrsit.dll
2010-10-16 12:05 . 2010-10-16 12:05 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrspt.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsja.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrspl.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsno.dll
2010-10-16 12:05 . 2010-10-16 12:05 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-10-16 12:05 . 2010-10-16 12:05 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-10-16 12:05 . 2010-10-16 12:05 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 12:05 . 2010-10-16 12:05 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-06 15:20 . 2010-01-28 21:09 138056 ----a-w- c:\documents and settings\beats\Application Data\PnkBstrK.sys
2010-10-06 14:24 . 2010-10-06 15:20 2601752 ----a-w- c:\windows\system32\pbsvc_moh.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-06 19556968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^dvqqwwlw.exe]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\dvqqwwlw.exe
backup=c:\windows\pss\dvqqwwlw.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-07-06 17:26 64104 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-23 21:25 136176 ----atw- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-10-10 14:46 69632 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-07-06 17:26 19556968 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-17 17:31 1242448 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 04:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nSvcLog"=2 (0x2)
"ForcewareWebInterface"=2 (0x2)
"nSvcIp"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"RapportMgmtService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LightScribeService"=2 (0x2)
"LBTServ"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"CCALib8"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AODService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"FsUsbExService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\beats\\Desktop\\mirc.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\bin\\proe.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\insurgency\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\condition zero\\hl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\counter-strike source\\hl2.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/07/2010 21:42 165456]
R1 prio;Prio;c:\windows\system32\drivers\prio.sys [28/07/2010 15:36 51408]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/07/2010 21:42 17744]
R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [22/12/2009 02:31 95568]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [06/01/2009 15:32 10384]
R2 prio_svc;Prio Service;c:\program files\Prio\prio_svc.exe [28/07/2010 15:36 5120]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [22/12/2009 02:31 18136]
S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\RapportBuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [10/11/2006 13:08 24064]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/07/2010 13:58 1691480]
S3 cpuz130;cpuz130;\??\c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\beats\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\beats\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [17/09/2009 12:21 36640]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]
S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [22/09/2010 21:15 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [22/09/2010 21:15 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [22/09/2010 21:15 123648]
S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [22/09/2010 21:15 100224]
S4 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe --> c:\program files\AMD\OverDrive\AODAssist.exe [?]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [17/09/2009 12:21 217088]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/01/2009 16:38 717296]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 15:05 92008]
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004Core.job
- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-23 21:25]

2010-12-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004UA.job
- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-23 21:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\beats\Application Data\Mozilla\Firefox\Profiles\1wu7m1p2.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-WinSys2 - c:\windows\system32\winsys2.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-23 20:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet008\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1326574676-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:07,d0,fb,35,c4,68,ce,49,a9,c3,ff,34,87,8a,34,ab,48,a7,73,99,39,
72,6c,87,ef,61,16,88,13,89,7a,0c,aa,94,25,2b,8d,c2,62,e0,b7,1f,15,87,86,be,\
"rkeysecu"=hex:5f,d6,ef,59,6c,eb,38,23,5e,66,10,fd,ea,ba,6f,0f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2412)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-12-23 20:26:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-23 20:26
ComboFix2.txt 2010-12-23 00:11
ComboFix3.txt 2010-12-22 22:50
ComboFix4.txt 2010-07-19 17:26

Pre-Run: 2,267,312,128 bytes free
Post-Run: 2,668,490,752 bytes free

Current=8 Default=8 Failed=7 LastKnownGood=1 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 61671799C0192A6342EFFECEBC1FBB38

#8 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 23 December 2010 - 07:08 PM

Thanks. I'd like to ask, while I'm reviewing this recent combofix log...can you show me combofix logs numbered 1, 3 and 4 please?

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#9 m/beats

m/beats
  • Topic Starter

  • Members
  • 7 posts

Posted 23 December 2010 - 08:48 PM

3

ComboFix 10-12-22.01 - beats 22/12/2010 22:30:50.2.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1648 [GMT 0:00]
Running from: c:\documents and settings\beats\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\beats\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\beats\Application Data\Adobe\plugs
c:\documents and settings\beats\Application Data\Adobe\plugs\KB9080046.exe
c:\documents and settings\beats\Application Data\Adobe\plugs\KB9122843.exe
c:\documents and settings\beats\Local Settings\Application Data\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}
c:\documents and settings\beats\Local Settings\Application Data\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}\chrome.manifest
c:\documents and settings\beats\Local Settings\Application Data\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}\chrome\content\_cfg.js
c:\documents and settings\beats\Local Settings\Application Data\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}\chrome\content\overlay.xul
c:\documents and settings\beats\Local Settings\Application Data\{7E95826C-C5CC-4A7C-970D-7B6C6E809757}\install.rdf
c:\documents and settings\jadey b\Local Settings\Application Data\{097C3DB3-E119-47C1-8013-2567255F9A00}
c:\documents and settings\jadey b\Local Settings\Application Data\{097C3DB3-E119-47C1-8013-2567255F9A00}\chrome.manifest
c:\documents and settings\jadey b\Local Settings\Application Data\{097C3DB3-E119-47C1-8013-2567255F9A00}\chrome\content\_cfg.js
c:\documents and settings\jadey b\Local Settings\Application Data\{097C3DB3-E119-47C1-8013-2567255F9A00}\chrome\content\overlay.xul
c:\documents and settings\jadey b\Local Settings\Application Data\{097C3DB3-E119-47C1-8013-2567255F9A00}\install.rdf
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\windows\aratole.dll
c:\windows\hexdump.exe
c:\windows\oleyuhax.dll
c:\windows\services.exe
c:\windows\svchost.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\egv8cf.dll
c:\windows\system32\kb.dll
c:\windows\system32\muzapp.exe
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\xr0e9d7n8.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\explorer.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-11-22 to 2010-12-22 )))))))))))))))))))))))))))))))
.

2010-12-21 23:19 . 2010-12-21 23:19 54276 ---h--w- c:\windows\setup.exe
2010-12-21 23:19 . 2010-12-21 23:19 54276 ---h--w- c:\windows\mdm.exe
2010-12-21 23:18 . 2010-12-21 23:18 464384 ----a-w- c:\documents and settings\All Users\Application Data\YRUvoXXeDU.exe
2010-12-21 23:18 . 2010-12-22 22:44 763392 ----a-w- c:\windows\system32\drivers\pfrvkgiya.sys
2010-12-21 20:23 . 2010-12-21 20:23 -------- d-----w- c:\program files\Prio
2010-12-21 19:33 . 2010-12-21 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2010-12-21 17:48 . 2010-12-21 18:38 -------- d-----w- c:\documents and settings\beats\Application Data\Unhazi
2010-12-21 17:48 . 2010-12-21 17:48 -------- d-----w- c:\documents and settings\beats\Application Data\Imaglu
2010-12-21 17:48 . 2010-12-21 17:48 -------- d-----w- c:\documents and settings\beats\Application Data\Sapov
2010-12-21 17:48 . 2010-12-21 17:48 -------- d-----w- c:\documents and settings\beats\Application Data\QuosaDDM
2010-12-21 17:47 . 2010-12-21 17:47 -------- d-----w- c:\documents and settings\beats\Application Data\Imlu
2010-12-19 22:51 . 2010-12-19 22:51 126464 --sha-r- c:\windows\system32\compt.dll
2010-12-19 22:01 . 2010-12-21 18:32 0 ----a-w- c:\windows\Dtevocub.bin
2010-12-19 21:56 . 2010-12-19 21:56 -------- d--h--w- c:\windows\PIF
2010-12-18 17:24 . 2010-12-21 23:35 -------- d-----w- c:\program files\windows
2010-12-18 14:33 . 2010-12-18 14:33 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-12-18 14:33 . 2010-12-18 14:33 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-12-18 14:33 . 2010-12-18 14:33 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-12-18 14:33 . 2010-10-22 06:23 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-12-18 14:33 . 2010-10-22 06:23 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-12-11 19:58 . 2010-12-11 19:58 -------- d-----w- c:\program files\PokerOfficer
2010-12-08 23:21 . 2010-12-08 23:23 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\AaaaaRecklessDisregard
2010-11-23 21:25 . 2010-12-04 14:30 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Temp
2010-11-23 21:25 . 2010-11-23 21:25 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Google
2010-11-23 21:24 . 2010-11-23 21:25 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-10 15:42 . 2010-01-28 21:09 138416 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-12-10 15:42 . 2010-01-28 21:10 270904 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-12-10 15:42 . 2010-01-28 21:09 270904 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-12-09 19:46 . 2010-01-28 21:09 270904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2010-12-04 14:35 . 2010-01-28 21:09 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-11-29 17:42 . 2009-12-14 13:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2009-12-14 13:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-31 09:55 . 2010-10-31 09:55 4878 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-10-22 06:23 . 2010-07-02 15:46 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-22 06:23 . 2010-07-02 15:46 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-22 06:23 . 2010-07-02 15:46 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-22 06:23 . 2010-07-02 15:46 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-22 06:23 . 2010-07-02 15:46 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-22 06:23 . 2010-07-02 15:46 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-10-22 06:23 . 2010-07-02 15:46 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-22 06:23 . 2010-07-02 12:30 9623680 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-10-22 06:23 . 2010-07-02 12:30 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2010-10-16 12:05 . 2010-10-16 12:05 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-10-16 12:05 . 2010-10-16 12:05 335872 ----a-w- c:\windows\system32\nvrsar.dll
2010-10-16 12:05 . 2010-10-16 12:05 331776 ----a-w- c:\windows\system32\nvrshe.dll
2010-10-16 12:05 . 2010-10-16 12:05 286720 ----a-w- c:\windows\system32\nvrsfr.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrses.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrsel.dll
2010-10-16 12:05 . 2010-10-16 12:05 278528 ----a-w- c:\windows\system32\nvrsde.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrsnl.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrsesm.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsru.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsptb.dll
2010-10-16 12:05 . 2010-10-16 12:05 266240 ----a-w- c:\windows\system32\nvrsko.dll
2010-10-16 12:05 . 2010-10-16 12:05 262144 ----a-w- c:\windows\system32\nvrshu.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrstr.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrssl.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrssk.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsth.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrssv.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsda.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrsfi.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrseng.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrscs.dll
2010-10-16 12:05 . 2010-10-16 12:05 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2010-10-16 12:05 . 2010-10-16 12:05 126976 ----a-w- c:\windows\system32\nvrszht.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrsit.dll
2010-10-16 12:05 . 2010-10-16 12:05 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrspt.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsja.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrspl.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsno.dll
2010-10-16 12:05 . 2010-10-16 12:05 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-10-16 12:05 . 2010-10-16 12:05 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-10-16 12:05 . 2010-10-16 12:05 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 12:05 . 2010-10-16 12:05 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-06 15:20 . 2010-01-28 21:09 138056 ----a-w- c:\documents and settings\beats\Application Data\PnkBstrK.sys
2010-10-06 14:24 . 2010-10-06 15:20 2601752 ----a-w- c:\windows\system32\pbsvc_moh.exe
2009-11-29 18:26 . 2009-11-29 18:25 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"YRUvoXXeDU.exe"="c:\documents and settings\All Users\Application Data\YRUvoXXeDU.exe" [2010-12-21 464384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-06 19556968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^dvqqwwlw.exe]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\dvqqwwlw.exe
backup=c:\windows\pss\dvqqwwlw.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-07-06 17:26 64104 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-23 21:25 136176 ----atw- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-10-10 14:46 69632 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-07-06 17:26 19556968 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-17 17:31 1242448 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 04:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
2008-07-09 12:12 208896 ----a-r- c:\windows\system32\WinSys2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nSvcLog"=2 (0x2)
"ForcewareWebInterface"=2 (0x2)
"nSvcIp"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"RapportMgmtService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LightScribeService"=2 (0x2)
"LBTServ"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"CCALib8"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AODService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"FsUsbExService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\beats\\Desktop\\mirc.exe"=
"c:\\Documents and Settings\\beats\\My Documents\\utorrent 1.6.1\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\bin\\proe.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\insurgency\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\condition zero\\hl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\counter-strike source\\hl2.exe"=

R1 prio;Prio;c:\windows\system32\drivers\prio.sys [28/07/2010 15:36 51408]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/07/2010 21:42 165456]
S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\RapportBuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [10/11/2006 13:08 24064]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/07/2010 21:42 17744]
S2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [22/12/2009 02:31 95568]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [06/01/2009 15:32 10384]
S2 prio_svc;Prio Service;c:\program files\Prio\prio_svc.exe [28/07/2010 15:36 5120]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/07/2010 13:58 1691480]
S3 cpuz130;cpuz130;\??\c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [22/12/2009 02:31 18136]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\beats\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\beats\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [17/09/2009 12:21 36640]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]
S3 Normandy;Normandy SR2; [x]
S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [22/09/2010 21:15 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [22/09/2010 21:15 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [22/09/2010 21:15 123648]
S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [22/09/2010 21:15 100224]
S4 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe --> c:\program files\AMD\OverDrive\AODAssist.exe [?]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [17/09/2009 12:21 217088]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/01/2009 16:38 717296]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 15:05 92008]

--- Other Services/Drivers In Memory ---

*Deregistered* - pfrvkgiya
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004Core.job
- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-23 21:25]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004UA.job
- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-23 21:25]

2010-12-21 c:\windows\Tasks\User_Feed_Synchronization-{037DFE39-D1F8-4E64-A3ED-D280B318EA2E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2010-12-21 c:\windows\Tasks\User_Feed_Synchronization-{9ED11C23-7BCE-40E5-89DD-4BFDCA156EFF}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\beats\Application Data\Mozilla\Firefox\Profiles\1wu7m1p2.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Jseniviyifaniv - c:\windows\aratole.dll
HKLM-Run-Hhuravur - c:\windows\oleyuhax.dll
SafeBoot-klmd23.sys
MSConfigStartUp-Hhuravur - c:\windows\oleyuhax.dll
MSConfigStartUp-JP595IR86O - c:\docume~1\beats\LOCALS~1\Temp\Tq0.exe
MSConfigStartUp-Jseniviyifaniv - c:\windows\aratole.dll
AddRemove-01_Simmental - c:\program files\SAMSUNG\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\SAMSUNG\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\SAMSUNG\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\SAMSUNG\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\SAMSUNG\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\SAMSUNG\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\SAMSUNG\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\SAMSUNG\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-12_Symbian_USB_Download_Driver - c:\program files\SAMSUNG\USB Drivers\12_Symbian_USB_Download_Driver\Uninstall.exe
AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\SAMSUNG\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\SAMSUNG\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\SAMSUNG\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\SAMSUNG\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-22 22:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal

[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\pfrvkgiya]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1326574676-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:07,d0,fb,35,c4,68,ce,49,a9,c3,ff,34,87,8a,34,ab,48,a7,73,99,39,
72,6c,87,ef,61,16,88,13,89,7a,0c,aa,94,25,2b,8d,c2,62,e0,b7,1f,15,87,86,be,\
"rkeysecu"=hex:5f,d6,ef,59,6c,eb,38,23,5e,66,10,fd,ea,ba,6f,0f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(652)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
Completion time: 2010-12-22 22:50:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-22 22:49
ComboFix2.txt 2010-07-19 17:26


Pre-Run: 2,896,846,848 bytes free
Post-Run: 3,114,672,128 bytes free

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=2,3,4,5,6,7,8
- - End Of File - - E588B5DA3A8AEA8B216C028B29CD2529



4

ComboFix 10-07-18.05 - beats 19/07/2010 18:18:57.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1487 [GMT 1:00]
Running from: c:\documents and settings\beats\Desktop\subsFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\beats\Application Data\SystemProc
c:\documents and settings\beats\Application Data\SystemProc\lsass.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows\regedit.com
c:\windows\system32\system

.
((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-19 13:12 . 2010-07-19 13:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-07-19 03:07 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-19 02:50 . 2010-07-19 02:51 -------- d-----w- C:\xpsp2
2010-07-19 02:22 . 2010-07-19 03:37 -------- d-----w- C:\UBCD4Win
2010-07-19 02:13 . 2010-07-19 03:30 -------- d-----w- C:\xpcd
2010-07-19 01:17 . 2010-07-19 01:17 -------- d-----w- c:\program files\RootKit Hook Analyzer
2010-07-19 01:17 . 2007-07-06 23:39 19248 ----a-w- c:\windows\system32\drivers\rspsc32.sys
2010-07-18 22:47 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-18 21:50 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-18 21:49 . 2010-07-18 21:49 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-18 21:44 . 2010-07-18 21:44 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Sunbelt Software
2010-07-18 21:38 . 2010-07-18 21:38 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-18 21:38 . 2010-07-12 08:56 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-18 21:38 . 2010-07-18 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-18 21:38 . 2010-07-18 21:38 -------- d-----w- c:\program files\Lavasoft
2010-07-18 14:24 . 2010-07-18 14:24 -------- d-----w- c:\program files\CCleaner
2010-07-18 13:33 . 2010-07-18 13:33 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-17 21:42 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-17 21:42 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-17 21:42 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-17 21:42 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-17 21:42 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-17 21:42 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-17 21:42 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-17 21:42 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-17 21:42 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-17 21:41 . 2010-07-17 21:41 -------- d-----w- c:\program files\Alwil Software
2010-07-17 21:41 . 2010-07-17 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-16 13:58 . 2010-07-06 17:27 359016 ----a-w- c:\windows\vncutil.exe
2010-07-16 13:58 . 2010-07-06 17:26 53864 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-07-16 13:58 . 2010-07-06 17:26 129640 ----a-w- c:\windows\RtkAudioService.exe
2010-07-16 13:58 . 2009-11-18 06:17 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2010-07-16 13:58 . 2009-11-18 06:16 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2010-07-15 22:47 . 2010-07-06 17:26 64104 ----a-w- c:\windows\ALCMTR.EXE
2010-07-14 14:16 . 2010-07-14 14:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-14 11:43 . 2010-07-14 11:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-13 21:44 . 2010-07-13 21:44 -------- d-----w- c:\program files\Electronic Arts
2010-07-13 17:51 . 2010-07-13 17:51 -------- d-----w- c:\program files\Trend Micro
2010-07-11 21:56 . 2010-07-11 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-02 16:41 . 2010-07-02 16:41 -------- d-----w- c:\program files\AMD
2010-07-02 16:41 . 2006-07-01 21:39 36864 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2010-07-02 16:36 . 2010-07-02 16:36 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2010-07-02 16:36 . 2010-07-02 16:36 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\eSupport.com
2010-07-02 15:51 . 2010-07-02 15:51 -------- d-----w- c:\windows\DEA314C409294250BC9298E4C105F28D.TMP
2010-07-02 15:46 . 2010-04-03 22:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-02 15:46 . 2010-04-03 22:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-02 15:46 . 2010-04-03 22:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-02 15:46 . 2010-04-03 22:55 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-07-02 15:46 . 2010-04-03 22:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-02 15:46 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-07-02 15:46 . 2010-04-03 22:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-07-02 15:46 . 2010-04-03 22:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-07-02 15:46 . 2010-04-03 22:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-07-02 15:46 . 2010-04-03 22:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-07-02 12:30 . 2010-04-03 22:55 10232128 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2010-07-02 12:30 . 2010-04-03 22:55 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-07-02 12:30 . 2010-04-03 22:55 6432128 -c--a-w- c:\windows\system32\dllcache\nv4_disp.dll
2010-07-02 12:30 . 2010-04-03 22:55 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-07-02 12:19 . 2010-07-06 17:27 1833576 ----a-w- c:\windows\SkyTel.exe
2010-07-02 12:19 . 2010-07-06 17:27 1489512 ----a-w- c:\windows\RtlUpd.exe
2010-07-02 12:19 . 2010-06-24 10:13 1251944 ----a-w- c:\windows\RtlExUpd.dll
2010-07-02 12:16 . 2006-07-11 20:38 110592 ----a-w- c:\windows\system32\drivers\nvtcp.sys
2010-07-02 12:16 . 2007-09-25 16:08 356352 ----a-w- c:\windows\system32\nvunrm.exe
2010-07-02 12:13 . 2010-05-28 11:58 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-07-02 12:07 . 2006-07-11 20:38 20480 ----a-w- c:\windows\system32\drivers\nvnetbus.sys
2010-07-02 12:07 . 2006-07-11 20:38 57856 ----a-w- c:\windows\system32\drivers\NVENETFD.sys
2010-07-02 12:07 . 2006-07-11 20:38 1160448 ----a-w- c:\windows\system32\drivers\nvnrm.sys
2010-07-02 12:07 . 2006-07-11 20:37 261632 ----a-w- c:\windows\system32\drivers\nvsnpu.sys
2010-07-02 12:07 . 2006-06-29 14:40 35840 ----a-w- c:\windows\system32\nvconrm.dll
2010-07-02 12:07 . 2006-07-11 20:36 201728 ----a-w- c:\windows\system32\fdco1.dll
2010-07-02 12:07 . 2006-07-11 20:36 11264 ----a-w- c:\windows\system32\bdco1.dll
2010-07-02 11:41 . 2010-07-02 11:41 70200 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-02 11:30 . 2010-07-02 11:30 -------- d-----w- c:\program files\Phyxion.net
2010-06-28 23:17 . 2010-07-14 14:16 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-28 22:39 . 2010-06-28 22:39 -------- d-----w- c:\documents and settings\beats\Application Data\InstallShield
2010-06-28 22:38 . 2006-07-11 20:36 201728 ----a-w- c:\windows\system32\fdco1ins.dll
2010-06-28 22:38 . 2006-07-11 20:36 11264 ----a-w- c:\windows\system32\bdco1ins.dll
2010-06-28 22:37 . 2008-01-25 18:48 37888 ----a-w- c:\windows\system32\NvRCoTr.dll
2010-06-28 22:37 . 2008-01-25 18:48 37888 ----a-w- c:\windows\system32\NvRCoSl.dll
2010-06-28 22:37 . 2008-01-25 18:48 37888 ----a-w- c:\windows\system32\NvRCoSk.dll
2010-06-28 22:37 . 2008-01-25 18:48 37376 ----a-w- c:\windows\system32\NvRCoTh.dll
2010-06-28 22:37 . 2008-01-25 18:48 38400 ----a-w- c:\windows\system32\NvRCoPt.dll
2010-06-28 22:37 . 2008-01-25 18:48 37888 ----a-w- c:\windows\system32\NvRCoPl.dll
2010-06-28 22:37 . 2008-01-25 18:48 37888 ----a-w- c:\windows\system32\NvRCoHu.dll
2010-06-28 22:37 . 2008-01-25 18:48 36864 ----a-w- c:\windows\system32\NvRCoHe.dll
2010-06-28 22:37 . 2008-01-25 18:48 38400 ----a-w- c:\windows\system32\NvRCoEl.dll
2010-06-28 22:37 . 2008-01-25 18:48 37376 ----a-w- c:\windows\system32\NvRCoCs.dll
2010-06-28 22:37 . 2008-01-25 18:48 37376 ----a-w- c:\windows\system32\NvRCoAr.dll
2010-06-28 20:05 . 2010-06-02 03:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-28 20:05 . 2010-06-02 03:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-28 20:05 . 2010-06-02 03:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-06-28 20:05 . 2010-05-26 10:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-06-28 20:05 . 2010-05-26 10:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-06-28 20:05 . 2010-05-26 10:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-06-28 20:05 . 2010-05-26 10:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-06-28 20:05 . 2010-05-26 10:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-06-28 20:05 . 2010-02-04 09:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-06-28 20:05 . 2010-02-04 09:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-06-28 20:05 . 2010-02-04 09:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-06-28 20:05 . 2010-02-04 09:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-06-28 20:04 . 2010-06-28 20:04 -------- d--h--w- c:\windows\msdownld.tmp
2010-06-25 19:19 . 2010-06-25 19:19 -------- d-----w- c:\windows\B83FC356B7C0441F8A4DD71E088E7974.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-19 17:10 . 2009-01-06 14:48 -------- d-----w- c:\program files\Steam
2010-07-19 13:14 . 2010-01-11 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-19 01:22 . 2001-08-18 12:00 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2010-07-18 23:59 . 2010-07-18 23:59 52480 ----a-w- c:\windows\system32\drivers\tsk4.tmp
2010-07-18 19:58 . 2010-01-28 21:09 137256 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-07-18 19:58 . 2010-01-28 21:09 218808 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-18 14:44 . 2009-07-20 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-18 14:44 . 2009-09-30 21:21 -------- d-----w- c:\documents and settings\beats\Application Data\Media Player Classic
2010-07-16 13:59 . 2009-01-05 21:22 -------- d-----w- c:\program files\Realtek
2010-07-15 17:57 . 2009-07-20 15:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-13 18:11 . 2009-12-14 22:26 -------- d-----w- c:\documents and settings\beats\Application Data\Qava
2010-07-13 17:42 . 2010-07-14 14:16 142712 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Personal_32_1033.dat
2010-07-11 20:30 . 2009-01-25 20:47 -------- d-----w- c:\documents and settings\beats\Application Data\uTorrent
2010-07-11 14:33 . 2009-01-06 14:38 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-06 17:27 . 2009-01-05 21:22 84584 ----a-w- c:\windows\SOUNDMAN.EXE
2010-07-06 17:26 . 2009-01-05 21:22 9721960 ----a-w- c:\windows\RTLCPL.EXE
2010-07-06 17:26 . 2009-01-05 21:22 6088296 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-07-06 17:26 . 2009-01-05 21:22 19556968 ----a-w- c:\windows\RTHDCPL.EXE
2010-07-06 17:26 . 2009-01-05 21:22 2815592 ----a-w- c:\windows\ALCWZRD.EXE
2010-07-06 17:26 . 2009-01-05 21:22 2180712 ----a-w- c:\windows\MicCal.exe
2010-07-02 16:41 . 2009-01-05 20:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-02 15:51 . 2009-01-05 20:31 -------- d-----w- c:\program files\NVIDIA Corporation
2010-07-02 15:46 . 2009-11-14 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-06-28 23:24 . 2009-10-27 18:35 -------- d-----w- c:\program files\SpeedFan
2010-06-28 23:22 . 2010-01-28 21:09 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-06-25 19:19 . 2009-10-04 16:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-15 19:39 . 2009-07-28 23:16 -------- d-----w- c:\documents and settings\beats\Application Data\ZoomBrowser EX
2010-06-15 19:39 . 2009-07-28 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-06-14 14:31 . 2009-01-05 19:30 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-06-07 17:07 . 2010-06-07 17:07 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-06 14:55 . 2009-02-22 06:16 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 21:57 . 2009-12-14 13:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 20:41 . 2010-05-25 20:41 503808 ----a-w- c:\documents and settings\jadey b\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7da65101-n\msvcp71.dll
2010-05-25 20:41 . 2010-05-25 20:41 499712 ----a-w- c:\documents and settings\jadey b\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7da65101-n\jmc.dll
2010-05-25 20:41 . 2010-05-25 20:41 348160 ----a-w- c:\documents and settings\jadey b\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-7da65101-n\msvcr71.dll
2010-05-06 10:41 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2001-08-18 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 14:39 . 2009-12-14 13:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-12-14 13:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 18:26 . 2009-11-29 18:25 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-05-07 1238352]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-06 19556968]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hfyqgbyf

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 16:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-07-06 17:26 64104 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-10-10 14:46 69632 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-07-06 17:26 19556968 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 04:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
2008-07-09 12:12 208896 ----a-r- c:\windows\system32\WinSys2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nSvcLog"=2 (0x2)
"ForcewareWebInterface"=2 (0x2)
"nSvcIp"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"RapportMgmtService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LightScribeService"=2 (0x2)
"LBTServ"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"CCALib8"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AODService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\beats\\Desktop\\mirc.exe"=
"c:\\Documents and Settings\\beats\\My Documents\\utorrent 1.6.1\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\bin\\proe.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\insurgency\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\condition zero\\hl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [18/07/2010 22:50 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/07/2010 22:42 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/07/2010 22:42 17744]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [06/01/2009 16:32 10384]
S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\RapportBuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [10/11/2006 14:08 24064]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/07/2010 09:55 1352832]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/07/2010 14:58 1691480]
S3 cpuz130;cpuz130;\??\c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [02/07/2010 17:36 23456]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [17/09/2009 13:21 36608]
S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [17/09/2009 13:21 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [17/09/2009 13:21 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [17/09/2009 13:21 121856]
S4 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe --> c:\program files\AMD\OverDrive\AODAssist.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/01/2009 17:38 717296]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 16:05 92008]
.
Contents of the 'Scheduled Tasks' folder

2010-07-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

2010-06-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-07-19 c:\windows\Tasks\User_Feed_Synchronization-{037DFE39-D1F8-4E64-A3ED-D280B318EA2E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2010-07-19 c:\windows\Tasks\User_Feed_Synchronization-{9ED11C23-7BCE-40E5-89DD-4BFDCA156EFF}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\beats\Application Data\Mozilla\Firefox\Profiles\1wu7m1p2.default\
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-nwiz - nwiz.exe
SafeBoot-klmdb.sys
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\daemon.exe
MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 18:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1326574676-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:07,d0,fb,35,c4,68,ce,49,a9,c3,ff,34,87,8a,34,ab,48,a7,73,99,39,
72,6c,87,ef,61,16,88,13,89,7a,0c,aa,94,25,2b,8d,c2,62,e0,b7,1f,15,87,86,be,\
"rkeysecu"=hex:5f,d6,ef,59,6c,eb,38,23,5e,66,10,fd,ea,ba,6f,0f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2010-07-19 18:26:49
ComboFix-quarantined-files.txt 2010-07-19 17:26

Pre-Run: 8,574,070,784 bytes free
Post-Run: 9,331,519,488 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 7D0EAA13E34DD0F8B20DDA2929D1D4C3




I can't see a combofix1; where should it be?

#10 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 23 December 2010 - 09:21 PM

lol I didn't want this to get so complicated for you but here goes...the first time that I asked you to run combofix and post the log, the log you posted showed me that it was actually from the second time you ran it. That was accurate at the time evidently...the first time (I think) that you actually ran combofix on that machine was last July.

The next combofix log you posted was from the cfscript that I wrote for you which was fine. It should have been numbered "2" but it's not. It was the log from the 5th time combofix was run on that machine.

That also had to be accurate...which meant that the logs I had not seen at that point, would have been logs numbered 1, 3 and 4. Maybe you can explain why combofix was run back in July, and while you're at it, also explain why the TDSSKiller utility was used. It does appear as though you have been worried about rootkit infections with all the various rootkit scanner remnants. Perhaps your answer might be relevant to your present situation.

Log number 1, as it turns out, was actually from your run back in July...which wasn't from me having asked you to run it.

Logs numbered 3 and 4 however, are what I would be interested in.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#11 m/beats
  • Topic Starter
  • Members
  • 7 posts

Posted 24 December 2010 - 06:48 AM

OK, so I had a similar thing with a redirect rootkit back in July, I guess; I don't remember when, and I probably just searched for any removal tools I could find and came across ComboFix somehow and ran it. I thought it must have worked because I no longer had the browser redirects.
This time I couldn't remember how I got rid of the rootkit last time, so I tried a few different tools such as TDSSKiller, which didn't work, so then I came here and asked for help, which I now know I should have done first of all, as I didn't really know what I was doing.
I don't think 3 and 4 will be proper logs, as I stopped ComboFix just after it started, as I didn't think I had written the script properly.
This is the only log I haven't posted, named combofix2. I have already posted 'combofix3' and 'combofix4' in my last post, all from the Qoobox folder, and I have posted 'combofix' from c:\; there aren't any more logs in those folders.

ComboFix 10-12-22.01 - beats 22/12/2010 23:52:32.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1564 [GMT 0:00]
Running from: c:\documents and settings\beats\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\syclik.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF
-------\Service_uovdvm


((((((((((((((((((((((((( Files Created from 2010-11-23 to 2010-12-23 )))))))))))))))))))))))))))))))
.

2010-12-21 23:19 . 2010-12-21 23:19 54276 ---h--w- c:\windows\setup.exe
2010-12-21 23:19 . 2010-12-21 23:19 54276 ---h--w- c:\windows\mdm.exe
2010-12-21 23:18 . 2010-12-22 23:38 763392 ----a-w- c:\windows\system32\drivers\pfrvkgiya.sys
2010-12-21 20:23 . 2010-12-21 20:23 -------- d-----w- c:\program files\Prio
2010-12-21 19:33 . 2010-12-21 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2010-12-21 17:48 . 2010-12-21 18:38 -------- d-----w- c:\documents and settings\beats\Application Data\Unhazi
2010-12-21 17:48 . 2010-12-21 17:48 -------- d-----w- c:\documents and settings\beats\Application Data\Imaglu
2010-12-21 17:48 . 2010-12-21 17:48 -------- d-----w- c:\documents and settings\beats\Application Data\Sapov
2010-12-21 17:48 . 2010-12-21 17:48 -------- d-----w- c:\documents and settings\beats\Application Data\QuosaDDM
2010-12-21 17:47 . 2010-12-21 17:47 -------- d-----w- c:\documents and settings\beats\Application Data\Imlu
2010-12-19 22:51 . 2010-12-19 22:51 126464 --sha-r- c:\windows\system32\compt.dll
2010-12-19 22:01 . 2010-12-21 18:32 0 ----a-w- c:\windows\Dtevocub.bin
2010-12-19 21:56 . 2010-12-19 21:56 -------- d--h--w- c:\windows\PIF
2010-12-18 17:24 . 2010-12-21 23:35 -------- d-----w- c:\program files\windows
2010-12-18 14:33 . 2010-12-18 14:33 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-12-18 14:33 . 2010-12-18 14:33 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-12-18 14:33 . 2010-12-18 14:33 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-12-18 14:33 . 2010-10-22 06:23 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-12-18 14:33 . 2010-10-22 06:23 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-12-11 19:58 . 2010-12-11 19:58 -------- d-----w- c:\program files\PokerOfficer
2010-12-08 23:21 . 2010-12-08 23:23 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\AaaaaRecklessDisregard
2010-11-23 21:25 . 2010-12-04 14:30 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Temp
2010-11-23 21:25 . 2010-11-23 21:25 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Google
2010-11-23 21:24 . 2010-11-23 21:25 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-10 15:42 . 2010-01-28 21:09 138416 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-12-10 15:42 . 2010-01-28 21:10 270904 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-12-10 15:42 . 2010-01-28 21:09 270904 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-12-09 19:46 . 2010-01-28 21:09 270904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2010-12-04 14:35 . 2010-01-28 21:09 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-11-29 17:42 . 2009-12-14 13:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2009-12-14 13:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-31 09:55 . 2010-10-31 09:55 4878 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-10-22 06:23 . 2010-07-02 15:46 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-22 06:23 . 2010-07-02 15:46 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-22 06:23 . 2010-07-02 15:46 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-22 06:23 . 2010-07-02 15:46 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-22 06:23 . 2010-07-02 15:46 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-22 06:23 . 2010-07-02 15:46 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-10-22 06:23 . 2010-07-02 15:46 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-22 06:23 . 2010-07-02 12:30 9623680 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-10-22 06:23 . 2010-07-02 12:30 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2010-10-16 12:05 . 2010-10-16 12:05 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-10-16 12:05 . 2010-10-16 12:05 335872 ----a-w- c:\windows\system32\nvrsar.dll
2010-10-16 12:05 . 2010-10-16 12:05 331776 ----a-w- c:\windows\system32\nvrshe.dll
2010-10-16 12:05 . 2010-10-16 12:05 286720 ----a-w- c:\windows\system32\nvrsfr.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrses.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrsel.dll
2010-10-16 12:05 . 2010-10-16 12:05 278528 ----a-w- c:\windows\system32\nvrsde.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrsnl.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrsesm.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsru.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsptb.dll
2010-10-16 12:05 . 2010-10-16 12:05 266240 ----a-w- c:\windows\system32\nvrsko.dll
2010-10-16 12:05 . 2010-10-16 12:05 262144 ----a-w- c:\windows\system32\nvrshu.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrstr.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrssl.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrssk.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsth.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrssv.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsda.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrsfi.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrseng.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrscs.dll
2010-10-16 12:05 . 2010-10-16 12:05 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2010-10-16 12:05 . 2010-10-16 12:05 126976 ----a-w- c:\windows\system32\nvrszht.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrsit.dll
2010-10-16 12:05 . 2010-10-16 12:05 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrspt.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsja.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrspl.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsno.dll
2010-10-16 12:05 . 2010-10-16 12:05 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-10-16 12:05 . 2010-10-16 12:05 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-10-16 12:05 . 2010-10-16 12:05 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 12:05 . 2010-10-16 12:05 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-06 15:20 . 2010-01-28 21:09 138056 ----a-w- c:\documents and settings\beats\Application Data\PnkBstrK.sys
2010-10-06 14:24 . 2010-10-06 15:20 2601752 ----a-w- c:\windows\system32\pbsvc_moh.exe
2009-11-29 18:26 . 2009-11-29 18:25 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-06 19556968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^dvqqwwlw.exe]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\dvqqwwlw.exe
backup=c:\windows\pss\dvqqwwlw.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-07-06 17:26 64104 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-23 21:25 136176 ----atw- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-10-10 14:46 69632 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-07-06 17:26 19556968 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-17 17:31 1242448 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 04:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
2008-07-09 12:12 208896 ----a-r- c:\windows\system32\WinSys2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nSvcLog"=2 (0x2)
"ForcewareWebInterface"=2 (0x2)
"nSvcIp"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"RapportMgmtService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LightScribeService"=2 (0x2)
"LBTServ"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"CCALib8"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AODService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"FsUsbExService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\beats\\Desktop\\mirc.exe"=
"c:\\Documents and Settings\\beats\\My Documents\\utorrent 1.6.1\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\bin\\proe.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\insurgency\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\condition zero\\hl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\counter-strike source\\hl2.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/07/2010 21:42 165456]
R1 prio;Prio;c:\windows\system32\drivers\prio.sys [28/07/2010 15:36 51408]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/07/2010 21:42 17744]
R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [22/12/2009 02:31 95568]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [06/01/2009 15:32 10384]
R2 prio_svc;Prio Service;c:\program files\Prio\prio_svc.exe [28/07/2010 15:36 5120]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [22/12/2009 02:31 18136]
S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\RapportBuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [10/11/2006 13:08 24064]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/07/2010 13:58 1691480]
S3 cpuz130;cpuz130;\??\c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\beats\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\beats\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [17/09/2009 12:21 36640]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]
S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [22/09/2010 21:15 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [22/09/2010 21:15 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [22/09/2010 21:15 123648]
S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [22/09/2010 21:15 100224]
S4 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe --> c:\program files\AMD\OverDrive\AODAssist.exe [?]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [17/09/2009 12:21 217088]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/01/2009 16:38 717296]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 15:05 92008]
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004Core.job
- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-23 21:25]

2010-12-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004UA.job
- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-23 21:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
FF - ProfilePath - c:\documents and settings\beats\Application Data\Mozilla\Firefox\Profiles\1wu7m1p2.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-23 00:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet008\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1326574676-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:07,d0,fb,35,c4,68,ce,49,a9,c3,ff,34,87,8a,34,ab,48,a7,73,99,39,
72,6c,87,ef,61,16,88,13,89,7a,0c,aa,94,25,2b,8d,c2,62,e0,b7,1f,15,87,86,be,\
"rkeysecu"=hex:5f,d6,ef,59,6c,eb,38,23,5e,66,10,fd,ea,ba,6f,0f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(4088)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-12-23 00:11:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-23 00:11
ComboFix2.txt 2010-12-22 22:50
ComboFix3.txt 2010-07-19 17:26

Pre-Run: 3,116,576,768 bytes free
Post-Run: 3,019,702,272 bytes free

Current=8 Default=8 Failed=7 LastKnownGood=1 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 7D50D364BD5B5F4F35B06DBCED3BC76D

#12 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 24 December 2010 - 11:28 AM

On 12/22 at 10:30 PM, combofix was run, then again, the same evening just about an hour and a half later, you ran combofix again and it found more garbage to remove which tells me that during that hour and a half, there was more online activity. Please keep that machine offline except for checking in here for my responses...and please do nothing else with your machine except what I instruct, at least during our cleanup sessions here. Otherwise, it gets very complicated for both of us.

Further, during your combofix runs, you had Avast enabled...outdated nonetheless, but enabled, so please be careful to read the material I present to you thoroughly. Anything less will result in failure to cleanup that machine properly...that said, back to business.

I should explain a bit why you are, and have been, experiencing malware issues. Your usage of file sharing programs such as uTorrent is certainly involved. Peer to peer programs where ANYONE can upload and download files are literal cesspools of every type of malicious code known to man. Downloading files from such software is a recipe for disaster.

I recommend that you uninstall/delete/remove any files or programs (to include music and videos) that you know with certainty that you downloaded using the file sharing software.

Next, we need to see the logs from a couple more tools...Please run a scan with CKScanner

Click HERE to download CKScanner and save it to your Desktop. <- Important
  • Double-click CKScanner.exe to open the program.
  • Click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt file on your desktop to open it.
Copy the contents and paste them in your next reply.

Next, please download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool.
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Next, please open another blank notepad...Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated and please remember to post the logs from CKScanner and the Rooter scan. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



KILLALL::

Rootkit::
c:\windows\system32\drivers\pfrvkgiya.sys
c:\windows\pss\dvqqwwlw.exeStartup
c:\documents and settings\beats\Start Menu\Programs\Startup\dvqqwwlw.exe

Registry::
[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^dvqqwwlw.exe]
path=-


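The helper's CFScript above targets three things from the ComboFix log: a newly created driver (pfrvkgiya.sys), an executable dropped into the Startup folder (dvqqwwlw.exe) and its msconfig backup. The same log also shows the per-user IE proxy pointed at 127.0.0.1 on a random port (the usual way a redirector rewrites browser traffic) and both Security Center override flags set to 1. As an added example, not part of this thread and not a ComboFix or BleepingComputer tool, the Python script below scans ComboFix-format log lines for exactly those indicator classes. The sample lines are constructed from the log posted above (a few lines, not the whole log); the regexes, the loopback rule and the "flag any new .sys under \drivers\" rule are my own assumptions about what is worth a human's attention, not ComboFix logic.

```python
"""Triage ComboFix-format log lines for browser-redirect indicators.

Added example for this thread; it is not part of ComboFix or of any
BleepingComputer tool. The regexes, the rule set and the sample lines are
assumptions modelled on the log posted above.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a few lines in ComboFix's own output format, copied
# in shape from the log in this thread (not a complete log).
SAMPLE_LOG = r"""
2010-12-21 23:19 . 2010-12-21 23:19 54276 ---h--w- c:\windows\setup.exe
2010-12-21 23:18 . 2010-12-22 23:38 763392 ----a-w- c:\windows\system32\drivers\pfrvkgiya.sys
2010-12-19 22:51 . 2010-12-19 22:51 126464 --sha-r- c:\windows\system32\compt.dll
2010-12-18 14:33 . 2010-10-22 06:23 888424 ----a-w- c:\windows\system32\nvdispco32.dll
path=c:\documents and settings\beats\Start Menu\Programs\Startup\dvqqwwlw.exe
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uStart Page = hxxp://www.google.co.uk/webhp?hl=en
"""

# "Files Created" entries: created . modified size attrs path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Per-user IE proxy setting as ComboFix prints it under "Supplementary Scan"
PROXY_LINE = re.compile(
    r"ProxyServer\s*=\s*(?:http=)?(?P<host>[^:\s]+):(?P<port>\d+)", re.I
)
# An .exe placed directly in a Startup folder (HKLM\~\startupfolder block)
STARTUP_LINE = re.compile(
    r"^path=(?P<path>.*\\start menu\\programs\\startup\\[^\\]+\.exe)$", re.I
)
# Security Center told to stop warning about AV / firewall state
OVERRIDE_LINE = re.compile(
    r'^"(?P<name>AntiVirusOverride|FirewallOverride)"=dword:0*1$', re.I
)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line; clean lines produce nothing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_LINE.search(line)
        if m and m["host"].lower() in LOOPBACK:
            # A proxy on the local host is how many redirectors rewrite
            # browser traffic: every HTTP request passes through malware first.
            findings.append(Finding("local_proxy", f"{m['host']}:{m['port']}"))
            continue
        m = OVERRIDE_LINE.match(line)
        if m:
            findings.append(Finding("security_center_override", m["name"]))
            continue
        m = STARTUP_LINE.match(line)
        if m:
            findings.append(Finding("startup_exe", m["path"]))
            continue
        m = FILE_LINE.match(line)
        if m:
            path, attrs = m["path"].lower(), m["attrs"]
            if path.startswith("c:\\windows\\") and ("h" in attrs or "s" in attrs):
                # Hidden/system attributes on a freshly created file under
                # c:\windows are a classic way to keep an implant out of sight.
                findings.append(Finding("hidden_system_file", m["path"]))
            elif path.endswith(".sys") and "\\drivers\\" in path:
                # Any newly created kernel driver deserves a look; a rootkit
                # is just a driver with an unfamiliar name.
                findings.append(Finding("new_kernel_driver", m["path"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:25s} {f.detail}")
```

Run against the constructed sample it reports the loopback proxy, both Security Center overrides, the Startup-folder executable, the two hidden files under c:\windows and the new driver, and stays silent on the NVIDIA DLL. The rules are deliberately coarse: they pick out lines a helper should read, they do not decide what is malicious, and a legitimate local proxy or a freshly installed driver will show up too.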

#13 m/beats
  • Topic Starter
  • Members
  • 7 posts

Posted 24 December 2010 - 01:13 PM

OK, thanks. I will take on board your advice and get rid of all the downloaded stuff, and also stay offline until this is cleaned up.

I disabled Avast every time I did the scans, so I don't know why it says it's still active.

Anyway, here are the logs:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\beats\favorites\alstom graduate programme gradcracker - the careers website for engineering students.url
c:\documents and settings\beats\favorites\gradcracker - the careers website for engineering students.url
c:\documents and settings\beats\my documents\my music\itunes\itunes music\coffins\ther cracks of doom\thumbs.db
c:\documents and settings\beats\my documents\my music\itunes\itunes music\mastodon - crack the skye___jud0\thumbs.db
c:\documents and settings\beats\my documents\my music\itunes\itunes music\mastodon - crack the skye___jud0\emj & tld\el mundo de judo 2.0.txt
c:\documents and settings\beats\my documents\my music\itunes\itunes music\mastodon - crack the skye___jud0\emj & tld\el mundo jud0 2.0.url
c:\documents and settings\beats\my documents\my music\itunes\itunes music\mastodon - crack the skye___jud0\emj & tld\thelastdisaster!.url
c:\documents and settings\beats\my documents\my music\itunes\itunes music\mastodon - crack the skye___jud0\emj & tld\ read this first.txt
scanner sequence 3.ED.11
----- EOF -----


Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 107 Stepping 1, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.5.10 (en-GB)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:127 Go - Free:2 Go )
D:\ [CD_Rom]
E:\ [Fixed-NTFS] .. ( Total:111 Go - Free:20 Go )
.
Scan : 17:23.19
Path : C:\Documents and Settings\beats\Desktop\Rooter.exe
User : beats ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (592)
______ \??\C:\WINDOWS\system32\csrss.exe (652)
______ \??\C:\WINDOWS\system32\winlogon.exe (676)
______ C:\WINDOWS\system32\services.exe (720)
______ C:\WINDOWS\system32\lsass.exe (732)
______ C:\WINDOWS\system32\nvsvc32.exe (892)
______ C:\WINDOWS\system32\svchost.exe (972)
______ C:\WINDOWS\system32\svchost.exe (1028)
______ C:\WINDOWS\System32\svchost.exe (1124)
______ C:\WINDOWS\system32\svchost.exe (1168)
______ C:\WINDOWS\System32\svchost.exe (1292)
______ C:\WINDOWS\system32\svchost.exe (1404)
______ C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (1496)
______ C:\WINDOWS\system32\spoolsv.exe (1728)
______ C:\WINDOWS\System32\svchost.exe (420)
______ C:\WINDOWS\system32\dgdersvc.exe (464)
______ C:\WINDOWS\system32\PnkBstrA.exe (528)
______ C:\Program Files\Prio\prio_svc.exe (544)
______ C:\WINDOWS\System32\svchost.exe (584)
______ C:\WINDOWS\System32\alg.exe (1112)
______ C:\WINDOWS\Explorer.EXE (1080)
______ C:\WINDOWS\RTHDCPL.EXE (2272)
______ C:\WINDOWS\system32\RUNDLL32.EXE (2344)
______ C:\WINDOWS\system32\ctfmon.exe (2664)
______ C:\Documents and Settings\beats\Desktop\Rooter.exe (2644)
______ C:\Program Files\Alwil Software\Avast5\AvastUI.exe (3312)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:120023253504)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004Core.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004UA.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\DOCUME~1\beats\Favorites\Alstom Graduate Programme Gradcracker - The careers website for engineering students.url
C:\DOCUME~1\beats\Favorites\Gradcracker - The careers website for engineering students.url
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 17:23.25
.
C:\Rooter$\Rooter_1.txt - (24/12/2010 | 17:23.25).c


ComboFix 10-12-24.01 - beats 24/12/2010 17:42:33.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1550 [GMT 0:00]
Running from: c:\documents and settings\beats\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\beats\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))
.

2010-12-24 17:23 . 2010-12-24 17:23 -------- d-----w- C:\Rooter$
2010-12-23 00:10 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-23 00:10 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-21 23:18 . 2010-12-22 23:38 763392 ----a-w- c:\windows\system32\drivers\pfrvkgiya.sys
2010-12-21 20:23 . 2010-12-21 20:23 -------- d-----w- c:\program files\Prio
2010-12-21 19:33 . 2010-12-21 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2010-12-19 21:56 . 2010-12-19 21:56 -------- d--h--w- c:\windows\PIF
2010-12-18 14:33 . 2010-12-18 14:33 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-12-18 14:33 . 2010-12-18 14:33 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-12-18 14:33 . 2010-12-18 14:33 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-12-18 14:33 . 2010-10-22 06:23 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-12-18 14:33 . 2010-10-22 06:23 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-12-11 19:58 . 2010-12-11 19:58 -------- d-----w- c:\program files\PokerOfficer
2010-12-08 23:21 . 2010-12-08 23:23 -------- d-----w- c:\documents and settings\beats\Local Settings\Application Data\AaaaaRecklessDisregard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 18:09 . 2009-12-14 13:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2009-12-14 13:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-10 15:42 . 2010-01-28 21:09 138416 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-12-10 15:42 . 2010-01-28 21:10 270904 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-12-10 15:42 . 2010-01-28 21:09 270904 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-12-09 19:46 . 2010-01-28 21:09 270904 ----a-w- c:\windows\system32\PnkBstrB.ex0
2010-12-04 14:35 . 2010-01-28 21:09 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-11-18 18:12 . 2009-01-05 19:30 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2001-08-18 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-18 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-31 09:55 . 2010-10-31 09:55 4878 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-10-28 13:13 . 2001-08-18 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2001-08-18 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-22 06:23 . 2010-07-02 15:46 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-22 06:23 . 2010-07-02 15:46 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-22 06:23 . 2010-07-02 15:46 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-22 06:23 . 2010-07-02 15:46 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-22 06:23 . 2010-07-02 15:46 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-22 06:23 . 2010-07-02 15:46 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-10-22 06:23 . 2010-07-02 15:46 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-22 06:23 . 2010-07-02 12:30 9623680 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-10-22 06:23 . 2010-07-02 12:30 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2010-10-16 12:05 . 2010-10-16 12:05 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-10-16 12:05 . 2010-10-16 12:05 335872 ----a-w- c:\windows\system32\nvrsar.dll
2010-10-16 12:05 . 2010-10-16 12:05 331776 ----a-w- c:\windows\system32\nvrshe.dll
2010-10-16 12:05 . 2010-10-16 12:05 286720 ----a-w- c:\windows\system32\nvrsfr.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrses.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrsel.dll
2010-10-16 12:05 . 2010-10-16 12:05 278528 ----a-w- c:\windows\system32\nvrsde.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrsnl.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrsesm.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsru.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsptb.dll
2010-10-16 12:05 . 2010-10-16 12:05 266240 ----a-w- c:\windows\system32\nvrsko.dll
2010-10-16 12:05 . 2010-10-16 12:05 262144 ----a-w- c:\windows\system32\nvrshu.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrstr.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrssl.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrssk.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsth.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrssv.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsda.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrsfi.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrseng.dll
2010-10-16 12:05 . 2010-10-16 12:05 249856 ----a-w- c:\windows\system32\nvrscs.dll
2010-10-16 12:05 . 2010-10-16 12:05 229376 ----a-w- c:\windows\system32\nvrszhc.dll
2010-10-16 12:05 . 2010-10-16 12:05 126976 ----a-w- c:\windows\system32\nvrszht.dll
2010-10-16 12:05 . 2010-10-16 12:05 282624 ----a-w- c:\windows\system32\nvrsit.dll
2010-10-16 12:05 . 2010-10-16 12:05 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-10-16 12:05 . 2010-10-16 12:05 274432 ----a-w- c:\windows\system32\nvrspt.dll
2010-10-16 12:05 . 2010-10-16 12:05 270336 ----a-w- c:\windows\system32\nvrsja.dll
2010-10-16 12:05 . 2010-10-16 12:05 258048 ----a-w- c:\windows\system32\nvrspl.dll
2010-10-16 12:05 . 2010-10-16 12:05 253952 ----a-w- c:\windows\system32\nvrsno.dll
2010-10-16 12:05 . 2010-10-16 12:05 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-10-16 12:05 . 2010-10-16 12:05 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-10-16 12:05 . 2010-10-16 12:05 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 12:05 . 2010-10-16 12:05 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-06 15:20 . 2010-01-28 21:09 138056 ----a-w- c:\documents and settings\beats\Application Data\PnkBstrK.sys
2010-10-06 14:24 . 2010-10-06 15:20 2601752 ----a-w- c:\windows\system32\pbsvc_moh.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-07-06 19556968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-16 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^dvqqwwlw.exe]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\dvqqwwlw.exe
backup=c:\windows\pss\dvqqwwlw.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-07-06 17:26 64104 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-23 21:25 136176 ----atw- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-10-10 14:46 69632 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-07-06 17:26 19556968 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-17 17:31 1242448 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 04:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"nSvcLog"=2 (0x2)
"ForcewareWebInterface"=2 (0x2)
"nSvcIp"=2 (0x2)
"TomTomHOMEService"=2 (0x2)
"ServiceLayer"=3 (0x3)
"RapportMgmtService"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LightScribeService"=2 (0x2)
"LBTServ"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"CCALib8"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AODService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"FsUsbExService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\beats\\Desktop\\mirc.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\nms\\nmsd.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\pro_comm_msg.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\i486_nt\\obj\\xtop.exe"=
"c:\\Program Files\\ProENGINEER Schools Edition\\bin\\proe.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\insurgency\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\condition zero\\hl.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\BFBC2Game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield bad company 2\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\mikespuffler\\counter-strike source\\hl2.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/07/2010 21:42 165456]
R1 prio;Prio;c:\windows\system32\drivers\prio.sys [28/07/2010 15:36 51408]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/07/2010 21:42 17744]
R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [22/12/2009 02:31 95568]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [06/01/2009 15:32 10384]
R2 prio_svc;Prio Service;c:\program files\Prio\prio_svc.exe [28/07/2010 15:36 5120]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [22/12/2009 02:31 18136]
S1 RapportBuka;RapportBuka;\??\c:\windows\system32\drivers\RapportBuka.sys --> c:\windows\system32\drivers\RapportBuka.sys [?]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [10/11/2006 13:08 24064]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/07/2010 13:58 1691480]
S3 cpuz130;cpuz130;\??\c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\beats\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\beats\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\beats\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [17/09/2009 12:21 36640]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]
S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [22/09/2010 21:15 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [22/09/2010 21:15 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [22/09/2010 21:15 123648]
S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [22/09/2010 21:15 100224]
S4 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe --> c:\program files\AMD\OverDrive\AODAssist.exe [?]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [17/09/2009 12:21 217088]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/01/2009 16:38 717296]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [27/08/2009 15:05 92008]
.
Contents of the 'Scheduled Tasks' folder

2010-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-12-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004Core.job
- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-23 21:25]

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1326574676-839522115-1004UA.job
- c:\documents and settings\beats\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-23 21:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\beats\Application Data\Mozilla\Firefox\Profiles\1wu7m1p2.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-24 17:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet008\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1326574676-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:07,d0,fb,35,c4,68,ce,49,a9,c3,ff,34,87,8a,34,ab,48,a7,73,99,39,
72,6c,87,ef,61,16,88,13,89,7a,0c,aa,94,25,2b,8d,c2,62,e0,b7,1f,15,87,86,be,\
"rkeysecu"=hex:5f,d6,ef,59,6c,eb,38,23,5e,66,10,fd,ea,ba,6f,0f
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3280)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-12-24 17:57:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-24 17:57
ComboFix2.txt 2010-12-23 20:26
ComboFix3.txt 2010-12-23 00:11
ComboFix4.txt 2010-12-22 22:50
ComboFix5.txt 2010-12-24 17:39

Pre-Run: 2,622,726,144 bytes free
Post-Run: 2,615,910,400 bytes free

Current=8 Default=8 Failed=7 LastKnownGood=1 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 7A42C7EA9523E0362E6940AC33B42666
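A small triage helper for ComboFix logs like the one above, added here as an example and not code from this thread or from ComboFix itself: it parses the "Files Created" section and the msconfig startupfolder keys and flags the two things the CFScript in the previous post targeted, a kernel driver that appeared during the infection window and a raw .exe (rather than a .lnk shortcut) sitting in a user's Startup folder. The embedded log is a constructed excerpt modelled on the posted one; the drivers-directory and raw-executable heuristics are assumptions of this example, not ComboFix rules.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix log posted in this thread
# (a handful of representative lines, not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))
.

2010-12-24 17:23 . 2010-12-24 17:23 -------- d-----w- C:\Rooter$
2010-12-23 00:10 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-21 23:18 . 2010-12-22 23:38 763392 ----a-w- c:\windows\system32\drivers\pfrvkgiya.sys
2010-12-21 20:23 . 2010-12-21 20:23 -------- d-----w- c:\program files\Prio
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 18:09 . 2009-12-14 13:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^beats^Start Menu^Programs^Startup^dvqqwwlw.exe]
path=c:\documents and settings\beats\Start Menu\Programs\Startup\dvqqwwlw.exe
backup=c:\windows\pss\dvqqwwlw.exeStartup
"""

# One file entry: "<created> . <modified> <size|--------> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-+) (\S{8}) (.+)$"
)
# msconfig "startupfolder" key: a Startup-folder item that msconfig moved aside
STARTUP_KEY = re.compile(r"^\[HKLM\\~\\startupfolder\\(.+)\]$")


def parse_combofix(text: str) -> Dict[str, List[dict]]:
    """Extract the files created in the scan window and the startupfolder
    keys (with their path= and backup= values) from a ComboFix log."""
    section = None
    current_key = None
    out: Dict[str, List[dict]] = {"files_created": [], "startupfolder": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("(((("):  # section banner
            if "Files Created" in line:
                section = "files_created"
            elif "Reg Loading Points" in line:
                section = "reg"
            else:
                section = None  # Find3M and anything else are skipped here
            continue
        if section == "files_created":
            m = FILE_LINE.match(line)
            if m:
                size = None if m.group(3).startswith("-") else int(m.group(3))
                out["files_created"].append(
                    {"created": m.group(1), "size": size,
                     "attrs": m.group(4), "path": m.group(5)})
        elif section == "reg":
            m = STARTUP_KEY.match(line)
            if m:
                current_key = {"key": m.group(1), "path": "", "backup": ""}
                out["startupfolder"].append(current_key)
            elif current_key and "=" in line:
                name, _, value = line.partition("=")
                if name in ("path", "backup"):
                    current_key[name] = value
            elif not line:  # blank line ends the key block
                current_key = None
    return out


def triage(parsed: Dict[str, List[dict]]) -> List[str]:
    """Flag new kernel drivers and Startup-folder entries that are raw
    executables instead of shortcuts (heuristics assumed for this example)."""
    findings = []
    for f in parsed["files_created"]:
        p = f["path"].lower()
        if "\\drivers\\" in p and p.endswith(".sys"):
            findings.append(f"new kernel driver: {f['path']} "
                            f"({f['size']} bytes, created {f['created']})")
    for s in parsed["startupfolder"]:
        if s["path"].lower().endswith(".exe"):
            findings.append(f"raw executable in Startup folder: {s['path']} "
                            f"(backup {s['backup']})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_combofix(SAMPLE_LOG)):
        print(finding)
```

Run against the excerpt it reports pfrvkgiya.sys and dvqqwwlw.exe, the same two items the CFScript listed under Rootkit:: and Registry::.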

#14 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 24 December 2010 - 04:41 PM

My assistance ends here. Your rootkit remains onboard...and the reason is obvious to me. You are only fooling yourself my friend, if you insist on keeping cracked software. It's the entire reason for your issue.

Since you've edited both the CKScanner and Rooter logs to remove the content of their findings, I can only assume it was an attempt at trying to keep information hidden to ensure my continued support.

The manner in which the logs were edited leaves no doubt whatsoever that there was positive proof of bootleg software on board. I will in no way render any assistance to any user who knowingly uses stolen software.

My recommendation, as we part, is that you reformat the entire disk and reinstall the operating system. Good luck in your future endeavors.

This thread is now closed.





