
Windows XP RUNDLL errors


This topic is locked
12 replies to this topic

#1 Insp. Bumstead
Posted 25 January 2011 - 10:26 AM

I recently removed a virus (or two) from my laptop. Since then, I've been getting an error at startup that says that "afoduzuvifukifur.dll" and "kregsv.dll" can't be loaded. I'm pretty sure this has something to do with files remaining or changed by the virus.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:13:35 AM, on 1/25/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ComfortKeyboard\CKeyboard.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
C:\Documents and Settings\Dawud\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\ComfortKeyboard\CKeyboardCm.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Dawud\My Documents\Downloads\HijackThis.exe
C:\Program Files\AIM\aim.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTo0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTo0.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTo0.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NI Background Service] E:\NI\Shared\Update Service\niupdate.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CKeyboard] C:\Program Files\ComfortKeyboard\CKeyboard.exe
O4 - HKLM\..\Run: [Cfarepuxekuv] rundll32.exe "C:\WINDOWS\afoduzuvifukifur.dll",Startup
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [Ttiwozahuy] rundll32.exe "C:\WINDOWS\kregsv.dll",Startup
O4 - HKCU\..\Run: [TJHTHX1O7X] C:\WINDOWS\Xkupea.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode
O4 - HKCU\..\Run: [Ko7kgqLaGLuQjjV] C:\Documents and Settings\All Users\Application Data\Ko7kgqLaGLuQjjV.exe
O4 - HKCU\..\Run: [GvcfEplRcUH.exe] C:\Documents and Settings\All Users\Application Data\GvcfEplRcUH.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dawud\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CE8SIIFGSU] C:\DOCUME~1\Dawud\LOCALS~1\Temp\Xj1.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount
O4 - S-1-5-18 Startup: Dropbox.lnk = C:\Documents and Settings\Dawud\Application Data\Dropbox\bin\Dropbox.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Dropbox.lnk = C:\Documents and Settings\Dawud\Application Data\Dropbox\bin\Dropbox.exe (User 'Default user')
O4 - .DEFAULT Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe (User 'Default user')
O4 - .DEFAULT Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Dawud\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: Air Mouse.lnk = C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Broken Internet access because of LSP provider 'e:\ni\shared\mdns responder\nimdnsnsp.dll' missing
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KMService - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - Unknown owner - E:\NI\MAX\nimxs.exe (file missing)
O23 - Service: NI Application Web Server (NIApplicationWebServer) - Unknown owner - E:\NI\Shared\NI WebServer\ApplicationWebServer.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - Unknown owner - E:\NI\Shared\Security\nidmsrv.exe (file missing)
O23 - Service: NILM License Manager - Unknown owner - E:\NI\Shared\License Manager\Bin\lmgrd.exe (file missing)
O23 - Service: National Instruments mDNS Responder Service (nimDNSResponder) - Unknown owner - E:\NI\Shared\mDNS Responder\nimdnsResponder.exe (file missing)
O23 - Service: NI System Web Server (niSvcLoc) - Unknown owner - E:\NI\Shared\NI WebServer\SystemWebServer.exe (file missing)
O23 - Service: National Instruments Variable Engine (NITaggerService) - Unknown owner - E:\NI\Shared\Tagger\tagsrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 15747 bytes

Edited by Noviciate, 26 January 2011 - 03:36 PM.
Since a log is posted, I am moving this to the Malware Removal forum ~ Elise
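Before the log is handed to a removal tool, an analyst usually skims the O4 lines by hand for autostart entries that run from the wrong place. The script below is an added example for this thread, not code from the original post, from HijackThis or from ComboFix: it parses O4 `Run` lines in the format shown above and flags the ones worth a closer look. The sample lines are copied from the posted log; the flagging rules (rundll32 loading a DLL from outside system32 or by bare name, a file sitting directly in the Windows directory, in the root of an Application Data folder, or under a Temp directory) are this example's own assumptions about what is unusual, not anything the tools themselves check.

```python
"""Triage HijackThis O4 (registry Run) entries.

Added example, not part of the original post or of HijackThis. The flagging
rules are this example's own heuristics (assumptions), not tool behaviour.
"""
import ntpath
import re

# Constructed sample: a subset of the O4 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cfarepuxekuv] rundll32.exe "C:\WINDOWS\afoduzuvifukifur.dll",Startup
O4 - HKCU\..\Run: [Ttiwozahuy] rundll32.exe "C:\WINDOWS\kregsv.dll",Startup
O4 - HKCU\..\Run: [TJHTHX1O7X] C:\WINDOWS\Xkupea.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Ko7kgqLaGLuQjjV] C:\Documents and Settings\All Users\Application Data\Ko7kgqLaGLuQjjV.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CE8SIIFGSU] C:\DOCUME~1\Dawud\LOCALS~1\Temp\Xj1.exe
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
WINDOWS_ROOT = "c:\\windows"
SYSTEM32 = "c:\\windows\\system32"


def normalise(path):
    """Lower-case and collapse a Windows path so directory comparisons are exact."""
    return ntpath.normpath(path.replace("\\\\", "\\")).lower()


def split_command(cmd):
    """Return (executable, arguments) from a Run value.

    A quoted image path is taken verbatim; an unquoted one may itself contain
    spaces (HijackThis prints them that way), so cut at the first '.exe' token.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(?i)(.+?\.exe)(?:\s+(.*))?$", cmd)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def rundll32_target(args):
    """The DLL a rundll32 command line loads: the first argument, up to the comma."""
    args = args.strip()
    if args.startswith('"'):
        return args[1:args.index('"', 1)]
    return args.split(",", 1)[0]


def parse_o4(text):
    """Yield a dict per HKLM/HKCU Run entry; Startup-folder O4 forms are skipped."""
    for line in text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            yield m.groupdict()


def triage(entry):
    """Return the reasons this entry deserves a look (empty for a clean-looking one)."""
    exe, args = split_command(entry["cmd"])
    target = normalise(exe)
    reasons = []
    if ntpath.basename(target) == "rundll32.exe":
        dll = rundll32_target(args)
        target = normalise(dll)  # judge the DLL's location, not rundll32's
        if not ntpath.dirname(target):
            reasons.append(f"rundll32 loads {dll} by bare name (DLL search order decides what runs)")
        elif ntpath.dirname(target) != SYSTEM32:
            reasons.append(f"rundll32 loads {dll} from outside system32")
    parent = ntpath.dirname(target)
    if parent == WINDOWS_ROOT:
        reasons.append("file sits directly in the Windows directory, not in system32")
    if parent.endswith("\\application data"):
        reasons.append("file sits in the root of an Application Data folder, not a vendor subfolder")
    if "\\temp\\" in target:
        reasons.append("file runs from a Temp directory")
    return reasons


def find_suspicious(text):
    """Map Run-value name -> reasons, for every entry with at least one reason."""
    flagged = {}
    for entry in parse_o4(text):
        reasons = triage(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the sample, it flags exactly five entries: the two rundll32 lines (their DLLs live in C:\WINDOWS itself, not system32), Xkupea.exe in the Windows directory, Ko7kgqLaGLuQjjV.exe in the root of All Users\Application Data, and Xj1.exe in the user's Temp folder. The two DLLs the startup error names, afoduzuvifukifur.dll and kregsv.dll, are precisely the rundll32 targets here, which is consistent with the antivirus having deleted the files while the Run values that reference them were left behind. The rules are deliberately narrow (location-based only) so that short-name paths like C:\PROGRA~1 and vendor subfolders under Application Data, which Dropbox and Google Update legitimately use, are not flagged.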




#2 Noviciate
Malware Response Team
Posted 26 January 2011 - 03:38 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.



#3 Insp. Bumstead
Topic Starter
Posted 27 January 2011 - 09:46 AM

ComboFix 11-01-26.01 - Dawud 01/27/2011 9:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.456 [GMT -5:00]
Running from: c:\documents and settings\Dawud\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dawud\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\Dawud\Application Data\Adobe\plugs
c:\documents and settings\Dawud\Application Data\Adobe\plugs\KB8749921.exe
c:\documents and settings\Dawud\Application Data\PriceGong
c:\documents and settings\Dawud\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Dawud\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Dawud\Local Settings\Application Data\{E9DCEA47-0479-4355-A18E-B231B7461DA5}
c:\documents and settings\Dawud\Local Settings\Application Data\{E9DCEA47-0479-4355-A18E-B231B7461DA5}\chrome.manifest
c:\documents and settings\Dawud\Local Settings\Application Data\{E9DCEA47-0479-4355-A18E-B231B7461DA5}\chrome\content\_cfg.js
c:\documents and settings\Dawud\Local Settings\Application Data\{E9DCEA47-0479-4355-A18E-B231B7461DA5}\chrome\content\overlay.xul
c:\documents and settings\Dawud\Local Settings\Application Data\{E9DCEA47-0479-4355-A18E-B231B7461DA5}\install.rdf
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\test.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-12-27 to 2011-01-27 )))))))))))))))))))))))))))))))
.

2011-01-27 04:34 . 2011-01-27 04:34 -------- d-----w- c:\documents and settings\Dawud\Application Data\TightVNC
2011-01-27 04:17 . 2011-01-27 04:17 -------- d-----w- c:\program files\Common Files\Skype
2011-01-25 05:30 . 2011-01-25 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2011-01-25 05:30 . 2011-01-25 05:42 -------- d-----w- c:\program files\RegCure
2011-01-25 05:15 . 2007-05-10 15:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2011-01-25 05:15 . 2007-05-10 15:22 405504 ----a-w- c:\windows\stsystra.exe
2011-01-25 05:15 . 2007-04-10 22:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2011-01-25 04:13 . 2007-05-10 15:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2011-01-21 23:02 . 2011-01-23 03:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-01-20 23:32 . 2011-01-20 23:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-20 22:58 . 2011-01-20 22:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-01-20 16:05 . 2011-01-20 16:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-20 15:56 . 2011-01-21 05:31 0 ----a-w- c:\windows\Mticoxicakih.bin
2011-01-20 07:01 . 2011-01-20 07:03 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\National Instruments
2011-01-20 05:27 . 2011-01-20 05:27 -------- d-----w- c:\windows\system32\cvirte
2011-01-20 05:27 . 2011-01-20 07:33 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-01-20 05:24 . 2011-01-20 05:24 -------- d-----w- c:\program files\National Instruments
2011-01-20 05:21 . 2011-01-20 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\National Instruments
2011-01-16 05:59 . 2011-01-20 07:45 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\Conduit
2011-01-16 05:59 . 2011-01-16 05:59 -------- d-----w- c:\program files\Conduit
2011-01-16 05:59 . 2011-01-20 07:45 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\uTorrentBar
2011-01-16 05:59 . 2011-01-16 05:59 -------- d-----w- c:\program files\uTorrentBar
2011-01-15 17:57 . 2011-01-15 17:57 -------- d-----w- c:\program files\Common Files\Software Update Utility
2011-01-01 08:02 . 2011-01-01 08:02 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-12-31 07:14 . 2010-12-31 07:14 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\LogiShrd
2010-12-31 07:13 . 2008-04-14 05:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-12-31 07:13 . 2008-04-14 05:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-12-31 07:13 . 2010-12-31 07:13 -------- d-----w- c:\documents and settings\Dawud\Application Data\Leadertech
2010-12-31 07:13 . 2008-04-14 05:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-12-31 07:13 . 2008-04-14 05:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-12-31 07:13 . 2008-04-14 10:42 16384 ----a-w- c:\windows\system32\ipsink.ax
2010-12-31 07:13 . 2008-04-14 05:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-12-31 07:13 . 2008-04-14 05:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-12-31 07:13 . 2008-04-14 05:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-12-31 07:13 . 2008-04-14 05:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-12-31 07:12 . 2008-04-14 05:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-12-31 07:12 . 2008-04-14 05:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-12-31 07:12 . 2008-04-14 05:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-12-31 07:12 . 2008-04-14 05:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-12-31 07:09 . 2010-12-31 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-12-31 07:09 . 2011-01-01 07:08 -------- d-----w- c:\program files\Logitech
2010-12-29 02:47 . 2010-12-29 02:47 -------- d-----w- c:\program files\YouTube Downloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 08:47 . 2010-07-04 03:42 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2010-07-04 03:42 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-07-04 03:43 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-07-04 03:43 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:40 . 2010-07-04 03:43 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-13 08:39 . 2010-07-04 03:43 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-13 08:37 . 2010-07-04 03:43 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-07-04 03:43 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-13 08:37 . 2010-07-04 03:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2010-07-04 02:14 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-18 11:25 . 2010-11-18 11:25 96864 ----a-w- c:\windows\~GLC000c.TMP
2010-11-17 22:48 . 2010-11-17 22:48 96864 ----a-w- c:\windows\~GLC000b.TMP
2010-11-17 04:41 . 2010-11-17 04:41 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-11-16 12:28 . 2010-11-16 12:28 96864 ----a-w- c:\windows\~GLC000a.TMP
2010-11-12 00:28 . 2010-11-12 00:28 96864 ----a-w- c:\windows\~GLC0009.TMP
2010-11-09 14:52 . 2003-07-16 16:34 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-08 13:26 . 2010-11-08 13:26 0 ----a-w- c:\windows\VDM2C.tmp
2010-11-08 13:26 . 2010-11-08 13:26 0 ----a-w- c:\windows\VDM2B.tmp
2010-11-08 13:26 . 2010-11-08 13:26 96864 ----a-w- c:\windows\~GLC0008.TMP
2010-11-06 00:26 . 2003-07-16 16:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2003-07-16 16:24 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2010-07-04 03:01 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2003-07-16 16:31 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-11-02 06:01 . 2010-11-02 06:01 96864 ----a-w- c:\windows\~GLC0007.TMP
2010-11-02 05:39 . 2010-11-02 05:39 96864 ----a-w- c:\windows\~GLC0006.TMP
2010-11-02 04:10 . 2010-11-02 04:10 0 ----a-w- c:\windows\VDM25.tmp
2010-11-02 04:10 . 2010-11-02 04:10 0 ----a-w- c:\windows\VDM24.tmp
2010-11-02 04:09 . 2010-11-02 04:09 96864 ----a-w- c:\windows\~GLC0005.TMP
2010-09-16 19:35 . 2010-09-16 19:35 158720 ----a-w- c:\program files\internet explorer\plugins\LV2010ActiveXControl.dll
2010-05-25 17:43 . 2010-05-25 17:43 158720 ----a-w- c:\program files\internet explorer\plugins\LV90ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTo0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
"Google Update"="c:\documents and settings\Dawud\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-01-21 136176]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 15028104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"nwiz"="nwiz.exe" [2008-06-09 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 86016]
"NVHotkey"="nvHotkey.dll" [2008-06-09 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"CKeyboard"="c:\program files\ComfortKeyboard\CKeyboard.exe" [2010-06-19 3354440]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

c:\documents and settings\Dawud\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Dawud\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
Logitech . Product Registration.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2010-11-3 1039016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Dawud\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/4/2010 9:32 PM 691696]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/3/2010 10:43 PM 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/3/2010 10:43 PM 17744]
S2 KMService;KMService;c:\windows\system32\srvany.exe [7/5/2010 2:26 AM 8192]
S2 NIApplicationWebServer;NI Application Web Server;"e:\ni\Shared\NI WebServer\ApplicationWebServer.exe" -user --> e:\ni\Shared\NI WebServer\ApplicationWebServer.exe [?]
S2 nimDNSResponder;National Instruments mDNS Responder Service;"e:\ni\Shared\mDNS Responder\nimdnsResponder.exe" --> e:\ni\Shared\mDNS Responder\nimdnsResponder.exe [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 12:25 PM 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 11:37 PM 4640000]
.
Contents of the 'Scheduled Tasks' folder

2011-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2011-01-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1972579041-839522115-1003Core.job
- c:\documents and settings\Dawud\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-21 23:30]

2011-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1972579041-839522115-1003UA.job
- c:\documents and settings\Dawud\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-21 23:30]

2011-01-25 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2011-01-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2011-01-27 c:\windows\Tasks\User_Feed_Synchronization-{1D4796D1-F511-4F3A-87D0-EF639457BA11}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\Dawud\Application Data\Mozilla\Firefox\Profiles\x8bt823b.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Ttiwozahuy - c:\windows\kregsv.dll
HKCU-Run-TJHTHX1O7X - c:\windows\Xkupea.exe
HKCU-Run-Ko7kgqLaGLuQjjV - c:\documents and settings\All Users\Application Data\Ko7kgqLaGLuQjjV.exe
HKCU-Run-GvcfEplRcUH.exe - c:\documents and settings\All Users\Application Data\GvcfEplRcUH.exe
HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
HKLM-Run-NI Background Service - e:\ni\Shared\Update Service\niupdate.exe
HKLM-Run-Cfarepuxekuv - c:\windows\afoduzuvifukifur.dll
AddRemove-NI Uninstaller - e:\ni\Shared\NIUninstaller\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-27 09:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS721080G9SA00 rev.MC4OC10H -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x83072555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x830787b0]; MOV EAX, [0x8307882c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x83137AB8]
3 CLASSPNP[0xF75D2FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000083[0x831DE828]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x831E93D0]
\Driver\atapi[0x830D0F38] -> IRP_MJ_CREATE -> 0x83072555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS721080G9SA00_________________MC4OC10H#5&1f698b3f&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8307239B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2460)
c:\windows\system32\WININET.dll
c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-01-27 09:43:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-27 14:43

Pre-Run: 42,213,986,304 bytes free
Post-Run: 43,383,914,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - CFFE41D1255C204755071B88611B9A1F

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 27 January 2011 - 02:15 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything, allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

I would also like a fresh DDS log and to know how your PC is now behaving.

So long, and thanks for all the fish.


#5 Insp. Bumstead

  • Topic Starter
  • Members
  • 79 posts
  • Gender:Male

Posted 27 January 2011 - 10:01 PM

Log from TDSSKiller:

2011/01/27 18:07:15.0781 TDSS rootkit removing tool 2.4.15.0 Jan 22 2011 19:37:53
2011/01/27 18:07:15.0781 ================================================================================
2011/01/27 18:07:15.0781 SystemInfo:
2011/01/27 18:07:15.0781
2011/01/27 18:07:15.0781 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/27 18:07:15.0781 Product type: Workstation
2011/01/27 18:07:15.0781 ComputerName: BLACKBOXV2
2011/01/27 18:07:15.0781 UserName: Dawud
2011/01/27 18:07:15.0781 Windows directory: C:\WINDOWS
2011/01/27 18:07:15.0781 System windows directory: C:\WINDOWS
2011/01/27 18:07:15.0781 Processor architecture: Intel x86
2011/01/27 18:07:15.0781 Number of processors: 2
2011/01/27 18:07:15.0781 Page size: 0x1000
2011/01/27 18:07:15.0781 Boot type: Normal boot
2011/01/27 18:07:15.0781 ================================================================================
2011/01/27 18:07:16.0921 Initialize success
2011/01/27 18:07:25.0328 ================================================================================
2011/01/27 18:07:25.0328 Scan started
2011/01/27 18:07:25.0328 Mode: Manual;
2011/01/27 18:07:25.0328 ================================================================================
2011/01/27 18:07:26.0500 Aavmker4 (479c9835b91147be1a92cb76fad9c6de) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/01/27 18:07:26.0625 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/27 18:07:26.0687 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/27 18:07:26.0781 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/27 18:07:26.0984 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/27 18:07:27.0250 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2011/01/27 18:07:27.0421 aswFsBlk (cba53c5e29ae0a0ce76f9a2be3a40d9e) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/01/27 18:07:27.0468 aswMon2 (a1c52b822b7b8a5c2162d38f579f97b7) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/01/27 18:07:27.0515 aswRdr (b6e8c5874377a42756c282fac2e20836) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/01/27 18:07:27.0546 aswSP (b93a553c9b0f14263c8f016a44c3258c) C:\WINDOWS\system32\drivers\aswSP.sys
2011/01/27 18:07:27.0765 aswTdi (1408421505257846eb336feeef33352d) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/01/27 18:07:27.0828 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/27 18:07:27.0906 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/27 18:07:27.0968 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/27 18:07:28.0046 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/27 18:07:28.0250 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/01/27 18:07:28.0359 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/01/27 18:07:28.0578 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/27 18:07:28.0671 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
2011/01/27 18:07:28.0859 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/27 18:07:29.0031 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/27 18:07:29.0109 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/27 18:07:29.0171 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/27 18:07:29.0203 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/27 18:07:29.0437 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/01/27 18:07:29.0484 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/01/27 18:07:29.0609 cvintdrv (dbd89bc0dbe00dcd245be8f61dbee291) C:\WINDOWS\system32\drivers\cvintdrv.sys
2011/01/27 18:07:29.0671 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/27 18:07:29.0750 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/27 18:07:29.0968 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/27 18:07:30.0015 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/27 18:07:30.0078 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/27 18:07:30.0171 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/27 18:07:30.0406 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/27 18:07:30.0453 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/01/27 18:07:30.0484 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/27 18:07:30.0515 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/27 18:07:30.0546 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/27 18:07:30.0625 fssfltr (e0087225b137e57239ff40f8ae82059b) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/01/27 18:07:30.0953 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/27 18:07:31.0015 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/27 18:07:31.0140 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/01/27 18:07:31.0359 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/27 18:07:31.0546 guardian2 (c0bdab85f3e8b2138c513255e2bcc4d8) C:\WINDOWS\system32\Drivers\oz776.sys
2011/01/27 18:07:31.0625 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/01/27 18:07:31.0718 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/27 18:07:31.0859 HSFHWAZL (1c8caa80e91fb71864e9426f9eed048d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/01/27 18:07:32.0109 HSF_DPV (698204d9c2832e53633e53a30a53fc3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/01/27 18:07:32.0375 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/27 18:07:32.0515 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/27 18:07:32.0687 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/27 18:07:32.0828 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/27 18:07:32.0875 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/27 18:07:32.0921 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/27 18:07:32.0968 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/27 18:07:33.0015 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/27 18:07:33.0218 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/27 18:07:33.0265 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/27 18:07:33.0328 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/27 18:07:33.0406 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/27 18:07:33.0468 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/27 18:07:33.0671 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/27 18:07:33.0812 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/01/27 18:07:33.0921 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/01/27 18:07:33.0984 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/27 18:07:34.0046 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/27 18:07:34.0234 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/27 18:07:34.0296 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/27 18:07:34.0343 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/27 18:07:34.0406 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/27 18:07:34.0484 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/27 18:07:34.0687 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/27 18:07:34.0750 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/27 18:07:34.0781 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/27 18:07:34.0812 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/27 18:07:34.0859 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/27 18:07:35.0000 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/27 18:07:35.0156 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/27 18:07:35.0203 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/27 18:07:35.0250 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/27 18:07:35.0312 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/27 18:07:35.0359 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/27 18:07:35.0515 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/27 18:07:35.0546 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/27 18:07:35.0609 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/27 18:07:35.0640 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/27 18:07:35.0687 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/27 18:07:35.0875 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/27 18:07:36.0062 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/27 18:07:36.0187 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/27 18:07:36.0593 nv (c116d2b008a1640c4484a1dcd1abe12c) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/27 18:07:37.0156 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/27 18:07:37.0171 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/27 18:07:37.0250 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/27 18:07:37.0281 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/27 18:07:37.0328 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/27 18:07:37.0437 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/27 18:07:37.0484 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/27 18:07:37.0500 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/01/27 18:07:37.0718 PID_0928 (d2d2fa02b722336960eeae0ae7107891) C:\WINDOWS\system32\DRIVERS\LV561AV.SYS
2011/01/27 18:07:37.0843 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/27 18:07:37.0859 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/27 18:07:37.0984 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/27 18:07:38.0015 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/27 18:07:38.0078 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/27 18:07:38.0187 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/27 18:07:38.0218 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/27 18:07:38.0312 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/27 18:07:38.0328 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/27 18:07:38.0390 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/27 18:07:38.0515 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/27 18:07:38.0546 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/27 18:07:38.0593 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/27 18:07:38.0640 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/27 18:07:38.0812 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/27 18:07:38.0843 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/27 18:07:38.0968 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/27 18:07:39.0031 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/27 18:07:39.0109 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/27 18:07:39.0187 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/27 18:07:39.0375 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/01/27 18:07:39.0375 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/01/27 18:07:39.0390 sptd - detected Locked file (1)
2011/01/27 18:07:39.0531 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/27 18:07:39.0578 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/27 18:07:39.0734 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
2011/01/27 18:07:39.0906 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/27 18:07:40.0000 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/27 18:07:40.0062 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/27 18:07:40.0203 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/27 18:07:40.0296 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/27 18:07:40.0437 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/27 18:07:40.0515 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/27 18:07:40.0546 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/27 18:07:40.0640 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/27 18:07:40.0671 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/27 18:07:40.0765 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/01/27 18:07:40.0828 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/27 18:07:40.0984 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/27 18:07:41.0062 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/27 18:07:41.0265 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/27 18:07:41.0296 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/27 18:07:41.0328 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/27 18:07:41.0406 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/27 18:07:41.0609 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/27 18:07:41.0703 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/27 18:07:41.0796 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/01/27 18:07:42.0046 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/01/27 18:07:42.0109 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/27 18:07:42.0171 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/27 18:07:42.0203 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/27 18:07:42.0265 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/27 18:07:42.0281 ================================================================================
2011/01/27 18:07:42.0281 Scan finished
2011/01/27 18:07:42.0281 ================================================================================
2011/01/27 18:07:42.0296 Detected object count: 2
2011/01/27 18:07:50.0187 Locked file(sptd) - User select action: Skip
2011/01/27 18:07:50.0281 \HardDisk0 - will be cured after reboot
2011/01/27 18:07:50.0281 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/27 18:14:40.0750 Deinitialize success

2nd Log from ComboFix:
ComboFix 11-01-26.01 - Dawud 01/27/2011 19:17:09.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.413 [GMT -5:00]
Running from: c:\documents and settings\Dawud\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-28 )))))))))))))))))))))))))))))))
.

2011-01-27 04:34 . 2011-01-27 04:34 -------- d-----w- c:\documents and settings\Dawud\Application Data\TightVNC
2011-01-27 04:17 . 2011-01-27 04:17 -------- d-----w- c:\program files\Common Files\Skype
2011-01-25 05:30 . 2011-01-25 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2011-01-25 05:30 . 2011-01-25 05:42 -------- d-----w- c:\program files\RegCure
2011-01-25 05:15 . 2007-05-10 15:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2011-01-25 05:15 . 2007-05-10 15:22 405504 ----a-w- c:\windows\stsystra.exe
2011-01-25 05:15 . 2007-04-10 22:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2011-01-25 04:13 . 2007-05-10 15:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2011-01-21 23:02 . 2011-01-23 03:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-01-20 23:32 . 2011-01-20 23:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-20 22:58 . 2011-01-20 22:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-01-20 16:05 . 2011-01-20 16:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-20 15:56 . 2011-01-21 05:31 0 ----a-w- c:\windows\Mticoxicakih.bin
2011-01-20 07:01 . 2011-01-20 07:03 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\National Instruments
2011-01-20 05:27 . 2011-01-20 05:27 -------- d-----w- c:\windows\system32\cvirte
2011-01-20 05:27 . 2011-01-20 07:33 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-01-20 05:24 . 2011-01-20 05:24 -------- d-----w- c:\program files\National Instruments
2011-01-20 05:21 . 2011-01-20 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\National Instruments
2011-01-16 05:59 . 2011-01-20 07:45 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\Conduit
2011-01-16 05:59 . 2011-01-16 05:59 -------- d-----w- c:\program files\Conduit
2011-01-16 05:59 . 2011-01-20 07:45 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\uTorrentBar
2011-01-16 05:59 . 2011-01-16 05:59 -------- d-----w- c:\program files\uTorrentBar
2011-01-15 17:57 . 2011-01-15 17:57 -------- d-----w- c:\program files\Common Files\Software Update Utility
2011-01-01 08:02 . 2011-01-01 08:02 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-12-31 07:14 . 2010-12-31 07:14 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\LogiShrd
2010-12-31 07:13 . 2008-04-14 05:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-12-31 07:13 . 2008-04-14 05:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-12-31 07:13 . 2010-12-31 07:13 -------- d-----w- c:\documents and settings\Dawud\Application Data\Leadertech
2010-12-31 07:13 . 2008-04-14 05:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-12-31 07:13 . 2008-04-14 05:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-12-31 07:13 . 2008-04-14 10:42 16384 ----a-w- c:\windows\system32\ipsink.ax
2010-12-31 07:13 . 2008-04-14 05:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-12-31 07:13 . 2008-04-14 05:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-12-31 07:13 . 2008-04-14 05:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-12-31 07:13 . 2008-04-14 05:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-12-31 07:12 . 2008-04-14 05:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-12-31 07:12 . 2008-04-14 05:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-12-31 07:12 . 2008-04-14 05:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-12-31 07:12 . 2008-04-14 05:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-12-31 07:09 . 2010-12-31 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-12-31 07:09 . 2011-01-01 07:08 -------- d-----w- c:\program files\Logitech
2010-12-29 02:47 . 2010-12-29 02:47 -------- d-----w- c:\program files\YouTube Downloader

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 08:47 . 2010-07-04 03:42 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2010-07-04 03:42 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-07-04 03:43 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-07-04 03:43 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:40 . 2010-07-04 03:43 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-13 08:39 . 2010-07-04 03:43 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-13 08:37 . 2010-07-04 03:43 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-07-04 03:43 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-13 08:37 . 2010-07-04 03:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2010-07-04 02:14 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-18 11:25 . 2010-11-18 11:25 96864 ----a-w- c:\windows\~GLC000c.TMP
2010-11-17 22:48 . 2010-11-17 22:48 96864 ----a-w- c:\windows\~GLC000b.TMP
2010-11-17 04:41 . 2010-11-17 04:41 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-11-16 12:28 . 2010-11-16 12:28 96864 ----a-w- c:\windows\~GLC000a.TMP
2010-11-12 00:28 . 2010-11-12 00:28 96864 ----a-w- c:\windows\~GLC0009.TMP
2010-11-09 14:52 . 2003-07-16 16:34 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-08 13:26 . 2010-11-08 13:26 0 ----a-w- c:\windows\VDM2C.tmp
2010-11-08 13:26 . 2010-11-08 13:26 0 ----a-w- c:\windows\VDM2B.tmp
2010-11-08 13:26 . 2010-11-08 13:26 96864 ----a-w- c:\windows\~GLC0008.TMP
2010-11-06 00:26 . 2003-07-16 16:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2003-07-16 16:24 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2010-07-04 03:01 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2003-07-16 16:31 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-11-02 06:01 . 2010-11-02 06:01 96864 ----a-w- c:\windows\~GLC0007.TMP
2010-11-02 05:39 . 2010-11-02 05:39 96864 ----a-w- c:\windows\~GLC0006.TMP
2010-11-02 04:10 . 2010-11-02 04:10 0 ----a-w- c:\windows\VDM25.tmp
2010-11-02 04:10 . 2010-11-02 04:10 0 ----a-w- c:\windows\VDM24.tmp
2010-11-02 04:09 . 2010-11-02 04:09 96864 ----a-w- c:\windows\~GLC0005.TMP
2010-09-16 19:35 . 2010-09-16 19:35 158720 ----a-w- c:\program files\internet explorer\plugins\LV2010ActiveXControl.dll
2010-05-25 17:43 . 2010-05-25 17:43 158720 ----a-w- c:\program files\internet explorer\plugins\LV90ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTo0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ttiwozahuy"="c:\windows\kregsv.dll" [BU]
"TJHTHX1O7X"="c:\windows\Xkupea.exe" [BU]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
"Ko7kgqLaGLuQjjV"="c:\documents and settings\All Users\Application Data\Ko7kgqLaGLuQjjV.exe" [BU]
"GvcfEplRcUH.exe"="c:\documents and settings\All Users\Application Data\GvcfEplRcUH.exe" [BU]
"Google Update"="c:\documents and settings\Dawud\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-01-21 136176]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 15028104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe" [BU]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"nwiz"="nwiz.exe" [2008-06-09 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 86016]
"NVHotkey"="nvHotkey.dll" [2008-06-09 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"NI Background Service"="e:\ni\Shared\Update Service\niupdate.exe" [BU]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"CKeyboard"="c:\program files\ComfortKeyboard\CKeyboard.exe" [2010-06-19 3354440]
"Cfarepuxekuv"="c:\windows\afoduzuvifukifur.dll" [BU]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

c:\documents and settings\Dawud\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Dawud\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
Logitech . Product Registration.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2010-11-3 1039016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Dawud\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/4/2010 9:32 PM 691696]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/3/2010 10:43 PM 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/3/2010 10:43 PM 17744]
S2 KMService;KMService;c:\windows\system32\srvany.exe [7/5/2010 2:26 AM 8192]
S2 NIApplicationWebServer;NI Application Web Server;"e:\ni\Shared\NI WebServer\ApplicationWebServer.exe" -user --> e:\ni\Shared\NI WebServer\ApplicationWebServer.exe [?]
S2 nimDNSResponder;National Instruments mDNS Responder Service;"e:\ni\Shared\mDNS Responder\nimdnsResponder.exe" --> e:\ni\Shared\mDNS Responder\nimdnsResponder.exe [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 12:25 PM 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 11:37 PM 4640000]
.
Contents of the 'Scheduled Tasks' folder

2011-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2011-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1972579041-839522115-1003Core.job
- c:\documents and settings\Dawud\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-21 23:30]

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1972579041-839522115-1003UA.job
- c:\documents and settings\Dawud\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-21 23:30]

2011-01-25 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2011-01-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2011-01-28 c:\windows\Tasks\User_Feed_Synchronization-{1D4796D1-F511-4F3A-87D0-EF639457BA11}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\Dawud\Application Data\Mozilla\Firefox\Profiles\x8bt823b.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-27 19:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1164)
c:\windows\system32\WININET.dll
c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\program files\ComfortKeyboard\CKeyboardH.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\ComfortKeyboard\CKeyboardCm.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-01-27 19:39:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-28 00:39
ComboFix2.txt 2011-01-27 14:43

Pre-Run: 43,367,079,936 bytes free
Post-Run: 43,296,309,248 bytes free

- - End Of File - - 77D2A7C7B928F336727CDB70C1252FD5

Edited by Noviciate, 28 January 2011 - 02:20 PM.
Removed "quote" tags.


#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 28 January 2011 - 02:23 PM

Good evening. :)

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log AND a description of how your PC is behaving.

So long, and thanks for all the fish.


#7 Insp. Bumstead
  • Topic Starter

  • Members
  • 79 posts
  • Gender:Male

Posted 28 January 2011 - 09:21 PM

MalwareBytes log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5632

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/28/2011 7:09:10 PM
mbam-log-2011-01-28 (19-09-09).txt

Scan type: Full scan (C:\|)
Objects scanned: 380978
Time elapsed: 1 hour(s), 35 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CE8SIIFGSU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TJHTHX1O7X (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TJHTHX1O7X (Trojan.FakeAlert) -> Value: TJHTHX1O7X -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Dawud\Desktop\chje11trn.exe (Trojan.Genome) -> Quarantined and deleted successfully.

Still getting the same errors on startup even after removing the Trojans.

Newest Combofix Log:

ComboFix 11-01-28.02 - Dawud 01/28/2011 21:26:28.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.475 [GMT -5:00]
Running from: c:\documents and settings\Dawud\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))
.

2011-01-29 02:40 . 2011-01-29 02:40 1893 ----a-w- c:\windows\bcmwltrytmp.reg
2011-01-27 04:34 . 2011-01-27 04:34 -------- d-----w- c:\documents and settings\Dawud\Application Data\TightVNC
2011-01-27 04:17 . 2011-01-27 04:17 -------- d-----w- c:\program files\Common Files\Skype
2011-01-25 05:30 . 2011-01-25 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2011-01-25 05:30 . 2011-01-25 05:42 -------- d-----w- c:\program files\RegCure
2011-01-25 05:15 . 2007-05-10 15:23 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2011-01-25 05:15 . 2007-05-10 15:22 405504 ----a-w- c:\windows\stsystra.exe
2011-01-25 05:15 . 2007-04-10 22:02 1601536 ----a-w- c:\windows\system32\stlang.dll
2011-01-25 04:13 . 2007-05-10 15:23 270336 ----a-w- c:\windows\system32\stacapi.dll
2011-01-21 23:02 . 2011-01-23 03:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-01-20 23:32 . 2011-01-20 23:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-20 22:58 . 2011-01-20 22:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-01-20 16:05 . 2011-01-20 16:05 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-20 15:56 . 2011-01-21 05:31 0 ----a-w- c:\windows\Mticoxicakih.bin
2011-01-20 07:01 . 2011-01-20 07:03 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\National Instruments
2011-01-20 05:27 . 2011-01-20 05:27 -------- d-----w- c:\windows\system32\cvirte
2011-01-20 05:27 . 2011-01-20 07:33 -------- d-----w- c:\program files\Common Files\Merge Modules
2011-01-20 05:24 . 2011-01-20 05:24 -------- d-----w- c:\program files\National Instruments
2011-01-20 05:21 . 2011-01-20 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\National Instruments
2011-01-16 05:59 . 2011-01-20 07:45 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\Conduit
2011-01-16 05:59 . 2011-01-16 05:59 -------- d-----w- c:\program files\Conduit
2011-01-16 05:59 . 2011-01-20 07:45 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\uTorrentBar
2011-01-16 05:59 . 2011-01-16 05:59 -------- d-----w- c:\program files\uTorrentBar
2011-01-15 17:57 . 2011-01-15 17:57 -------- d-----w- c:\program files\Common Files\Software Update Utility
2011-01-01 08:02 . 2011-01-01 08:02 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-12-31 07:14 . 2010-12-31 07:14 -------- d-----w- c:\documents and settings\Dawud\Local Settings\Application Data\LogiShrd
2010-12-31 07:13 . 2008-04-14 05:16 10880 -c--a-w- c:\windows\system32\dllcache\ndisip.sys
2010-12-31 07:13 . 2008-04-14 05:16 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2010-12-31 07:13 . 2010-12-31 07:13 -------- d-----w- c:\documents and settings\Dawud\Application Data\Leadertech
2010-12-31 07:13 . 2008-04-14 05:16 15232 -c--a-w- c:\windows\system32\dllcache\streamip.sys
2010-12-31 07:13 . 2008-04-14 05:16 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2010-12-31 07:13 . 2008-04-14 10:42 16384 ----a-w- c:\windows\system32\ipsink.ax
2010-12-31 07:13 . 2008-04-14 05:16 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-12-31 07:13 . 2008-04-14 05:16 11136 ----a-w- c:\windows\system32\drivers\SLIP.sys
2010-12-31 07:13 . 2008-04-14 05:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-12-31 07:13 . 2008-04-14 05:16 19200 ----a-w- c:\windows\system32\drivers\WSTCODEC.SYS
2010-12-31 07:12 . 2008-04-14 05:16 85248 -c--a-w- c:\windows\system32\dllcache\nabtsfec.sys
2010-12-31 07:12 . 2008-04-14 05:16 85248 ----a-w- c:\windows\system32\drivers\NABTSFEC.sys
2010-12-31 07:12 . 2008-04-14 05:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-12-31 07:12 . 2008-04-14 05:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-12-31 07:09 . 2010-12-31 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-12-31 07:09 . 2011-01-01 07:08 -------- d-----w- c:\program files\Logitech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 08:47 . 2010-07-04 03:42 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2010-07-04 03:42 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-07-04 03:43 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-07-04 03:43 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:40 . 2010-07-04 03:43 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-13 08:39 . 2010-07-04 03:43 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-13 08:37 . 2010-07-04 03:43 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-07-04 03:43 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-13 08:37 . 2010-07-04 03:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-20 23:09 . 2010-07-04 03:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-07-04 03:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2010-07-04 02:14 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-18 11:25 . 2010-11-18 11:25 96864 ----a-w- c:\windows\~GLC000c.TMP
2010-11-17 22:48 . 2010-11-17 22:48 96864 ----a-w- c:\windows\~GLC000b.TMP
2010-11-17 04:41 . 2010-11-17 04:41 323624 ----a-w- c:\windows\system32\wiaaut.dll
2010-11-16 12:28 . 2010-11-16 12:28 96864 ----a-w- c:\windows\~GLC000a.TMP
2010-11-12 00:28 . 2010-11-12 00:28 96864 ----a-w- c:\windows\~GLC0009.TMP
2010-11-09 14:52 . 2003-07-16 16:34 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-08 13:26 . 2010-11-08 13:26 0 ----a-w- c:\windows\VDM2C.tmp
2010-11-08 13:26 . 2010-11-08 13:26 0 ----a-w- c:\windows\VDM2B.tmp
2010-11-08 13:26 . 2010-11-08 13:26 96864 ----a-w- c:\windows\~GLC0008.TMP
2010-11-06 00:26 . 2003-07-16 16:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2003-07-16 16:24 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2010-07-04 03:01 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2003-07-16 16:31 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-11-02 06:01 . 2010-11-02 06:01 96864 ----a-w- c:\windows\~GLC0007.TMP
2010-11-02 05:39 . 2010-11-02 05:39 96864 ----a-w- c:\windows\~GLC0006.TMP
2010-11-02 04:10 . 2010-11-02 04:10 0 ----a-w- c:\windows\VDM25.tmp
2010-11-02 04:10 . 2010-11-02 04:10 0 ----a-w- c:\windows\VDM24.tmp
2010-11-02 04:09 . 2010-11-02 04:09 96864 ----a-w- c:\windows\~GLC0005.TMP
2010-09-16 19:35 . 2010-09-16 19:35 158720 ----a-w- c:\program files\internet explorer\plugins\LV2010ActiveXControl.dll
2010-05-25 17:43 . 2010-05-25 17:43 158720 ----a-w- c:\program files\internet explorer\plugins\LV90ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 17:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTo0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-12-09 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-12-09 3911776]

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ttiwozahuy"="c:\windows\kregsv.dll" [BU]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
"Ko7kgqLaGLuQjjV"="c:\documents and settings\All Users\Application Data\Ko7kgqLaGLuQjjV.exe" [BU]
"GvcfEplRcUH.exe"="c:\documents and settings\All Users\Application Data\GvcfEplRcUH.exe" [BU]
"Google Update"="c:\documents and settings\Dawud\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-01-21 136176]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 15028104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe" [BU]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"nwiz"="nwiz.exe" [2008-06-09 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 86016]
"NVHotkey"="nvHotkey.dll" [2008-06-09 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"NI Background Service"="e:\ni\Shared\Update Service\niupdate.exe" [BU]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"CKeyboard"="c:\program files\ComfortKeyboard\CKeyboard.exe" [2010-06-19 3354440]
"Cfarepuxekuv"="c:\windows\afoduzuvifukifur.dll" [BU]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

c:\documents and settings\Dawud\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Dawud\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
Logitech . Product Registration.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2010-11-3 1039016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Dawud\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/4/2010 9:32 PM 691696]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/3/2010 10:43 PM 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/3/2010 10:43 PM 17744]
S2 KMService;KMService;c:\windows\system32\srvany.exe [7/5/2010 2:26 AM 8192]
S2 NIApplicationWebServer;NI Application Web Server;"e:\ni\Shared\NI WebServer\ApplicationWebServer.exe" -user --> e:\ni\Shared\NI WebServer\ApplicationWebServer.exe [?]
S2 nimDNSResponder;National Instruments mDNS Responder Service;"e:\ni\Shared\mDNS Responder\nimdnsResponder.exe" --> e:\ni\Shared\mDNS Responder\nimdnsResponder.exe [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 12:25 PM 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 11:37 PM 4640000]
.
Contents of the 'Scheduled Tasks' folder

2011-01-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2011-01-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1972579041-839522115-1003Core.job
- c:\documents and settings\Dawud\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-21 23:30]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1972579041-839522115-1003UA.job
- c:\documents and settings\Dawud\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-21 23:30]

2011-01-28 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2011-01-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2011-01-29 c:\windows\Tasks\User_Feed_Synchronization-{1D4796D1-F511-4F3A-87D0-EF639457BA11}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\Dawud\Application Data\Mozilla\Firefox\Profiles\x8bt823b.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-28 21:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_asw_aisI.tm~a01820
c:\windows\TEMP\_asw_aisI.tm~a01820\onefile 542 bytes
c:\windows\TEMP\_asw_aisI.tm~a01820\setup.lok 0 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(188)
c:\windows\system32\WININET.dll
c:\documents and settings\Dawud\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\program files\ComfortKeyboard\CKeyboardH.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\lkads.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\lktsrv.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\ComfortKeyboard\CKeyboardCm.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-01-28 21:48:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-29 02:48
ComboFix2.txt 2011-01-28 00:39
ComboFix3.txt 2011-01-27 14:43

Pre-Run: 43,144,237,056 bytes free
Post-Run: 43,141,005,312 bytes free

- - End Of File - - 3BFDBC26D1AC27E4C77CBB3C0A3BDC05

Edited by Insp. Bumstead, 28 January 2011 - 09:51 PM.


#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:56 AM

Posted 29 January 2011 - 02:57 PM

Good evening. :)

Run HJT again and let me have a fresh log.

So long, and thanks for all the fish.

#9 Insp. Bumstead

Insp. Bumstead
  • Topic Starter

  • Members
  • 79 posts
  • Gender:Male
  • Local time:02:56 AM

Posted 29 January 2011 - 04:13 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:12:57 PM, on 1/29/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ComfortKeyboard\CKeyboard.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
C:\Documents and Settings\Dawud\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\ComfortKeyboard\CKeyboardCm.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Dawud\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTo0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTo0.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTo0.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NI Background Service] E:\NI\Shared\Update Service\niupdate.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CKeyboard] C:\Program Files\ComfortKeyboard\CKeyboard.exe
O4 - HKLM\..\Run: [Cfarepuxekuv] rundll32.exe "C:\WINDOWS\afoduzuvifukifur.dll",Startup
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [Ttiwozahuy] rundll32.exe "C:\WINDOWS\kregsv.dll",Startup
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode
O4 - HKCU\..\Run: [Ko7kgqLaGLuQjjV] C:\Documents and Settings\All Users\Application Data\Ko7kgqLaGLuQjjV.exe
O4 - HKCU\..\Run: [GvcfEplRcUH.exe] C:\Documents and Settings\All Users\Application Data\GvcfEplRcUH.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dawud\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Dropbox.lnk = C:\Documents and Settings\Dawud\Application Data\Dropbox\bin\Dropbox.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Dropbox.lnk = C:\Documents and Settings\Dawud\Application Data\Dropbox\bin\Dropbox.exe (User 'Default user')
O4 - .DEFAULT Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe (User 'Default user')
O4 - .DEFAULT Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Dawud\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Logitech\Logitech WebCam Software\eReg.exe
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: Air Mouse.lnk = C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Broken Internet access because of LSP provider 'e:\ni\shared\mdns responder\nimdnsnsp.dll' missing
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KMService - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - Unknown owner - E:\NI\MAX\nimxs.exe (file missing)
O23 - Service: NI Application Web Server (NIApplicationWebServer) - Unknown owner - E:\NI\Shared\NI WebServer\ApplicationWebServer.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - Unknown owner - E:\NI\Shared\Security\nidmsrv.exe (file missing)
O23 - Service: NILM License Manager - Unknown owner - E:\NI\Shared\License Manager\Bin\lmgrd.exe (file missing)
O23 - Service: National Instruments mDNS Responder Service (nimDNSResponder) - Unknown owner - E:\NI\Shared\mDNS Responder\nimdnsResponder.exe (file missing)
O23 - Service: NI System Web Server (niSvcLoc) - Unknown owner - E:\NI\Shared\NI WebServer\SystemWebServer.exe (file missing)
O23 - Service: National Instruments Variable Engine (NITaggerService) - Unknown owner - E:\NI\Shared\Tagger\tagsrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 16036 bytes

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:56 AM

Posted 29 January 2011 - 06:34 PM

Run HijackThis as you did to generate a log, but this time click on 'Scan'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O4 - HKLM\..\Run: [Cfarepuxekuv] rundll32.exe "C:\WINDOWS\afoduzuvifukifur.dll",Startup
O4 - HKCU\..\Run: [Ko7kgqLaGLuQjjV] C:\Documents and Settings\All Users\Application Data\Ko7kgqLaGLuQjjV.exe
O4 - HKCU\..\Run: [GvcfEplRcUH.exe] C:\Documents and Settings\All Users\Application Data\GvcfEplRcUH.exe


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

Reboot the system and check for naughty messages and also do the following:

Remove any/all of the following files/folders that you can find:

Files

C:\WINDOWS\afoduzuvifukifur.dll
C:\Documents and Settings\All Users\Application Data\Ko7kgqLaGLuQjjV.exe
C:\Documents and Settings\All Users\Application Data\GvcfEplRcUH.exe


As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop or in the Start menu.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


Tell me how you get on.

So long, and thanks for all the fish.


#11 Insp. Bumstead (Topic Starter)

  • Members
  • 79 posts
  • Gender:Male
  • Local time:02:56 AM

Posted 29 January 2011 - 09:12 PM

I couldn't find any of the files you said to delete, but the afoduzuvifukifur.dll error is gone. It's still saying it's looking for "kregsv.dll". If you'll notice, kregsv.dll came up in HJT, so can I just run HJT and fix it like I did for the other errors?

O4 - HKCU\..\Run: [Ttiwozahuy] rundll32.exe "C:\WINDOWS\kregsv.dll",Startup
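The two O4 entries above are the mechanism behind the startup RUNDLL errors: the Run key still tells rundll32.exe to load a DLL that the antivirus has already removed. The script below is an added example, not HijackThis code or anything posted in this thread; it parses Run-key commands in the form HJT prints them, flags rundll32 entries whose DLL no longer exists, and (on Windows only) can read the real HKLM/HKCU Run keys. The sample dictionary is constructed from the thread's own entries.

```python
import os
import re
import sys

# Constructed sample: Run value name -> command, as HijackThis shows them.
SAMPLE_RUN_VALUES = {
    "Cfarepuxekuv": r'rundll32.exe "C:\WINDOWS\afoduzuvifukifur.dll",Startup',
    "Ttiwozahuy": r'rundll32.exe "C:\WINDOWS\kregsv.dll",Startup',
    "Ko7kgqLaGLuQjjV": r"C:\Documents and Settings\All Users\Application Data\Ko7kgqLaGLuQjjV.exe",
}

# rundll32 syntax is "<dll>,<entry point>"; the DLL path may be quoted and
# rundll32.exe itself may be given with a full path.
RUNDLL_RE = re.compile(
    r'^\s*(?:"?[^"]*?rundll32(?:\.exe)?"?)\s+"?([^",]+?)"?\s*,\s*(\S+)',
    re.IGNORECASE,
)

def parse_rundll(command):
    """Return (dll_path, entry_point) for a rundll32 command, else None."""
    m = RUNDLL_RE.match(command)
    return (m.group(1), m.group(2)) if m else None

def orphaned_rundll_entries(run_values, exists=os.path.exists):
    """Run values that call rundll32 on a DLL that is no longer on disk.
    These are the entries that raise 'cannot load' RUNDLL errors at logon
    after an AV deleted the DLL but left the autorun value behind."""
    orphans = []
    for name, command in run_values.items():
        parsed = parse_rundll(command)
        if parsed and not exists(parsed[0]):
            orphans.append((name, parsed[0], parsed[1]))
    return orphans

def read_run_values():
    """Read HKLM and HKCU ...\\CurrentVersion\\Run; returns {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, subkey = {}, r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, subkey) as key:
                i = 0
                while True:  # EnumValue raises OSError at the end of the list
                    name, data, _ = winreg.EnumValue(key, i)
                    values[name] = str(data)
                    i += 1
        except OSError:
            pass
    return values

if __name__ == "__main__":
    for name, dll, entry in orphaned_rundll_entries(read_run_values() or SAMPLE_RUN_VALUES):
        print(f"orphaned autorun {name!r}: rundll32 {dll},{entry} (DLL missing)")
```

Off Windows it runs against the constructed sample, so both rundll32 entries are reported as orphaned; on the affected machine the same check would point at exactly the Run values HJT needs to fix.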

#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:56 AM

Posted 30 January 2011 - 03:39 PM

Good evening. :)

:whistle: Sorry, my bad - fix that one too.

Once you've done that, will you go here and follow steps 7 and 9 and let me have the logs produced.

So long, and thanks for all the fish.


#13 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:56 AM

Posted 04 February 2011 - 04:19 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.
