BSOD + Google Redirect + "Congratulations You've Won!"


18 replies to this topic

#1 Dittoz (Members, 9 posts)

Posted 07 February 2011 - 08:33 PM

Sounds bad, and it is. I've tried the usual suspects and can't get rid of this problem. I'll take any advice I can get. Started about 2 weeks ago, and just been too busy to sit down and try to fix it. No rhyme or reason to the BSOD. It just started as I became infected, so as of right now I'm assuming it's related. Just let me know any other information you need. Here's the log:


DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Chris at 19:28:00.26 on Mon 02/07/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.4714 [GMT -6:00]

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\iRacing\iRacingService.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Users\Chris\AppData\Roaming\Casyr\ogilo.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\ProgramData\dgGR5q1H.exe
C:\ProgramData\dgGR5q1H.exe
C:\ProgramData\dgGR5q1H.exe
C:\ProgramData\dgGR5q1H.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Chris\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [{59F2D030-5C0D-B33E-3B6D-E4ACB6BDD7AF}] C:\Users\Chris\AppData\Roaming\Casyr\ogilo.exe
dRun: [CE8SIIFGSU] C:\Windows\TEMP\Agw.exe
dRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10k_ActiveX.exe -update activex
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB-X64: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\vlo6ego8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R2 cpuz134;cpuz134;C:\Windows\System32\drivers\cpuz134_x64.sys [2010-8-8 21480]
R2 iRacingService;iRacing helper service;C:\Program Files (x86)\iRacing\iRacingService.exe [2010-12-25 469152]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-5-7 197976]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2010-5-7 30304]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2010-7-27 339040]
R3 lvsels64;Logitech Selective Suspend Filter;C:\Windows\System32\drivers\lvsels64.sys [2010-7-27 68064]
R3 LVUVC64;QuickCam Orbit/Sphere AF(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2010-7-27 6465632]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PorscheWheelFilterUsb;PorscheWheelFilterUsb;C:\Windows\System32\drivers\PWFilterUsb.sys [2010-12-15 58448]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 wxpSvc;webcamXP Service;C:\Program Files (x86)\wLite\wService.exe [2010-5-2 5027328]

=============== Created Last 30 ================

2011-02-08 00:40:00 296448 ----a-w- C:\1z6mcnzo.exe
2011-02-07 19:47:33 -------- d-----w- C:\Users\Chris\AppData\Roaming\Cuguog
2011-02-07 19:47:33 -------- d-----w- C:\Users\Chris\AppData\Roaming\Casyr
2011-02-04 08:36:35 -------- d-----w- C:\Program Files (x86)\Winamp Detect
2011-02-04 08:36:33 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2011-02-03 01:08:12 -------- d-----w- C:\Program Files (x86)\Fisher-Price
2011-01-30 22:30:15 77826 ----a-w- C:\PROGRA~3\dgGR5q1H.exe
2011-01-30 20:08:41 -------- d-----w- C:\Users\Chris\AppData\Roaming\Malwarebytes
2011-01-30 20:08:39 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-30 20:08:39 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-01-30 20:08:36 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-30 20:08:36 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-01-30 19:19:29 -------- d-----w- C:\Program Files\Common Files\Intuit
2011-01-30 19:16:23 4194304 ----a-w- C:\Windows\SysWow64\cdintf400.dll
2011-01-30 19:15:47 -------- d-----w- C:\PROGRA~3\Nuance
2011-01-30 19:14:25 -------- d-----w- C:\PROGRA~3\SQL Anywhere 11
2011-01-30 19:06:11 0 ----a-w- C:\Users\Chris\AppData\Local\Gyokoyineba.bin
2011-01-30 19:06:10 -------- d-----w- C:\Users\Chris\AppData\Local\{CE292D19-C230-4682-A668-B9B558E5D14E}
2011-01-30 18:15:03 -------- d-----w- C:\Program Files (x86)\Common Files\SWF Studio
2011-01-29 20:47:55 -------- d-----w- C:\Users\Chris\AppData\Roaming\GrabIt
2011-01-29 20:47:15 -------- d-----w- C:\Program Files (x86)\GrabIt
2011-01-27 20:02:46 -------- d-----w- C:\PROGRA~3\KingsIsle Entertainment
2011-01-23 05:26:20 -------- d-----w- C:\Program Files (x86)\NewsLeecher
2011-01-22 06:24:57 -------- d-----w- C:\PROGRA~3\webcamXP 5
2011-01-22 06:24:56 -------- d-----w- C:\Program Files (x86)\wLite

==================== Find3M ====================

2011-02-06 02:12:34 1409 ----a-w- C:\Windows\QTFont.for
2010-12-26 19:11:13 466520 ----a-w- C:\Windows\System32\wrap_oal.dll
2010-12-26 19:11:13 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2010-12-26 19:11:13 122968 ----a-w- C:\Windows\System32\OpenAL32.dll
2010-12-26 19:11:13 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2010-12-15 17:24:18 58448 ----a-w- C:\Windows\System32\drivers\PWFilterUsb.sys
2010-11-20 05:48:58 10 ----a-w- C:\Users\Chris\AppData\Roaming\sysFiles00.dll
2010-11-15 19:21:40 1919968 ----a-w- C:\Windows\System32\WdfCoInstaller01005.dll

============= FINISH: 19:28:11.40 ===============



GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-07 19:34:01
Windows 6.1.7600
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x83 0x61 0x71 0x2D ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x51 0xD1 0x5D 0x9A ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x80 0x60 0xA2 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1A 0x06 0xD0 0x60 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x51 0xD1 0x5D 0x9A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBA 0x9D 0xA1 0x87 ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1A 0x06 0xD0 0x60 ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x51 0xD1 0x5D 0x9A ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBA 0x9D 0xA1 0x87 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini 67 bytes

---- EOF - GMER 1.0.15 ----

Edited by Dittoz, 07 February 2011 - 08:35 PM.
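A triage helper for the kind of DDS log posted above, added here as an example; it is not part of this thread and not the DDS tool or any BleepingComputer script. It runs over constructed sample lines modelled on that log (SAMPLE_LOG, the regexes and the Finding type are this example's own) and flags three things the log shows: executables running or autostarting from user-writable paths, UAC policies reported as 0, and Firefox user.js entries that switch security warnings off.

```python
"""Triage a DDS-style log for the indicators discussed in this thread.

Constructed example: not a BleepingComputer or DDS tool. The heuristics are a
starting point for manual review of the log, not a verdict on any file.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the DDS log in post #1 (not the full log).
SAMPLE_LOG = """\
============== Running Processes ===============
C:\\Windows\\system32\\svchost.exe -k netsvcs
C:\\Users\\Chris\\AppData\\Roaming\\Casyr\\ogilo.exe
C:\\ProgramData\\dgGR5q1H.exe
C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe
============== Pseudo HJT Report ===============
uRun: [{59F2D030-5C0D-B33E-3B6D-E4ACB6BDD7AF}] C:\\Users\\Chris\\AppData\\Roaming\\Casyr\\ogilo.exe
dRun: [CE8SIIFGSU] C:\\Windows\\TEMP\\Agw.exe
mRun-x64: [RtHDVCpl] C:\\Program Files\\Realtek\\Audio\\HDA\\RAVCpl64.exe -s
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_viewing_mixed - false
"""

# A binary that runs or autostarts from a user-writable location. Legitimate
# software occasionally does this too, so treat a hit as "look closer".
SUSPICIOUS_PATH = re.compile(
    r"\\appdata\\roaming\\|\\appdata\\local\\temp\\|\\windows\\temp\\"
    r"|\\programdata\\[^\\]+\.(?:exe|scr)$",
    re.IGNORECASE,
)
# First token that looks like a Windows path to an executable; arguments follow.
EXE_PATH = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|scr))(?=\s|$)", re.IGNORECASE)
# DDS autostart prefixes: u = user hive, m = machine hive, d = default user.
AUTOSTART = re.compile(r"^[umd]Run(?:Once)?(?:-x64)?:\s*\[[^\]]*\]\s*(.*)$")
UAC_POLICY = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
FF_PREF = re.compile(r"^FF - user\.js:\s*(\S+)\s*-\s*(\S+)")

# UAC values that, when 0, mean UAC is off or elevation happens silently.
UAC_KEYS = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}


@dataclass(frozen=True)
class Finding:
    category: str  # "process", "autostart", "uac" or "firefox"
    detail: str    # the path, policy name or pref that triggered it
    line: str      # the raw log line, to quote back in a reply


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect findings in the order they appear."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("=") or line.startswith("----"):
            section = line.strip("= -").lower()  # e.g. "running processes"
            continue
        if section == "running processes":
            m = EXE_PATH.match(line)
            if m and SUSPICIOUS_PATH.search(m.group(1)):
                findings.append(Finding("process", m.group(1), line))
            continue
        m = AUTOSTART.match(line)
        if m:
            p = EXE_PATH.search(m.group(1))
            if p and SUSPICIOUS_PATH.search(p.group(1)):
                findings.append(Finding("autostart", p.group(1), line))
            continue
        m = UAC_POLICY.match(line)
        if m and m.group(1) in UAC_KEYS and int(m.group(2)) == 0:
            findings.append(Finding("uac", m.group(1), line))
            continue
        m = FF_PREF.match(line)
        if m and m.group(1).startswith("security.") and m.group(2) == "false":
            findings.append(Finding("firefox", m.group(1), line))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. {"process": 2, "uac": 3}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

Run against the sample it reports the two ogilo.exe/dgGR5q1H.exe processes, the ogilo.exe and Agw.exe autostarts, three zeroed UAC policies and two disabled Firefox security warnings, while the Realtek entry and svchost pass.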




#2 Starbuck ('r Brudiwr, Malware Response Team, 4,149 posts, Midlands, UK)

Posted 07 February 2011 - 09:01 PM

Hi Dittoz and welcome to Bleeping Computer,

Let's get rid of some of the bad guys first.

Step 1
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

[Posted image]

This is an example, you may rename ComboFix to anything you want.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Then:

    Double click on Combo-Fix.exe & follow the prompts.

    Vista/Win7 users should right click on the Combofix icon and select run as administrator.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    If running Vista/Win7, you may not see this screen
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Posted image]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Posted image]

Click on Yes, to continue scanning for malware.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Step 2
  • Download OTL to your desktop.
    Right click on the link and select 'Save Link/Target As'.

    if you have problems, try this download link:
    OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check
[Posted image]
  • Now copy the lines in bold below.

    netsvcs
    msconfig
    activex
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT


  • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.

    [Posted image]
  • Click the Run Scan button.

    [Posted image]
  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:
Combofix.txt
and both reports from OTL


Thanks.



#3 Dittoz (Topic Starter, Members, 9 posts)

Posted 07 February 2011 - 09:17 PM

Here are the log files you requested. Thanks!

ComboFix 11-02-07.01 - Chris 02/07/2011 20:05:46.1.8 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.4633 [GMT -6:00]
Running from: c:\users\Chris\Desktop\Combo-Fix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\dgGR5q1H.exe
c:\users\Chris\AppData\Local\{CE292D19-C230-4682-A668-B9B558E5D14E}
c:\users\Chris\AppData\Local\{CE292D19-C230-4682-A668-B9B558E5D14E}\chrome.manifest
c:\users\Chris\AppData\Local\{CE292D19-C230-4682-A668-B9B558E5D14E}\chrome\content\_cfg.js
c:\users\Chris\AppData\Local\{CE292D19-C230-4682-A668-B9B558E5D14E}\chrome\content\overlay.xul
c:\users\Chris\AppData\Local\{CE292D19-C230-4682-A668-B9B558E5D14E}\install.rdf
c:\users\Chris\AppData\Roaming\Casyr\ogilo.exe
c:\windows\Tasks\At1.job

c:\users\Chris\AppData\Roaming\Casyr\ogilo .exe --->c:\users\Chris\AppData\Roaming\Casyr\ogilo.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-01-08 to 2011-02-08 )))))))))))))))))))))))))))))))
.

2011-02-08 02:07 . 2011-02-08 02:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-08 00:40 . 2011-02-08 00:39 296448 ----a-w- C:\1z6mcnzo.exe
2011-02-07 19:47 . 2011-02-08 02:08 -------- d-----w- c:\users\Chris\AppData\Roaming\Casyr
2011-02-07 19:47 . 2011-02-07 22:13 -------- d-----w- c:\users\Chris\AppData\Roaming\Cuguog
2011-02-07 17:16 . 2011-02-07 17:16 133120 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe
2011-02-04 08:36 . 2011-02-04 08:36 -------- d-----w- c:\program files (x86)\Winamp Detect
2011-02-04 08:36 . 2011-02-04 08:36 -------- d-----w- c:\program files (x86)\Common Files\PX Storage Engine
2011-02-04 08:36 . 2011-02-06 02:11 -------- d-----w- c:\users\Chris\AppData\Roaming\Winamp
2011-02-04 08:36 . 2011-02-04 20:07 -------- d-----w- c:\program files (x86)\Winamp
2011-02-03 01:08 . 2011-02-03 01:08 -------- d-----w- c:\program files (x86)\Fisher-Price
2011-01-30 20:08 . 2011-01-30 20:08 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
2011-01-30 20:08 . 2011-01-30 20:08 -------- d-----w- c:\programdata\Malwarebytes
2011-01-30 20:08 . 2010-12-21 00:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-30 20:08 . 2011-02-06 02:28 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-30 20:08 . 2010-12-21 00:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-30 19:19 . 2011-01-30 19:19 -------- d-----w- c:\program files\Common Files\Intuit
2011-01-30 19:16 . 2009-06-22 15:14 4194304 ----a-w- c:\windows\SysWow64\cdintf400.dll
2011-01-30 19:15 . 2011-01-30 19:15 -------- d-----w- c:\programdata\Nuance
2011-01-30 19:14 . 2011-01-30 19:18 -------- d-----w- c:\programdata\SQL Anywhere 11
2011-01-30 19:06 . 2011-01-30 19:06 0 ----a-w- c:\users\Chris\AppData\Local\Gyokoyineba.bin
2011-01-30 18:15 . 2011-01-30 18:15 -------- d-----w- c:\program files (x86)\Common Files\SWF Studio
2011-01-29 20:47 . 2011-01-29 20:48 -------- d-----w- c:\users\Chris\AppData\Roaming\GrabIt
2011-01-29 20:47 . 2011-01-29 20:47 -------- d-----w- c:\program files (x86)\GrabIt
2011-01-27 20:02 . 2011-01-27 20:02 -------- d-----w- c:\programdata\KingsIsle Entertainment
2011-01-23 05:26 . 2011-01-23 05:26 -------- d-----w- c:\program files (x86)\NewsLeecher
2011-01-22 17:07 . 2011-01-22 17:07 -------- d-----w- c:\users\Test
2011-01-22 06:24 . 2011-01-22 17:24 -------- d-----w- c:\programdata\webcamXP 5
2011-01-22 06:24 . 2011-01-22 06:24 -------- d-----w- c:\program files (x86)\wLite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-06 02:12 . 2010-11-06 04:43 1409 ----a-w- c:\windows\QTFont.for
2010-12-26 19:11 . 2010-12-26 04:10 466520 ----a-w- c:\windows\system32\wrap_oal.dll
2010-12-26 19:11 . 2010-12-26 04:10 445016 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2010-12-26 19:11 . 2010-12-26 04:10 122968 ----a-w- c:\windows\system32\OpenAL32.dll
2010-12-26 19:11 . 2010-12-26 04:10 109144 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2010-12-15 17:24 . 2010-12-15 17:24 58448 ----a-w- c:\windows\system32\drivers\PWFilterUsb.sys
2010-11-20 05:48 . 2010-11-20 05:48 10 ----a-w- c:\users\Chris\AppData\Roaming\sysFiles00.dll
2010-11-15 19:21 . 2010-11-15 19:21 1919968 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
.
c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl .exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files (x86)\DAEMON Tools Lite\DTLite .exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbam .exe
c:\program files (x86)\QuickTime\qttask      .exe
c:\program files (x86)\QuickTime\qttask     .exe
c:\program files (x86)\QuickTime\qttask    .exe
c:\program files (x86)\QuickTime\qttask   .exe
c:\program files (x86)\QuickTime\qttask  .exe
c:\program files (x86)\Winamp\winampa .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{59F2D030-5C0D-B33E-3B6D-E4ACB6BDD7AF}"="c:\users\Chris\AppData\Roaming\Casyr\ogilo.exe" [2010-09-30 133120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10k_ActiveX.exe" [2010-09-25 232912]

c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
biirgo.exe [2011-2-7 133120]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ykodh.exe [2011-2-7 133120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-07 197976]
R3 ALSysIO;ALSysIO;c:\users\Chris\AppData\Local\Temp\ALSysIO64.sys [x]
R3 dump_wmimmc;dump_wmimmc;f:\ntreev usa\Pangya\GameGuard\dump_wmimmc.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PorscheWheelFilterUsb;PorscheWheelFilterUsb;c:\windows\system32\DRIVERS\PWFilterUsb.sys [2010-12-15 58448]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 wxpSvc;webcamXP Service;c:\program files (x86)\wLite\wService.exe [2010-05-02 5027328]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-10 834544]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [2010-07-09 21480]
S2 iRacingService;iRacing helper service;c:\program files (x86)\iRacing\iRacingService.exe [2010-12-13 469152]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2010-05-07 30304]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2010-07-27 339040]
S3 lvsels64;Logitech Selective Suspend Filter;c:\windows\system32\DRIVERS\lvsels64.sys [2010-07-27 68064]
S3 LVUVC64;QuickCam Orbit/Sphere AF(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2010-07-27 6465632]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

.
Contents of the 'Scheduled Tasks' folder
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-09-03 11464296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files (x86)\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\vlo6ego8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\wxpSvc]
"ImagePath"="c:\program files (x86)\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,74,6c,aa,55,84,47,8f,98,54,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,74,6c,aa,55,84,47,8f,98,54,\

[HKEY_USERS\S-1-5-21-2507059737-3299237889-1687352491-1001\Software\SecuROM\License information*]
"datasecu"=hex:e6,51,71,80,20,1f,cd,d4,4d,8b,8f,7a,79,94,d3,d8,9d,95,f0,f0,f1,
4d,95,68,15,51,da,07,ab,ea,46,b3,c8,b5,96,3b,a2,21,16,b6,e4,4a,07,88,3f,dd,\
"rkeysecu"=hex:3b,95,40,05,99,a9,c0,95,fc,84,5e,69,b0,17,dc,90

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-02-07 20:09:18
ComboFix-quarantined-files.txt 2011-02-08 02:09

Pre-Run: 13,588,230,144 bytes free
Post-Run: 13,484,687,360 bytes free

- - End Of File - - D6256260FAF6E200E6895AE3C59041D7


---------------------

OTL logfile created on: 2/7/2011 8:11:02 PM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\Chris\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

6.00 Gb Total Physical Memory | 4.00 Gb Available Physical Memory | 74.00% Memory free
12.00 Gb Paging File | 10.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 59.53 Gb Total Space | 12.63 Gb Free Space | 21.22% Space Free | Partition Type: NTFS
Drive D: | 465.75 Gb Total Space | 4.10 Gb Free Space | 0.88% Space Free | Partition Type: NTFS
Drive E: | 465.76 Gb Total Space | 427.86 Gb Free Space | 91.86% Space Free | Partition Type: NTFS
Drive F: | 465.76 Gb Total Space | 167.07 Gb Free Space | 35.87% Space Free | Partition Type: NTFS
Drive G: | 191.00 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: CHRIS-PC | User Name: Chris | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Chris\Desktop\OTL.scr (OldTimer Tools)
PRC - C:\Program Files (x86)\iRacing\iRacingService.exe (iRacing.com Motorsport Simulations, LLC
Bedford, MA 01730)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
PRC - C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe (Logitech Inc.)
PRC - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)


========== Modules (SafeList) ==========

MOD - C:\Users\Chris\Desktop\OTL.scr (OldTimer Tools)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV:64bit: - (LVPrcS64) -- C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe (Logitech Inc.)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (iRacingService) -- C:\Program Files (x86)\iRacing\iRacingService.exe (iRacing.com Motorsport Simulations, LLC
Bedford, MA 01730)
SRV - (npggsvc) -- C:\Windows\SysWow64\GameMon.des (INCA Internet Co., Ltd.)
SRV - (Stereo Service) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe (NVIDIA Corporation)
SRV - (wxpSvc) -- C:\Program Files (x86)\wLite\wService.exe (Moonware Studios)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (QBCFMonitorService) -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
SRV - (QBFCService) -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (PorscheWheelFilterUsb) -- C:\Windows\SysNative\drivers\PWFilterUsb.sys (Windows ® Codename Longhorn DDK provider)
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys ()
DRV:64bit: - (LVUVC64) QuickCam Orbit/Sphere AF(UVC) -- C:\Windows\SysNative\drivers\lvuvc64.sys (Logitech Inc.)
DRV:64bit: - (lvsels64) -- C:\Windows\SysNative\drivers\lvsels64.sys (Logitech Inc.)
DRV:64bit: - (LVRS64) -- C:\Windows\SysNative\drivers\lvrs64.sys (Logitech Inc.)
DRV:64bit: - (cpuz134) -- C:\Windows\SysNative\drivers\cpuz134_x64.sys (Windows ® Win 7 DDK provider)
DRV:64bit: - (LVPr2Mon) -- C:\Windows\SysNative\drivers\LVPr2M64.sys ()
DRV:64bit: - (LVPr2M64) -- C:\Windows\SysNative\drivers\LVPr2M64.sys ()
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (Ntfs) -- C:\Windows\SysNative\wbem\ntfs.mof ()
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek Corporation )
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (USB28xxOEM) -- C:\Windows\SysNative\drivers\emOEM64.sys (eMPIA Technology, Inc.)
DRV:64bit: - (USB28xxBGA) -- C:\Windows\SysNative\drivers\emBDA64.sys (eMPIA Technology, Inc.)
DRV - (NPPTNT2) -- C:\Windows\SysWOW64\npptNT2.sys (INCA Internet Co., Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BE 3B 23 67 74 37 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/01/22 11:24:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/02/05 18:25:37 | 000,000,000 | ---D | M]

[2010/08/08 21:47:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chris\AppData\Roaming\Mozilla\Extensions
[2011/02/07 18:57:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\vlo6ego8.default\extensions
[2011/01/15 00:59:01 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\vlo6ego8.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2011/02/05 20:25:43 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/09/15 03:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/12/09 04:47:06 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
[2011/02/02 12:58:19 | 000,001,919 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing-zugo.xml

O1 HOSTS File: ([2010/10/27 09:56:48 | 000,000,854 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKCU..\Run: [{59F2D030-5C0D-B33E-3B6D-E4ACB6BDD7AF}] C:\Users\Chris\AppData\Roaming\Casyr\ogilo.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
O18:64bit: - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\qbwc {FC598A64-626C-4447-85B8-53150405FD57} - Reg Error: Key error. File not found
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28:64bit: - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2007/11/20 18:47:50 | 000,000,050 | R--- | M] () - G:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)


ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/02/07 20:09:43 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\Chris\Desktop\OTL.scr
[2011/02/07 20:09:19 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/02/07 20:05:20 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/02/07 20:05:20 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/02/07 20:05:20 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/02/07 20:05:17 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/02/07 20:05:08 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/02/07 20:04:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/02/07 20:04:52 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2011/02/07 18:43:12 | 001,360,472 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Chris\Desktop\TDSSKiller.exe
[2011/02/07 13:47:33 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Cuguog
[2011/02/07 13:47:33 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Casyr
[2011/02/05 20:32:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2011/02/04 02:36:35 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Winamp Detector Plug-in
[2011/02/04 02:36:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Winamp Detect
[2011/02/04 02:36:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Winamp
[2011/02/04 02:36:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\PX Storage Engine
[2011/02/04 02:36:32 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Winamp
[2011/02/04 02:36:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Winamp
[2011/02/02 19:08:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Fisher-Price
[2011/01/30 15:03:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Services
[2011/01/30 14:08:41 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\Malwarebytes
[2011/01/30 14:08:39 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011/01/30 14:08:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/01/30 14:08:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/01/30 14:08:36 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/01/30 14:08:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/01/30 13:19:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Intuit
[2011/01/30 13:16:23 | 004,194,304 | ---- | C] (Amyuni Technologies
http://www.amyuni.com) -- C:\Windows\SysWow64\cdintf400.dll
[2011/01/30 13:15:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Nuance
[2011/01/30 13:14:25 | 000,000,000 | ---D | C] -- C:\ProgramData\SQL Anywhere 11
[2011/01/30 12:15:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\SWF Studio
[2011/01/29 14:47:55 | 000,000,000 | ---D | C] -- C:\Users\Chris\AppData\Roaming\GrabIt
[2011/01/29 14:47:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GrabIt
[2011/01/29 14:47:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\GrabIt
[2011/01/27 14:02:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KingsIsle Entertainment
[2011/01/27 14:02:46 | 000,000,000 | ---D | C] -- C:\ProgramData\KingsIsle Entertainment
[2011/01/22 23:26:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NewsLeecher
[2011/01/22 23:26:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NewsLeecher
[2011/01/22 00:24:57 | 000,000,000 | ---D | C] -- C:\ProgramData\webcamXP 5
[2011/01/22 00:24:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\webcamXP 5
[2011/01/22 00:24:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\wLite
[4 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Users\Chris\Desktop\*.tmp files -> C:\Users\Chris\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/02/07 20:09:33 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Chris\Desktop\OTL.scr
[2011/02/07 20:04:05 | 004,264,891 | R--- | M] () -- C:\Users\Chris\Desktop\Combo-Fix.exe
[2011/02/07 18:50:14 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/02/07 18:50:14 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/02/07 18:49:23 | 000,660,532 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/02/07 18:49:23 | 000,119,576 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/02/07 18:49:23 | 000,004,910 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/02/07 18:45:12 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/02/07 18:45:07 | 529,932,287 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/07 18:39:52 | 000,296,448 | ---- | M] () -- C:\1z6mcnzo.exe
[2011/02/07 17:56:10 | 443,300,190 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/02/07 16:17:26 | 000,000,112 | ---- | M] () -- C:\ProgramData\HESW16S1.dat
[2011/02/05 20:32:00 | 000,001,070 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2011/02/05 20:12:34 | 000,054,156 | -H-- | M] () -- C:\Windows\QTFont.qfn
[2011/02/05 20:12:34 | 000,001,409 | ---- | M] () -- C:\Windows\QTFont.for
[2011/02/05 18:25:53 | 020,364,702 | ---- | M] () -- C:\Users\Chris\Documents\vlc-1.1.7-win32.exe
[2011/02/04 02:36:35 | 000,000,983 | ---- | M] () -- C:\Users\Public\Desktop\Winamp.lnk
[2011/02/03 13:36:59 | 000,000,165 | -H-- | M] () -- C:\Users\Chris\Desktop\~$New Microsoft Excel Worksheet.xlsx
[2011/02/01 10:36:10 | 001,360,472 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Chris\Desktop\TDSSKiller.exe
[2011/01/30 13:30:38 | 000,000,681 | ---- | M] () -- C:\Users\Chris\Desktop\Play League of Legends (2).lnk
[2011/01/30 13:20:03 | 010,260,480 | ---- | M] () -- C:\Users\Chris\Desktop\MTS (Backup Jan 30,2011 01 19 PM).QBB
[2011/01/30 13:16:21 | 000,000,116 | ---- | M] () -- C:\Windows\QBChanUtil_Trigger.ini
[2011/01/30 13:06:43 | 000,036,316 | ---- | M] () -- C:\Users\Public\Documents\dll
[2011/01/30 13:06:11 | 000,000,120 | ---- | M] () -- C:\Users\Chris\AppData\Local\Xsoqu.dat
[2011/01/30 13:06:11 | 000,000,000 | ---- | M] () -- C:\Users\Chris\AppData\Local\Gyokoyineba.bin
[2011/01/30 12:13:31 | 011,083,776 | ---- | M] () -- C:\Users\Chris\Desktop\Mid-Tenn Sitework, LLC (Backup Jan 30,2011 12 13 PM).QBB
[2011/01/30 09:45:32 | 004,862,472 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/01/29 14:47:16 | 000,000,947 | ---- | M] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\GrabIt.lnk
[2011/01/29 14:47:16 | 000,000,923 | ---- | M] () -- C:\Users\Chris\Desktop\GrabIt.lnk
[2011/01/27 14:02:47 | 000,000,817 | ---- | M] () -- C:\Users\Public\Desktop\Play Wizard101.lnk
[2011/01/26 16:40:43 | 000,002,019 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/01/24 14:40:46 | 000,016,116 | ---- | M] () -- C:\Users\Chris\Desktop\Reading Outline - Remedies - Class One.docx
[2011/01/23 10:45:11 | 000,017,574 | ---- | M] () -- C:\Users\Chris\Desktop\Reading Outline - Property - Class One.docx
[2011/01/22 12:42:36 | 000,000,015 | ---- | M] () -- C:\Windows\OverlayXP.ini
[2011/01/22 11:24:55 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2011/01/22 00:16:03 | 000,001,365 | ---- | M] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/01/22 00:07:48 | 000,000,213 | ---- | M] () -- C:\Windows\uViewIt.INI
[2011/01/21 17:17:59 | 000,016,127 | ---- | M] () -- C:\Users\Chris\Desktop\Van Valkenburgh v. Lutz.docx
[2011/01/20 21:10:08 | 000,022,134 | ---- | M] () -- C:\Users\Chris\Desktop\Reading Outline - Evidence Class 1.docx
[2011/01/13 20:14:34 | 000,035,702 | ---- | M] () -- C:\Users\Chris\Desktop\Chris Jones - Resume.docx
[4 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Users\Chris\Desktop\*.tmp files -> C:\Users\Chris\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/02/07 20:05:20 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/02/07 20:05:20 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/02/07 20:05:20 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/02/07 20:05:20 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/02/07 20:05:20 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/02/07 19:29:45 | 000,296,448 | ---- | C] () -- C:\Users\Chris\Desktop\gmer.exe
[2011/02/07 18:40:00 | 000,296,448 | ---- | C] () -- C:\1z6mcnzo.exe
[2011/02/07 17:51:33 | 443,300,190 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/02/07 17:47:00 | 004,264,891 | R--- | C] () -- C:\Users\Chris\Desktop\Combo-Fix.exe
[2011/02/05 20:32:00 | 000,001,070 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2011/02/05 18:25:10 | 020,364,702 | ---- | C] () -- C:\Users\Chris\Documents\vlc-1.1.7-win32.exe
[2011/02/04 02:36:35 | 000,000,983 | ---- | C] () -- C:\Users\Public\Desktop\Winamp.lnk
[2011/02/03 13:36:59 | 000,000,165 | -H-- | C] () -- C:\Users\Chris\Desktop\~$New Microsoft Excel Worksheet.xlsx
[2011/01/30 16:27:53 | 000,000,112 | ---- | C] () -- C:\ProgramData\HESW16S1.dat
[2011/01/30 13:30:38 | 000,000,681 | ---- | C] () -- C:\Users\Chris\Desktop\Play League of Legends (2).lnk
[2011/01/30 13:20:00 | 010,260,480 | ---- | C] () -- C:\Users\Chris\Desktop\MTS (Backup Jan 30,2011 01 19 PM).QBB
[2011/01/30 13:14:25 | 000,000,116 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2011/01/30 13:06:11 | 000,000,120 | ---- | C] () -- C:\Users\Chris\AppData\Local\Xsoqu.dat
[2011/01/30 13:06:11 | 000,000,000 | ---- | C] () -- C:\Users\Chris\AppData\Local\Gyokoyineba.bin
[2011/01/30 12:15:47 | 000,036,316 | ---- | C] () -- C:\Users\Public\Documents\dll
[2011/01/30 12:13:20 | 011,083,776 | ---- | C] () -- C:\Users\Chris\Desktop\Mid-Tenn Sitework, LLC (Backup Jan 30,2011 12 13 PM).QBB
[2011/01/29 14:47:16 | 000,000,947 | ---- | C] () -- C:\Users\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\GrabIt.lnk
[2011/01/29 14:47:16 | 000,000,923 | ---- | C] () -- C:\Users\Chris\Desktop\GrabIt.lnk
[2011/01/27 14:02:47 | 000,000,817 | ---- | C] () -- C:\Users\Public\Desktop\Play Wizard101.lnk
[2011/01/26 16:40:43 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/01/26 16:40:43 | 000,002,019 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/01/24 13:30:36 | 000,016,116 | ---- | C] () -- C:\Users\Chris\Desktop\Reading Outline - Remedies - Class One.docx
[2011/01/22 12:42:36 | 000,000,015 | ---- | C] () -- C:\Windows\OverlayXP.ini
[2011/01/22 11:24:55 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2011/01/21 16:27:58 | 000,017,574 | ---- | C] () -- C:\Users\Chris\Desktop\Reading Outline - Property - Class One.docx
[2011/01/21 16:20:58 | 000,016,127 | ---- | C] () -- C:\Users\Chris\Desktop\Van Valkenburgh v. Lutz.docx
[2011/01/20 21:10:08 | 000,022,134 | ---- | C] () -- C:\Users\Chris\Desktop\Reading Outline - Evidence Class 1.docx
[2010/11/19 23:49:29 | 000,000,213 | ---- | C] () -- C:\Windows\uViewIt.INI
[2010/11/19 23:48:58 | 000,000,010 | ---- | C] () -- C:\Users\Chris\AppData\Roaming\sysFiles00.dll
[2010/10/11 07:59:10 | 000,000,093 | ---- | C] () -- C:\Users\Chris\AppData\Local\fusioncache.dat
[2010/10/02 20:32:05 | 000,743,126 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/08/27 21:22:12 | 000,000,132 | ---- | C] () -- C:\Users\Chris\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2010/07/27 02:03:20 | 010,829,656 | ---- | C] () -- C:\Windows\SysWow64\LogiDPP.dll
[2010/07/27 02:03:18 | 000,290,648 | ---- | C] () -- C:\Windows\SysWow64\DevManagerCore.dll
[2010/04/02 17:17:34 | 000,179,091 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2009/07/13 17:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 15:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2006/07/17 11:11:36 | 000,667,280 | ---- | C] () -- C:\Windows\SysWow64\tx12.dll
[2006/02/09 02:20:00 | 000,000,530 | ---- | C] () -- C:\Windows\SysWow64\tx12_ic.ini

========== LOP Check ==========

[2010/11/16 22:06:35 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\.minecraft
[2010/10/13 21:35:48 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Beyluxe
[2011/02/07 20:08:03 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Casyr
[2011/02/07 16:13:09 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Cuguog
[2010/08/09 19:16:43 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\DAEMON Tools Lite
[2010/09/10 16:49:41 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\FOG Downloader
[2011/01/29 14:48:05 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\GrabIt
[2010/10/01 20:26:20 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Grasssoft
[2010/08/15 14:28:57 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\ImgBurn
[2010/09/18 21:16:12 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Leadertech
[2010/12/03 22:46:14 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\LolClient
[2010/08/20 23:10:11 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\ManyCam
[2010/08/29 14:40:32 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Need for Speed World
[2011/01/29 14:34:43 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\NewsLeecher
[2010/11/16 16:23:26 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\runic games
[2010/10/28 16:53:00 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\Unity
[2010/08/15 17:07:25 | 000,000,000 | ---D | M] -- C:\Users\Chris\AppData\Roaming\uTorrent
[2011/02/03 12:39:40 | 000,018,598 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2011/02/07 18:39:52 | 000,296,448 | ---- | M] () -- C:\1z6mcnzo.exe


< MD5 for: AGP440.SYS >
[2009/07/13 19:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysNative\drivers\AGP440.sys
[2009/07/13 19:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysNative\DriverStore\FileRepository\machine.inf_amd64_neutral_9e6bb86c3b39a3e9\AGP440.sys
[2009/07/13 19:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 19:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\ERDNT\cache64\atapi.sys
[2009/07/13 19:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\drivers\atapi.sys
[2009/07/13 19:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
[2009/07/13 19:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 19:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\ERDNT\cache86\cngaudit.dll
[2009/07/13 19:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/13 19:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2009/07/13 19:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\ERDNT\cache64\cngaudit.dll
[2009/07/13 19:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\SysNative\cngaudit.dll
[2009/07/13 19:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/13 19:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\SysNative\drivers\iaStorV.sys
[2009/07/13 19:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\SysNative\DriverStore\FileRepository\iastorv.inf_amd64_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 19:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_0b06441fa1790136\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 19:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\ERDNT\cache64\netlogon.dll
[2009/07/13 19:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\SysNative\netlogon.dll
[2009/07/13 19:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2009/07/13 19:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\ERDNT\cache86\netlogon.dll
[2009/07/13 19:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/13 19:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_6401533c860bb0f9\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/13 19:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\SysNative\drivers\nvstor.sys
[2009/07/13 19:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 19:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 19:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\ERDNT\cache86\scecli.dll
[2009/07/13 19:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/13 19:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9e577e55272d37b4\scecli.dll
[2009/07/13 19:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\ERDNT\cache64\scecli.dll
[2009/07/13 19:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\SysNative\scecli.dll
[2009/07/13 19:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9402d402f2cc75b9\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[4 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< End of report >



Edited by Starbuck, 08 February 2011 - 06:59 AM.
Added scan reports


#4 Starbuck


    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 08 February 2011 - 07:37 AM

Hi Dittoz,

Ok, we have some work to do.

Step 1
Close any open browsers.
Close/disable all antivirus, firewall and anti-malware programs so they do not interfere with the running of ComboFix.

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
RenV::
c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl .exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files (x86)\DAEMON Tools Lite\DTLite .exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbam .exe
c:\program files (x86)\QuickTime\qttask      .exe
c:\program files (x86)\QuickTime\qttask     .exe
c:\program files (x86)\QuickTime\qttask    .exe
c:\program files (x86)\QuickTime\qttask   .exe
c:\program files (x86)\QuickTime\qttask  .exe
c:\program files (x86)\Winamp\winampa .exe

File:
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe

Folder:
c:\users\Chris\AppData\Roaming\Casyr
c:\users\Chris\AppData\Roaming\Cuguog

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{59F2D030-5C0D-B33E-3B6D-E4ACB6BDD7AF}"=-

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created, CFScript.txt, and drop it on the main ComboFix.exe icon.

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash



Step 2
Double click on OTL to run it.
Copy the lines below (make sure that :otl is on the first line).

:otl
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O28:64bit: - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.

:Files
ipconfig /flushdns /c

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]


  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the red Run Fix button.
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

If you lose the report, there will be a copy here:
C:\_OTL\MovedFiles


Step 3
You are missing one important program on that computer: an antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer:
Install one of these, update the definitions and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Note*:
Upon installation MS Security Essentials will check that your OS is a legal copy.

In your next reply, please submit:
Combofix.txt
Otl fix report

Please copy/paste the reports rather than adding them as attachments; it makes things a lot easier.

Thanks.


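Added example (not part of the original thread, and not ComboFix or OTL code): a Python script that applies, over constructed log lines, the same checks Starbuck's CFScript and OTL script act on, so a reader can see why each entry was chosen. It flags .exe names padded with spaces before the extension (the RenV:: entries), Startup-folder drops under the Default, Default User and Test profiles, Run/RunOnce values named by a bare GUID, EnableLUA set to 0, executables sitting in the root of the system drive (OTL's %SYSTEMDRIVE%\*.exe custom scan), and copies of one system file that share a size but not an MD5 (the MD5 sections of the OTL custom scan in the previous post). The profile list and the decision to treat "Test" as suspect are assumptions; the sample lines are taken from the logs in this thread, with one atapi.sys hash altered so the MD5 check has something to report.

```python
"""Triage checks over ComboFix/OTL-style log lines.

Added example for this thread: not part of the original posts and not
ComboFix or OTL code. Each check is a plain pattern match that mirrors
one entry type in the CFScript or OTL custom scan.
"""
import re
from collections import defaultdict

# Assumption: these profiles should never gain Startup-folder items;
# 'Test' is treated as suspect because it is not the owner's login.
SUSPECT_PROFILES = {"default", "default user", "test"}

PADDED_EXE = re.compile(r"\S\s+\.exe\s*$", re.I)                 # 'qttask   .exe'
ROOT_EXE = re.compile(r"--\s+([a-z]:\\[^\\]+\.exe)\s*$", re.I)    # OTL '-- C:\x.exe'
STARTUP_DIR = re.compile(r"\\users\\([^\\]+)\\appdata\\roaming\\microsoft"
                         r"\\windows\\start menu\\programs\\startup\\([^\\]*)$", re.I)
REG_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.I)
GUID_VALUE = re.compile(r'^"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"\s*=', re.I)
MD5_HEADER = re.compile(r"^<\s*MD5 for:\s*(\S+)\s*>$", re.I)
MD5_LINE = re.compile(r"\|\s*(\d{3},\d{3},\d{3})\s*\|.*MD5=([0-9A-F]{32})\s+--\s+(\S.*)$", re.I)


def check_padded_names(lines):
    """Executables whose file name carries spaces right before '.exe'."""
    return [ln.strip() for ln in lines if PADDED_EXE.search(ln)]


def check_root_executables(lines):
    """Executables directly in a drive root (what OTL's %SYSTEMDRIVE%\\*.exe scan lists)."""
    return [m.group(1) for ln in lines for m in [ROOT_EXE.search(ln)] if m]


def check_startup_items(lines):
    """Startup-folder entries under template or unexpected profiles.

    Accepts a full path on one line (CFScript, OTL) and ComboFix's two-line
    layout: 'folder\\' followed by 'file.exe [date size]'."""
    hits, pending = [], None
    for raw in lines:
        ln = raw.strip()
        m = STARTUP_DIR.search(ln)
        if m:
            profile, name = m.groups()
            if name:
                pending = None
                if profile.lower() in SUSPECT_PROFILES:
                    hits.append((profile, name))
            else:
                pending = profile          # file name arrives on the next line
        elif pending and ln and not ln.startswith("["):
            if pending.lower() in SUSPECT_PROFILES:
                hits.append((pending, ln.split(" [")[0]))
            pending = None
        else:
            pending = None
    return hits


def check_run_values(lines):
    """Run/RunOnce values named by a bare GUID, plus UAC switched off."""
    hits, key = [], ""
    for raw in lines:
        ln = raw.strip()
        m = REG_KEY.match(ln)
        if m:
            key = m.group(1).lower()
        elif key.endswith(("\\run", "\\runonce")) and GUID_VALUE.match(ln):
            hits.append(("guid_run_value", key, ln.split("=", 1)[0].strip('"')))
        elif key.endswith("policies\\system") and re.match(r'"enablelua"\s*=\s*0\b', ln, re.I):
            hits.append(("uac_disabled", key, "EnableLUA=0"))
    return hits


def check_md5_copies(lines):
    """Copies of one system file that share a size but not an MD5.

    Grouping by size keeps the legitimate 32-bit/64-bit pairs (SysWOW64 vs
    SysNative, as with cngaudit.dll in the thread) from being flagged."""
    groups, current = defaultdict(lambda: defaultdict(set)), None
    for raw in lines:
        ln = raw.strip()
        h = MD5_HEADER.match(ln)
        if h:
            current = h.group(1).lower()
            continue
        m = MD5_LINE.search(ln)
        if m and current:
            size, md5, path = m.groups()
            groups[(current, size)][md5.upper()].add(path)
    return [(name, size, {h: sorted(p) for h, p in hashes.items()})
            for (name, size), hashes in groups.items() if len(hashes) > 1]


def triage(lines):
    """Run every check and return the findings keyed by check name."""
    return {
        "padded_exe_names": check_padded_names(lines),
        "root_executables": check_root_executables(lines),
        "startup_items": check_startup_items(lines),
        "registry": check_run_values(lines),
        "md5_mismatches": check_md5_copies(lines),
    }


# Constructed sample: lines taken from the logs in this thread, plus one
# atapi.sys copy with a made-up hash so the MD5 check has something to flag.
SAMPLE_LOG = [
    r"c:\program files (x86)\QuickTime\qttask      .exe",
    r"c:\program files (x86)\Malwarebytes' Anti-Malware\mbam .exe",
    r"c:\windows\SysWOW64\Macromed\Flash\FlashUtil10k_ActiveX.exe",
    r"c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe",
    r"[2011/02/07 18:39:52 | 000,296,448 | ---- | M] () -- C:\1z6mcnzo.exe",
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"{59F2D030-5C0D-B33E-3B6D-E4ACB6BDD7AF}"=-',
    "",
    "c:\\users\\Test\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    "biirgo.exe [2011-2-7 133120]",
    r"[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]",
    r'"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10k_ActiveX.exe" [2010-09-25 232912]',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]",
    r'"EnableLUA"= 0 (0x0)',
    "< MD5 for: CNGAUDIT.DLL >",
    r"[2009/07/13 19:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll",
    r"[2009/07/13 19:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\SysNative\cngaudit.dll",
    "< MD5 for: ATAPI.SYS >",
    r"[2009/07/13 19:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\drivers\atapi.sys",
    r"[2009/07/13 19:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\Windows\ERDNT\cache64\atapi.sys",
]

if __name__ == "__main__":
    for check, found in triage(SAMPLE_LOG).items():
        print(check)
        for item in found:
            print("   ", item)
```

Saved as a .py file and run directly, it prints the findings for the embedded sample; to use it on a real log, read the ComboFix or OTL report into a list of lines and pass that to triage(). Grouping the MD5 copies by size is what keeps the legitimate 32-bit/64-bit pairs (SysWOW64 vs SysNative, as with cngaudit.dll, netlogon.dll and scecli.dll in the OTL scan above) out of the findings, while a single copy with a different hash at the same size is exactly the case the custom scan exists to catch.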

#5 Dittoz

  • Topic Starter

  • Members
  • 9 posts

Posted 08 February 2011 - 09:24 PM

Here's what you requested. Thanks again!


ComboFix 11-02-07.01 - Chris 02/08/2011 20:05:52.2.8 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.4986 [GMT -6:00]
Running from: c:\users\Chris\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Chris\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Chris\AppData\Roaming\Casyr
c:\users\Chris\AppData\Roaming\Casyr\ogilo.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-09 to 2011-02-09 )))))))))))))))))))))))))))))))
.

2011-02-09 02:07 . 2011-02-09 02:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-08 00:40 . 2011-02-08 00:39 296448 ----a-w- C:\1z6mcnzo.exe
2011-02-07 19:47 . 2011-02-08 05:04 -------- d-----w- c:\users\Chris\AppData\Roaming\Cuguog
2011-02-07 17:16 . 2011-02-07 17:16 133120 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe
2011-02-04 08:36 . 2011-02-04 08:36 -------- d-----w- c:\program files (x86)\Winamp Detect
2011-02-04 08:36 . 2011-02-04 08:36 -------- d-----w- c:\program files (x86)\Common Files\PX Storage Engine
2011-02-04 08:36 . 2011-02-09 02:05 -------- d-----w- c:\program files (x86)\Winamp
2011-02-04 08:36 . 2011-02-06 02:11 -------- d-----w- c:\users\Chris\AppData\Roaming\Winamp
2011-02-03 01:08 . 2011-02-03 01:08 -------- d-----w- c:\program files (x86)\Fisher-Price
2011-01-30 20:08 . 2011-01-30 20:08 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
2011-01-30 20:08 . 2011-01-30 20:08 -------- d-----w- c:\programdata\Malwarebytes
2011-01-30 20:08 . 2010-12-21 00:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-30 20:08 . 2011-02-09 02:05 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-30 20:08 . 2010-12-21 00:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-30 19:19 . 2011-01-30 19:19 -------- d-----w- c:\program files\Common Files\Intuit
2011-01-30 19:16 . 2009-06-22 15:14 4194304 ----a-w- c:\windows\SysWow64\cdintf400.dll
2011-01-30 19:15 . 2011-01-30 19:15 -------- d-----w- c:\programdata\Nuance
2011-01-30 19:14 . 2011-01-30 19:18 -------- d-----w- c:\programdata\SQL Anywhere 11
2011-01-30 19:06 . 2011-01-30 19:06 0 ----a-w- c:\users\Chris\AppData\Local\Gyokoyineba.bin
2011-01-30 18:15 . 2011-01-30 18:15 -------- d-----w- c:\program files (x86)\Common Files\SWF Studio
2011-01-29 20:47 . 2011-01-29 20:48 -------- d-----w- c:\users\Chris\AppData\Roaming\GrabIt
2011-01-29 20:47 . 2011-01-29 20:47 -------- d-----w- c:\program files (x86)\GrabIt
2011-01-27 20:02 . 2011-01-27 20:02 -------- d-----w- c:\programdata\KingsIsle Entertainment
2011-01-23 05:26 . 2011-01-23 05:26 -------- d-----w- c:\program files (x86)\NewsLeecher
2011-01-22 17:07 . 2011-01-22 17:07 -------- d-----w- c:\users\Test
2011-01-22 06:24 . 2011-01-22 17:24 -------- d-----w- c:\programdata\webcamXP 5
2011-01-22 06:24 . 2011-01-22 06:24 -------- d-----w- c:\program files (x86)\wLite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-06 02:12 . 2010-11-06 04:43 1409 ----a-w- c:\windows\QTFont.for
2010-12-26 19:11 . 2010-12-26 04:10 466520 ----a-w- c:\windows\system32\wrap_oal.dll
2010-12-26 19:11 . 2010-12-26 04:10 445016 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2010-12-26 19:11 . 2010-12-26 04:10 122968 ----a-w- c:\windows\system32\OpenAL32.dll
2010-12-26 19:11 . 2010-12-26 04:10 109144 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2010-12-15 17:24 . 2010-12-15 17:24 58448 ----a-w- c:\windows\system32\drivers\PWFilterUsb.sys
2010-11-20 05:48 . 2010-11-20 05:48 10 ----a-w- c:\users\Chris\AppData\Roaming\sysFiles00.dll
2010-11-15 19:21 . 2010-11-15 19:21 1919968 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-02-08_02.08.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 05:10 . 2011-02-08 00:46 33390 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-02-08 04:38 33390 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-08-09 05:26 . 2011-02-08 00:34 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-09 05:26 . 2011-02-08 13:59 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-02-08 13:59 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-02-08 00:34 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-09 03:30 . 2011-02-08 04:37 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-09 03:30 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-09 03:30 . 2011-02-08 04:37 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-08-09 03:30 . 2011-02-08 00:45 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-09 03:30 . 2011-02-08 04:37 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-09 03:30 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-09 03:31 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-09 03:31 . 2011-02-08 04:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-09 03:31 . 2011-02-08 04:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-09 03:31 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-09 04:16 . 2011-02-08 00:46 4394 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2507059737-3299237889-1687352491-1001_UserData.bin
+ 2010-08-09 04:16 . 2011-02-08 04:38 4394 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2507059737-3299237889-1687352491-1001_UserData.bin
- 2011-02-08 00:45 . 2011-02-08 00:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-02-08 00:45 . 2011-02-08 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-02-08 00:45 . 2011-02-08 00:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-02-08 00:45 . 2011-02-08 04:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2011-02-08 06:40 684960 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-02-08 06:40 127612 c:\windows\system32\perfc009.dat
- 2010-08-09 05:26 . 2011-02-08 00:34 212992 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-09 05:26 . 2011-02-08 13:59 212992 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 02:34 . 2011-01-30 21:03 9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-02-08 07:23 9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10k_ActiveX.exe" [2010-09-25 232912]

c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
biirgo.exe [2011-2-7 133120]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ykodh.exe [2011-2-7 133120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-07 197976]
R3 ALSysIO;ALSysIO;c:\users\Chris\AppData\Local\Temp\ALSysIO64.sys [x]
R3 dump_wmimmc;dump_wmimmc;f:\ntreev usa\Pangya\GameGuard\dump_wmimmc.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 PorscheWheelFilterUsb;PorscheWheelFilterUsb;c:\windows\system32\DRIVERS\PWFilterUsb.sys [2010-12-15 58448]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 wxpSvc;webcamXP Service;c:\program files (x86)\wLite\wService.exe [2010-05-02 5027328]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-10 834544]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [2010-07-09 21480]
S2 iRacingService;iRacing helper service;c:\program files (x86)\iRacing\iRacingService.exe [2010-12-13 469152]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2010-05-07 30304]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2010-07-27 339040]
S3 lvsels64;Logitech Selective Suspend Filter;c:\windows\system32\DRIVERS\lvsels64.sys [2010-07-27 68064]
S3 LVUVC64;QuickCam Orbit/Sphere AF(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2010-07-27 6465632]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-09-03 11464296]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files (x86)\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\vlo6ego8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\wxpSvc]
"ImagePath"="c:\program files (x86)\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,74,6c,aa,55,84,47,8f,98,54,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,74,6c,aa,55,84,47,8f,98,54,\

[HKEY_USERS\S-1-5-21-2507059737-3299237889-1687352491-1001\Software\SecuROM\License information*]
"datasecu"=hex:e6,51,71,80,20,1f,cd,d4,4d,8b,8f,7a,79,94,d3,d8,9d,95,f0,f0,f1,
4d,95,68,15,51,da,07,ab,ea,46,b3,c8,b5,96,3b,a2,21,16,b6,e4,4a,07,88,3f,dd,\
"rkeysecu"=hex:3b,95,40,05,99,a9,c0,95,fc,84,5e,69,b0,17,dc,90

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-02-08 20:09:02
ComboFix-quarantined-files.txt 2011-02-09 02:09
ComboFix2.txt 2011-02-08 02:09

Pre-Run: 13,061,050,368 bytes free
Post-Run: 12,866,453,504 bytes free

- - End Of File - - D1300F836B3F78B9F552853111E42261






All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Chris\Desktop\cmd.bat deleted successfully.
C:\Users\Chris\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Chris
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 98371 bytes
->Java cache emptied: 9404586 bytes
->FireFox cache emptied: 39057878 bytes
->Flash cache emptied: 8372 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Test
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 17897729 bytes
->Flash cache emptied: 57070 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 3229920 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 7367982 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 74.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: All Users

User: Chris
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Test
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.20.6 log created on 02082011_201018

Files\Folders moved on Reboot...
C:\Users\Chris\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...





Avira AntiVir Personal
Report file date: Tuesday, February 08, 2011 20:17

Scanning for 2467357 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 x64
Windows version : (plain) [6.1.7600]
Boot mode : Normally booted
Username : Chris
Computer name : CHRIS-PC

Version information:
BUILD.DAT : 10.0.0.611 31824 Bytes 1/14/2011 13:42:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 1/10/2011 20:23:31
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 1/10/2011 20:23:40
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 20:23:50
VBASE002.VDF : 7.11.0.1 2048 Bytes 12/14/2010 20:23:50
VBASE003.VDF : 7.11.0.2 2048 Bytes 12/14/2010 20:23:50
VBASE004.VDF : 7.11.0.3 2048 Bytes 12/14/2010 20:23:50
VBASE005.VDF : 7.11.0.4 2048 Bytes 12/14/2010 20:23:50
VBASE006.VDF : 7.11.0.5 2048 Bytes 12/14/2010 20:23:50
VBASE007.VDF : 7.11.0.6 2048 Bytes 12/14/2010 20:23:50
VBASE008.VDF : 7.11.0.7 2048 Bytes 12/14/2010 20:23:50
VBASE009.VDF : 7.11.0.8 2048 Bytes 12/14/2010 20:23:50
VBASE010.VDF : 7.11.0.9 2048 Bytes 12/14/2010 20:23:50
VBASE011.VDF : 7.11.0.10 2048 Bytes 12/14/2010 20:23:50
VBASE012.VDF : 7.11.0.11 2048 Bytes 12/14/2010 20:23:50
VBASE013.VDF : 7.11.0.52 128000 Bytes 12/16/2010 21:54:35
VBASE014.VDF : 7.11.0.91 226816 Bytes 12/20/2010 23:12:47
VBASE015.VDF : 7.11.0.122 136192 Bytes 12/21/2010 01:09:26
VBASE016.VDF : 7.11.0.156 122880 Bytes 12/24/2010 15:41:13
VBASE017.VDF : 7.11.0.185 146944 Bytes 12/27/2010 20:39:57
VBASE018.VDF : 7.11.0.228 132608 Bytes 12/30/2010 22:23:58
VBASE019.VDF : 7.11.1.5 148480 Bytes 1/3/2011 23:45:39
VBASE020.VDF : 7.11.1.37 156672 Bytes 1/7/2011 15:30:06
VBASE021.VDF : 7.11.1.65 140800 Bytes 1/10/2011 19:12:43
VBASE022.VDF : 7.11.1.87 225280 Bytes 1/11/2011 20:47:36
VBASE023.VDF : 7.11.1.124 125440 Bytes 1/14/2011 02:16:50
VBASE024.VDF : 7.11.1.155 132096 Bytes 1/17/2011 02:16:52
VBASE025.VDF : 7.11.1.189 451072 Bytes 1/20/2011 02:16:55
VBASE026.VDF : 7.11.1.230 138752 Bytes 1/24/2011 02:16:56
VBASE027.VDF : 7.11.2.12 164352 Bytes 1/27/2011 02:16:57
VBASE028.VDF : 7.11.2.43 178176 Bytes 2/1/2011 02:16:59
VBASE029.VDF : 7.11.2.78 206336 Bytes 2/4/2011 02:17:01
VBASE030.VDF : 7.11.2.79 2048 Bytes 2/4/2011 02:17:01
VBASE031.VDF : 7.11.2.104 153600 Bytes 2/8/2011 02:17:02
Engineversion : 8.2.4.162
AEVDF.DLL : 8.1.2.1 106868 Bytes 1/10/2011 20:23:26
AESCRIPT.DLL : 8.1.3.53 1282427 Bytes 2/9/2011 02:17:20
AESCN.DLL : 8.1.7.2 127349 Bytes 1/10/2011 20:23:26
AESBX.DLL : 8.1.3.2 254324 Bytes 1/10/2011 20:23:26
AERDL.DLL : 8.1.9.2 635252 Bytes 1/10/2011 20:23:25
AEPACK.DLL : 8.2.4.9 512374 Bytes 2/9/2011 02:17:18
AEOFFICE.DLL : 8.1.1.16 205179 Bytes 2/9/2011 02:17:15
AEHEUR.DLL : 8.1.2.73 3207541 Bytes 2/9/2011 02:17:15
AEHELP.DLL : 8.1.16.1 246134 Bytes 2/9/2011 02:17:09
AEGEN.DLL : 8.1.5.2 397683 Bytes 2/9/2011 02:17:07
AEEMU.DLL : 8.1.3.0 393589 Bytes 1/10/2011 20:23:18
AECORE.DLL : 8.1.19.2 196983 Bytes 2/9/2011 02:17:05
AEBB.DLL : 8.1.1.0 53618 Bytes 1/10/2011 20:23:18
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/10/2011 20:23:32
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/10/2011 20:23:30
AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 20:27:13
AVREG.DLL : 10.0.3.2 53096 Bytes 1/10/2011 20:23:31
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 1/10/2011 20:23:31
AVARKT.DLL : 10.0.22.6 231784 Bytes 1/10/2011 20:23:27
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/10/2011 20:23:28
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 20:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 1/10/2011 20:23:31
NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 20:27:21
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 1/10/2011 20:23:52

Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files (x86)\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, February 08, 2011 20:17

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avnotify.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'presetup.exe' - '1' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
Scan process 'plugin-container.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'nvSCPAPISvr.exe' - '1' Module(s) have been scanned
Scan process 'LVPrS64H.exe' - '1' Module(s) have been scanned
Scan process 'QBCFMonitorService.exe' - '1' Module(s) have been scanned
Scan process 'iRacingService.exe' - '1' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '150' files ).



End of the scan: Tuesday, February 08, 2011 20:18
Used time: 00:13 Minute(s)

The scan has been done completely.

0 Scanned directories
599 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
599 Files not concerned
3 Archives were scanned
0 Warnings
0 Notes

#6 Starbuck

  • Malware Response Team

Posted 08 February 2011 - 09:54 PM

Hi Dittoz,

I'd like you to get a few files checked out for me:

Step 1
We need to show the 'hidden files' now:

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Click on the Start button.
3. Click on the Control Panel menu option.
4. When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:
1. Double-click on the Folder Options icon.
2. Click on the View tab.
3. Go to step 5.

If you are in the Control Panel Home view do the following:
1. Click on the Appearance and Personalization link .
2. Click on Show Hidden Files or Folders.
3. Go to step 5.

5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button.

Step 2
Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following files (one at a time) and click Submit.

C:\1z6mcnzo.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe
c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biirgo.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

You can rehide the hidden files/folders again when the scans are complete. (just retrace the steps and tick those boxes)

Thanks



#7 Dittoz

  • Topic Starter

Posted 08 February 2011 - 10:12 PM

Filename: 1z6mcnzo.exe
Status:
Scan finished. 1 out of 19 scanners reported malware.
Scan taken on: Wed 9 Feb 2011 04:10:26 (CET) Permalink

Additional info
File size: 296448 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: df7501a91a7c99cc3f0269080748ee61
SHA1: 453b6bed84bcc63f52d00b76ab6572f039c69b1f
Packer (Drweb): UPX
Packer (Kaspersky): UPX




Scanners
[ArcaVir]
2011-02-09 Found nothing
[G DATA]
2011-02-09 Found nothing
[Avast! antivirus]
2011-02-08 Found nothing
[Ikarus]
2011-02-09 Trojan.SuspectCRC
[Grisoft AVG Anti-Virus]
2011-02-08 Found nothing
[Kaspersky Anti-Virus]
2011-02-08 Found nothing
[Avira AntiVir]
2011-02-08 Found nothing
[ESET NOD32]
2011-02-08 Found nothing
[Softwin BitDefender]
2011-02-09 Found nothing
[Panda Antivirus]
2011-02-08 Found nothing
[ClamAV]
2011-02-09 Found nothing
[Quick Heal]
2011-02-08 Found nothing
[CPsecure]
2011-02-09 Found nothing
[Sophos]
2011-02-09 Found nothing
[Dr.Web]
2011-02-09 Found nothing
[VirusBlokAda VBA32]
2011-02-08 Found nothing
[Frisk F-Prot Antivirus]
2011-02-08 Found nothing
[VirusBuster]
2011-02-08 Found nothing
[F-Secure Anti-Virus]
2011-02-09 Found nothing


When I try to upload the file ykodh.exe I get "You do not have permission to open this file".
And I do not see biirgo.exe

#8 Starbuck

  • Malware Response Team

Posted 09 February 2011 - 05:34 AM

Hi Dittoz,

Ok, let's not take any chances then.
I noticed that ykodh.exe didn't get removed last time.
This time we'll get it.

Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
Rootkit::
C:\1z6mcnzo.exe
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe
c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biirgo.exe

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.
Posted Image

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

In your next reply, please submit:
Combofix.txt
and let me know how the system is running now.


Thanks.



#9 Dittoz

  • Topic Starter

Posted 09 February 2011 - 11:35 AM

So far so good. I'll give it another day or so to see if any remnants of the malware raise their ugly head. Thanks again!


ComboFix 11-02-07.01 - Chris 02/09/2011 10:30:12.3.8 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.4975 [GMT -6:00]
Running from: c:\users\Chris\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Chris\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2011-01-09 to 2011-02-09 )))))))))))))))))))))))))))))))
.

2011-02-09 16:32 . 2011-02-09 16:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-09 02:10 . 2011-02-09 02:10 -------- d-----w- C:\_OTL
2011-02-08 00:40 . 2011-02-08 00:39 296448 ----a-w- C:\1z6mcnzo.exe
2011-02-07 19:47 . 2011-02-08 05:04 -------- d-----w- c:\users\Chris\AppData\Roaming\Cuguog
2011-02-07 17:16 . 2011-02-07 17:16 133120 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe
2011-02-04 08:36 . 2011-02-04 08:36 -------- d-----w- c:\program files (x86)\Winamp Detect
2011-02-04 08:36 . 2011-02-04 08:36 -------- d-----w- c:\program files (x86)\Common Files\PX Storage Engine
2011-02-04 08:36 . 2011-02-09 02:05 -------- d-----w- c:\program files (x86)\Winamp
2011-02-04 08:36 . 2011-02-06 02:11 -------- d-----w- c:\users\Chris\AppData\Roaming\Winamp
2011-02-03 01:08 . 2011-02-03 01:08 -------- d-----w- c:\program files (x86)\Fisher-Price
2011-01-30 20:08 . 2011-01-30 20:08 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
2011-01-30 20:08 . 2011-01-30 20:08 -------- d-----w- c:\programdata\Malwarebytes
2011-01-30 20:08 . 2010-12-21 00:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-30 20:08 . 2011-02-09 02:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-30 20:08 . 2010-12-21 00:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-30 19:19 . 2011-01-30 19:19 -------- d-----w- c:\program files\Common Files\Intuit
2011-01-30 19:16 . 2009-06-22 15:14 4194304 ----a-w- c:\windows\SysWow64\cdintf400.dll
2011-01-30 19:15 . 2011-01-30 19:15 -------- d-----w- c:\programdata\Nuance
2011-01-30 19:14 . 2011-01-30 19:18 -------- d-----w- c:\programdata\SQL Anywhere 11
2011-01-30 19:06 . 2011-01-30 19:06 0 ----a-w- c:\users\Chris\AppData\Local\Gyokoyineba.bin
2011-01-30 18:15 . 2011-01-30 18:15 -------- d-----w- c:\program files (x86)\Common Files\SWF Studio
2011-01-29 20:47 . 2011-01-29 20:48 -------- d-----w- c:\users\Chris\AppData\Roaming\GrabIt
2011-01-29 20:47 . 2011-01-29 20:47 -------- d-----w- c:\program files (x86)\GrabIt
2011-01-27 20:02 . 2011-01-27 20:02 -------- d-----w- c:\programdata\KingsIsle Entertainment
2011-01-23 05:26 . 2011-01-23 05:26 -------- d-----w- c:\program files (x86)\NewsLeecher
2011-01-22 17:07 . 2011-01-22 17:07 -------- d-----w- c:\users\Test
2011-01-22 06:24 . 2011-01-22 17:24 -------- d-----w- c:\programdata\webcamXP 5
2011-01-22 06:24 . 2011-01-22 06:24 -------- d-----w- c:\program files (x86)\wLite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-06 02:12 . 2010-11-06 04:43 1409 ----a-w- c:\windows\QTFont.for
2010-12-26 19:11 . 2010-12-26 04:10 466520 ----a-w- c:\windows\system32\wrap_oal.dll
2010-12-26 19:11 . 2010-12-26 04:10 445016 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2010-12-26 19:11 . 2010-12-26 04:10 122968 ----a-w- c:\windows\system32\OpenAL32.dll
2010-12-26 19:11 . 2010-12-26 04:10 109144 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2010-12-15 17:24 . 2010-12-15 17:24 58448 ----a-w- c:\windows\system32\drivers\PWFilterUsb.sys
2010-11-20 05:48 . 2010-11-20 05:48 10 ----a-w- c:\users\Chris\AppData\Roaming\sysFiles00.dll
2010-11-15 19:21 . 2010-11-15 19:21 1919968 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-02-08_02.08.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-10 06:25 . 2011-02-09 02:13 25724 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-02-08 00:46 33390 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-02-09 02:13 33390 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-08-09 05:26 . 2011-02-08 00:34 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-09 05:26 . 2011-02-08 13:59 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-02-08 00:34 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-02-08 13:59 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-09 03:30 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-09 03:30 . 2011-02-09 02:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-09 03:30 . 2011-02-09 02:12 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-08-09 03:30 . 2011-02-08 00:45 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-08-09 03:30 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-09 03:30 . 2011-02-09 02:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-09 03:31 . 2011-02-09 02:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-09 03:31 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-09 03:31 . 2011-02-09 02:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-09 03:31 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-09 04:16 . 2011-02-08 00:46 4394 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2507059737-3299237889-1687352491-1001_UserData.bin
+ 2010-08-09 04:16 . 2011-02-09 02:13 4394 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2507059737-3299237889-1687352491-1001_UserData.bin
- 2011-02-08 00:45 . 2011-02-08 00:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-02-09 16:33 . 2011-02-09 16:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 04:54 . 2011-02-08 02:02 212992 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-02-09 02:16 212992 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-02-08 02:02 688128 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-02-09 02:16 688128 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 02:36 . 2011-02-09 16:27 709388 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-02-09 16:27 135648 c:\windows\system32\perfc009.dat
- 2009-07-14 04:54 . 2011-02-08 02:02 1900544 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-02-09 02:16 1900544 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 02:34 . 2011-01-30 21:03 9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-02-08 07:23 9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10k_ActiveX.exe" [2010-09-25 232912]

c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
biirgo.exe [2011-2-7 133120]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ykodh.exe [2011-2-7 133120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R3 ALSysIO;ALSysIO;c:\users\Chris\AppData\Local\Temp\ALSysIO64.sys [x]
R3 dump_wmimmc;dump_wmimmc;f:\ntreev usa\Pangya\GameGuard\dump_wmimmc.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PorscheWheelFilterUsb;PorscheWheelFilterUsb;c:\windows\system32\DRIVERS\PWFilterUsb.sys [2010-12-15 58448]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 wxpSvc;webcamXP Service;c:\program files (x86)\wLite\wService.exe [2010-05-02 5027328]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-10 834544]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [2010-07-09 21480]
S2 iRacingService;iRacing helper service;c:\program files (x86)\iRacing\iRacingService.exe [2010-12-13 469152]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-07 197976]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2010-05-07 30304]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2010-07-27 339040]
S3 lvsels64;Logitech Selective Suspend Filter;c:\windows\system32\DRIVERS\lvsels64.sys [2010-07-27 68064]
S3 LVUVC64;QuickCam Orbit/Sphere AF(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2010-07-27 6465632]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-09-03 11464296]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files (x86)\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\vlo6ego8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\wxpSvc]
"ImagePath"="c:\program files (x86)\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,74,6c,aa,55,84,47,8f,98,54,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,74,6c,aa,55,84,47,8f,98,54,\

[HKEY_USERS\S-1-5-21-2507059737-3299237889-1687352491-1001\Software\SecuROM\License information*]
"datasecu"=hex:e6,51,71,80,20,1f,cd,d4,4d,8b,8f,7a,79,94,d3,d8,9d,95,f0,f0,f1,
4d,95,68,15,51,da,07,ab,ea,46,b3,c8,b5,96,3b,a2,21,16,b6,e4,4a,07,88,3f,dd,\
"rkeysecu"=hex:3b,95,40,05,99,a9,c0,95,fc,84,5e,69,b0,17,dc,90

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
.
**************************************************************************
.
Completion time: 2011-02-09 10:34:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-09 16:34
ComboFix2.txt 2011-02-09 02:09
ComboFix3.txt 2011-02-08 02:09

Pre-Run: 12,772,052,992 bytes free
Post-Run: 12,670,935,040 bytes free

- - End Of File - - 87B9D5AF270ABC4B0B6DBFE99A80BF6C
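
A log-triage helper, added here as an example (it is not code from the thread, from ComboFix or from Bleeping Computer): it parses the "Files Created" entries and the UAC policy values that ComboFix prints in the log above and flags the two things this thread turns on, executables dropped into a profile's Startup folder, at the drive root or under AppData, and UAC having been switched off. The sample log lines are constructed from the entries in this post.

```python
"""Triage a ComboFix log for persistence and UAC-weakening signs.

Added example, not part of ComboFix or the thread. SAMPLE_LOG is
constructed from lines that appear in the ComboFix log in this post.
"""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-01-09 to 2011-02-09 )))))))))))))))))))))))))))))))
.
2011-02-08 00:40 . 2011-02-08 00:39 296448 ----a-w- C:\1z6mcnzo.exe
2011-02-07 19:47 . 2011-02-08 05:04 -------- d-----w- c:\users\Chris\AppData\Roaming\Cuguog
2011-02-07 17:16 . 2011-02-07 17:16 133120 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe
2011-01-30 20:08 . 2010-12-21 00:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-30 19:06 . 2011-01-30 19:06 0 ----a-w- c:\users\Chris\AppData\Local\Gyokoyineba.bin
2010-11-20 05:48 . 2010-11-20 05:48 10 ----a-w- c:\users\Chris\AppData\Roaming\sysFiles00.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""

# One ComboFix file line: "<created> . <modified> <size|--------> <attrs> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$")
# One REGEDIT4-style value line as ComboFix prints it: "Name"= 0 (0x0)
POLICY_RE = re.compile(r'^"(\w+)"=\s*(\d+) \(0x[0-9a-fA-F]+\)$')
UAC_KEY = r"[hkey_local_machine\software\microsoft\windows\currentversion\policies\system]"
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_files_created(log):
    """Return the file/directory entries of the log as dicts (SnapShot +/- lines are skipped)."""
    entries = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": created, "modified": modified,
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"), "path": path,
        })
    return entries


def classify_path(path):
    """Return why an executable at this path deserves a second look, or None."""
    p = path.lower()
    if not p.endswith(EXEC_EXT):
        return None
    if re.match(r"^[a-z]:\\[^\\]+$", p):
        return "executable at drive root"
    if "\\start menu\\programs\\startup\\" in p:
        return "executable in a Startup folder (runs at logon for that profile)"
    if "\\appdata\\roaming\\" in p or "\\appdata\\local\\" in p:
        return "executable under a user profile's AppData"
    return None


def flag_files(entries):
    """List (path, reason) for every non-directory entry that classify_path flags."""
    flagged = []
    for e in entries:
        if e["is_dir"]:
            continue
        reason = classify_path(e["path"])
        if reason:
            flagged.append((e["path"], reason))
    return flagged


def parse_uac_policy(log):
    """Collect the DWORD values ComboFix prints under the UAC policy key."""
    values, in_key = {}, False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("["):          # a new registry key starts
            in_key = s.lower() == UAC_KEY
            continue
        if in_key:
            m = POLICY_RE.match(s)
            if m:
                values[m.group(1)] = int(m.group(2))
    return values


def uac_findings(values):
    """Explain each UAC setting that removes a prompt an infection would otherwise trigger."""
    findings = []
    if values.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is off, admin processes run fully elevated")
    if values.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: elevation without any prompt")
    if values.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: prompts are not shown on the secure desktop")
    return findings


if __name__ == "__main__":
    for path, why in flag_files(parse_files_created(SAMPLE_LOG)):
        print(f"[file] {path}: {why}")
    for finding in uac_findings(parse_uac_policy(SAMPLE_LOG)):
        print(f"[uac]  {finding}")
```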

#10 Starbuck

  • Malware Response Team

Posted 10 February 2011 - 09:35 AM

Hi Dittoz

Although everything seems to be running OK, I'm slightly concerned about a couple of files reappearing.
Also, a folder earmarked for deletion earlier didn't delete.
I'd like to see what is in that folder:

Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
DirLook::
c:\users\Chris\AppData\Roaming\Cuguog

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.
Posted Image

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Thanks



#11 Dittoz

  • Topic Starter

Posted 10 February 2011 - 05:57 PM

ComboFix 11-02-07.01 - Chris 02/10/2011 16:53:54.4.8 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.4892 [GMT -6:00]
Running from: c:\users\Chris\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Chris\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2011-01-10 to 2011-02-10 )))))))))))))))))))))))))))))))
.

2011-02-10 22:55 . 2011-02-10 22:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-09 02:10 . 2011-02-09 02:10 -------- d-----w- C:\_OTL
2011-02-08 00:40 . 2011-02-08 00:39 296448 ----a-w- C:\1z6mcnzo.exe
2011-02-07 19:47 . 2011-02-08 05:04 -------- d-----w- c:\users\Chris\AppData\Roaming\Cuguog
2011-02-07 17:16 . 2011-02-07 17:16 133120 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe
2011-02-04 08:36 . 2011-02-04 08:36 -------- d-----w- c:\program files (x86)\Winamp Detect
2011-02-04 08:36 . 2011-02-04 08:36 -------- d-----w- c:\program files (x86)\Common Files\PX Storage Engine
2011-02-04 08:36 . 2011-02-09 02:05 -------- d-----w- c:\program files (x86)\Winamp
2011-02-04 08:36 . 2011-02-06 02:11 -------- d-----w- c:\users\Chris\AppData\Roaming\Winamp
2011-02-03 01:08 . 2011-02-03 01:08 -------- d-----w- c:\program files (x86)\Fisher-Price
2011-01-30 20:08 . 2011-01-30 20:08 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
2011-01-30 20:08 . 2011-01-30 20:08 -------- d-----w- c:\programdata\Malwarebytes
2011-01-30 20:08 . 2010-12-21 00:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-30 20:08 . 2011-02-09 02:22 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-30 20:08 . 2010-12-21 00:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-30 19:19 . 2011-01-30 19:19 -------- d-----w- c:\program files\Common Files\Intuit
2011-01-30 19:16 . 2009-06-22 15:14 4194304 ----a-w- c:\windows\SysWow64\cdintf400.dll
2011-01-30 19:15 . 2011-01-30 19:15 -------- d-----w- c:\programdata\Nuance
2011-01-30 19:14 . 2011-01-30 19:18 -------- d-----w- c:\programdata\SQL Anywhere 11
2011-01-30 19:06 . 2011-01-30 19:06 0 ----a-w- c:\users\Chris\AppData\Local\Gyokoyineba.bin
2011-01-30 18:15 . 2011-01-30 18:15 -------- d-----w- c:\program files (x86)\Common Files\SWF Studio
2011-01-29 20:47 . 2011-01-29 20:48 -------- d-----w- c:\users\Chris\AppData\Roaming\GrabIt
2011-01-29 20:47 . 2011-01-29 20:47 -------- d-----w- c:\program files (x86)\GrabIt
2011-01-27 20:02 . 2011-01-27 20:02 -------- d-----w- c:\programdata\KingsIsle Entertainment
2011-01-23 05:26 . 2011-01-23 05:26 -------- d-----w- c:\program files (x86)\NewsLeecher
2011-01-22 17:07 . 2011-01-22 17:07 -------- d-----w- c:\users\Test
2011-01-22 06:24 . 2011-01-22 17:24 -------- d-----w- c:\programdata\webcamXP 5
2011-01-22 06:24 . 2011-01-22 06:24 -------- d-----w- c:\program files (x86)\wLite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-06 02:12 . 2010-11-06 04:43 1409 ----a-w- c:\windows\QTFont.for
2010-12-26 19:11 . 2010-12-26 04:10 466520 ----a-w- c:\windows\system32\wrap_oal.dll
2010-12-26 19:11 . 2010-12-26 04:10 445016 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2010-12-26 19:11 . 2010-12-26 04:10 122968 ----a-w- c:\windows\system32\OpenAL32.dll
2010-12-26 19:11 . 2010-12-26 04:10 109144 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2010-12-15 17:24 . 2010-12-15 17:24 58448 ----a-w- c:\windows\system32\drivers\PWFilterUsb.sys
2010-11-20 05:48 . 2010-11-20 05:48 10 ----a-w- c:\users\Chris\AppData\Roaming\sysFiles00.dll
2010-11-15 19:21 . 2010-11-15 19:21 1919968 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Chris\AppData\Roaming\Cuguog ----



((((((((((((((((((((((((((((( SnapShot@2011-02-08_02.08.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-10 06:25 . 2011-02-09 16:34 26162 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-02-09 16:34 33398 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-08-09 05:26 . 2011-02-08 00:34 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-09 05:26 . 2011-02-08 13:59 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-02-08 00:34 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-02-08 13:59 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-09 03:30 . 2011-02-09 16:33 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-09 03:30 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-09 03:30 . 2011-02-09 16:33 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-08-09 03:30 . 2011-02-08 00:45 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-08-09 03:30 . 2011-02-09 16:33 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-09 03:30 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-08-09 03:31 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-08-09 03:31 . 2011-02-09 16:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-09 03:31 . 2011-02-08 00:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-09 03:31 . 2011-02-09 16:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-09 04:16 . 2011-02-09 16:34 4518 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2507059737-3299237889-1687352491-1001_UserData.bin
- 2011-02-08 00:45 . 2011-02-08 00:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-02-09 16:33 . 2011-02-09 16:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-02-08 00:45 . 2011-02-08 00:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-02-09 16:33 . 2011-02-09 16:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 04:54 . 2011-02-08 02:02 212992 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-02-09 02:16 212992 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-02-08 02:02 688128 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-02-09 02:16 688128 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 02:36 . 2011-02-10 17:50 733816 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-02-10 17:50 143684 c:\windows\system32\perfc009.dat
- 2009-07-14 04:54 . 2011-02-08 02:02 1900544 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-02-09 02:16 1900544 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 02:34 . 2011-01-30 21:03 9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-02-08 07:23 9961472 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\SysWOW64\Macromed\Flash\FlashUtil10k_ActiveX.exe" [2010-09-25 232912]

c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
biirgo.exe [2011-2-7 133120]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ykodh.exe [2011-2-7 133120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-07 197976]
R3 ALSysIO;ALSysIO;c:\users\Chris\AppData\Local\Temp\ALSysIO64.sys [x]
R3 dump_wmimmc;dump_wmimmc;f:\ntreev usa\Pangya\GameGuard\dump_wmimmc.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 PorscheWheelFilterUsb;PorscheWheelFilterUsb;c:\windows\system32\DRIVERS\PWFilterUsb.sys [2010-12-15 58448]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 wxpSvc;webcamXP Service;c:\program files (x86)\wLite\wService.exe [2010-05-02 5027328]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-10 834544]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x64.sys [2010-07-09 21480]
S2 iRacingService;iRacing helper service;c:\program files (x86)\iRacing\iRacingService.exe [2010-12-13 469152]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2010-05-07 30304]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2010-07-27 339040]
S3 lvsels64;Logitech Selective Suspend Filter;c:\windows\system32\DRIVERS\lvsels64.sys [2010-07-27 68064]
S3 LVUVC64;QuickCam Orbit/Sphere AF(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2010-07-27 6465632]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-09-03 11464296]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files (x86)\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\vlo6ego8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\wxpSvc]
"ImagePath"="c:\program files (x86)\wLite\wService.exe /startedbyscm:5053B757-40E35B3B-webcamSRV"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,74,6c,aa,55,84,47,8f,98,54,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,74,6c,aa,55,84,47,8f,98,54,\

[HKEY_USERS\S-1-5-21-2507059737-3299237889-1687352491-1001\Software\SecuROM\License information*]
"datasecu"=hex:e6,51,71,80,20,1f,cd,d4,4d,8b,8f,7a,79,94,d3,d8,9d,95,f0,f0,f1,
4d,95,68,15,51,da,07,ab,ea,46,b3,c8,b5,96,3b,a2,21,16,b6,e4,4a,07,88,3f,dd,\
"rkeysecu"=hex:3b,95,40,05,99,a9,c0,95,fc,84,5e,69,b0,17,dc,90

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-02-10 16:56:59
ComboFix-quarantined-files.txt 2011-02-10 22:56
ComboFix2.txt 2011-02-09 16:34
ComboFix3.txt 2011-02-09 02:09
ComboFix4.txt 2011-02-08 02:09

Pre-Run: 11,710,377,984 bytes free
Post-Run: 11,512,352,768 bytes free

- - End Of File - - 4CA60584095E8BF0668251CF39391F0A

#12 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:01 PM

Posted 11 February 2011 - 08:48 AM

Hi Dittoz,

The folder is not showing any data.
Please bear with me for a while while I ask some colleagues about this.

Thanks



#13 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:01 PM

Posted 13 February 2011 - 11:21 AM

Hi Dittoz

As you said:

When I try to upload the file ykodh.exe I get "You do not have permission to open this file".

Let's see if we can correct this.

Please download ResetPerms to your desktop.
Click the downloaded icon to run the program.
Copy and paste the following into the edit box and press the Restore Permissions button:
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe
c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biirgo.exe
c:\users\Chris\AppData\Roaming\Cuguog
c:\users\Chris\AppData\Roaming\Cuguog\*

When finished click OK.
Then press List Permissions and post the Perms.txt in your next reply.

Thanks



#14 Dittoz

Dittoz
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:01 PM

Posted 13 February 2011 - 05:45 PM

ResetPerms by Farbar
Ran by Chris at 2011-02-13 16:44:50

=================================================
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe BUILTIN\Users:R
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
Everyone:(ID)R

c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biirgo.exe BUILTIN\Users:R
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
Chris-PC\Test:(ID)F

c:\users\Chris\AppData\Roaming\Cuguog BUILTIN\Users:(OI)(CI)R
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
Chris-PC\Chris:(OI)(CI)(ID)F
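
As an added example (not code from this thread or from Farbar's ResetPerms tool), a small Python parser for the Perms.txt layout posted above: it separates ACEs set directly on an object from inherited (ID) ones and flags Startup-folder files that carry an explicit entry. The sample input is the three entries above embedded inline; the set of inheritance markers and the "path followed by first ACE" line layout are assumptions taken from that output.

```python
"""Parse icacls-style Perms.txt output (the layout ResetPerms printed above) and
flag Startup-folder files that carry an explicit, non-inherited ACE. Added example
for this thread, not code from the thread or from ResetPerms; layout is assumed."""
import re

# Constructed sample: the three entries from the Perms.txt posted above.
SAMPLE_PERMS = r"""
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe BUILTIN\Users:R
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
Everyone:(ID)R
c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biirgo.exe BUILTIN\Users:R
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
Chris-PC\Test:(ID)F
c:\users\Chris\AppData\Roaming\Cuguog BUILTIN\Users:(OI)(CI)R
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
Chris-PC\Chris:(OI)(CI)(ID)F
"""

# Inheritance/propagation markers icacls prints in parentheses (assumed set);
# anything else in parentheses, e.g. (RX), is a right rather than a flag.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "ID", "I"}
PATH_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) (?P<ace>\S+:\S+)$")
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.IGNORECASE)

def parse_ace(text):
    """'NT AUTHORITY\\SYSTEM:(OI)(CI)(ID)F' -> who / inheritance flags / rights."""
    who, _, rest = text.partition(":")
    flags = {g for g in re.findall(r"\(([A-Za-z]+)\)", rest) if g in INHERIT_FLAGS}
    # Rights are whatever remains once the inheritance flags are stripped.
    rights = re.sub(r"\((?:%s)\)" % "|".join(sorted(INHERIT_FLAGS)), "", rest)
    return {"who": who.strip(), "flags": flags, "rights": rights}

def parse_perms(text):
    """Split Perms.txt into [{'path': ..., 'aces': [ace, ...]}, ...]."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = PATH_LINE.match(line)
        if m:                  # a path line (first principal has no spaces) opens an entry
            entries.append({"path": m.group("path"), "aces": [parse_ace(m.group("ace"))]})
        elif entries:          # continuation line: another ACE for the current path
            entries[-1]["aces"].append(parse_ace(line))
    return entries

def explicit_aces(entry):
    """ACEs set directly on the object, i.e. without an (ID)/(I) inherited marker."""
    return [a for a in entry["aces"] if not a["flags"] & {"ID", "I"}]

def flag_startup_entries(entries):
    """Startup-folder files with an explicit ACE. The Default profile's Startup
    folder is copied into every new profile, so hits there matter most."""
    return [e["path"] for e in entries if STARTUP_DIR.search(e["path"]) and explicit_aces(e)]

if __name__ == "__main__":
    entries = parse_perms(SAMPLE_PERMS)
    for e in entries:
        print(e["path"], "->", [f"{a['who']}:{a['rights']}" for a in explicit_aces(e)])
    print("flagged:", flag_startup_entries(entries))
```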

#15 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:06:01 PM

Posted 15 February 2011 - 05:45 AM

Hi Dittoz,

Let's see if they'll go this time.

Close any open browsers.
Close/disable all anti-virus, firewall and anti-malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
File::
c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ykodh.exe
c:\users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\biirgo.exe
c:\users\Chris\AppData\Local\Gyokoyineba.bin

Folder::
c:\users\Chris\AppData\Roaming\Cuguog


Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.
Posted Image

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the ComboFix window while it is running - this may cause your system to hang/crash

In your next reply, please submit:
new Combofix.txt


Thanks.
