
Google Redirects, crit sys processes infected


  • This topic is locked
7 replies to this topic

#1 Kawaiikoneko

Posted 16 April 2011 - 03:34 PM

Hi, recently I was hit with a variant of the Google Redirect malware and my network resources seem to be hogged as a result. I have run scans from numerous programs (AVG, Spybot, MBAM etc.) but they are not able to thoroughly clean my system. I would like to ask for help in removing the malware, cleaning my critical system processes and disabling processes that are not a priority for my system.

Steps taken prior to posting:

1) ran ComboFix for a scan
2) ran DeFogger to disable my emulation software
3) ran DDS for the log files
4) ran HJT for the log file
5) currently running GMER, will post logs when ready

ComboFix 11-04-16.02 - Administrator 04/17/2011  21:23:57.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.61.1033.18.2046.1470 [GMT 8:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
AV: Spy Emergency *Disabled/Updated* {82117492-906E-4b02-A33A-84D42A2DD907}
SP: Spy Emergency *Disabled/Updated* {82117492-906E-4b02-A33A-84D42A2DD907}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\regedit.exe . . . is infected!!
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
c:\windows\system32\logonui.exe . . . is infected!!
.
c:\windows\system32\userinit.exe . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-17 to 2011-04-17  )))))))))))))))))))))))))))))))
.
.
2011-04-17 12:53 . 2010-12-20 10:09	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-17 12:53 . 2010-12-20 10:08	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-04-17 12:52 . 2011-04-17 12:52	--------	d-----w-	c:\program files\Common Files\Java
2011-04-17 12:20 . 2011-04-17 12:20	--------	d-----w-	C:\Autoruns
2011-04-17 06:44 . 2011-03-15 12:59	7154	----a-w-	c:\windows\_000032_.tmp.dll
2011-04-17 06:44 . 2010-10-23 01:10	7797	----a-w-	c:\windows\_000009_.tmp.dll
2011-04-17 06:44 . 2010-10-23 01:10	7797	----a-w-	c:\windows\_000008_.tmp.dll
2011-04-17 06:44 . 2011-03-15 12:59	7154	----a-w-	c:\windows\_000031_.tmp.dll
2011-04-17 06:44 . 2010-12-21 19:44	7860	----a-w-	c:\windows\_000022_.tmp.dll
2011-04-17 06:44 . 2010-12-21 19:44	7860	----a-w-	c:\windows\_000021_.tmp.dll
2011-04-17 06:44 . 2011-03-04 06:40	8566	----a-w-	c:\windows\_000034_.tmp.dll
2011-04-17 06:44 . 2011-03-04 06:40	8566	----a-w-	c:\windows\_000033_.tmp.dll
2011-04-17 04:57 . 2011-04-17 06:21	--------	d-----w-	c:\windows\$$$Temp_&&&_Hives
2011-04-17 04:57 . 2011-04-17 05:08	--------	d-----w-	c:\users\Administrator\Local Settings\Application Data\ExpertScan
2011-04-17 04:57 . 2011-04-17 04:57	--------	d-----w-	c:\program files\Ascensio System
2011-04-16 16:37 . 2011-04-16 16:37	--------	d-----w-	c:\program files\Nightly
2011-04-16 16:12 . 2011-04-16 16:12	--------	d-----w-	c:\users\Administrator\Local Settings\Application Data\Identities
2011-04-15 14:06 . 2010-07-09 07:08	327368	----a-w-	c:\windows\system32\drivers\bdfsfltr.sys
2011-04-15 14:05 . 2010-07-27 04:50	253072	----a-w-	c:\windows\system32\drivers\Trufos.sys
2011-04-15 14:05 . 2010-06-28 04:55	970320	----a-w-	c:\windows\system32\drivers\avckf.sys
2011-04-15 14:05 . 2010-06-28 04:55	633424	----a-w-	c:\windows\system32\drivers\avc3.sys
2011-04-15 14:05 . 2010-06-18 08:11	111696	----a-w-	c:\windows\system32\drivers\bdfndisf.sys
2011-04-15 14:05 . 2010-04-22 05:19	149520	----a-w-	c:\windows\system32\drivers\bdfm.sys
2011-04-15 14:05 . 2010-05-13 09:02	12960	----a-w-	c:\windows\system32\drivers\bdrawpr.sys
2011-04-15 14:05 . 2009-03-08 09:10	110592	----a-w-	c:\program files\Internet Explorer\Connection Wizard\icwconn2.exe
2011-04-15 14:05 . 2010-10-23 01:10	7797	----a-w-	c:\windows\_000004_.tmp.dll
2011-04-15 14:04 . 2010-08-26 13:37	357248	----a-w-	c:\windows\system32\drivers\_000007_.tmp.dll
2011-04-15 14:04 . 2010-02-24 11:57	457216	----a-w-	c:\windows\system32\drivers\_000006_.tmp.dll
2011-04-15 14:04 . 2011-04-14 19:00	23040	----a-w-	c:\windows\system32\bddel.exe
2011-04-15 14:04 . 2011-02-18 12:03	8158	----a-w-	c:\windows\_000006_.tmp.dll
2011-04-15 14:04 . 2010-12-21 19:44	7860	----a-w-	c:\windows\_000005_.tmp.dll
2011-04-15 14:04 . 2011-03-15 12:59	7154	----a-w-	c:\windows\_000018_.tmp.dll
2011-04-15 14:04 . 2011-03-15 12:59	7154	----a-w-	c:\windows\_000019_.tmp.dll
2011-04-15 14:04 . 2011-03-04 06:40	8566	----a-w-	c:\windows\_000020_.tmp.dll
2011-04-15 11:31 . 2011-04-15 11:46	--------	d-----w-	c:\program files\Common Files\Symantec Shared
2011-04-15 11:31 . 2011-04-15 11:31	60808	----a-w-	c:\windows\system32\S32EVNT1.DLL
2011-04-15 11:31 . 2011-04-15 11:31	126512	----a-w-	c:\windows\system32\drivers\SYMEVENT.SYS
2011-04-15 11:31 . 2011-04-15 11:31	--------	d-----w-	c:\program files\Symantec
2011-04-15 11:30 . 2011-04-15 11:30	--------	d-----w-	c:\windows\system32\drivers\N360
2011-04-15 11:30 . 2011-04-15 11:43	--------	d-----w-	c:\program files\Norton 360
2011-04-15 11:30 . 2011-04-15 11:36	--------	d-----w-	c:\users\All Users\Application Data\Norton
2011-04-15 11:30 . 2011-04-15 11:30	--------	d-----w-	c:\program files\NortonInstaller
2011-04-15 11:29 . 2011-04-15 11:29	--------	d-----w-	C:\Norton.360.v5.0.0.125.Final.Crack.by.S.P.180.days
2011-04-15 10:44 . 2011-04-15 14:04	--------	d-----w-	c:\users\Administrator\Application Data\Runscanner.net
2011-04-15 10:43 . 2011-04-15 10:42	1659192	----a-w-	C:\runscanner.exe
2011-04-15 10:42 . 2011-04-15 10:43	11994856	----a-w-	C:\is360setup.exe
2011-04-15 10:38 . 2011-04-15 10:38	5689296	----a-w-	C:\ARO2011_bt.exe
2011-04-15 09:57 . 2011-04-15 10:40	--------	d-----w-	C:\IS360 Portable
2011-04-15 06:59 . 2011-04-15 11:17	6642	----a-w-	c:\windows\system32\PerfStringBackup.TMP
2011-04-15 06:18 . 2011-04-17 06:45	--------	d-----w-	C:\ErdUndoCache
2011-04-15 05:59 . 2011-04-15 06:01	--------	d-----w-	c:\windows\system32\NtmsData
2011-04-15 05:40 . 2011-04-15 05:40	--------	d-----w-	c:\users\Administrator\Application Data\IObit
2011-04-15 05:40 . 2011-04-15 05:40	--------	d-----w-	c:\users\All Users\Application Data\IObit
2011-04-15 05:38 . 2011-04-15 05:38	--------	d-----w-	c:\program files\IObit
2011-04-14 21:12 . 2011-04-17 07:09	--------	d-----w-	c:\users\All Users\Application Data\Spybot - Search & Destroy
2011-04-14 21:12 . 2011-04-17 07:09	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2011-04-14 19:41 . 2011-04-14 19:41	--------	d-----w-	C:\$AVG
2011-04-14 19:27 . 2011-04-14 19:27	--------	d--h--w-	c:\users\All Users\Application Data\Common Files
2011-04-14 19:24 . 2011-04-16 18:52	--------	d-----w-	c:\users\All Users\Application Data\AVG10
2011-04-14 19:23 . 2011-04-14 19:23	--------	d-----w-	c:\program files\AVG
2011-04-14 19:11 . 2011-04-14 19:23	--------	d-----w-	c:\users\All Users\Application Data\MFAData
2011-04-14 17:58 . 2011-04-14 17:58	--------	d-----w-	c:\users\LocalService\Application Data\QuickScan
2011-04-14 17:54 . 2011-04-14 17:54	--------	d-----w-	c:\users\All Users\Application Data\aaf20000-6cbc-4226-be64-73e9640111a8
2011-04-14 17:36 . 2011-04-14 17:36	--------	d-----w-	c:\users\All Users\Application Data\47d60000-1f7e-499e-44eb-508d3555f99e
2011-04-14 17:23 . 2011-04-14 17:23	--------	d-----w-	c:\users\Administrator\Application Data\QuickScan
2011-04-14 17:22 . 2011-04-15 13:48	--------	d-----w-	c:\program files\Common Files\BitDefender
2011-04-14 17:22 . 2011-04-15 06:35	822632	----a-w-	c:\users\All Users\Application Data\bdinstall.bin
2011-04-14 14:30 . 2011-04-14 14:30	--------	d-----w-	c:\users\Administrator\Application Data\ComodoGroup
2011-04-14 06:45 . 2011-04-14 06:45	--------	d-----w-	c:\users\Administrator\Application Data\Virtual Prophecy
2011-04-14 06:11 . 2011-04-15 13:46	--------	d-sh--w-	c:\users\Administrator\Application Data\Desktop
2011-03-27 08:17 . 2011-03-27 08:17	--------	d-----w-	c:\windows\Drawn 2 Dark Flight Collector's Edition [Updated]
2011-03-24 16:00 . 2011-03-18 17:53	142296	----a-w-	c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-24 16:00 . 2011-03-18 17:53	781272	----a-w-	c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-24 16:00 . 2011-03-18 17:53	1874904	----a-w-	c:\program files\Mozilla Firefox\mozjs.dll
2011-03-24 16:00 . 2011-03-18 17:53	15832	----a-w-	c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-24 16:00 . 2011-03-18 17:53	728024	----a-w-	c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-24 16:00 . 2011-03-18 17:53	142296	----a-w-	c:\program files\Mozilla Firefox\libEGL.dll
2011-03-24 16:00 . 2011-03-18 17:53	1893336	----a-w-	c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-24 16:00 . 2011-03-18 17:53	1975768	----a-w-	c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-17 07:18 . 2010-11-30 10:58	0	----a-w-	c:\windows\system32\ConduitEngine.tmp
2011-04-15 06:04 . 2011-04-15 06:03	13146815	----a-w-	C:\IS360 Portable.zip
2011-04-14 18:40 . 2011-04-14 18:40	353096	----a-w-	c:\windows\system32\drivers\bdfsfltr.sys.upd
2011-03-07 05:31 . 2010-04-19 03:20	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2009-03-08 09:02	420864	----a-w-	c:\windows\system32\vbscript.dll
2011-03-03 13:27 . 2009-03-08 09:02	1866880	----a-w-	c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2009-03-08 09:12	916480	----a-w-	c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2009-03-08 09:10	1469440	----a-w-	c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2009-03-08 09:03	43520	----a-w-	c:\windows\system32\licmgr10.dll
2011-02-22 11:41 . 2009-03-08 09:03	385024	----a-w-	c:\windows\system32\html.iec
2011-02-18 08:36 . 2010-04-19 14:50	41984	------w-	c:\windows\system32\drivers\usbaapl.sys
2011-02-18 08:36 . 2010-04-19 14:50	4184352	----a-w-	c:\windows\system32\usbaaplrc.dll
2011-02-17 13:19 . 2009-03-08 09:01	457472	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:19 . 2009-03-08 09:02	357888	----a-w-	c:\windows\system32\drivers\srv.sys
2011-02-15 12:56 . 2008-04-14 03:39	290432	----a-w-	c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2008-04-14 03:42	270848	----a-w-	c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 03:41	186880	----a-w-	c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-14 03:41	978944	----a-w-	c:\windows\system32\mfc42.dll
2011-02-08 11:03 . 2007-04-03 06:44	974848	----a-w-	c:\windows\system32\mfc42u.dll
2011-02-02 13:40 . 2010-05-11 07:13	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-02-02 11:19 . 2010-05-11 07:13	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-01-21 14:44 . 2009-03-08 09:12	439296	------w-	c:\windows\system32\shimgvw.dll
2011-03-18 17:53 . 2011-03-24 16:00	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
2010-12-26 14:42	15872	--sha-w-	c:\windows\system32\EAF1E0\9C-P9.EXE
.
.
------- Sigcheck -------
.
[-] 2009-03-08 . FF267FF1D773BEA5522295E3A79701E9 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3GDR\tcpip.sys
.
[-] 2009-03-08 09:09 . 403EBA8EE2967BA93E07138400972EE3 . 1443840 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2009-03-08 . 0390E37DAA7F30913680CD3A0A0DA21C . 568832 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2009-03-08 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
.
[-] 2008-04-14 . 6A3909CA6BBCC2E6E496EF20CFA767E6 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
.
[-] 2009-03-08 . E1E95D0BADCC1C7FF47694BF7EF489E1 . 1723904 . . [6.00.2900.5634] . . c:\windows\explorer.exe
.
[-] 2009-03-08 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
(((((((((((((((((((((((((((((   SnapShot@2011-04-17_12.00.54   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-17 12:52 . 2011-04-17 12:52	16384              c:\windows\temp\Perflib_Perfdata_43c.dat
- 2011-04-17 12:01 . 2011-04-17 12:01	53248              c:\windows\temp\catchme.dll
+ 2011-04-17 13:31 . 2011-04-17 13:31	53248              c:\windows\temp\catchme.dll
+ 2011-04-17 12:52 . 2011-02-02 13:40	157472              c:\windows\system32\javaws.exe
+ 2011-04-17 12:52 . 2011-02-02 13:40	145184              c:\windows\system32\javaw.exe
- 2010-05-11 07:13 . 2010-05-11 07:13	145184              c:\windows\system32\javaw.exe
- 2010-05-11 07:13 . 2010-05-11 07:13	145184              c:\windows\system32\java.exe
+ 2011-04-17 12:52 . 2011-02-02 13:40	145184              c:\windows\system32\java.exe
+ 2011-04-17 12:52 . 2011-04-17 12:52	180224              c:\windows\Installer\67128.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54	175912	----a-w-	c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-01-17 14:54	175912	----a-w-	c:\program files\Vuze_Remote\prxtbVuz2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuz2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-06 1867888]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-05-14 344064]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2009-03-08 37376]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
"NewUser"="c:\windows\LastXP\NewUser.cmd" [2009-02-18 2375]
.
c:\users\Administrator\Start Menu\Programs\Startup\
ViiKiiDesktopPlugin.lnk - c:\program files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe [2010-9-3 142336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"NoDevMgrUpdate"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Users^Administrator^Start Menu^Programs^Startup^ViiKiiDesktopPlugin.lnk]
backup=c:\windows\pss\ViiKiiDesktopPlugin.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 15:07	932288	----a-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 07:33	421160	------w-	c:\program files\iTunes\iTunesHelper.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KRU\\Dark Ages\\Darkages.exe"=
"c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlashGet3.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/29/2010 4:15 PM 691696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/17/2011 8:53 PM 363344]
R2 NGRegClnSrv;NETGATE Registry Cleaner Service;c:\program files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe [8/31/2010 3:21 PM 440912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/17/2011 8:53 PM 20952]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [4/19/2010 11:04 PM 19056]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 7:16 PM 130384]
S2 KMService;KMService;c:\windows\system32\srvany.exe [12/7/2010 5:48 PM 8192]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [3/10/2010 8:18 AM 24216]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 5:51 PM 30963576]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [6/21/2010 1:55 PM 18432]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 7:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
*NewlyCreated* - MBAMSERVICE
*NewlyCreated* - NORMANDY
*NewlyCreated* - PBFILTER
*Deregistered* - Normandy
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-16 c:\windows\Tasks\AdobeAAMUpdater-1.0-Acer4100-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-06-23 19:44]
.
2011-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 01:50]
.
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-838170752-2147189981-500Core.job
- c:\users\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-21 06:35]
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-838170752-2147189981-500UA.job
- c:\users\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-21 06:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download all by FlashGet3 - c:\users\Administrator\Application Data\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\users\Administrator\Application Data\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\l4ewztsx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.bigbangupdates.com/|http://www.allkpop.com/|http://koreanentertainmentportal.blogspot.com/|http://www.dailymotion.com/user/isubs/1|http://hackstor.blogspot.com/2011/04/how-to-jailbreak-ios-431-on-iphone-4.html|http://entertainments10.blogspot.com/2010/11/family-outing-season-1-eng-sub.html
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-17 21:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1177238915-838170752-2147189981-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,9a,a9,75,a2,21,9b,45,ac,54,69,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,9a,a9,75,a2,21,9b,45,ac,54,69,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1092)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll
.
- - - - - - - > 'lsass.exe'(1160)
c:\windows\system32\setupapi.dll
.
Completion time: 2011-04-17  21:33:26
ComboFix-quarantined-files.txt  2011-04-17 13:33
.
Pre-Run: 124,612,685,824 bytes free
Post-Run: 124,604,981,248 bytes free
.
- - End Of File - - FBCC4D87A87A40D1FA525227AC7C4E70

.
DDS (Ver_11-03-05.01) - NTFSx86  
Run by Administrator at 21:44:14.53 on Sun 04/17/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional  5.1.2600.3.1252.61.1033.18.2046.1454 [GMT 8:00]
.
AV: Spy Emergency *Disabled/Updated* {82117492-906E-4b02-A33A-84D42A2DD907}
SP: Spy Emergency *Disabled/Updated* {82117492-906E-4b02-A33A-84D42A2DD907}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Users\Administrator\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz2.dll
mWinlogon: Userinit=c:\windows\explorer.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\users\administrator\application data\flashgetbho\FlashGetBHO3.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuz2.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [NewUser] c:\windows\lastxp\NewUser.cmd
StartupFolder: c:\users\admini~1\startm~1\programs\startup\viikii~1.lnk - c:\program files\viikiidesktopplugin\ViiKiiDesktopPlugin.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: Download all by FlashGet3 - c:\users\administrator\application data\flashgetbho\GetAllUrl.htm
IE: Download by FlashGet3 - c:\users\administrator\application data\flashgetbho\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admini~1\applic~1\mozilla\firefox\profiles\l4ewztsx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.bigbangupdates.com/|http://www.allkpop.com/|http://koreanentertainmentportal.blogspot.com/|http://www.dailymotion.com/user/isubs/1|http://hackstor.blogspot.com/2011/04/how-to-jailbreak-ios-431-on-iphone-4.html|http://entertainments10.blogspot.com/2010/11/family-outing-season-1-eng-sub.html
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\users\administrator\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-17 363344]
R2 NGRegClnSrv;NETGATE Registry Cleaner Service;c:\program files\netgate\registry cleaner\RegistryCleanerSrv.exe [2010-8-31 440912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-17 20952]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2010-12-7 8192]
S2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-24 370688]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-3-10 24216]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-6-21 18432]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-17 13:22:45	--------	d-----w-	C:\ComboFix
2011-04-17 12:53:35	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-17 12:53:32	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-04-17 12:20:29	--------	d-----w-	C:\Autoruns
2011-04-17 11:51:59	--------	d-sha-r-	C:\cmdcons
2011-04-17 06:44:52	7797	----a-w-	c:\windows\_000009_.tmp.dll
2011-04-17 06:44:52	7797	----a-w-	c:\windows\_000008_.tmp.dll
2011-04-17 06:44:52	7154	----a-w-	c:\windows\_000032_.tmp.dll
2011-04-17 06:44:51	7860	----a-w-	c:\windows\_000022_.tmp.dll
2011-04-17 06:44:51	7154	----a-w-	c:\windows\_000031_.tmp.dll
2011-04-17 06:44:50	7860	----a-w-	c:\windows\_000021_.tmp.dll
2011-04-17 06:44:42	8566	----a-w-	c:\windows\_000034_.tmp.dll
2011-04-17 06:44:42	8566	----a-w-	c:\windows\_000033_.tmp.dll
2011-04-17 04:57:40	--------	d-----w-	c:\windows\$$$Temp_&&&_Hives
2011-04-17 04:57:38	--------	d-----w-	c:\users\admini~1\locals~1\applic~1\ExpertScan
2011-04-17 04:57:14	--------	d-----w-	c:\program files\Ascensio System
2011-04-16 18:53:24	98816	----a-w-	c:\windows\sed.exe
2011-04-16 18:53:24	89088	----a-w-	c:\windows\MBR.exe
2011-04-16 18:53:24	256512	----a-w-	c:\windows\PEV.exe
2011-04-16 18:53:24	161792	----a-w-	c:\windows\SWREG.exe
2011-04-16 16:37:21	--------	d-----w-	c:\program files\Nightly
2011-04-16 16:12:14	--------	d-----w-	c:\users\admini~1\locals~1\applic~1\Identities
2011-04-15 14:06:02	327368	----a-w-	c:\windows\system32\drivers\bdfsfltr.sys
2011-04-15 14:05:46	970320	----a-w-	c:\windows\system32\drivers\avckf.sys
2011-04-15 14:05:46	633424	----a-w-	c:\windows\system32\drivers\avc3.sys
2011-04-15 14:05:46	253072	----a-w-	c:\windows\system32\drivers\Trufos.sys
2011-04-15 14:05:46	149520	----a-w-	c:\windows\system32\drivers\bdfm.sys
2011-04-15 14:05:46	111696	----a-w-	c:\windows\system32\drivers\bdfndisf.sys
2011-04-15 14:05:45	12960	----a-w-	c:\windows\system32\drivers\bdrawpr.sys
2011-04-15 14:05:07	110592	----a-w-	c:\program files\internet explorer\connection wizard\icwconn2.exe
2011-04-15 14:05:00	7797	----a-w-	c:\windows\_000004_.tmp.dll
2011-04-15 14:04:54	457216	----a-w-	c:\windows\system32\drivers\_000006_.tmp.dll
2011-04-15 14:04:54	357248	----a-w-	c:\windows\system32\drivers\_000007_.tmp.dll
2011-04-15 14:04:46	23040	----a-w-	c:\windows\system32\bddel.exe
2011-04-15 14:04:39	8158	----a-w-	c:\windows\_000006_.tmp.dll
2011-04-15 14:04:39	7860	----a-w-	c:\windows\_000005_.tmp.dll
2011-04-15 14:04:38	7154	----a-w-	c:\windows\_000018_.tmp.dll
2011-04-15 14:04:35	8566	----a-w-	c:\windows\_000020_.tmp.dll
2011-04-15 14:04:35	7154	----a-w-	c:\windows\_000019_.tmp.dll
2011-04-15 11:31:58	60808	----a-w-	c:\windows\system32\S32EVNT1.DLL
2011-04-15 11:31:58	126512	----a-w-	c:\windows\system32\drivers\SYMEVENT.SYS
2011-04-15 11:31:58	--------	d-----w-	c:\program files\Symantec
2011-04-15 11:31:58	--------	d-----w-	c:\program files\common files\Symantec Shared
2011-04-15 11:31:39	652336	----a-r-	c:\windows\system32\drivers\n360\0500000.07d\SymEFA.sys
2011-04-15 11:31:39	509560	----a-r-	c:\windows\system32\drivers\n360\0500000.07d\srtsp.sys
2011-04-15 11:31:39	50168	----a-r-	c:\windows\system32\drivers\n360\0500000.07d\srtspx.sys
2011-04-15 11:31:39	368248	----a-r-	c:\windows\system32\drivers\n360\0500000.07d\symtdi.sys
2011-04-15 11:31:39	340016	----a-r-	c:\windows\system32\drivers\n360\0500000.07d\SymDS.sys
2011-04-15 11:31:39	330360	----a-r-	c:\windows\system32\drivers\n360\0500000.07d\symtdiv.sys
2011-04-15 11:31:39	295032	----a-r-	c:\windows\system32\drivers\n360\0500000.07d\symnets.sys
2011-04-15 11:31:39	136312	----a-r-	c:\windows\system32\drivers\n360\0500000.07d\Ironx86.sys
2011-04-15 11:30:52	--------	d-----w-	c:\windows\system32\drivers\n360\0500000.07D
2011-04-15 11:30:52	--------	d-----w-	c:\windows\system32\drivers\N360
2011-04-15 11:30:43	--------	d-----w-	c:\program files\Norton 360
2011-04-15 11:30:42	--------	d-----w-	c:\users\alluse~1\applic~1\Norton
2011-04-15 11:30:25	--------	d-----w-	c:\users\alluse~1\applic~1\NortonInstaller
2011-04-15 11:30:25	--------	d-----w-	c:\program files\NortonInstaller
2011-04-15 11:29:04	--------	d-----w-	C:\Norton.360.v5.0.0.125.Final.Crack.by.S.P.180.days
2011-04-15 10:44:52	--------	d-----w-	c:\users\admini~1\applic~1\Runscanner.net
2011-04-15 10:43:51	1659192	----a-w-	C:\runscanner.exe
2011-04-15 10:42:49	11994856	----a-w-	C:\is360setup.exe
2011-04-15 10:38:32	5689296	----a-w-	C:\ARO2011_bt.exe
2011-04-15 09:57:41	--------	d-----w-	C:\IS360 Portable
2011-04-15 06:59:24	6642	----a-w-	c:\windows\system32\PerfStringBackup.TMP
2011-04-15 06:18:21	--------	d-----w-	C:\ErdUndoCache
2011-04-15 05:59:50	--------	d-----w-	c:\windows\system32\NtmsData
2011-04-15 05:40:03	--------	d-----w-	c:\users\admini~1\applic~1\IObit
2011-04-15 05:40:00	--------	d-----w-	c:\users\alluse~1\applic~1\IObit
2011-04-15 05:38:29	--------	d-----w-	c:\program files\IObit
2011-04-14 21:12:45	--------	d-----w-	c:\users\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-14 21:12:45	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2011-04-14 19:41:52	--------	d-----w-	C:\$AVG
2011-04-14 19:27:57	--------	d--h--w-	c:\users\alluse~1\applic~1\Common Files
2011-04-14 19:24:40	--------	d-----w-	c:\users\alluse~1\applic~1\AVG10
2011-04-14 19:23:29	--------	d-----w-	c:\program files\AVG
2011-04-14 19:11:52	--------	d-----w-	c:\users\alluse~1\applic~1\MFAData
2011-04-14 17:54:08	--------	d-----w-	c:\users\alluse~1\applic~1\aaf20000-6cbc-4226-be64-73e9640111a8
2011-04-14 17:36:46	--------	d-----w-	c:\users\alluse~1\applic~1\47d60000-1f7e-499e-44eb-508d3555f99e
2011-04-14 17:23:22	--------	d-----w-	c:\users\admini~1\applic~1\QuickScan
2011-04-14 17:22:41	--------	d-----w-	c:\program files\common files\BitDefender
2011-04-14 17:22:27	822632	----a-w-	c:\users\alluse~1\applic~1\bdinstall.bin
2011-04-14 14:30:27	--------	d-----w-	c:\users\admini~1\applic~1\ComodoGroup
2011-04-14 06:45:16	--------	d-----w-	c:\users\admini~1\applic~1\Virtual Prophecy
2011-04-14 06:11:31	--------	d-sh--w-	c:\users\admini~1\applic~1\Desktop
2011-03-27 08:17:45	--------	d-----w-	c:\windows\Drawn 2 Dark Flight Collector's Edition [Updated]
2011-03-24 16:00:22	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-24 16:00:19	781272	----a-w-	c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-24 16:00:19	728024	----a-w-	c:\program files\mozilla firefox\libGLESv2.dll
2011-03-24 16:00:19	1975768	----a-w-	c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-24 16:00:19	1893336	----a-w-	c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-24 16:00:19	1874904	----a-w-	c:\program files\mozilla firefox\mozjs.dll
2011-03-24 16:00:19	15832	----a-w-	c:\program files\mozilla firefox\mozalloc.dll
2011-03-24 16:00:19	142296	----a-w-	c:\program files\mozilla firefox\libEGL.dll
.
==================== Find3M  ====================
.
2011-04-17 07:18:34	0	----a-w-	c:\windows\system32\ConduitEngine.tmp
2011-03-07 05:31:47	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06	726528	----a-w-	c:\windows\system32\SET6.tmp
2011-03-04 06:37:06	420864	----a-w-	c:\windows\system32\vbscript.dll
2011-03-03 13:27:43	1866880	----a-w-	c:\windows\system32\win32k.sys
2011-03-03 06:53:49	149504	----a-w-	c:\windows\system32\SETD.tmp
2011-02-22 23:06:29	916480	----a-w-	c:\windows\system32\wininet.dll
2011-02-22 23:06:29	916480	----a-w-	c:\windows\system32\SET253.tmp
2011-02-22 23:06:29	602112	------w-	c:\windows\system32\SET25A.tmp
2011-02-22 23:06:29	5962240	----a-w-	c:\windows\system32\SET258.tmp
2011-02-22 23:06:29	55296	----a-w-	c:\windows\system32\SET259.tmp
2011-02-22 23:06:29	43520	----a-w-	c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29	1469440	----a-w-	c:\windows\system32\inetcpl.cpl
2011-02-22 23:06:29	1210880	----a-w-	c:\windows\system32\SET254.tmp
2011-02-22 23:06:28	1991680	----a-w-	c:\windows\system32\SET25E.tmp
2011-02-22 23:06:28	11080704	------w-	c:\windows\system32\SET260.tmp
2011-02-22 11:41:59	385024	----a-w-	c:\windows\system32\html.iec
2011-02-18 08:36:58	4184352	----a-w-	c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12	5120	----a-w-	c:\windows\system32\SET29.tmp
2011-02-15 12:56:39	290432	----a-w-	c:\windows\system32\SET2C.tmp
2011-02-15 12:56:39	290432	----a-w-	c:\windows\system32\atmfd.dll
2011-02-09 13:53:52	270848	----a-w-	c:\windows\system32\sbe.dll
2011-02-09 13:53:52	186880	----a-w-	c:\windows\system32\encdec.dll
2011-02-08 13:33:55	978944	----a-w-	c:\windows\system32\mfc42.dll
2011-02-08 11:03:56	974848	----a-w-	c:\windows\system32\mfc42u.dll
2011-02-02 13:40:23	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-02-02 11:19:39	73728	----a-w-	c:\windows\system32\javacpl.cpl
2011-01-21 14:44:37	439296	------w-	c:\windows\system32\shimgvw.dll
2010-12-26 14:42:31	15872	--sha-w-	c:\windows\system32\eaf1e0\9C-P9.EXE
.
============= FINISH: 21:45:08.79 ===============

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:02:21 PM, on 4/17/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe
C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Users\Administrator\Desktop\HijackThis(1).exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Users\Administrator\Application Data\FlashGetBHO\FlashGetBHO3.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll
O3 - Toolbar: Conduit Engine  - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: lnk_disabled
O4 - Startup: ViiKiiDesktopPlugin.lnk = C:\Program Files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe
O4 - Global Startup: lnk_disabled
O8 - Extra context menu item: Download all by FlashGet3 - C:\Users\Administrator\Application Data\FlashGetBHO\GetAllUrl.htm
O8 - Extra context menu item: Download by FlashGet3 - C:\Users\Administrator\Application Data\FlashGetBHO\GetUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KMService - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NETGATE Registry Cleaner Service (NGRegClnSrv) - NETGATE Technologies s.r.o. - C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

--
End of file - 9064 bytes
Attached File: Attach.txt (17.03KB)

Edited by Kawaiikoneko, 17 April 2011 - 09:19 AM.
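One way to pre-screen logs like the two above before a helper reads them line by line, as an added example that is not part of this thread and not a ComboFix, HijackThis or BleepingComputer tool: a small Python triage script that parses the line shapes seen here and flags only what the log itself records (hidden/system attribute bits on a file under c:\windows, a service HijackThis lists with no publisher, a browser add-on loading from a user profile directory). The sample lines are constructed in the shape of the posted logs; a flag means "look at this", not "this is malware".

```python
"""Triage pass over ComboFix and HijackThis text logs (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# ComboFix file listing:  date time <size|--------> <8 attribute chars> path
COMBOFIX_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-dshrwa]{8})\s+(?P<path>.+?)\s*$"
)
# HijackThis O23 service line:  O23 - Service: <name> - <owner> - <path>
HJT_SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$"
)
# HijackThis O2 (BHO) / O3 (toolbar) line:  O2 - BHO: <name> - {CLSID} - <path>
HJT_BROWSER_RE = re.compile(
    r"^O[23] - (?:BHO|Toolbar): (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$"
)
# HijackThis O4 autorun line:  O4 - <hive/location>: [<name>] <command>
HJT_AUTORUN_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>.+?)\] (?P<command>.+)$")

# Directories an unprivileged user can write to; code that loads from here at
# logon or into the browser deserves a second look.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\users\\", "\\temp\\")

# Constructed sample in the shape of the logs posted above (a few lines only).
SAMPLE_LOG = r"""
2011-04-17 12:53:32  20952  ----a-w-  c:\windows\system32\drivers\mbam.sys
2011-04-17 11:51:59  --------  d-sha-r-  C:\cmdcons
2010-12-26 14:42:31  15872  --sha-w-  c:\windows\system32\eaf1e0\9C-P9.EXE
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Users\Administrator\Application Data\FlashGetBHO\FlashGetBHO3.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: KMService - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""


@dataclass
class Finding:
    source: str   # which log line shape produced the finding
    path: str
    reason: str


def parse_combofix_line(line: str):
    """Return (is_dir, attrs, path) for a ComboFix file entry, else None."""
    m = COMBOFIX_RE.match(line)
    if not m:
        return None
    attrs = m.group("attrs")
    # Attribute column as it appears in the log: d=directory at [0],
    # s=system at [2], h=hidden at [3], a=archive at [4], r/w at [6].
    return attrs[0] == "d", attrs, m.group("path")


def is_hidden_or_system(attrs: str) -> bool:
    return attrs[2] == "s" or attrs[3] == "h"


def from_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cf = parse_combofix_line(line)
        if cf:
            is_dir, attrs, path = cf
            # Hidden/system directories (cmdcons, Desktop) are normal; a *file*
            # under the Windows tree carrying those bits is what stands out.
            if not is_dir and is_hidden_or_system(attrs) and "\\windows\\" in path.lower():
                findings.append(Finding("combofix", path,
                                        f"file has attributes {attrs} (hidden/system)"))
            continue
        m = HJT_SERVICE_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                findings.append(Finding("hjt-O23", m.group("path"),
                                        f"service '{m.group('name')}' has no recorded publisher"))
            continue
        m = HJT_BROWSER_RE.match(line)
        if m:
            if from_user_writable(m.group("path")):
                findings.append(Finding("hjt-O2/O3", m.group("path"),
                                        f"browser add-on '{m.group('name')}' loads from a user-writable directory"))
            continue
        m = HJT_AUTORUN_RE.match(line)
        if m and from_user_writable(m.group("command")):
            findings.append(Finding("hjt-O4", m.group("command"),
                                    f"autorun '{m.group('name')}' starts from a user-writable directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.path}\n    {f.reason}")
```

Point `triage()` at the full text of a saved ComboFix or HijackThis log to get the same short list for a real machine; everything the rules do not match is simply passed over.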




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:47 PM

Posted 26 April 2011 - 06:31 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Kawaiikoneko

Kawaiikoneko
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:47 AM

Posted 27 April 2011 - 05:21 AM

Oh finally, glad to finally have someone here, nice to meet you, Mole!

Btw, I think I might be infected with Virtumonde.prx, and my email was hacked: my friends reported my email sending out suspicious attachments.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:47 PM

Posted 27 April 2011 - 06:45 PM

Please rerun Combofix and agree any updates it requests to make.
m0le is a proud member of UNITE

#5 Kawaiikoneko

Kawaiikoneko
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:47 AM

Posted 28 April 2011 - 04:14 AM

Dear Mole,

Good news that ComboFix was able to do something; however, bad news that it triggered a BSOD, which remains whenever I try to boot past the loading screen and into my desktop. I feel severely crippled now, SOS!

Error message that appears in the BSOD:

STOP:c000021a {Fatal System Error}
The windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000).
The system has been shut down.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:47 PM

Posted 28 April 2011 - 06:12 PM

We need to try and boot the machine with a recovery disk, in this case we will try Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
  • Do not install to a folder with spaces in its name.
  • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source:(path to Windows installation files)
    • Enter the path to the drive where your XP CD is located.
    • You can click on the "..." button on the right to navigate to the path as well.
  • Custom: (include files and folders from this directory)
    • No information is necessary, leave blank.
  • Output: (C:\ubcd4win\BartPE)
    • Keep the default BartPE
  • Media output
  • Choose Create ISO image
  • Do not choose Burn to CD/DVD


Please note: If your XP install disc is SP1 then please .....

  • Disable- DComLaunch Service
  • Enable- LargeIDE Fix

    This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

Also note: If you have a Dell XP install disc you will need to follow the instructions here
http://www.ubcd4win.com/faq.htm#dell
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit


4. Burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.
==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on Yes if you want to use the PE environment to get online post your log and reply by way of an Ethernet connection.
  • You should now have a desktop that looks like this:


==========

Single click My computer from your UBCD4W desktop to navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.bat.

  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to All

  • Copy and paste the following code into the Custom Scans/Fixes textbox.

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT
  • Push the Run Scan button
  • A report will open. Save that log to your flash drive. Copy and Paste that report in your next reply.

=========

With your next post please provide:

* OTLPE.txt
m0le is a proud member of UNITE

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:47 PM

Posted 02 May 2011 - 06:48 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:47 PM

Posted 03 May 2011 - 06:33 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE