Log, please help me


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:51:41 PM, on 12/14/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\locator.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe

C:\Program Files\Xfire\xfire.exe

C:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe

C:\Documents and Settings\AJ\Desktop\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe

O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O8 - Extra context menu item: Download with ImTOO Download YouTube Video - C:\Program Files\ImTOO\Download YouTube Video\upod_link.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

--

End of file - 7590 bytes

 

Second log, from Malwarebytes

 

Malwarebytes' Anti-Malware 1.31

Database version: 1500

Windows 5.1.2600 Service Pack 2

 

12/14/2008 12:47:40 PM

mbam-log-2008-12-14 (12-47-40).txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 160148

Time elapsed: 34 minute(s), 34 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 1

Files Infected: 15

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.

 

Files Infected:

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP479\A0153106.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP480\A0153117.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP480\A0154052.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP480\A0154053.dll (Adware.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP481\A0154056.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP481\A0155052.dll (Adware.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP529\A0162053.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\KFUeevI8.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Wh33B63f.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\model.dat (Spyware.MarketScore) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\LDPackage.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\silc.dat (Spyware.MarketScore) -> Quarantined and deleted successfully.

Edited by Loothawk

Hi Loothawk,

 

A bit more information would be helpful here. "Log, please help me" doesn't tell us much. ;)

 

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Please include the contents of the following in your next reply:

 

DDS.txt

 

I may ask for the Attach.txt log later, so keep it handy.


Done...

 

 

DDS (Version 1.0.1) - NTFSx86

Run by AJ at 21:26:33.04 on Sun 12/14/2008

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1273 [GMT -5:00]

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\locator.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe

C:\Program Files\Xfire\xfire.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe

C:\DOCUME~1\AJ\LOCALS~1\Temp\acbtvh.exe

C:\DOCUME~1\AJ\LOCALS~1\Temp\phineh.exe

C:\DOCUME~1\AJ\LOCALS~1\Temp\winsyqe.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe

C:\Documents and Settings\AJ\Desktop\dds.scr

 

============== Pseudo HJT Report ===============

 

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

mWinlogon: UIHost=c:\program files\tgtsoft\stylexp\logon\CurrentLogon.EXE

BHO: {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - c:\progra~1\crawler\toolbar\ctbr.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -

TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\progra~1\crawler\toolbar\ctbr.dll

TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - c:\progra~1\crawler\toolbar\ctbr.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe

StartupFolder: c:\docume~1\aj\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\xfire.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dualco~1.lnk - c:\program files\msi\dualcorecenter\StartUpDualCoreCenter.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartw~1.lnk - c:\program files\netgear\wg111 configuration utility\WG111CFG.exe

uPolicies-system: DisableRegistryTools = 1 (0x1)

uPolicies-system: DisableTaskMgr = 1 (0x1)

mPolicies-system: EnableLUA = 0 (0x0)

dPolicies-system: DisableTaskMgr = 1 (0x1)

dPolicies-system: DisableRegistryTools = 1 (0x1)

IE: Crawler Search - tbr:iemenu

IE: Download with ImTOO Download YouTube Video - c:\program files\imtoo\download youtube video\upod_link.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli scecli

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\aj\applic~1\mozilla\firefox\profiles\5lzvsy7g.default\

 

============= SERVICES / DRIVERS ===============

 

R IKFileSec;IKFileSec; []

R IKSysFlt;IKSysFlt; []

R IKSysSec;IKSysSec; []

R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 8944]

R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2007-2-27 55024]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-9-21 24652]

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hjnmkn.sys []

R3 DigiCellDriver;DigiCellDriver;\??\c:\program files\msi\dualcorecenter\NTGLM7X.sys [2007-11-10 27648]

R3 RushTopDevice2;RushTopDevice2;\??\c:\program files\msi\dualcorecenter\RushTop.sys [2007-11-10 39424]

R3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;c:\windows\system32\drivers\superwebcam.sys [2008-8-21 31872]

R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\drivers\whfltr2k.sys [2007-1-25 6784]

R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;c:\windows\system32\drivers\whmice2k.sys [2004-4-25 6885]

S1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys []

S3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys []

S3 CEDRIVER53;CEDRIVER53;\??\c:\program files\cheat engine\dbk32.sys [2008-6-22 35840]

S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);"c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe" -sSONY_MEDIAMGR2 [2007-2-10 29247856]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\aj\desktop\rohanboten1.0.2\NtProcDrv.sys []

S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys []

S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys []

S4 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Scheduler; []

S4 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard; []

 

=============== Created Last 30 ================

 

2008-12-14 19:59 54,156 a---h--- c:\windows\QTFont.qfn

2008-12-14 19:59 1,409 a------- c:\windows\QTFont.for

2008-12-14 17:42 <DIR> --d----- c:\program files\Spyware Doctor

2008-12-14 12:11 <DIR> --d----- c:\docume~1\aj\applic~1\Malwarebytes

2008-12-14 12:11 15,504 a------- c:\windows\system32\drivers\mbam.sys

2008-12-14 12:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-14 12:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2008-12-14 12:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2008-12-13 21:27 <DIR> --d----- c:\program files\WinClamAVShield

2008-12-12 16:53 <DIR> --d----- c:\program files\Crawler

2008-12-12 16:53 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys

2008-12-12 16:53 <DIR> --d----- c:\docume~1\aj\applic~1\Spyware Terminator

2008-12-12 16:53 <DIR> --d----- c:\program files\Spyware Terminator

2008-12-12 16:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator

2008-12-12 16:25 <DIR> --d-h--- C:\$AVG8.VAULT$

2008-12-12 15:10 397,824 a------- c:\windows\system32\drivers\EagleNt.sys

2008-12-12 15:10 1,689,088 ----h--t c:\windows\system32\f12da82.dll

2008-12-12 15:10 1,689,088 ----h--t c:\windows\system32\1dcf9f62.dll

2008-12-12 15:10 82,944 ----h--t c:\windows\system32\2bf2a34a.dll

2008-12-12 15:10 82,944 ----h--t c:\windows\system32\15d14f90.dll

2008-12-12 15:10 17,876 a---h--- c:\windows\system32\wcdrtc32.dl_

2008-12-07 18:34 <DIR> --d----- C:\Nexon

2008-12-06 21:41 410,984 a------- c:\windows\system32\deploytk.dll

2008-12-06 18:14 135 a------- c:\windows\WAVCutjoin.ini

2008-12-06 18:01 5 a------- c:\windows\system32\SySWAVCJ.dat

2008-12-06 18:01 1,843,200 a------- c:\windows\system32\NCTAudioFile2.dll

2008-12-06 18:01 450,560 a------- c:\windows\system32\NCTAudioTransform2.dll

2008-12-06 18:01 315,392 a------- c:\windows\system32\NCTAudioPlayer2.dll

2008-12-06 18:01 237,568 a------- c:\windows\system32\lame_enc.dll

2008-12-06 18:01 <DIR> --d----- c:\program files\HiFisoftware

2008-12-06 18:01 3,082 a------- c:\windows\system32\affv14575p26now.sys

2008-12-06 14:47 244 a---h--- C:\sqmnoopt00.sqm

2008-12-06 14:47 232 a---h--- C:\sqmdata00.sqm

2008-12-06 13:50 <DIR> --d----- c:\documents and settings\all users\CyberLink

2008-12-06 10:04 <DIR> --d----- C:\Ntreev

2008-12-01 18:43 <DIR> --d----- c:\program files\Hamachi

2008-11-30 15:29 57,436 a------- c:\windows\DASShp.dll

2008-11-30 15:29 <DIR> --d----- c:\program files\Microsoft Reader

2008-11-20 15:44 42,320 a------- c:\windows\system32\xfcodec.dll

2008-11-15 14:21 <DIR> --d----- c:\program files\Pinnacle

2008-11-15 10:02 <DIR> --d----- c:\program files\Defraggler

 

==================== Find3M ====================

 

2008-12-01 18:43 25,280 a------- c:\windows\system32\drivers\hamachi.sys

2008-11-01 16:49 31,744 a------- c:\windows\system32\Wh33B63f.exe

2008-05-18 12:24 116,726,478 ac------ c:\program files\Mount&Blade.rar

 

============= FINISH: 21:26:48.29 ===============


Thank you.

 

First, please open MBAM and select the Logs tab.

Select the most recent scan and click View, then copy and post that log here.

If there are several recent logs, post them all.

 

Next, visit the following webpage for instructions on downloading and running ComboFix.

 

How to use ComboFix

 

 

Download ComboFix by sUBs from here, saving the file to your desktop.

 

 

Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

  • Close all open programs and windows
  • Double click ComboFix.exe and follow the prompts.
  • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

NOTE: I recommend you allow the Recovery Console to be downloaded and installed if or when prompted.


MBAM LOGS

 

Malwarebytes' Anti-Malware 1.31

Database version: 1500

Windows 5.1.2600 Service Pack 2

 

12/14/2008 12:47:40 PM

mbam-log-2008-12-14 (12-47-40).txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 160148

Time elapsed: 34 minute(s), 34 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 1

Files Infected: 15

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge (Spyware.Marketscore) -> Quarantined and deleted successfully.

 

Files Infected:

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP479\A0153106.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP480\A0153117.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP480\A0154052.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP480\A0154053.dll (Adware.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP481\A0154056.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP481\A0155052.dll (Adware.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{CCF8B313-9552-471B-A47A-C30B6FCF0004}\RP529\A0162053.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\RelevantKnowledge\Support.lnk (Spyware.Marketscore) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\KFUeevI8.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Wh33B63f.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\model.dat (Spyware.MarketScore) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\LDPackage.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\silc.dat (Spyware.MarketScore) -> Quarantined and deleted successfully.

------------------------------------------------------------

Malwarebytes' Anti-Malware 1.31

Database version: 1500

Windows 5.1.2600 Service Pack 2

 

12/14/2008 7:26:16 PM

mbam-log-2008-12-14 (19-26-16).txt

 

Scan type: Full Scan (C:\|)

Objects scanned: 148255

Time elapsed: 53 minute(s), 25 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)


ComboFix 08-12-14.04 - AJ 2008-12-14 22:04:14.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1535 [GMT -5:00]

Running from: c:\documents and settings\AJ\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\bold.log

c:\documents and settings\AJ\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

c:\windows\IE4 Error Log.txt

c:\windows\system32\_000000_.tmp.dll

c:\windows\system32\config\SAM.SAV

 

.

((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))

.

 

2008-12-14 19:59 . 2008-12-14 19:59 54,156 --ah----- c:\windows\QTFont.qfn

2008-12-14 19:59 . 2008-12-14 19:59 1,409 --a------ c:\windows\QTFont.for

2008-12-14 17:42 . 2008-12-14 21:46 <DIR> d-------- c:\program files\Spyware Doctor

2008-12-14 12:11 . 2008-12-14 12:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-14 12:11 . 2008-12-14 12:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-14 12:11 . 2008-12-14 12:11 <DIR> d-------- c:\documents and settings\AJ\Application Data\Malwarebytes

2008-12-14 12:11 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-14 12:11 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-13 21:27 . 2008-12-14 17:42 <DIR> d-------- c:\program files\WinClamAVShield

2008-12-12 16:53 . 2008-12-14 19:31 <DIR> d-------- c:\program files\Spyware Terminator

2008-12-12 16:53 . 2008-12-12 16:53 <DIR> d-------- c:\program files\Crawler

2008-12-12 16:53 . 2008-12-14 19:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spyware Terminator

2008-12-12 16:53 . 2008-12-14 19:29 <DIR> d-------- c:\documents and settings\AJ\Application Data\Spyware Terminator

2008-12-12 16:53 . 2008-12-12 16:53 142,592 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys

2008-12-12 16:25 . 2008-12-12 16:35 <DIR> d--h----- C:\$AVG8.VAULT$

2008-12-12 15:10 . 2004-08-04 07:00 1,689,088 ---h---t- c:\windows\system32\f12da82.dll

2008-12-12 15:10 . 2004-08-04 07:00 1,689,088 ---h---t- c:\windows\system32\1dcf9f62.dll

2008-12-12 15:10 . 2008-12-12 15:10 397,824 --a------ c:\windows\system32\drivers\EagleNt.sys

2008-12-12 15:10 . 2004-08-04 07:00 82,944 ---h---t- c:\windows\system32\2bf2a34a.dll

2008-12-12 15:10 . 2004-08-04 07:00 82,944 ---h---t- c:\windows\system32\15d14f90.dll

2008-12-12 15:10 . 2008-12-12 15:13 17,876 --ah----- c:\windows\system32\wcdrtc32.dl_

2008-12-07 18:34 . 2008-12-07 18:34 <DIR> d-------- C:\Nexon

2008-12-06 21:41 . 2008-12-06 21:41 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-06 18:14 . 2008-12-06 18:14 135 --a------ c:\windows\WAVCutjoin.ini

2008-12-06 18:01 . 2008-12-06 18:01 <DIR> d-------- c:\program files\HiFisoftware

2008-12-06 18:01 . 2004-12-08 13:21 1,843,200 --a------ c:\windows\system32\NCTAudioFile2.dll

2008-12-06 18:01 . 2004-08-02 15:09 450,560 --a------ c:\windows\system32\NCTAudioTransform2.dll

2008-12-06 18:01 . 2004-12-01 14:43 315,392 --a------ c:\windows\system32\NCTAudioPlayer2.dll

2008-12-06 18:01 . 2003-08-07 14:01 237,568 --a------ c:\windows\system32\lame_enc.dll

2008-12-06 18:01 . 2008-12-06 18:01 3,082 --a------ c:\windows\system32\affv14575p26now.sys

2008-12-06 18:01 . 2008-12-06 18:14 5 --a------ c:\windows\system32\SySWAVCJ.dat

2008-12-06 14:47 . 2008-12-06 14:47 244 --ah----- C:\sqmnoopt00.sqm

2008-12-06 14:47 . 2008-12-06 14:47 232 --ah----- C:\sqmdata00.sqm

2008-12-06 13:50 . 2008-12-06 13:50 <DIR> d-------- c:\documents and settings\All Users\CyberLink

2008-12-06 13:34 . 2008-12-06 13:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink

2008-12-06 13:28 . 2008-12-06 13:28 <DIR> d-------- c:\documents and settings\AJ\Application Data\CyberLink

2008-12-06 10:04 . 2008-12-06 10:04 <DIR> d-------- C:\Ntreev

2008-12-01 18:43 . 2008-12-06 14:49 <DIR> d-------- c:\program files\Hamachi

2008-11-30 15:29 . 2008-11-30 15:29 <DIR> d-------- c:\program files\Microsoft Reader

2008-11-30 15:29 . 2003-06-05 17:15 57,436 --a------ c:\windows\DASShp.dll

2008-11-20 15:44 . 2008-11-20 15:44 42,320 --a------ c:\windows\system32\xfcodec.dll

2008-11-15 14:21 . 2008-11-15 14:21 <DIR> d-------- c:\program files\Pinnacle

2008-11-15 10:02 . 2008-11-15 10:02 <DIR> d-------- c:\program files\Defraggler

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-15 02:52 --------- d-----w c:\documents and settings\AJ\Application Data\Xfire

2008-12-15 00:58 --------- d-----w c:\documents and settings\AJ\Application Data\Azureus

2008-12-15 00:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-12-14 17:50 --------- d-----w c:\program files\Common Files\Blizzard Entertainment

2008-12-14 15:09 --------- d--h--w c:\documents and settings\AJ\Application Data\ijjigame

2008-12-14 15:00 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-14 14:51 --------- d-----w c:\program files\Three Rings Design

2008-12-12 23:01 --------- d-----w c:\program files\CureROM

2008-12-12 21:37 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2008-12-12 20:11 --------- d-----w c:\program files\Steam

2008-12-12 01:50 --------- d-----w c:\program files\Xfire

2008-12-07 02:41 --------- d-----w c:\program files\Java

2008-12-06 23:02 --------- d-----w c:\program files\ImTOO

2008-12-02 23:02 --------- d-----w c:\documents and settings\AJ\Application Data\Hamachi

2008-12-01 23:43 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys

2008-12-01 23:43 --------- d-----w c:\program files\Hamachi59

2008-11-28 02:54 --------- d-----w c:\program files\SystemRequirementsLab

2008-11-28 02:54 --------- d-----w c:\documents and settings\AJ\Application Data\SystemRequirementsLab

2008-11-25 22:50 --------- d--h--w c:\program files\Ummmm

2008-11-21 23:49 --------- d-----w c:\program files\Azureus

2008-11-15 21:57 --------- d-----w c:\program files\World of Warcraft

2008-11-15 15:07 --------- d--h--w c:\program files\lol wut

2008-11-06 23:44 --------- d-----w c:\program files\Ashkon Technology

2008-11-02 12:59 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\AdobeUM

2008-11-01 21:49 31,744 ----a-w c:\windows\system32\Wh33B63f.exe

2008-10-19 22:07 --------- d-----w c:\program files\Curse

2008-10-17 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard

2008-05-18 17:24 116,726,478 -c--a-w c:\program files\Mount&Blade.rar

.

 

((((((((((((((((((((((((((((( [email protected]_21.53.50.25 )))))))))))))))))))))))))))))))))))))))))

.

- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe

+ 2000-08-31 13:00:00 131,072 ----a-w c:\windows\NIRCMD.exe

+ 2008-12-15 03:02:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3c8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5802008]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

 

c:\documents and settings\AJ\Start Menu\Programs\Startup\

Xfire.lnk - c:\program files\Xfire\xfire.exe [2008-11-20 3055952]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

DualCoreCenter.lnk - c:\program files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2007-11-10 262144]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-08-06 91440]

Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe [2008-01-13 1114209]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-08-29 10:17 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^AJ^Start Menu^Programs^Startup^hamachi.lnk]

backup=c:\windows\pss\hamachi.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^AJ^Start Menu^Programs^Startup^MagicDisc.lnk]

 

[HKLM\~\startupfolder\C:^Documents and Settings^AJ^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\AJ\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-08-06 10:21 50472 c:\program files\AIM6\aim6.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

--a------ 2008-01-17 11:51 486856 c:\program files\DAEMON Tools Lite\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBackSchedule]

--a--c--- 2005-10-06 10:22 245760 c:\program files\Maxtor\Maxtor Quick Start\MaxBackService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AntiVirService"=2 (0x2)

"AntiVirScheduler"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2

"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\PMSRegisterFile.exe"=

"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Curse\\CurseClient.exe"=

"c:\\Program Files\\MSI\\DualCoreCenter\\StartUpDualCoreCenter.exe"=

"c:\\WINDOWS\\system32\\userinit.exe"=

"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

"c:\\Program Files\\Common Files\\LogiShrd\\LVCOMSER\\LVComSer.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Nexon\\Audition\\Patcher.exe"=

"c:\\WINDOWS\\system32\\WISPTIS.EXE"=

"c:\\Program Files\\Common Files\\LogiShrd\\SrvLnch\\SrvLnch.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\Program Files\\MSI\\DualCoreCenter\\DualCoreCenter.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\NETGEAR\\WG111 Configuration Utility\\WG111CFG.exe"=

"c:\\PROGRA~1\\Crawler\\Toolbar\\CToolbar.exe"=

"c:\\WINDOWS\\system32\\CF2350.exe"=

 

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]

R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 55024]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-21 24652]

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hjnmkn.sys []

R3 DigiCellDriver;DigiCellDriver;\??\c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [2007-11-10 27648]

R3 RushTopDevice2;RushTopDevice2;\??\c:\program files\MSI\DualCoreCenter\RushTop.sys [2007-11-10 39424]

R3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;c:\windows\system32\DRIVERS\superwebcam.sys [2008-08-21 31872]

R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]

R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;c:\windows\system32\DRIVERS\whmice2k.sys [2004-04-25 6885]

S3 CEDRIVER53;CEDRIVER53;\??\c:\program files\Cheat Engine\dbk32.sys [2008-06-22 35840]

S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSONY_MEDIAMGR2 [2007-02-10 29247856]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]

S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\AJ\Desktop\RohanBotEn1.0.2\NtProcDrv.sys []

S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys []

S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6688565b-f946-11dc-9ac0-001617ea7e85}]

\Shell\Auto\command - recycled\SVCH0ST.EXE

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL recycled\SVCH0ST.EXE

 

*Newly Created Service* - PCANDIS5

.

Contents of the 'Scheduled Tasks' folder

 

2008-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

 

2008-12-14 c:\windows\Tasks\At1.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At10.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At11.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At12.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At13.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At14.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At15.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At16.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At17.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At18.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At19.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At2.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-15 c:\windows\Tasks\At20.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-15 c:\windows\Tasks\At21.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-15 c:\windows\Tasks\At22.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-15 c:\windows\Tasks\At23.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At24.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At25.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At26.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At27.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At28.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At29.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At3.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At30.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At31.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At32.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At33.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At34.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At35.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At36.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At37.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At38.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At39.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At4.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At40.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At41.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At42.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At43.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-15 c:\windows\Tasks\At44.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-15 c:\windows\Tasks\At45.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-15 c:\windows\Tasks\At46.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-15 c:\windows\Tasks\At47.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At48.job

- c:\windows\system32\KFUeevI8.exe []

 

2008-12-14 c:\windows\Tasks\At5.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At6.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At7.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At8.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-14 c:\windows\Tasks\At9.job

- c:\windows\system32\Wh33B63f.exe [2008-11-01 16:49]

 

2008-12-15 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-06-12 16:23]

 

2008-12-11 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-06-12 16:23]

.

- - - - ORPHANS REMOVED - - - -

 

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)

 

 

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE: Crawler Search - tbr:iemenu

IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll

FF - ProfilePath - c:\documents and settings\AJ\Application Data\Mozilla\Firefox\Profiles\5lzvsy7g.default\

FF - plugin: c:\documents and settings\AJ\Application Data\Mozilla\Firefox\Profiles\5lzvsy7g.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll

FF - plugin: c:\documents and settings\AJ\Application Data\Mozilla\Firefox\Profiles\5lzvsy7g.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll

FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-14 22:05:46

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(792)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

Completion time: 2008-12-14 22:07:27

ComboFix-quarantined-files.txt 2008-12-15 03:07:21

 

Pre-Run: 48,214,568,960 bytes free

Post-Run: 48,178,294,784 bytes free

 

361 --- E O F --- 2007-11-18 05:00:48

Edited by Loothawk

Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

 

Filename: CFScript.txt

Save As Type: All Files (*.*)

 

File::
c:\documents and settings\AJ\Desktop\RohanBotEn1.0.2\NtProcDrv.sys
c:\windows\system32\f12da82.dll
c:\windows\system32\1dcf9f62.dll
c:\windows\system32\drivers\EagleNt.sys
c:\windows\system32\2bf2a34a.dll
c:\windows\system32\15d14f90.dll
c:\windows\system32\wcdrtc32.dl_
c:\windows\system32\KFUeevI8.exe
c:\windows\system32\Wh33B63f.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\RegCure Program Check.job
c:\windows\Tasks\RegCure.job
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6688565b-f946-11dc-9ac0-001617ea7e85}]
Driver::
NTProcDrv

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

 

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

 

**NOTE - Allow ComboFix to update if prompted.


comboFix 08-12-14.04 - AJ 2008-12-17 20:06:48.5 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1394 [GMT -5:00]

Running from: c:\documents and settings\AJ\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\AJ\Desktop\CFScript.txt

* Created a new restore point

 

FILE ::

c:\documents and settings\AJ\Desktop\RohanBotEn1.0.2\NtProcDrv.sys

c:\windows\system32\15d14f90.dll

c:\windows\system32\1dcf9f62.dll

c:\windows\system32\2bf2a34a.dll

c:\windows\system32\drivers\EagleNt.sys

c:\windows\system32\f12da82.dll

c:\windows\system32\KFUeevI8.exe

c:\windows\system32\wcdrtc32.dl_

c:\windows\system32\Wh33B63f.exe

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At25.job

c:\windows\Tasks\At26.job

c:\windows\Tasks\At27.job

c:\windows\Tasks\At28.job

c:\windows\Tasks\At29.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At30.job

c:\windows\Tasks\At31.job

c:\windows\Tasks\At32.job

c:\windows\Tasks\At33.job

c:\windows\Tasks\At34.job

c:\windows\Tasks\At35.job

c:\windows\Tasks\At36.job

c:\windows\Tasks\At37.job

c:\windows\Tasks\At38.job

c:\windows\Tasks\At39.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At40.job

c:\windows\Tasks\At41.job

c:\windows\Tasks\At42.job

c:\windows\Tasks\At43.job

c:\windows\Tasks\At44.job

c:\windows\Tasks\At45.job

c:\windows\Tasks\At46.job

c:\windows\Tasks\At47.job

c:\windows\Tasks\At48.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

c:\windows\Tasks\RegCure Program Check.job

c:\windows\Tasks\RegCure.job

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\windows\system32\15d14f90.dll

c:\windows\system32\1dcf9f62.dll

c:\windows\system32\2bf2a34a.dll

c:\windows\system32\drivers\EagleNt.sys

c:\windows\system32\f12da82.dll

c:\windows\system32\wcdrtc32.dl_

c:\windows\system32\Wh33B63f.exe

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At25.job

c:\windows\Tasks\At26.job

c:\windows\Tasks\At27.job

c:\windows\Tasks\At28.job

c:\windows\Tasks\At29.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At30.job

c:\windows\Tasks\At31.job

c:\windows\Tasks\At32.job

c:\windows\Tasks\At33.job

c:\windows\Tasks\At34.job

c:\windows\Tasks\At35.job

c:\windows\Tasks\At36.job

c:\windows\Tasks\At37.job

c:\windows\Tasks\At38.job

c:\windows\Tasks\At39.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At40.job

c:\windows\Tasks\At41.job

c:\windows\Tasks\At42.job

c:\windows\Tasks\At43.job

c:\windows\Tasks\At44.job

c:\windows\Tasks\At45.job

c:\windows\Tasks\At46.job

c:\windows\Tasks\At47.job

c:\windows\Tasks\At48.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

c:\windows\Tasks\RegCure Program Check.job

c:\windows\Tasks\RegCure.job

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_NTPROCDRV

-------\Service_NTProcDrv

 

 

((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))

.

 

2008-12-14 17:42 . 2008-12-14 21:46 <DIR> d-------- c:\program files\Spyware Doctor

2008-12-14 12:11 . 2008-12-14 12:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-14 12:11 . 2008-12-14 12:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-14 12:11 . 2008-12-14 12:11 <DIR> d-------- c:\documents and settings\AJ\Application Data\Malwarebytes

2008-12-14 12:11 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-14 12:11 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-13 21:27 . 2008-12-14 17:42 <DIR> d-------- c:\program files\WinClamAVShield

2008-12-12 16:53 . 2008-12-14 19:31 <DIR> d-------- c:\program files\Spyware Terminator

2008-12-12 16:53 . 2008-12-12 16:53 <DIR> d-------- c:\program files\Crawler

2008-12-12 16:53 . 2008-12-14 19:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spyware Terminator

2008-12-12 16:53 . 2008-12-14 19:29 <DIR> d-------- c:\documents and settings\AJ\Application Data\Spyware Terminator

2008-12-12 16:53 . 2008-12-12 16:53 142,592 --a------ c:\windows\system32\drivers\sp_rsdrv2.sys

2008-12-12 16:25 . 2008-12-12 16:35 <DIR> d--h----- C:\$AVG8.VAULT$

2008-12-11 15:37 . 2008-12-11 15:37 42,320 --a------ c:\windows\system32\xfcodec.dll

2008-12-07 18:34 . 2008-12-07 18:34 <DIR> d-------- C:\Nexon

2008-12-06 21:41 . 2008-12-06 21:41 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-06 18:14 . 2008-12-06 18:14 135 --a------ c:\windows\WAVCutjoin.ini

2008-12-06 18:01 . 2008-12-06 18:01 <DIR> d-------- c:\program files\HiFisoftware

2008-12-06 18:01 . 2004-12-08 13:21 1,843,200 --a------ c:\windows\system32\NCTAudioFile2.dll

2008-12-06 18:01 . 2004-08-02 15:09 450,560 --a------ c:\windows\system32\NCTAudioTransform2.dll

2008-12-06 18:01 . 2004-12-01 14:43 315,392 --a------ c:\windows\system32\NCTAudioPlayer2.dll

2008-12-06 18:01 . 2003-08-07 14:01 237,568 --a------ c:\windows\system32\lame_enc.dll

2008-12-06 18:01 . 2008-12-06 18:01 3,082 --a------ c:\windows\system32\affv14575p26now.sys

2008-12-06 18:01 . 2008-12-06 18:14 5 --a------ c:\windows\system32\SySWAVCJ.dat

2008-12-06 14:47 . 2008-12-06 14:47 244 --ah----- C:\sqmnoopt00.sqm

2008-12-06 14:47 . 2008-12-06 14:47 232 --ah----- C:\sqmdata00.sqm

2008-12-06 13:50 . 2008-12-06 13:50 <DIR> d-------- c:\documents and settings\All Users\CyberLink

2008-12-06 13:34 . 2008-12-06 13:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink

2008-12-06 13:28 . 2008-12-06 13:28 <DIR> d-------- c:\documents and settings\AJ\Application Data\CyberLink

2008-12-06 10:04 . 2008-12-06 10:04 <DIR> d-------- C:\Ntreev

2008-12-01 18:43 . 2008-12-06 14:49 <DIR> d-------- c:\program files\Hamachi

2008-11-30 15:29 . 2008-11-30 15:29 <DIR> d-------- c:\program files\Microsoft Reader

2008-11-30 15:29 . 2003-06-05 17:15 57,436 --a------ c:\windows\DASShp.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-16 20:53 --------- d-----w c:\program files\ImTOO

2008-12-16 20:45 --------- d-----w c:\documents and settings\AJ\Application Data\Xfire

2008-12-16 20:32 --------- d-----w c:\program files\Xfire

2008-12-15 00:58 --------- d-----w c:\documents and settings\AJ\Application Data\Azureus

2008-12-15 00:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-12-14 17:50 --------- d-----w c:\program files\Common Files\Blizzard Entertainment

2008-12-14 15:09 --------- d--h--w c:\documents and settings\AJ\Application Data\ijjigame

2008-12-14 15:00 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-14 14:51 --------- d-----w c:\program files\Three Rings Design

2008-12-12 23:01 --------- d-----w c:\program files\CureROM

2008-12-12 21:37 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2008-12-12 20:11 --------- d-----w c:\program files\Steam

2008-12-07 02:41 --------- d-----w c:\program files\Java

2008-12-02 23:02 --------- d-----w c:\documents and settings\AJ\Application Data\Hamachi

2008-12-01 23:43 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys

2008-12-01 23:43 --------- d-----w c:\program files\Hamachi59

2008-11-28 02:54 --------- d-----w c:\program files\SystemRequirementsLab

2008-11-28 02:54 --------- d-----w c:\documents and settings\AJ\Application Data\SystemRequirementsLab

2008-11-25 22:50 --------- d--h--w c:\program files\Ummmm

2008-11-21 23:49 --------- d-----w c:\program files\Azureus

2008-11-15 21:57 --------- d-----w c:\program files\World of Warcraft

2008-11-15 19:21 --------- d-----w c:\program files\Pinnacle

2008-11-15 15:07 --------- d--h--w c:\program files\lol wut

2008-11-15 15:02 --------- d-----w c:\program files\Defraggler

2008-11-06 23:44 --------- d-----w c:\program files\Ashkon Technology

2008-11-02 12:59 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\AdobeUM

2008-10-19 22:07 --------- d-----w c:\program files\Curse

2008-05-18 17:24 116,726,478 -c--a-w c:\program files\Mount&Blade.rar

.

 

((((((((((((((((((((((((((((( [email protected]_21.53.50.25 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-12-18 01:06:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1280.dat

+ 2008-12-16 20:32:52 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_764.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5802008]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

 

c:\documents and settings\AJ\Start Menu\Programs\Startup\

Xfire.lnk - c:\program files\Xfire\xfire.exe [2008-12-11 3072336]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

DualCoreCenter.lnk - c:\program files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2007-11-10 262144]

Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-08-06 91440]

Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe [2008-01-13 1114209]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"DisableTaskMgr"= 1 (0x1)

"DisableRegistryTools"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\\Program Files\\TGTSoft\\StyleXP\\Logon\\CurrentLogon.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-08-29 10:17 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^AJ^Start Menu^Programs^Startup^hamachi.lnk]

backup=c:\windows\pss\hamachi.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^AJ^Start Menu^Programs^Startup^MagicDisc.lnk]

 

[HKLM\~\startupfolder\C:^Documents and Settings^AJ^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\AJ\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-08-06 10:21 50472 c:\program files\AIM6\aim6.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

--a------ 2008-01-17 11:51 486856 c:\program files\DAEMON Tools Lite\daemon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBackSchedule]

--a--c--- 2005-10-06 10:22 245760 c:\program files\Maxtor\Maxtor Quick Start\MaxBackService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AntiVirService"=2 (0x2)

"AntiVirScheduler"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"FirewallDisableNotify"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"UacDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\program files\Gameforge4D\AirRivals\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2

"c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\PMSRegisterFile.exe"=

"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Curse\\CurseClient.exe"=

"c:\\Program Files\\MSI\\DualCoreCenter\\StartUpDualCoreCenter.exe"=

"c:\\WINDOWS\\system32\\userinit.exe"=

"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=

"c:\\Program Files\\Common Files\\LogiShrd\\LVCOMSER\\LVComSer.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Nexon\\Audition\\Patcher.exe"=

"c:\\WINDOWS\\system32\\WISPTIS.EXE"=

"c:\\Program Files\\Common Files\\LogiShrd\\SrvLnch\\SrvLnch.exe"=

"c:\\WINDOWS\\system32\\taskmgr.exe"=

"c:\\Program Files\\MSI\\DualCoreCenter\\DualCoreCenter.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\NETGEAR\\WG111 Configuration Utility\\WG111CFG.exe"=

"c:\\PROGRA~1\\Crawler\\Toolbar\\CToolbar.exe"=

"c:\\Program Files\\Common Files\\LogiShrd\\LVMVFM\\LVPrcSrv.exe"=

"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

 

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]

R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2007-02-27 55024]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-09-21 24652]

R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hjnmkn.sys []

R3 DigiCellDriver;DigiCellDriver;\??\c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [2007-11-10 27648]

R3 RushTopDevice2;RushTopDevice2;\??\c:\program files\MSI\DualCoreCenter\RushTop.sys [2007-11-10 39424]

R3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;c:\windows\system32\DRIVERS\superwebcam.sys [2008-08-21 31872]

R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]

R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;c:\windows\system32\DRIVERS\whmice2k.sys [2004-04-25 6885]

S3 CEDRIVER53;CEDRIVER53;\??\c:\program files\Cheat Engine\dbk32.sys [2008-06-22 35840]

S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSONY_MEDIAMGR2 [2007-02-10 29247856]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]

S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys []

S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys []

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5746e66-8fed-11dc-9a5e-001617d89ef3}]

\sHell\AutoplaY\coMmand - G:\qrqyr.pif

\sHell\AutoRun\command - G:\qrqyr.pif

\sHell\exPlore\COmmand - G:\qrqyr.pif

\sHell\oPeN\ComMand - G:\qrqyr.pif

 

*Newly Created Service* - NVR0DEV

.

Contents of the 'Scheduled Tasks' folder

 

2008-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE: Crawler Search - tbr:iemenu

IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll

FF - ProfilePath - c:\documents and settings\AJ\Application Data\Mozilla\Firefox\Profiles\5lzvsy7g.default\

FF - plugin: c:\documents and settings\AJ\Application Data\Mozilla\Firefox\Profiles\5lzvsy7g.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll

FF - plugin: c:\documents and settings\AJ\Application Data\Mozilla\Firefox\Profiles\5lzvsy7g.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll

FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

FF - plugin: c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll

FF - plugin: c:\program files\iTunes\Mozilla Plugins\npitunes.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npjp2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-17 20:07:54

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(796)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

Completion time: 2008-12-17 20:09:18

ComboFix-quarantined-files.txt 2008-12-18 01:09:06

ComboFix2.txt 2008-12-15 03:07:28

 

Pre-Run: 47,461,163,008 bytes free

Post-Run: 47,399,358,464 bytes free

 

365 --- E O F --- 2007-11-18 05:00:48


Highlight and copy the contents of the code box below.

reg delete HKU\.default\software\microsoft\windows\currentversion\policies\system /v DisableTaskMgr /f
reg delete HKU\.default\software\microsoft\windows\currentversion\policies\system /v DisableRegistryTools /f
reg delete HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5746e66-8fed-11dc-9a5e-001617d89ef3} /f
exit
cls
Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own.

 

Now, let's get an online scan. Please do an online scan with Kaspersky Online Scanner

 

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

 

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Post the Kaspersky log here and let me know how the computer is performing.
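As an added example (not part of this thread, and not ComboFix's or the helper's own code), here is a small Python checker that reads lines in ComboFix's "Reg Loading Points" format and flags the entry types the reply above acts on: the policies\system lockouts, suppressed Security Center notifications, a disabled firewall, drivers listed with no date/size, and mountpoints2 autorun handlers. The sample lines are constructed to match the log's format, and the finding category names are my own.

```python
import re

# Constructed sample lines in ComboFix's "Reg Loading Points" format (not the thread's full log).
SAMPLE_LOG = r"""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hjnmkn.sys []
R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5746e66-8fed-11dc-9a5e-001617d89ef3}]
\sHell\AutoRun\command - G:\qrqyr.pif
"""

VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                       # "Name"= data
DRIVER_RE = re.compile(r'^[RS]\d\s+([^;]+);[^;]*;.*?\s*\[([^\]]*)\]\s*$')  # R3 name;desc;path [date size]
MOUNT_RE = re.compile(r'^\\shell\\(\w+)\\command\s+-\s+(.+)$', re.IGNORECASE)

def parse_value(raw):
    """Turn '1 (0x1)' or 'dword:00000001' into an int; other data (paths) gives None."""
    m = re.search(r'\(0x([0-9a-f]+)\)', raw, re.I) or re.match(r'dword:([0-9a-f]{1,8})$', raw, re.I)
    return int(m.group(1), 16) if m else None

def audit(log_text):
    """Return (category, detail) findings for the entry types a helper would act on."""
    findings, key = [], ''
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if line.startswith('['):                    # key header: remember it for the values below
            key = line.strip('[]').lower()
        elif (m := VALUE_RE.match(line)):
            name, val = m.group(1), parse_value(m.group(2))
            if key.endswith(r'policies\system') and name in ('DisableTaskMgr', 'DisableRegistryTools') and val == 1:
                findings.append(('policy lockout', name))        # user tools disabled, as on the thread's machine
            elif 'security center' in key and val == 1 and name.endswith(('Override', 'DisableNotify')):
                findings.append(('security center suppressed', name))
            elif name == 'EnableFirewall' and val == 0:
                findings.append(('firewall disabled', key))
        elif (m := DRIVER_RE.match(line)) and not m.group(2).strip():
            findings.append(('driver without file info', m.group(1)))   # no date/size: file missing or hidden
        elif (m := MOUNT_RE.match(line)) and 'mountpoints2' in key:
            findings.append(('autorun handler', f'{m.group(1)} -> {m.group(2)}'))  # removable-drive autorun
    return findings

if __name__ == '__main__':
    for category, detail in audit(SAMPLE_LOG):
        print(f'{category:28} {detail}')
```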

On Firefox it just loads and says page load error, basically the same with IE

 

A program called winbpfq.exe is downloading and running a bunch of programs which are taking up my speed, and they all have names like fgewfe.exe and vfdwfe.exe, random letters D:

Edited by Loothawk