Help MUCH Appreciated.

#11
02-06-2009, 09:35 AM
Injigo, Junior Member
re: Help MUCH Appreciated.

Alright, renaming the exe worked. Yep, I'm the administrator and the time zone is correct. I just noticed that the CMOS time and date was reset. I don't remember pulling the battery from the motherboard. Could be a fluke or maybe a nasty virus. Just thought I'd mention it. Ya never know aye? Here's the new HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:14 AM, on 6/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TightVNC\WinVNC.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\foolyou.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TightVNC] C:\\Program Files\\TightVNC\\WinVNC.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1241051856718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1241182120609
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE506480-AA4A-4CC5-A097-62A75B89A399}: NameServer = 85.255.112.25,85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.25,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.25,85.255.112.165
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP2\RpcAgentSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5117 bytes
#12
02-06-2009, 09:04 PM
Neal, Senior Member
re: Help MUCH Appreciated.

Congratulations, you now have the Wareout Trojan.


I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
  1. Run Spybot-S&D
  2. Go to the Mode menu, and make sure "Advanced Mode" is selected
  3. On the left hand side, choose Tools -> Resident
  4. Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.


Run HijackThis, click on the "Scan System only" button and put checks next to these:


O17 - HKLM\System\CCS\Services\Tcpip\..\{DE506480-AA4A-4CC5-A097-62A75B89A399}: NameServer = 85.255.112.25,85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.25,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.25,85.255.112.165



Please close ALL browser windows (including this one).

With everything closed except HijackThis, click on "Fix checked".


Reboot your PC.

Now update MBAM and run that tool again, it should finish getting rid of the rest of the infection, hopefully.

I just noticed something, do you have an anti-virus program running?

If not, go to the top of this page and, under the Read this first section, get a free anti-virus program immediately for safety's sake.
Last edited by Neal; 02-06-2009 at 09:08 PM.
#13
04-06-2009, 12:31 AM
Injigo, Junior Member
re: Help MUCH Appreciated.
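The diagnosis in the post above rests on one check: the O17 NameServer entries point every DNS lookup at resolvers the user never configured. As an added example (not part of the thread and not HijackThis code), this script parses the O17 lines of a HijackThis log and flags NameServer values that are public addresses outside an allow-list. The sample lines are constructed from the log quoted above; the allow-list entry 192.168.1.1 and the second interface GUID are assumptions.

```python
"""Flag DNS-hijack (O17) entries in a HijackThis log.

Added example; it is not part of the thread and not HijackThis code. The
sample lines are constructed from the log quoted above. The allow-list of
expected resolvers (192.168.1.1, an assumed LAN gateway) is a placeholder
you would replace with your own network's DNS servers.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the three O17 lines the helper told the poster to fix,
# one unrelated O4 line, and one benign O17 line (assumed GUID) pointing at
# the LAN gateway.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE506480-AA4A-4CC5-A097-62A75B89A399}: NameServer = 85.255.112.25,85.255.112.165
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.25,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.25,85.255.112.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

# Resolvers this machine is expected to use (assumption: the LAN gateway).
EXPECTED_RESOLVERS = frozenset({ipaddress.ip_address("192.168.1.1")})

# O17 lines have the shape "O17 - <registry key>: <value name> = <value>".
O17_RE = re.compile(r"^O17 - (?P<key>\S+): (?P<name>\w+) = (?P<value>.+)$")


def parse_o17(log_text: str) -> List[Dict[str, str]]:
    """Return one record (key, name, value) per O17 line in the log."""
    records = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def suspicious_nameservers(log_text: str, expected=EXPECTED_RESOLVERS) -> Dict[str, List[str]]:
    """Map each registry key to the NameServer entries that look hijacked.

    An entry is flagged when it is not an IP address at all, or when it is a
    globally routable address that is not in the expected set. Private or
    loopback resolvers outside the set are left alone: they are usually the
    DHCP-assigned router. Findings are keyed by registry key, so the
    per-interface key, the global Tcpip\\Parameters key and the CS1 copy
    are each reported; fixing only one of them leaves the hijack in place.
    """
    findings: Dict[str, List[str]] = {}
    for rec in parse_o17(log_text):
        if rec["name"].lower() != "nameserver":
            continue
        bad = []
        for token in rec["value"].split(","):
            token = token.strip()
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                bad.append(token)          # not an address at all: suspicious
                continue
            if ip not in expected and ip.is_global:
                bad.append(token)          # public resolver we did not configure
        if bad:
            findings[rec["key"]] = bad
    return findings


def report(log_text: str) -> str:
    """Human-readable summary, one line per affected registry key."""
    findings = suspicious_nameservers(log_text)
    if not findings:
        return "no suspicious NameServer entries"
    return "\n".join(f"{key}: {', '.join(ips)}" for key, ips in findings.items())


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```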

First off, SpyBot wouldn't open. So I just ended the TeaTimer process. HijackThis removed those entries with no problem. After rebooting, MBAM wouldn't open. I even tried a reinstall and nothing. And I did make sure TeaTimer was not running when I tried to open MBAM. Also tried in Safe Mode and nada. CMOS reset its date and time again. Is that a symptom of the Wareout Trojan?

Also, when I try to do Microsoft Updates, and I click on 'Install Updates' after I've selected all the updates, it resets back to the screen where it asks if I want 'Custom' or 'Express' and it says "This tab has been recovered". I'm trying to update with IE V8.

Last edited by Injigo; 04-06-2009 at 06:43 AM.
#14
04-06-2009, 09:50 PM
Neal, Senior Member
re: Help MUCH Appreciated.

Visit the page below to familiarize yourself with the tool and download it from one of the links provided.

A guide and tutorial on using ComboFix




If you have previously downloaded ComboFix, please delete that version now.



It is IMPORTANT that it is saved directly to your desktop.

Close any open browsers.

Disconnect from the Internet.

Please do not re-connect your machine back to the Internet until Combofix has completely finished.

Disable your antivirus program and any realtime malware scanners and script blockers now.


How To Disable



Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note:
Do not mouseclick combofix's window while it's running.

That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Re-enable your anti-virus and re-connect back to the internet and post the combofix log.



*Note*
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


ComboFix SHOULD NOT be used unless requested by a forum helper.
#15
05-06-2009, 02:40 AM
Injigo, Junior Member
re: Help MUCH Appreciated.

ComboFix 09-06-04.06 - Administrator 06/04/2009 18:00.1 - NTFSx86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\docume~1\ADMINI~1\LOCALS~1\Temp\server.exe
c:\documents and settings\Administrator\Application Data\wiaserva.log
c:\windows\system32\23503593.dll
c:\windows\system32\drivers\gxvxcmjemayehewvsvumnkljujroclkdjwqio.sys
c:\windows\system32\msconfig.exe
c:\windows\system32\msssc.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
D:\Autorun.inf
D:\Desktop.ini

c:\windows\system32\grpconv.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-21 11:38 . 2002-01-01 11:15 81984 ----a-w- c:\windows\system32\bdod.bin
2009-06-21 11:12 . 2009-06-21 11:12 -------- d-----w- c:\program files\Trend Micro
2009-06-21 10:24 . 2009-03-09 18:34 971776 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ajfzlr43.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
2009-06-21 10:15 . 2009-06-02 06:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
2009-06-21 10:14 . 2009-06-21 10:14 -------- d-----w- c:\program files\MSXML 4.0
2009-06-21 08:45 . 2002-01-01 11:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Meebo
2009-06-20 09:31 . 2009-06-20 09:31 -------- d-----w- c:\program files\TightVNC
2009-06-20 09:10 . 2009-06-20 09:10 -------- d-----w- c:\windows\system32\logs
2009-06-20 09:10 . 2009-06-20 09:10 -------- d-----w- C:\Binaries
2009-06-20 09:10 . 2009-06-20 09:10 -------- d-----w- c:\program files\BitDefender
2009-06-20 09:08 . 2009-06-20 09:08 -------- d-----w- c:\windows\system32\URTTEMP
2009-06-20 08:45 . 2009-06-04 00:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent
2009-06-20 08:45 . 2009-06-20 08:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\DNA
2009-06-20 08:45 . 2009-06-20 09:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\DNA
2009-06-20 08:45 . 2009-06-20 09:13 -------- d-----w- c:\program files\DNA
2009-06-20 08:45 . 2009-06-20 08:45 -------- d-----w- c:\program files\BitTorrent
2009-06-20 08:39 . 2009-05-28 09:41 -------- d-----w- c:\program files\Vuze
2009-06-05 01:10 . 2009-06-05 01:10 -------- d-----w- c:\windows\system32\xircom
2009-06-05 01:10 . 2009-06-05 01:10 -------- d-----w- c:\windows\system32\wbem\snmp
2009-06-05 01:10 . 2009-06-05 01:10 -------- d-----w- c:\windows\system32\oobe
2009-06-05 01:10 . 2009-06-05 01:10 -------- d-----w- c:\windows\srchasst
2009-06-05 01:10 . 2009-06-05 01:10 -------- d-----w- c:\windows\msagent
2009-06-05 01:10 . 2009-06-05 01:10 -------- d-----w- c:\program files\microsoft frontpage
2009-06-04 13:17 . 2009-01-13 01:07 2633728 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ajfzlr43.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2009-06-04 13:17 . 2007-08-06 19:07 8784 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ajfzlr43.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll
2009-06-04 13:17 . 2007-08-06 19:07 71248 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ajfzlr43.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe
2009-06-04 13:17 . 2007-07-18 21:54 245408 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ajfzlr43.default\extensions\LogMeInClient@logmein.com\plugins\unicows.dll
2009-06-04 12:52 . 2009-06-04 12:53 -------- d-----w- c:\program files\CrossLoop
2009-06-04 06:43 . 2008-10-31 14:09 270888 ----a-r- c:\windows\system32\drivers\SbFw.sys
2009-06-04 06:43 . 2008-06-21 11:54 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2009-06-04 06:38 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-04 06:38 . 2009-03-24 23:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-04 06:38 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-04 06:38 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-04 06:35 . 2009-06-04 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-04 06:33 . 2009-06-04 06:36 -------- d-----w- c:\program files\SpywareBlaster
2009-06-04 06:33 . 2005-08-26 02:18 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-06-04 06:14 . 2008-07-18 08:26 68912 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2009-06-04 06:14 . 2008-07-18 08:26 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2009-06-04 06:13 . 2009-06-04 06:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt
2009-06-04 06:13 . 2009-06-04 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-06-04 06:13 . 2009-06-04 06:43 -------- d-----w- c:\program files\Sunbelt Software
2009-06-04 03:43 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-06-04 00:05 . 2009-06-04 00:05 -------- d-----w- c:\program files\Avira
2009-06-04 00:05 . 2009-06-04 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-03 23:22 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 23:22 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-02 13:22 . 2009-06-02 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2009-06-02 13:22 . 2009-06-02 13:22 -------- d-----w- c:\program files\IObit
2009-06-02 09:05 . 2009-06-02 09:05 4846 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4FD3EFE2-C856-4C55-AF0F-B29C1E2D6A24}\_4ae13d6c.exe
2009-06-02 09:05 . 2009-06-02 09:05 25214 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4FD3EFE2-C856-4C55-AF0F-B29C1E2D6A24}\_2cd672ae.exe
2009-06-02 09:05 . 2009-06-02 09:05 25214 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4FD3EFE2-C856-4C55-AF0F-B29C1E2D6A24}\_18be6784.exe
2009-06-02 09:05 . 2009-06-02 09:05 23558 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4FD3EFE2-C856-4C55-AF0F-B29C1E2D6A24}\_69525f90.exe
2009-06-02 09:05 . 2009-06-02 09:05 23558 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{4FD3EFE2-C856-4C55-AF0F-B29C1E2D6A24}\_294823.exe
2009-06-02 08:45 . 2009-06-02 08:45 -------- d-----w- c:\program files\AdventNet
2009-06-01 06:38 . 2009-06-01 06:53 -------- d-----w- c:\program files\Hero Designer
2009-06-01 00:29 . 2009-06-01 00:32 -------- d-----w- C:\DeusEx
2009-05-29 11:09 . 2009-06-03 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-28 23:38 . 2009-05-28 23:59 -------- d-----w- C:\OUTPUT.tmp
2009-05-25 00:26 . 2009-05-26 12:59 -------- d-----w- C:\DOS
2009-05-24 00:11 . 2009-05-24 00:11 -------- d-----w- C:\MBAUTIL
2009-05-23 22:14 . 2009-05-23 22:14 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-05-23 21:58 . 2009-05-23 21:58 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-05-23 21:58 . 2009-05-23 21:58 -------- d-----w- c:\windows\ie8updates
2009-05-23 21:57 . 2009-05-23 21:57 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-23 21:57 . 2009-05-23 21:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-05-23 21:57 . 2009-05-23 21:57 -------- d-----w- c:\program files\Windows Desktop Search
2009-05-23 21:56 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2009-05-23 21:56 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2009-05-23 21:56 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2009-05-23 21:56 . 2009-04-25 05:30 102400 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-05-23 10:40 . 2009-05-23 10:40 766 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D48511FA-71C5-4059-88D0-B99AA08AA798}\NewIcon1.exe
2009-05-23 10:40 . 2009-05-23 10:40 65536 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D48511FA-71C5-4059-88D0-B99AA08AA798}\NewIcon2.exe
2009-05-23 10:40 . 2009-05-23 10:40 25214 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D48511FA-71C5-4059-88D0-B99AA08AA798}\NewIcon.exe
2009-05-23 10:40 . 2009-05-23 10:40 -------- d-----w- c:\program files\DVD_Generator
2009-05-23 08:30 . 2009-05-23 08:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-23 08:30 . 2009-05-23 08:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-22 08:31 . 2008-04-14 04:42 146432 ----a-w- c:\windows\regedit1.exe
2009-05-22 07:29 . 2009-05-22 07:40 -------- d-----w- C:\UBCD4Win
2009-05-22 06:55 . 2009-05-22 06:55 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-05-22 06:00 . 2009-05-22 06:00 167376 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ajfzlr43.default\FlashGot.exe
2009-05-22 00:32 . 2005-10-16 15:00 12928 ----a-w- c:\windows\system32\drivers\filedisk.sys
2009-05-22 00:31 . 2009-05-22 00:31 -------- d-----w- c:\program files\WinImage
2009-05-21 22:44 . 2009-05-21 22:44 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-05-18 04:18 . 2009-06-21 10:27 -------- d-----w- c:\program files\Unlocker
2009-05-18 04:18 . 2009-05-18 04:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon
2009-05-16 16:38 . 2009-05-16 16:38 -------- d-----w- c:\program files\7-Zip
2009-05-16 14:05 . 2009-05-16 14:05 118784 ----a-w- c:\windows\system32\sgcncaj0e373.dll
2009-05-16 14:05 . 2009-05-16 14:05 33280 ----a-w- c:\windows\system32\emsbqij.exe
2009-05-16 12:39 . 2009-05-16 12:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL OCP
2009-05-16 12:39 . 2009-05-16 12:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AOL
2009-05-16 12:39 . 2009-05-18 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-16 12:39 . 2009-05-16 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-05-16 12:38 . 2009-05-16 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-05-16 12:38 . 2009-05-16 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-16 12:36 . 2009-05-16 12:36 -------- d-----w- c:\program files\Common Files\AOL
2009-05-16 12:35 . 2009-05-16 12:39 -------- d-----w- c:\program files\AIM6
2009-05-16 12:27 . 2009-05-16 12:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\acccore
2009-05-16 12:26 . 2009-05-16 12:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\LAIM
2009-05-16 12:26 . 2009-05-16 12:26 -------- d-----w- c:\program files\AIM Lite
2009-05-16 12:13 . 2009-05-16 12:13 15086 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D21B65C4-F7ED-4805-8781-BB835AC85D14}\_AF6EF1E1D61E94F138937B.exe
2009-05-16 12:13 . 2009-05-16 12:13 15086 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{D21B65C4-F7ED-4805-8781-BB835AC85D14}\_AC451EB93647F071F44C3B.exe
2009-05-16 12:13 . 2009-05-16 12:13 -------- d-----w- c:\program files\Thoosje
2009-05-15 17:08 . 2009-05-15 17:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-05-15 16:25 . 2009-05-28 10:09 -------- d-----w- C:\pxe backup
2009-05-15 10:34 . 2009-05-15 10:38 -------- d-----w- C:\pebuilder3110a
2009-05-15 10:22 . 2009-05-15 10:22 -------- d-----w- c:\program files\Tftpd32
2009-05-15 10:20 . 2009-05-28 23:59 -------- d-----w- C:\OUTPUT
2009-05-15 10:18 . 2009-05-26 04:58 -------- d-----w- C:\WINSTALL
2009-05-14 12:53 . 2009-05-14 12:55 4506256 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\.NetworkShare\LimeWireWin4.16.6.exe
2009-05-14 07:35 . 2009-06-21 13:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
2009-05-12 21:51 . 2009-05-12 21:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-05-12 21:51 . 2009-05-12 21:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-05-12 00:46 . 2009-05-12 00:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-05-12 00:41 . 2009-05-12 00:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-05-12 00:41 . 2009-01-15 19:19 23848 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-12 00:41 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-05-12 00:41 . 2009-05-12 00:41 -------- d-----w- c:\program files\iPod
2009-05-12 00:41 . 2009-05-12 00:41 -------- d-----w- c:\program files\iTunes
2009-05-12 00:41 . 2009-05-12 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-05-12 00:41 . 2009-05-12 00:41 -------- d-----w- c:\program files\Bonjour
2009-05-12 00:41 . 2009-05-29 11:29 -------- dc----w- c:\windows\system32\DRVSTORE
2009-05-12 00:41 . 2009-05-12 00:41 -------- d-----w- c:\program files\Common Files\Apple
2009-05-12 00:32 . 2009-05-12 00:32 -------- d-----w- c:\program files\Secunia
2009-05-10 02:41 . 2009-05-10 02:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 10:58 . 2008-04-24 01:34 192512 ----a-w- c:\windows\system32\txmlutil.dll
2009-06-04 23:31 . 2009-04-30 03:36 -------- d-----w- c:\program files\City of Heroes
2009-06-04 13:07 . 2009-04-30 01:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\GetRight
2009-06-02 08:45 . 2009-04-29 23:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-28 09:41 . 2009-05-05 06:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus
2009-05-26 04:53 . 2009-04-29 23:21 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-23 10:31 . 2009-04-29 23:02 8224 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-22 08:33 . 2008-04-14 04:42 146432 ----a-w- c:\windows\regedit.exe
2009-05-18 10:29 . 2009-05-02 11:48 -------- d-----w- c:\program files\Steam
2009-05-18 05:23 . 2009-04-29 23:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-14 13:03 . 2009-05-05 09:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-05-12 00:39 . 2009-04-29 23:23 -------- d-----w- c:\program files\QuickTime
2009-05-12 00:39 . 2009-05-01 15:27 -------- d-----w- c:\program files\DivX
2009-05-12 00:38 . 2009-05-01 15:27 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-12 00:37 . 2009-05-01 15:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-05 09:03 . 2009-05-05 09:03 -------- d-----w- c:\program files\Windows Media Connect 2
2009-05-05 06:34 . 2009-05-05 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-05-03 16:58 . 2009-04-29 22:56 -------- d-----w- c:\program files\Firefox Downloads
2009-05-03 04:02 . 2009-05-03 03:59 102262 ----a-w- c:\windows\hpoins05.dat
2009-05-03 04:01 . 2009-05-03 04:01 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-05-03 04:00 . 2009-05-03 04:00 -------- d-----w- c:\program files\HP
2009-05-01 23:48 . 2009-05-01 23:48 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-01 23:37 . 2009-04-29 23:17 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-01 15:51 . 2009-04-29 23:27 -------- d-----w- c:\program files\NOS
2009-05-01 15:51 . 2009-04-29 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-01 15:39 . 2009-05-01 15:39 -------- d-----w- c:\program files\MSBuild
2009-05-01 15:38 . 2009-05-01 15:38 -------- d-----w- c:\program files\Reference Assemblies
2009-05-01 15:31 . 2009-05-01 15:31 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-01 15:29 . 2009-05-01 15:27 -------- d-----w- c:\program files\Google
2009-05-01 12:54 . 2009-05-01 12:54 -------- d-----w- c:\program files\Realtek
2009-04-30 07:21 . 2009-04-30 07:21 -------- d-----w- c:\program files\Microsoft
2009-04-30 07:21 . 2009-04-30 07:21 -------- d-----w- c:\program files\Windows Live
2009-04-30 07:21 . 2009-04-30 07:21 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-04-30 07:17 . 2009-04-30 07:17 -------- d-----w- c:\program files\Common Files\Windows Live
2009-04-30 02:38 . 2009-04-30 02:38 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-04-30 02:19 . 2009-04-30 02:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp
2009-04-30 01:55 . 2009-04-30 01:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\atitray
2009-04-30 01:48 . 2009-04-29 23:16 -------- d-----w- c:\program files\MultiRes
2009-04-30 01:37 . 2009-04-30 01:37 -------- d-----w- c:\program files\Intel
2009-04-30 01:26 . 2009-04-30 01:26 -------- d-----w- c:\program files\GetRight
2009-04-29 23:45 . 2009-04-29 23:45 -------- d-----w- c:\program files\Analog Devices
2009-04-29 23:23 . 2009-04-29 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-29 23:23 . 2009-04-29 23:23 -------- d-----w- c:\program files\Apple Software Update
2009-04-29 23:23 . 2009-04-29 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-04-29 23:20 . 2009-04-29 23:20 -------- d-----w- c:\program files\Java
2009-04-29 23:16 . 2009-04-29 23:16 472576 ----a-w- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2009-04-29 23:16 . 2009-04-29 23:16 -------- d-----w- c:\program files\Radeon Omega Drivers
2009-04-29 23:01 . 2009-04-29 23:01 1887 ----a-w- c:\documents and settings\All Users\Application Data\xml2C.tmp
2009-04-29 23:01 . 2009-04-29 23:01 13252 ----a-w- c:\documents and settings\All Users\Application Data\xml2B.tmp
2009-04-29 23:01 . 2009-04-29 23:01 7136 ----a-w- c:\documents and settings\All Users\Application Data\xml2A.tmp
2009-04-29 22:52 . 2009-04-29 22:52 0 ----a-w- c:\windows\nsreg.dat
2009-04-29 22:36 . 2009-04-29 22:36 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-04-15 20:25 . 2009-05-01 15:28 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-04-15 20:25 . 2009-05-01 15:28 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w- c:\windows\system32\DivX.dll
2009-04-09 11:32 . 2009-04-09 11:32 89088 ----a-w- c:\documents and settings\Administrator\Application Data\Desktopicon\eBayShortcuts.exe
2009-03-29 15:00 . 2009-03-29 15:00 27520 ----a-w- c:\windows\system32\TCBaseAPI.dll
2009-03-25 21:29 . 2009-05-01 12:54 130432 ----a-w- c:\windows\system32\drivers\Rtnicxp.sys
2009-03-24 11:03 . 2009-03-24 11:03 7808 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2009-03-13 04:18 . 2009-03-13 04:18 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-03-08 11:34 . 2009-03-03 00:35 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2008-04-14 04:41 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2008-04-14 04:41 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 11:32 . 2008-04-14 04:41 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2008-04-14 04:41 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2008-04-14 04:41 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2008-04-13 20:56 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2008-04-14 04:42 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2001-08-23 13:00 156160 ----a-w- c:\windows\system32\msls31.dll
.

------- Sigcheck -------

[-] 2009-03-03 00:36 361600 A29E1209F925A0E9B330E11DA5FC7BAB c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TightVNC"="c:\\Program Files\\TightVNC\\WinVNC.exe" [2009-03-05 585728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2008-08-17 660776]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI1"= SYNCOR11.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP2\\RpcAgentSrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"d:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business 2009.SP2\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\emsbqij.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 atitray;atitray;c:\program files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [4/29/2009 4:16 PM 17952]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [6/3/2009 11:14 PM 13360]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [6/3/2009 11:43 PM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [6/21/2008 4:54 AM 66600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/3/2009 11:38 PM 108289]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [6/3/2009 11:14 PM 68912]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 7:24 AM 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 7:24 AM 1365288]
R2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [6/3/2009 11:43 PM 65576]
S2 SBAMSvc;Sunbelt VIPRE Antivirus Service;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [8/17/2008 8:50 AM 849192]
S3 DbusAudio;DbusAudio;c:\windows\system32\drivers\DbusAudio.sys [5/5/2009 1:52 AM 23096]
S3 DbusVideo;DbusVideo;c:\windows\system32\drivers\DbusVideo.sys [5/5/2009 1:52 AM 3768]
S3 OpUtils Service;ManageEngine OpUtils 5;c:\program files\AdventNet\ME\OpUtils\bin\wrapper.exe [6/2/2009 1:45 AM 126976]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 4:03 AM 7808]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;d:\program files\SiSoftware\SiSoftware Sandra Professional Business 2009.SP2\RpcAgentSrv.exe [4/29/2009 4:00 PM 98488]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [5/4/2009 2:07 AM 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [5/4/2009 2:07 AM 500608]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HELPSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-05 c:\windows\Tasks\MP Scheduled Scan.job
- d:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ajfzlr43.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ajfzlr43.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ajfzlr43.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-04 18:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-602162358-1965331169-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,37,7d,d2,50,63,2b,af,40,b3,38,16,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
 d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,37,7d,d2,50,63,2b,af,40,b3,38,16,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3552)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
d:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Sunbelt Software\Personal Firewall\SbPFCl.exe
c:\program files\Sunbelt Software\Personal Firewall\SbPFCl.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-06-05 18:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-05 01:21

Pre-Run: 73,343,909,888 bytes free
Post-Run: 73,279,709,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

#16 (permalink)
Old 05-06-2009, 09:41 PM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
re: Help MUCH Appreciated.

Ok, now run this scanner please:


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Double-click the drweb-cureit.exe file and allow it to run the express scan.
* This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, see if you can click the next icon next to the files found:

* If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:


This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
* After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
* Save the report to your desktop. The report will be called DrWeb.csv.
* Close Dr.Web CureIt.
* Reboot your computer!! Files that were in use may be moved/deleted during the reboot.
* After the reboot, post the contents of the Dr.Web log you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

#17 (permalink)
Old 07-06-2009, 03:52 AM
Junior Member
New Recruit
Join Date: May 2009
Posts: 27
Injigo Is a beginner here at D-A-L
Re: Help MUCH Appreciated.

ComboFix.exe/data002\32788R22FWJFW\FIND3M.bat;C:\Documents and Settings\Administrator\Desktop\Firefox Downloads\ComboFix.exe/data002;Probably BATCH.Virus;;
data002;C:\Documents and Settings\Administrator\Desktop\Firefox Downloads;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Administrator\Desktop\Firefox Downloads;Container contains infected objects;Moved.;
RegUBP2b-Administrator.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
pskill.exe;C:\Program Files\DVD_Generator;Tool.ProcessKill.7;;
libc.a\alloca.o;C:\pxe backup\unattended\djdev203\lib\libc.a;Modification of Win32.GhostDog.2751;;
libc.a;C:\pxe backup\unattended\djdev203\lib;Archive contains infected objects;Moved.;
server.exe.vir\data002;C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\LOCALS~1\Temp\server.exe.vir;BackDoor.Tdss.119;;
server.exe.vir;C:\Qoobox\Quarantine\C\DOCUME~1\ADMINI~1\LOCALS~1\Temp;Archive contains infected objects;Moved.;
gxvxcmjemayehewvsvumnkljujroclkdjwqio.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;BackDoor.Tdss.223;Deleted.;
emsbqij.exe;C:\WINDOWS\system32;Probably Trojan.Packed.154;;
UBCD4WinV350.exe/data605\32788R22FWJFW\c.bat;D:\backup\UBCD4WinV350.exe/data605;Probably BATCH.Virus;;
data605;D:\backup;Archive contains infected objects;;
UBCD4WinV350.exe\data983;D:\backup\UBCD4WinV350.exe;Trojan.MulDrop.origin;;
UBCD4WinV350.exe\data1052;D:\backup\UBCD4WinV350.exe;Program.RemoteAdmin;;
UBCD4WinV350.exe;D:\backup;Archive contains infected objects;Moved.;
DVD_Generator-1.14-EN-NoDotnet.exe\Program Files/DVD_Generator/pskill.exe;D:\PXE\DVD_Generator-1.14-EN-NoDotnet.exe;Tool.ProcessKill.7;;
DVD_Generator-1.14-EN-NoDotnet.exe;D:\PXE;Archive contains infected objects;Moved.;
DVD_Generator-1.14-EN.exe\Program Files/DVD_Generator/pskill.exe;D:\Tigger\Tigger's C Drive\PXE Project\DVD_Generator-1.14-EN.exe;Tool.ProcessKill.7;;
DVD_Generator-1.14-EN.exe;D:\Tigger\Tigger's C Drive\PXE Project;Archive contains infected objects;Moved.;
DVD_Generator1.14ENNoDotnet.exe\Program Files/DVD_Generator/pskill.exe;D:\Tigger\Tigger's C Drive\PXE Project\DVD_Generator1.14ENNoDotnet.exe;Tool.ProcessKill.7;;
DVD_Generator1.14ENNoDotnet.exe;D:\Tigger\Tigger's C Drive\PXE Project;Archive contains infected objects;Moved.;
#18 (permalink)
Old 07-06-2009, 05:35 PM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: Help MUCH Appreciated.

Need feedback on what is going on.

#19 (permalink)
Old 11-06-2009, 09:20 AM
Junior Member
New Recruit
Join Date: May 2009
Posts: 27
Injigo Is a beginner here at D-A-L
Re: Help MUCH Appreciated.

Oh wow. I didn't even see your last post. It was so small. My bad. Righto, it still seems to be slow, especially games. Frame rates are low.
#20 (permalink)
Old 11-06-2009, 10:57 PM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: Help MUCH Appreciated.

To clean your temp folder, recycle bin, etc., please download this free tool:

CCleaner

Don't install any toolbars or other programs, should it ask you! Just uncheck the option of installing the Yahoo toolbar.
It will put a shortcut on your Desktop.

Uncheck cookies.

Before first use:
Select Options, then Advanced.
UNCHECK "Only delete files in Windows Temp folder older than 48 hours".

Click on CCleaner to start it. Then click "Run Cleaner"; just use the Windows tab up front by default.


Then reboot (Exit).

Any better?
