Content Top
DAL Computer Help » Internet Security Help » Spyware, Adware, Viruses and HijackThis Logs » [Active] Please help..parasite on my pc

Recommended Fix

Click here to fix Windows Errors and Optimize Windows Performance

Need Computer Help?
Register Now for FREE

[Active] Please help..parasite on my pc

Reply
Page 2 of 5 1 2 345
Thread Tools
Spyware, Adware, Viruses and HijackThis Logs
  #11 (permalink)  
Old 10-08-2009, 08:38 PM
Junior Member
New Recruit
  
Join Date: Mar 2009
Posts: 29
babotzkie Is a beginner here at D-A-L
Re: [Active] Please help..parasite on my pc
i forgot to post that, during scan, combofix said that i need to note this because combofix detects that rootkit didn't finish his task?

C:\WINDOWS\system32\Drivers\geyekrorjvpvvm.sys
C:\WINDOWS\system32\Drivers\geyekrybwruwqi.dll
C:\WINDOWS\system32\Drivers\geyekrpxjotehr.dat
C:\WINDOWS\system32\Drivers\geyekrrroypyko.dll
C:\WINDOWS\system32\Drivers\geyekryebaqpil.dat

but it seems that i didn't use it after i scan?.. what can i do for this item?
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #12 (permalink)  
Old 10-08-2009, 08:41 PM
broni's Avatar
Senior Member
  
Join Date: Nov 2004
Posts: 3,146
broni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniture
Re: [Active] Please help..parasite on my pc
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\kgpcpy.cfg


Folder::

Driver::
biogxas
qgwxzb
Hdrfrsmg


Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\biogxas]
"ServiceDll"=-
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qgwxzb]
"ServiceDll"=-

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
__________________
My Home Page
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #13 (permalink)  
Old 10-08-2009, 09:07 PM
Junior Member
New Recruit
  
Join Date: Mar 2009
Posts: 29
babotzkie Is a beginner here at D-A-L
Re: [Active] Please help..parasite on my pc
ComboFix 09-08-10.01 - babotz 08/11/2009 3:51.7.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1500 [GMT 8:00]
Running from: c:\documents and settings\babotz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\babotz\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090810-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: F-Secure Anti-Virus 2008 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

FILE ::
"c:\windows\system32\drivers\kgpcpy.cfg"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

?

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BIOGXAS
-------\Legacy_QGWXZB
-------\Service_biogxas
-------\Service_Hdrfrsmg
-------\Service_qgwxzb


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 14:11 . 2009-08-10 14:11 -------- d-----w- c:\documents and settings\babotz\Local Settings\Application Data\Google
2009-08-10 09:28 . 2009-08-10 09:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-08-10 09:27 . 2009-08-10 09:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-10 09:27 . 2009-08-10 09:27 -------- d-----w- c:\documents and settings\babotz\Application Data\SUPERAntiSpyware.com
2009-08-09 12:11 . 2009-08-09 12:12 -------- d-----w- C:\Program FilesFreezeTag Games%Mystery masterpiece-The Moonstone
2009-08-09 12:02 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-09 12:02 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-09 12:02 . 2009-02-05 21:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-09 12:02 . 2009-02-05 21:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-09 12:02 . 2009-02-05 21:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-09 12:02 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-09 12:02 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-09 12:02 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-09 12:02 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-06 14:44 . 2007-03-18 12:37 65602 ----a-w- c:\windows\system32\cook3260.dll
2009-08-06 14:44 . 2006-09-29 04:26 176165 ----a-w- c:\windows\system32\drv23260.dll
2009-08-06 14:44 . 2006-09-29 04:25 208935 ----a-w- c:\windows\system32\drv33260.dll
2009-08-06 14:44 . 2006-09-29 04:24 217127 ----a-w- c:\windows\system32\drv43260.dll
2009-07-26 06:40 . 2009-07-26 06:45 -------- d-----w- c:\documents and settings\Kids\Application Data\Mysteryville2
2009-07-25 04:42 . 2009-07-25 04:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Astar Games
2009-07-24 02:18 . 2009-07-24 02:18 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-07-24 02:15 . 2009-07-24 02:15 -------- d-----w- c:\program files\Bonjour
2009-07-24 02:09 . 2009-07-24 02:09 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-07-23 20:12 . 2009-07-23 20:12 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-07-23 10:49 . 2009-08-02 10:57 -------- d-----w- c:\documents and settings\babotz\Application Data\iWin
2009-07-21 03:38 . 2009-07-21 03:38 -------- d-----w- c:\documents and settings\babotz\Application Data\Uniblue
2009-07-21 03:12 . 2009-07-21 15:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SITEguard
2009-07-21 03:11 . 2009-07-23 06:29 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\STOPzilla!
2009-07-21 03:11 . 2009-07-21 03:11 -------- d-----w- c:\program files\Common Files\iS3
2009-07-19 15:32 . 2009-07-19 15:32 -------- d--h--w- c:\windows\PIF
2009-07-19 15:05 . 2009-07-19 15:05 -------- d-----w- c:\documents and settings\babotz\Local Settings\Application Data\Oberon Games
2009-07-19 09:45 . 2009-08-02 11:01 -------- d-----w- c:\documents and settings\babotz\Saved Games
2009-07-18 17:40 . 2009-07-18 17:40 -------- d-----w- c:\program files\Laura Jones and the Gates of Good and Evil
2009-07-18 17:40 . 2009-07-18 17:40 -------- d-----w- c:\windows\Laura Jones and the Gates of Good and Evil
2009-07-18 16:04 . 2009-07-18 16:04 -------- d-----w- c:\program files\Dream Chronicles The Chosen Child
2009-07-18 16:04 . 2009-07-18 16:04 -------- d-----w- c:\windows\Dream Chronicles The Chosen Child
2009-07-18 11:48 . 2009-07-18 12:05 -------- d-----w- c:\documents and settings\babotz\Application Data\Mysteryville2
2009-07-18 11:48 . 2009-07-18 11:48 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Trymedia
2009-07-18 11:47 . 2009-08-01 06:04 -------- d-----w- c:\program files\Yahoo! Games
2009-07-18 09:58 . 2009-07-18 09:58 -------- d-----w- c:\program files\Web Publish
2009-07-18 03:35 . 2009-07-20 05:21 -------- d-----w- c:\documents and settings\babotz\Local Settings\Application Data\Ashampoo Movie Shrink & Burn 3
2009-07-18 03:35 . 2009-07-18 03:35 -------- d-----w- c:\documents and settings\babotz\Local Settings\Application Data\ashampoo
2009-07-18 03:35 . 2009-07-18 03:35 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ashampoo
2009-07-18 03:35 . 2009-07-18 03:35 -------- d-----w- c:\program files\Ashampoo
2009-07-17 07:56 . 2009-07-17 07:56 -------- d-----w- c:\documents and settings\babotz\Application Data\AdobeUM
2009-07-13 06:54 . 2009-07-17 07:56 -------- d-----w- c:\documents and settings\babotz\Local Settings\Application Data\Adobe
2009-07-12 19:33 . 2009-08-09 16:41 -------- d-----w- c:\program files\Microsoft SQL Server
2009-07-12 19:32 . 2009-07-12 19:32 -------- d-----w- c:\program files\Microsoft Device Emulator
2009-07-12 19:32 . 2009-07-12 19:32 -------- d-----w- c:\program files\Windows Mobile 5.0 SDK R2
2009-07-12 19:31 . 2009-07-12 19:31 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-07-12 19:31 . 2009-07-12 19:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-07-12 19:18 . 2009-07-12 19:18 -------- d-----w- c:\program files\Microsoft SDKs
2009-07-12 19:18 . 2009-08-10 14:05 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-07-12 19:18 . 2009-07-12 19:18 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2009-07-12 19:16 . 2009-07-12 21:06 321632 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-12 19:15 . 2009-08-09 16:55 -------- d-----w- c:\program files\MSBuild
2009-07-12 19:15 . 2009-07-12 19:15 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-12 19:15 . 2009-07-12 19:15 -------- d-----w- c:\program files\Reference Assemblies
2009-07-12 19:15 . 2006-06-29 05:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-07-12 19:12 . 2006-10-16 08:10 23856 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-12 01:47 . 2009-07-12 01:51 -------- d-----w- c:\program files\TC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-08-10 14:06 . 2009-05-09 00:18 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-08-10 09:25 . 2009-04-09 11:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-10 09:18 . 2009-06-25 01:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 05:17 . 2009-04-22 11:49 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-09 17:43 . 2009-04-09 09:41 70768 ----a-w- c:\documents and settings\babotz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 17:39 . 2009-06-28 04:51 -------- d-----w- c:\documents and settings\babotz\Application Data\BitTorrent
2009-08-09 16:42 . 2009-05-09 00:22 -------- d-----w- c:\program files\Microsoft.NET
2009-08-09 12:16 . 2009-05-12 13:49 -------- d-----w- c:\program files\Games
2009-08-09 09:57 . 2009-05-08 06:45 -------- d-----w- c:\program files\Winamp
2009-08-09 08:56 . 2009-06-02 01:29 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-08-08 07:15 . 2009-08-01 14:21 -------- d-----w- c:\documents and settings\babotz\Application Data\Vso
2009-08-07 15:19 . 2009-08-06 11:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2009-08-06 14:44 . 2009-08-01 14:21 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-08-06 14:44 . 2009-08-01 14:21 47360 ----a-w- c:\documents and settings\babotz\Application Data\pcouffin.sys
2009-08-06 14:44 . 2009-08-06 14:44 -------- d-----w- c:\program files\VSO
2009-08-06 11:57 . 2009-08-06 11:57 -------- d-----w- c:\program files\bfgclient
2009-08-05 11:33 . 2009-06-26 11:45 -------- d-----w- c:\program files\Garena
2009-08-04 09:14 . 2009-08-04 09:13 21842 ----a-w- c:\windows\scunin.dat
2009-08-04 09:14 . 2009-08-04 09:13 967 ----a-w- c:\windows\ScUnin.pif
2009-08-04 09:14 . 2009-08-04 09:13 94208 ----a-w- c:\windows\ScUnin.exe
2009-08-04 04:48 . 2009-06-28 04:42 -------- d-----w- c:\program files\AskBarDis
2009-08-03 05:36 . 2009-06-25 01:45 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 05:36 . 2009-06-25 01:45 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 06:51 . 2009-04-21 01:11 71208 ----a-w- c:\documents and settings\Kids\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-30 18:04 . 2009-05-10 17:09 -------- d-----w- c:\program files\Warcraft III
2009-07-30 14:12 . 2009-05-08 06:45 -------- d-----w- c:\documents and settings\babotz\Application Data\Winamp
2009-07-24 08:20 . 2009-04-20 03:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-23 06:26 . 2009-07-23 06:25 1024 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-18 16:04 . 2009-05-12 19:12 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PlayFirst
2009-07-18 08:20 . 2009-07-18 08:20 2678 ----a-w- c:\windows\java\Packages\Data\XFNTRPB7.DAT
2009-07-18 08:20 . 2009-07-18 08:20 2678 ----a-w- c:\windows\java\Packages\Data\E9RVPJ13.DAT
2009-07-18 08:20 . 2009-07-18 08:20 2678 ----a-w- c:\windows\java\Packages\Data\63VHR3HV.DAT
2009-07-18 08:20 . 2009-07-18 08:20 2678 ----a-w- c:\windows\java\Packages\Data\HRF73D35.DAT
2009-07-11 07:37 . 2009-07-01 05:41 -------- d-----w- c:\documents and settings\babotz\Application Data\Skype
2009-07-11 06:04 . 2009-07-09 11:23 -------- d-----w- c:\documents and settings\babotz\Application Data\FileZilla
2009-07-11 04:30 . 2009-05-10 06:09 -------- d-----w- c:\program files\Avira
2009-07-10 06:21 . 2009-06-27 08:21 -------- d-----w- c:\program files\Winferno
2009-07-10 06:20 . 2009-05-12 09:53 -------- d-----w- c:\program files\Left 4 Dead
2009-07-09 11:23 . 2009-07-09 11:23 -------- d-----w- c:\program files\FileZilla FTP Client
2009-07-09 10:17 . 2009-05-09 00:29 -------- d-----w- c:\program files\Autorun Eater
2009-07-09 10:17 . 2009-07-09 10:06 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Autorun Eater
2009-07-05 19:52 . 2009-05-25 13:43 -------- d-----w- c:\documents and settings\babotz\Application Data\DMCache
2009-07-05 17:49 . 2009-07-05 08:38 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2009-07-05 08:38 . 2009-06-26 08:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo!
2009-07-05 08:38 . 2009-06-01 14:35 -------- d-----w- c:\program files\Yahoo!
2009-07-04 23:53 . 2009-04-14 05:44 261 ----a-w- c:\windows\popcinfo.dat
2009-07-03 02:27 . 2009-07-03 02:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\DVD Shrink
2009-07-02 18:12 . 2009-06-26 17:05 -------- d-----w- c:\documents and settings\babotz\Application Data\Camfrog
2009-07-01 05:41 . 2009-07-01 05:41 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-01 05:41 . 2009-07-01 05:41 -------- d-----w- c:\documents and settings\babotz\Application Data\skypePM
2009-07-01 05:41 . 2009-07-01 05:41 -------- d-----w- c:\program files\Common Files\Skype
2009-07-01 05:41 . 2009-07-01 05:40 -------- d-----r- c:\program files\Skype
2009-07-01 05:41 . 2009-07-01 05:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Skype
2009-06-30 20:41 . 2009-06-28 04:42 -------- d-----w- c:\documents and settings\babotz\Application Data\DNA
2009-06-30 07:32 . 2009-06-28 04:42 -------- d-----w- c:\program files\DNA
2009-06-30 06:09 . 2009-06-30 06:09 -------- d-----w- c:\documents and settings\babotz\Application Data\cerasus.media
2009-06-30 06:09 . 2009-06-30 06:09 -------- d-----w- c:\documents and settings\babotz\Application Data\cerasus
2009-06-28 21:01 . 2009-04-24 10:42 -------- d-----w- c:\program files\Jewel Quest
2009-06-28 05:20 . 2009-06-01 14:35 -------- d-----w- c:\program files\IObit
2009-06-28 04:42 . 2009-06-28 04:42 -------- d-----w- c:\program files\BitTorrent
2009-06-27 08:47 . 2009-06-27 08:47 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby
2009-06-27 08:47 . 2009-06-27 08:43 -------- d-----w- c:\documents and settings\babotz\Application Data\Digsby
2009-06-27 08:43 . 2009-06-27 08:43 -------- d-----w- c:\program files\Digsby
2009-06-27 08:26 . 2009-06-27 08:26 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Winferno
2009-06-27 05:12 . 2009-06-27 05:12 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-27 05:12 . 2009-06-27 05:12 -------- d-----w- c:\program files\Java
2009-06-26 22:15 . 2009-06-26 22:15 -------- d-----w- c:\program files\Chikka Messenger
2009-06-26 10:09 . 2009-05-25 13:43 -------- d-----w- c:\documents and settings\babotz\Application Data\IDM
2009-06-26 08:36 . 2009-04-28 17:26 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-26 08:26 . 2009-06-26 08:26 0 ----a-w- c:\windows\nsreg.dat
2009-06-25 10:10 . 2009-06-22 03:32 -------- d-----w- c:\program files\Common Files\SourceTec
2009-06-25 10:09 . 2009-06-25 10:09 -------- d-----w- c:\documents and settings\babotz\Application Data\MSNInstaller
2009-06-25 09:55 . 2009-04-25 02:57 -------- d-----w- c:\program files\Truffle Tray
2009-06-25 09:55 . 2009-04-09 11:47 -------- d-----w- c:\documents and settings\babotz\Application Data\My Battle for Middle-earth(tm) II Files
2009-06-25 01:39 . 2009-06-05 02:40 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-25 01:36 . 2009-06-25 01:36 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Nero
2009-06-24 14:56 . 2009-06-24 14:56 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\LightScribe
2009-06-24 14:47 . 2009-06-24 14:47 -------- d-----w- c:\program files\Common Files\LightScribe
2009-06-24 12:25 . 2009-06-24 12:25 -------- d-----w- c:\program files\BitDefender
2009-06-23 01:19 . 2009-06-23 01:19 -------- d-----w- c:\documents and settings\babotz\Application Data\Corel
2009-06-23 01:15 . 2009-06-23 01:15 -------- d-----w- c:\program files\Common Files\Corel
2009-06-23 01:15 . 2009-04-09 12:04 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-23 01:15 . 2009-06-23 01:15 -------- d-----w- c:\program files\Corel
2009-06-20 07:30 . 2009-06-20 07:30 -------- d-----w- c:\documents and settings\Kids\Application Data\Yahoo!
2009-06-18 08:38 . 2009-06-01 14:35 -------- d-----w- c:\documents and settings\babotz\Application Data\IObit
2009-06-18 08:36 . 2009-05-12 18:26 -------- d-----w- c:\program files\VirtualDJ
2009-06-16 15:12 . 2009-05-12 19:12 -------- d-----w- c:\program files\Oberon Media
2009-06-14 10:09 . 2009-06-14 10:09 -------- d-----w- c:\program files\TryMedia
2009-06-12 07:52 . 2009-06-12 07:52 -------- d-----w- c:\program files\Xinox Software
2009-06-12 07:52 . 2009-06-12 07:52 -------- d-----w- c:\program files\JavaSoft
2009-06-12 07:52 . 2009-04-09 12:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-12 07:07 . 2009-05-12 19:12 -------- d-----w- c:\program files\GamesBar
2009-05-25 13:27 . 2009-05-25 13:27 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
.

------- Sigcheck -------

[-] 2009-04-29 04:52 659456 9D6E5AEB8F237E03D5892951EB3D6A7E c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP2GDR\wininet.dll
[-] 2009-04-29 04:31 668160 9E36A148748C5DE4EA1F47B9B625F412 c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP2QFE\wininet.dll
[-] 2009-04-29 04:46 666624 6002073519FA478BF89977369CDFD156 c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP3GDR\wininet.dll
[-] 2009-04-29 04:21 668160 04BCB4F87B35502568F6CF33433543A5 c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP3QFE\wininet.dll
[-] 2006-10-15 15:39 698368 76E63E0D2EFE76EED958511CC724FE6B c:\windows\system32\wininet.dll
[-] 2006-10-15 15:39 698368 76E63E0D2EFE76EED958511CC724FE6B c:\windows\system32\dllcache\wininet.dll

[-] 2006-10-15 15:38 975360 42071C236B7E35271D40DB1D7C37D5BD c:\windows\explorer.exe
[-] 2006-10-15 15:38 975360 42071C236B7E35271D40DB1D7C37D5BD c:\windows\system32\dllcache\explorer.exe

[-] 2009-04-29 04:52 3060736 04AB92BFDDF275D50E3D42CDB4BF110E c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP2GDR\mshtml.dll
[-] 2009-04-29 02:01 3068928 7BB862F4CBB8361551C34674291BA5EC c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP2QFE\mshtml.dll
[-] 2009-04-29 04:46 3068928 ABD8093E43E53AEA5898D2214B92E9BA c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP3GDR\mshtml.dll
[-] 2009-04-29 04:21 3069440 06CF679E3D24C3DF270556456A0F1EDA c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP3QFE\mshtml.dll
[-] 2006-10-15 15:38 3498496 E59EC27FCA1F9BB5700CAAE80CABA406 c:\windows\system32\mshtml.dll
[-] 2006-10-15 15:38 3498496 E59EC27FCA1F9BB5700CAAE80CABA406 c:\windows\system32\dllcache\mshtml.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-08-09_08.37.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 19:31 . 2009-08-10 19:31 16384 c:\windows\Temp\Perflib_Perfdata_ee4.dat
+ 2009-08-10 19:26 . 2009-08-10 19:26 16384 c:\windows\Temp\Perflib_Perfdata_680.dat
+ 2009-08-10 19:58 . 2009-08-10 19:58 16384 c:\windows\Temp\Perflib_Perfdata_614.dat
+ 2009-08-10 19:58 . 2009-08-10 19:58 16384 c:\windows\Temp\Perflib_Perfdata_24c.dat
+ 2001-08-23 12:00 . 2009-08-09 16:40 73230 c:\windows\system32\perfc009.dat
+ 2009-04-09 09:11 . 2009-08-10 18:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-04-09 09:11 . 2009-08-09 08:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-09 09:11 . 2009-08-10 18:27 16384 c:\windows\system32\config\systemprofile\Cookies\i ndex.dat
- 2009-04-09 09:11 . 2009-08-09 08:35 16384 c:\windows\system32\config\systemprofile\Cookies\i ndex.dat
+ 2009-08-10 09:27 . 2009-08-10 09:27 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-08-10 09:27 . 2009-08-10 09:27 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2009-08-09 08:33 . 2009-08-09 08:33 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-10 19:57 . 2009-08-10 19:57 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-09 08:33 . 2009-08-09 08:33 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-10 19:57 . 2009-08-10 19:57 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2001-08-23 12:00 . 2001-08-23 12:00 219392 c:\windows\system32\qdtvpzxr.dat
+ 2001-08-23 12:00 . 2009-08-09 16:40 446492 c:\windows\system32\perfh009.dat
+ 2001-08-23 12:00 . 2001-08-23 12:00 175360 c:\windows\system32\ocuhyhzb.dat
+ 2001-08-23 12:00 . 2001-08-23 12:00 103936 c:\windows\system32\mvrjzak.dll
+ 2001-08-23 12:00 . 2001-08-23 12:00 143872 c:\windows\system32\dualnllc.dll
- 2009-08-09 08:33 . 2009-08-09 08:33 221184 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-10 19:57 . 2009-08-10 19:57 221184 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-10 19:57 . 2009-08-10 19:57 249856 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-09 08:33 . 2009-08-09 08:33 249856 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-10 19:57 . 2009-08-10 19:57 249856 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-09 08:33 . 2009-08-09 08:33 249856 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2001-08-23 12:00 . 2001-08-23 12:00 8122112 c:\windows\system32\zyqhnwfg.dat
+ 2009-02-03 02:15 . 2009-08-10 00:55 3771296 c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2009-02-03 02:15 . 2009-02-03 02:15 3771296 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-04-09 16:50 . 2009-08-09 17:42 1558160 c:\windows\system32\FNTCACHE.DAT
+ 2009-08-10 09:27 . 2009-08-10 09:27 1516544 c:\windows\Installer\500e5.msi
+ 2009-08-10 19:57 . 2009-08-10 19:57 8036352 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 09:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"RocketDock"="c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 630784]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13672448]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp. exe" [2009-02-05 81000]

c:\documents and settings\babotz\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-19 630784]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 04:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^babotz^Start Menu^Programs^Startup^AutoClick.lnk]
path=c:\documents and settings\babotz\Start Menu\Programs\Startup\AutoClick.lnk
backup=c:\windows\pss\AutoClick.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^babotz^Start Menu^Programs^Startup^nero.bat.lnk]
path=c:\documents and settings\babotz\Start Menu\Programs\Startup\nero.bat.lnk
backup=c:\windows\pss\nero.bat.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^babotz^Start Menu^Programs^Startup^RocketDock.lnk]
path=c:\documents and settings\babotz\Start Menu\Programs\Startup\RocketDock.lnk
backup=c:\windows\pss\RocketDock.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run-]
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-]
"CorelDRAW Graphics Suite 11b"=c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=070809 serial=DR12WCP-4531862-WWB lang=EN
"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe
"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Wak poh\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/9/2009 8:02 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [12/10/2008 7:10 AM 24636]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswF sBlk.sys [8/9/2009 8:02 PM 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S2 AntiVirUpgradeService;Avira Upgrade Service;"c:\docume~1\babotz\LOCALS~1\Temp\AVSETUP_ 49f73b50\basic\avupgsvc.exe" /TEMPSTART:""c:\docume~1\babotz\LOCALS~1\Temp\AVSET UP_49f73b50\basic\setup.exe" /NOTEMPCLEANUP /CROSSUPGRADE" --> c:\docume~1\babotz\LOCALS~1\Temp\AVSETUP_49f73b50\ basic\avupgsvc.exe [?]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys --> c:\windows\system32\DRIVERS\avfwim.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\babotz \LOCALS~1\Temp\KRUA1.tmp --> c:\docume~1\babotz\LOCALS~1\Temp\KRUA1.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fmtrblkv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*Yahoo!
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\babotz\APPLIC~1\Mozilla\Firefox\Profil es\rqqr1q52.default\
FF - prefs.js: browser.search.defaulturl - hxxp://ph.search.yahoo.com/?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://ph.search.yahoo.com/?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----





















pref(dom.disable_open_during_load, false);
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_sett ing", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter ", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-08-11 03:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_avast4_\unp157623126.tmp 705439 bytes executable

scan completed successfully
hidden files: 1

************************************************** ************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\G arenaPEngine]
"ImagePath"="\??\c:\docume~1\babotz\LOCALS~1\Temp\ KRUA1.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1864)
c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
c:\windows\system32\shimgvw.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\xampp\FileZillaFTP\FileZilla server.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\xampp\mysql\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
************************************************** ************************
.
Completion time: 2009-08-10 4:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 20:04
ComboFix2.txt 2009-08-10 19:23
ComboFix3.txt 2009-08-09 08:42
ComboFix4.txt 2009-07-21 03:30
ComboFix5.txt 2009-08-10 19:50

Pre-Run: 36,627,488,768 bytes free
Post-Run: 36,577,468,416 bytes free

476
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #14 (permalink)  
Old 10-08-2009, 09:08 PM
Junior Member
New Recruit
  
Join Date: Mar 2009
Posts: 29
babotzkie Is a beginner here at D-A-L
Re: [Active] Please help..parasite on my pc
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:55 AM, on 8/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\xampp\FileZillaFTP\FileZilla server.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Welcome to Facebook | Facebook
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingle Instance.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\babotz\LOCALS~1\Temp\AVSETUP_49f73b50\ basic\avupgsvc.exe (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\httpd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\xampp\FileZillaFTP\FileZilla server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe (file missing)
O23 - Service: MySQL - Unknown owner - c:\xampp\mysql\bin\mysqld.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8327 bytes
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #15 (permalink)  
Old 10-08-2009, 09:20 PM
broni's Avatar
Senior Member
  
Join Date: Nov 2004
Posts: 3,146
broni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniture
Re: [Active] Please help..parasite on my pc
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\docume~1\babotz\LOCALS~1\Temp\KRUA1.tmp


Folder::

Driver::
GarenaPEngine

Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"=-

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
__________________
My Home Page
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #16 (permalink)  
Old 10-08-2009, 09:47 PM
Junior Member
New Recruit
  
Join Date: Mar 2009
Posts: 29
babotzkie Is a beginner here at D-A-L
Re: [Active] Please help..parasite on my pc
ComboFix 09-08-10.01 - babotz 08/11/2009 4:30.8.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1502 [GMT 8:00]
Running from: c:\documents and settings\babotz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\babotz\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090810-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: F-Secure Anti-Virus 2008 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

FILE ::
"c:\docume~1\babotz\LOCALS~1\Temp\KRUA1.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

?

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GARENAPENGINE
-------\Service_GarenaPEngine


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 20:24 . 2009-08-10 20:24 83456 --sh--r- c:\windows\system32\drivers\ZrxMgr.exe
2009-08-10 20:24 . 2009-08-10 20:24 83456 ----a-w- c:\windows\system32\26.scr
2009-08-10 14:11 . 2009-08-10 14:11 -------- d-----w- c:\documents and settings\babotz\Local Settings\Application Data\Google
2009-08-10 09:28 . 2009-08-10 09:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-08-10 09:27 . 2009-08-10 09:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-10 09:27 . 2009-08-10 09:27 -------- d-----w- c:\documents and settings\babotz\Application Data\SUPERAntiSpyware.com
2009-08-09 12:11 . 2009-08-09 12:12 -------- d-----w- C:\Program FilesFreezeTag Games%Mystery masterpiece-The Moonstone
2009-08-09 12:02 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-09 12:02 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-09 12:02 . 2009-02-05 21:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-09 12:02 . 2009-02-05 21:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-09 12:02 . 2009-02-05 21:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-09 12:02 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-09 12:02 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-09 12:02 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-09 12:02 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-06 14:44 . 2007-03-18 12:37 65602 ----a-w- c:\windows\system32\cook3260.dll
2009-08-06 14:44 . 2006-09-29 04:26 176165 ----a-w- c:\windows\system32\drv23260.dll
2009-08-06 14:44 . 2006-09-29 04:25 208935 ----a-w- c:\windows\system32\drv33260.dll
2009-08-06 14:44 . 2006-09-29 04:24 217127 ----a-w- c:\windows\system32\drv43260.dll
2009-07-26 06:40 . 2009-07-26 06:45 -------- d-----w- c:\documents and settings\Kids\Application Data\Mysteryville2
2009-07-25 04:42 . 2009-07-25 04:42 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Astar Games
2009-07-24 02:18 . 2009-07-24 02:18 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\FLEXnet
2009-07-24 02:15 . 2009-07-24 02:15 -------- d-----w- c:\program files\Bonjour
2009-07-24 02:09 . 2009-07-24 02:09 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-07-23 20:12 . 2009-07-23 20:12 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-07-23 10:49 . 2009-08-02 10:57 -------- d-----w- c:\documents and settings\babotz\Application Data\iWin
2009-07-21 03:38 . 2009-07-21 03:38 -------- d-----w- c:\documents and settings\babotz\Application Data\Uniblue
2009-07-21 03:12 . 2009-07-21 15:13 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SITEguard
2009-07-21 03:11 . 2009-07-23 06:29 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\STOPzilla!
2009-07-21 03:11 . 2009-07-21 03:11 -------- d-----w- c:\program files\Common Files\iS3
2009-07-19 15:32 . 2009-07-19 15:32 -------- d--h--w- c:\windows\PIF
2009-07-19 15:05 . 2009-07-19 15:05 -------- d-----w- c:\documents and settings\babotz\Local Settings\Application Data\Oberon Games
2009-07-19 09:45 . 2009-08-02 11:01 -------- d-----w- c:\documents and settings\babotz\Saved Games
2009-07-18 17:40 . 2009-07-18 17:40 -------- d-----w- c:\program files\Laura Jones and the Gates of Good and Evil
2009-07-18 17:40 . 2009-07-18 17:40 -------- d-----w- c:\windows\Laura Jones and the Gates of Good and Evil
2009-07-18 16:04 . 2009-07-18 16:04 -------- d-----w- c:\program files\Dream Chronicles The Chosen Child
2009-07-18 16:04 . 2009-07-18 16:04 -------- d-----w- c:\windows\Dream Chronicles The Chosen Child
2009-07-18 11:48 . 2009-07-18 12:05 -------- d-----w- c:\documents and settings\babotz\Application Data\Mysteryville2
2009-07-18 11:48 . 2009-07-18 11:48 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Trymedia
2009-07-18 11:47 . 2009-08-01 06:04 -------- d-----w- c:\program files\Yahoo! Games
2009-07-18 09:58 . 2009-07-18 09:58 -------- d-----w- c:\program files\Web Publish
2009-07-18 03:35 . 2009-07-20 05:21 -------- d-----w- c:\documents and settings\babotz\Local Settings\Application Data\Ashampoo Movie Shrink & Burn 3
2009-07-18 03:35 . 2009-07-18 03:35 -------- d-----w- c:\documents and settings\babotz\Local Settings\Application Data\ashampoo
2009-07-18 03:35 . 2009-07-18 03:35 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ashampoo
2009-07-18 03:35 . 2009-07-18 03:35 -------- d-----w- c:\program files\Ashampoo
2009-07-17 07:56 . 2009-07-17 07:56 -------- d-----w- c:\documents and settings\babotz\Application Data\AdobeUM
2009-07-13 06:54 . 2009-07-17 07:56 -------- d-----w- c:\documents and settings\babotz\Local Settings\Application Data\Adobe
2009-07-12 19:33 . 2009-08-09 16:41 -------- d-----w- c:\program files\Microsoft SQL Server
2009-07-12 19:32 . 2009-07-12 19:32 -------- d-----w- c:\program files\Microsoft Device Emulator
2009-07-12 19:32 . 2009-07-12 19:32 -------- d-----w- c:\program files\Windows Mobile 5.0 SDK R2
2009-07-12 19:31 . 2009-07-12 19:31 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-07-12 19:31 . 2009-07-12 19:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-07-12 19:18 . 2009-07-12 19:18 -------- d-----w- c:\program files\Microsoft SDKs
2009-07-12 19:18 . 2009-08-10 14:05 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-07-12 19:18 . 2009-07-12 19:18 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2009-07-12 19:16 . 2009-07-12 21:06 321632 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-12 19:15 . 2009-08-09 16:55 -------- d-----w- c:\program files\MSBuild
2009-07-12 19:15 . 2009-07-12 19:15 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-12 19:15 . 2009-07-12 19:15 -------- d-----w- c:\program files\Reference Assemblies
2009-07-12 19:15 . 2006-06-29 05:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-07-12 19:12 . 2006-10-16 08:10 23856 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-12 01:47 . 2009-07-12 01:51 -------- d-----w- c:\program files\TC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-08-10 14:06 . 2009-05-09 00:18 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-08-10 09:25 . 2009-04-09 11:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-10 09:18 . 2009-06-25 01:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 05:17 . 2009-04-22 11:49 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-09 17:43 . 2009-04-09 09:41 70768 ----a-w- c:\documents and settings\babotz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 17:39 . 2009-06-28 04:51 -------- d-----w- c:\documents and settings\babotz\Application Data\BitTorrent
2009-08-09 16:42 . 2009-05-09 00:22 -------- d-----w- c:\program files\Microsoft.NET
2009-08-09 12:16 . 2009-05-12 13:49 -------- d-----w- c:\program files\Games
2009-08-09 09:57 . 2009-05-08 06:45 -------- d-----w- c:\program files\Winamp
2009-08-09 08:56 . 2009-06-02 01:29 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-08-08 07:15 . 2009-08-01 14:21 -------- d-----w- c:\documents and settings\babotz\Application Data\Vso
2009-08-07 15:19 . 2009-08-06 11:55 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2009-08-06 14:44 . 2009-08-01 14:21 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-08-06 14:44 . 2009-08-01 14:21 47360 ----a-w- c:\documents and settings\babotz\Application Data\pcouffin.sys
2009-08-06 14:44 . 2009-08-06 14:44 -------- d-----w- c:\program files\VSO
2009-08-06 11:57 . 2009-08-06 11:57 -------- d-----w- c:\program files\bfgclient
2009-08-05 11:33 . 2009-06-26 11:45 -------- d-----w- c:\program files\Garena
2009-08-04 09:14 . 2009-08-04 09:13 21842 ----a-w- c:\windows\scunin.dat
2009-08-04 09:14 . 2009-08-04 09:13 967 ----a-w- c:\windows\ScUnin.pif
2009-08-04 09:14 . 2009-08-04 09:13 94208 ----a-w- c:\windows\ScUnin.exe
2009-08-04 04:48 . 2009-06-28 04:42 -------- d-----w- c:\program files\AskBarDis
2009-08-03 05:36 . 2009-06-25 01:45 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 05:36 . 2009-06-25 01:45 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 06:51 . 2009-04-21 01:11 71208 ----a-w- c:\documents and settings\Kids\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-30 18:04 . 2009-05-10 17:09 -------- d-----w- c:\program files\Warcraft III
2009-07-30 14:12 . 2009-05-08 06:45 -------- d-----w- c:\documents and settings\babotz\Application Data\Winamp
2009-07-24 08:20 . 2009-04-20 03:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-23 06:26 . 2009-07-23 06:25 1024 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-18 16:04 . 2009-05-12 19:12 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PlayFirst
2009-07-18 08:20 . 2009-07-18 08:20 2678 ----a-w- c:\windows\java\Packages\Data\XFNTRPB7.DAT
2009-07-18 08:20 . 2009-07-18 08:20 2678 ----a-w- c:\windows\java\Packages\Data\E9RVPJ13.DAT
2009-07-18 08:20 . 2009-07-18 08:20 2678 ----a-w- c:\windows\java\Packages\Data\63VHR3HV.DAT
2009-07-18 08:20 . 2009-07-18 08:20 2678 ----a-w- c:\windows\java\Packages\Data\HRF73D35.DAT
2009-07-11 07:37 . 2009-07-01 05:41 -------- d-----w- c:\documents and settings\babotz\Application Data\Skype
2009-07-11 06:04 . 2009-07-09 11:23 -------- d-----w- c:\documents and settings\babotz\Application Data\FileZilla
2009-07-11 04:30 . 2009-05-10 06:09 -------- d-----w- c:\program files\Avira
2009-07-10 06:21 . 2009-06-27 08:21 -------- d-----w- c:\program files\Winferno
2009-07-10 06:20 . 2009-05-12 09:53 -------- d-----w- c:\program files\Left 4 Dead
2009-07-09 11:23 . 2009-07-09 11:23 -------- d-----w- c:\program files\FileZilla FTP Client
2009-07-09 10:17 . 2009-05-09 00:29 -------- d-----w- c:\program files\Autorun Eater
2009-07-09 10:17 . 2009-07-09 10:06 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Autorun Eater
2009-07-05 19:52 . 2009-05-25 13:43 -------- d-----w- c:\documents and settings\babotz\Application Data\DMCache
2009-07-05 17:49 . 2009-07-05 08:38 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2009-07-05 08:38 . 2009-06-26 08:28 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo!
2009-07-05 08:38 . 2009-06-01 14:35 -------- d-----w- c:\program files\Yahoo!
2009-07-04 23:53 . 2009-04-14 05:44 261 ----a-w- c:\windows\popcinfo.dat
2009-07-03 02:27 . 2009-07-03 02:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\DVD Shrink
2009-07-02 18:12 . 2009-06-26 17:05 -------- d-----w- c:\documents and settings\babotz\Application Data\Camfrog
2009-07-01 05:41 . 2009-07-01 05:41 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-01 05:41 . 2009-07-01 05:41 -------- d-----w- c:\documents and settings\babotz\Application Data\skypePM
2009-07-01 05:41 . 2009-07-01 05:41 -------- d-----w- c:\program files\Common Files\Skype
2009-07-01 05:41 . 2009-07-01 05:40 -------- d-----r- c:\program files\Skype
2009-07-01 05:41 . 2009-07-01 05:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Skype
2009-06-30 20:41 . 2009-06-28 04:42 -------- d-----w- c:\documents and settings\babotz\Application Data\DNA
2009-06-30 07:32 . 2009-06-28 04:42 -------- d-----w- c:\program files\DNA
2009-06-30 06:09 . 2009-06-30 06:09 -------- d-----w- c:\documents and settings\babotz\Application Data\cerasus.media
2009-06-30 06:09 . 2009-06-30 06:09 -------- d-----w- c:\documents and settings\babotz\Application Data\cerasus
2009-06-28 21:01 . 2009-04-24 10:42 -------- d-----w- c:\program files\Jewel Quest
2009-06-28 05:20 . 2009-06-01 14:35 -------- d-----w- c:\program files\IObit
2009-06-28 04:42 . 2009-06-28 04:42 -------- d-----w- c:\program files\BitTorrent
2009-06-27 08:47 . 2009-06-27 08:47 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby
2009-06-27 08:47 . 2009-06-27 08:43 -------- d-----w- c:\documents and settings\babotz\Application Data\Digsby
2009-06-27 08:43 . 2009-06-27 08:43 -------- d-----w- c:\program files\Digsby
2009-06-27 08:26 . 2009-06-27 08:26 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Winferno
2009-06-27 05:12 . 2009-06-27 05:12 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-27 05:12 . 2009-06-27 05:12 -------- d-----w- c:\program files\Java
2009-06-26 22:15 . 2009-06-26 22:15 -------- d-----w- c:\program files\Chikka Messenger
2009-06-26 10:09 . 2009-05-25 13:43 -------- d-----w- c:\documents and settings\babotz\Application Data\IDM
2009-06-26 08:36 . 2009-04-28 17:26 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-26 08:26 . 2009-06-26 08:26 0 ----a-w- c:\windows\nsreg.dat
2009-06-25 10:10 . 2009-06-22 03:32 -------- d-----w- c:\program files\Common Files\SourceTec
2009-06-25 10:09 . 2009-06-25 10:09 -------- d-----w- c:\documents and settings\babotz\Application Data\MSNInstaller
2009-06-25 09:55 . 2009-04-25 02:57 -------- d-----w- c:\program files\Truffle Tray
2009-06-25 09:55 . 2009-04-09 11:47 -------- d-----w- c:\documents and settings\babotz\Application Data\My Battle for Middle-earth(tm) II Files
2009-06-25 01:39 . 2009-06-05 02:40 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-25 01:36 . 2009-06-25 01:36 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Nero
2009-06-24 14:56 . 2009-06-24 14:56 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\LightScribe
2009-06-24 14:47 . 2009-06-24 14:47 -------- d-----w- c:\program files\Common Files\LightScribe
2009-06-24 12:25 . 2009-06-24 12:25 -------- d-----w- c:\program files\BitDefender
2009-06-23 01:19 . 2009-06-23 01:19 -------- d-----w- c:\documents and settings\babotz\Application Data\Corel
2009-06-23 01:15 . 2009-06-23 01:15 -------- d-----w- c:\program files\Common Files\Corel
2009-06-23 01:15 . 2009-04-09 12:04 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-23 01:15 . 2009-06-23 01:15 -------- d-----w- c:\program files\Corel
2009-06-20 07:30 . 2009-06-20 07:30 -------- d-----w- c:\documents and settings\Kids\Application Data\Yahoo!
2009-06-18 08:38 . 2009-06-01 14:35 -------- d-----w- c:\documents and settings\babotz\Application Data\IObit
2009-06-18 08:36 . 2009-05-12 18:26 -------- d-----w- c:\program files\VirtualDJ
2009-06-16 15:12 . 2009-05-12 19:12 -------- d-----w- c:\program files\Oberon Media
2009-06-14 10:09 . 2009-06-14 10:09 -------- d-----w- c:\program files\TryMedia
2009-06-12 07:52 . 2009-06-12 07:52 -------- d-----w- c:\program files\Xinox Software
2009-06-12 07:52 . 2009-06-12 07:52 -------- d-----w- c:\program files\JavaSoft
2009-06-12 07:52 . 2009-04-09 12:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-12 07:07 . 2009-05-12 19:12 -------- d-----w- c:\program files\GamesBar
2009-05-25 13:27 . 2009-05-25 13:27 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
.

------- Sigcheck -------

[-] 2009-04-29 04:52 659456 9D6E5AEB8F237E03D5892951EB3D6A7E c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP2GDR\wininet.dll
[-] 2009-04-29 04:31 668160 9E36A148748C5DE4EA1F47B9B625F412 c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP2QFE\wininet.dll
[-] 2009-04-29 04:46 666624 6002073519FA478BF89977369CDFD156 c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP3GDR\wininet.dll
[-] 2009-04-29 04:21 668160 04BCB4F87B35502568F6CF33433543A5 c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP3QFE\wininet.dll
[-] 2006-10-15 15:39 698368 76E63E0D2EFE76EED958511CC724FE6B c:\windows\system32\wininet.dll
[-] 2006-10-15 15:39 698368 76E63E0D2EFE76EED958511CC724FE6B c:\windows\system32\dllcache\wininet.dll

[-] 2006-10-15 15:38 975360 42071C236B7E35271D40DB1D7C37D5BD c:\windows\explorer.exe
[-] 2006-10-15 15:38 975360 42071C236B7E35271D40DB1D7C37D5BD c:\windows\system32\dllcache\explorer.exe

[-] 2009-04-29 04:52 3060736 04AB92BFDDF275D50E3D42CDB4BF110E c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP2GDR\mshtml.dll
[-] 2009-04-29 02:01 3068928 7BB862F4CBB8361551C34674291BA5EC c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP2QFE\mshtml.dll
[-] 2009-04-29 04:46 3068928 ABD8093E43E53AEA5898D2214B92E9BA c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP3GDR\mshtml.dll
[-] 2009-04-29 04:21 3069440 06CF679E3D24C3DF270556456A0F1EDA c:\windows\SoftwareDistribution\Download\a9c8e0039 7fe4457a25305c397dc3358\SP3QFE\mshtml.dll
[-] 2006-10-15 15:38 3498496 E59EC27FCA1F9BB5700CAAE80CABA406 c:\windows\system32\mshtml.dll
[-] 2006-10-15 15:38 3498496 E59EC27FCA1F9BB5700CAAE80CABA406 c:\windows\system32\dllcache\mshtml.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-08-09_08.37.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 20:35 . 2009-08-10 20:35 16384 c:\windows\Temp\Perflib_Perfdata_620.dat
+ 2009-08-10 20:35 . 2009-08-10 20:35 16384 c:\windows\Temp\Perflib_Perfdata_1fc.dat
+ 2001-08-23 12:00 . 2009-08-09 16:40 73230 c:\windows\system32\perfc009.dat
- 2009-04-09 09:11 . 2009-08-09 08:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-09 09:11 . 2009-08-10 18:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-09 09:11 . 2009-08-10 18:27 16384 c:\windows\system32\config\systemprofile\Cookies\i ndex.dat
- 2009-04-09 09:11 . 2009-08-09 08:35 16384 c:\windows\system32\config\systemprofile\Cookies\i ndex.dat
+ 2009-08-10 09:27 . 2009-08-10 09:27 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-08-10 09:27 . 2009-08-10 09:27 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2009-08-09 08:33 . 2009-08-09 08:33 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-10 20:34 . 2009-08-10 20:34 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-09 08:33 . 2009-08-09 08:33 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-10 20:34 . 2009-08-10 20:34 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2001-08-23 12:00 . 2001-08-23 12:00 219392 c:\windows\system32\qdtvpzxr.dat
+ 2001-08-23 12:00 . 2009-08-09 16:40 446492 c:\windows\system32\perfh009.dat
+ 2001-08-23 12:00 . 2001-08-23 12:00 175360 c:\windows\system32\ocuhyhzb.dat
+ 2001-08-23 12:00 . 2001-08-23 12:00 103936 c:\windows\system32\mvrjzak.dll
+ 2001-08-23 12:00 . 2001-08-23 12:00 143872 c:\windows\system32\dualnllc.dll
+ 2009-08-10 20:34 . 2009-08-10 20:34 221184 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
- 2009-08-09 08:33 . 2009-08-09 08:33 221184 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-10 20:34 . 2009-08-10 20:34 249856 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-09 08:33 . 2009-08-09 08:33 249856 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-09 08:33 . 2009-08-09 08:33 249856 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-10 20:34 . 2009-08-10 20:34 249856 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2001-08-23 12:00 . 2001-08-23 12:00 8122112 c:\windows\system32\zyqhnwfg.dat
+ 2009-02-03 02:15 . 2009-08-10 00:55 3771296 c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2009-02-03 02:15 . 2009-02-03 02:15 3771296 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-04-09 16:50 . 2009-08-09 17:42 1558160 c:\windows\system32\FNTCACHE.DAT
+ 2009-08-10 09:27 . 2009-08-10 09:27 1516544 c:\windows\Installer\500e5.msi
+ 2009-08-10 20:34 . 2009-08-10 20:34 8036352 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 09:24 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"RocketDock"="c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [2007-03-18 630784]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-03 13672448]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp. exe" [2009-02-05 81000]
"Microsoft Driver Setup"="c:\windows\system32\drivers\ZrxMgr.exe" [2009-08-10 83456]

c:\documents and settings\babotz\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-19 630784]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 04:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^babotz^Start Menu^Programs^Startup^AutoClick.lnk]
path=c:\documents and settings\babotz\Start Menu\Programs\Startup\AutoClick.lnk
backup=c:\windows\pss\AutoClick.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^babotz^Start Menu^Programs^Startup^nero.bat.lnk]
path=c:\documents and settings\babotz\Start Menu\Programs\Startup\nero.bat.lnk
backup=c:\windows\pss\nero.bat.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^babotz^Start Menu^Programs^Startup^RocketDock.lnk]
path=c:\documents and settings\babotz\Start Menu\Programs\Startup\RocketDock.lnk
backup=c:\windows\pss\RocketDock.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run-]
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-]
"CorelDRAW Graphics Suite 11b"=c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=070809 serial=DR12WCP-4531862-WWB lang=EN
"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe
"SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Wak poh\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\System32\\26.scr"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/9/2009 8:02 PM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [12/10/2008 7:10 AM 24636]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswF sBlk.sys [8/9/2009 8:02 PM 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
S2 AntiVirUpgradeService;Avira Upgrade Service;"c:\docume~1\babotz\LOCALS~1\Temp\AVSETUP_ 49f73b50\basic\avupgsvc.exe" /TEMPSTART:""c:\docume~1\babotz\LOCALS~1\Temp\AVSET UP_49f73b50\basic\setup.exe" /NOTEMPCLEANUP /CROSSUPGRADE" --> c:\docume~1\babotz\LOCALS~1\Temp\AVSETUP_49f73b50\ basic\avupgsvc.exe [?]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys --> c:\windows\system32\DRIVERS\avfwim.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fmtrblkv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*Yahoo!
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\babotz\APPLIC~1\Mozilla\Firefox\Profil es\rqqr1q52.default\
FF - prefs.js: browser.search.defaulturl - hxxp://ph.search.yahoo.com/?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://ph.search.yahoo.com/?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

---- FIREFOX POLICIES ----





















pref(dom.disable_open_during_load, false);
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_sett ing", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter ", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-08-11 04:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2256)
c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
c:\windows\system32\shimgvw.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\msi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\xampp\FileZillaFTP\FileZilla server.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\xampp\mysql\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
.
************************************************** ************************
.
Completion time: 2009-08-10 4:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 20:41
ComboFix2.txt 2009-08-10 20:04
ComboFix3.txt 2009-08-10 19:23
ComboFix4.txt 2009-08-09 08:42
ComboFix5.txt 2009-08-10 20:29

Pre-Run: 36,585,562,112 bytes free
Post-Run: 36,550,848,512 bytes free

469
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #17 (permalink)  
Old 10-08-2009, 09:49 PM
Junior Member
New Recruit
  
Join Date: Mar 2009
Posts: 29
babotzkie Is a beginner here at D-A-L
Re: [Active] Please help..parasite on my pc
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:14 AM, on 8/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xampp\apache\bin\httpd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\xampp\FileZillaFTP\FileZilla server.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\xampp\apache\bin\httpd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\drivers\ZrxMgr.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Welcome to Facebook | Facebook
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingle Instance.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\system32\drivers\ZrxMgr.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\babotz\LOCALS~1\Temp\AVSETUP_49f73b50\ basic\avupgsvc.exe (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\httpd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\xampp\FileZillaFTP\FileZilla server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe (file missing)
O23 - Service: MySQL - Unknown owner - c:\xampp\mysql\bin\mysqld.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8623 bytes
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #18 (permalink)  
Old 10-08-2009, 10:02 PM
broni's Avatar
Senior Member
  
Join Date: Nov 2004
Posts: 3,146
broni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniture
Re: [Active] Please help..parasite on my pc
Very good

Uninstall Combofix:
Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u"
Restart computer.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.


NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


Post fresh HijackThis log as well.
__________________
My Home Page
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #19 (permalink)  
Old 10-08-2009, 10:05 PM
Junior Member
New Recruit
  
Join Date: Mar 2009
Posts: 29
babotzkie Is a beginner here at D-A-L
Re: [Active] Please help..parasite on my pc
Quote:
Originally Posted by babotzkie View Post
i forgot to post that, during scan, combofix said that i need to note this because combofix detects that rootkit didn't finish his task?

C:\WINDOWS\system32\Drivers\geyekrorjvpvvm.sys
C:\WINDOWS\system32\Drivers\geyekrybwruwqi.dll
C:\WINDOWS\system32\Drivers\geyekrpxjotehr.dat
C:\WINDOWS\system32\Drivers\geyekrrroypyko.dll
C:\WINDOWS\system32\Drivers\geyekryebaqpil.dat

but it seems that i didn't use it after i scan?.. what can i do for this item?
what are we going to do with this?

another question, can i remove bitdefender completely? i cant uninstall it..
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #20 (permalink)  
Old 10-08-2009, 10:15 PM
broni's Avatar
Senior Member
  
Join Date: Nov 2004
Posts: 3,146
broni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniturebroni is beginning to become part of the furniture
Re: [Active] Please help..parasite on my pc
Quote:
what are we going to do with this?
Those entries are long gone. Don't worry about it.

Quote:
can i remove bitdefender completely? i cant uninstall it
I've noticed. We'll take care of it.
For now, run Dr.Web.
__________________
My Home Page
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Reply
Page 2 of 5 1 2 345

« Previous Thread | Next Thread »

Thread Tools

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
[Active] help!! tracie Spyware, Adware, Viruses and HijackThis Logs 1 29-08-2009 09:17 PM
active-x problem Asoke Windows XP Help 2 13-08-2009 01:37 PM
Active X... norman Windows XP Help 1 07-05-2009 02:00 AM
active x shardan Windows XP Help 1 29-09-2006 12:41 AM
Help! stupid home search parasite!! fire_ryu Spyware, Adware, Viruses and HijackThis Logs 1 23-10-2004 11:02 PM


All times are GMT +1. The time now is 01:58 PM.
Member Login
Remember me ?
Forgot password?
Ads
Want to Advertise? Click Here
Help Categories
Desktop / Server Apps
Drivers
Firewalls and Networks
Games
General Internet Issues
Hardware
Linux
MAC OS
Modding / Overclocking
Search Engines
Spyware and Security
Web Development
Windows 2000
Windows 7
Windows 98
Windows ME
Windows Vista
Windows XP

Computer Repair Companies
Bottom Corner Bottom Nav