Urgent help needed, completely hijacked by anti malware dr.


Chum

Thread Starter
Joined
Nov 26, 2000
Messages
1,005
Removed System Restore and Task Manager, and Safe Mode will not load.

Had to get on my daughter's machine to even edit this post... the thing keeps preventing me on my machine.

Below is the HJT log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:37 PM, on 4/12/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\m6hhw2py7i.exe
C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\install.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chum Family\Application Data\26C02D090F760013493CEDE478DDE5E3\appreg70700.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\lsass.exe
C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\avp.exe
C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\avp32.exe
C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\win32.exe
C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\system.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: C:\WINDOWS\system32\xdt15tzv.dll - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\xdt15tzv.dll
O3 - Toolbar: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EVGAPrecision] "C:\Utillities\EVGA Precision\EVGAPrecision.exe" /s
O4 - HKLM\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\notepad.dll,[email protected]
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,[email protected]
O4 - HKCU\..\Run: [hf8wefhuaihf8ewfydiujhfdsfdf] C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\m6hhw2py7i.exe
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\install.exe
O4 - HKUS\S-1-5-19\..\Run: [wabiyohejo] Rundll32.exe "C:\WINDOWS\system32\kiyihapa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [wabiyohejo] Rundll32.exe "C:\WINDOWS\system32\kiyihapa.dll",s (User 'NETWORK SERVICE')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269659293062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1184214368265
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAD254C1-5B5D-4CDA-A79A-A28E12B65097}: NameServer = 93.188.164.96,93.188.166.144
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.96,93.188.166.144
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.164.96,93.188.166.144
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.96,93.188.166.144
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: hasiufhiusdfjdhfudd - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\xdt15tzv.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\Win32\RpcDataSrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7366 bytes
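Added example, not part of the thread and not anything HijackThis does itself: a small Python triage pass over an abridged subset of the log lines posted above, flagging the things a responder reads off such a log by eye. The heuristics (executables under Temp, a system-binary name like lsass.exe outside the Windows directory, Run entries under the S-1-5-19/S-1-5-20 service-account hives, very long or vowel-less names, one CLSID registered as both an O2 BHO and an O22 SharedTaskScheduler, DNS resolvers that are neither RFC 1918 nor an expected LAN address) and the expected-resolver set (192.168.1.1, the DHCP server that appears in the DDS event log later in the thread) are this example's own assumptions.

```python
"""Triage pass over HijackThis 2.0.2 log lines (added example, not part of the thread)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: an abridged subset of the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\m6hhw2py7i.exe
C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\lsass.exe
C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\avp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: C:\WINDOWS\system32\xdt15tzv.dll - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\xdt15tzv.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [hf8wefhuaihf8ewfydiujhfdsfdf] C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\m6hhw2py7i.exe
O4 - HKUS\S-1-5-19\..\Run: [wabiyohejo] Rundll32.exe "C:\WINDOWS\system32\kiyihapa.dll",s (User 'LOCAL SERVICE')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.96,93.188.166.144
O22 - SharedTaskScheduler: hasiufhiusdfjdhfudd - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\xdt15tzv.dll
"""

# Assumption for this example: the only legitimate resolver is the LAN router seen as DHCP server.
EXPECTED_RESOLVERS = {"192.168.1.1"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Names that belong in C:\WINDOWS or C:\WINDOWS\system32 and nowhere else.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}

TEMP_RE = re.compile(r"\\(temp|locals~1)\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", re.I)
O4_RE = re.compile(r"O4 - (?P<hive>.*?)\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)")
SERVICE_HIVE_RE = re.compile(r"HKUS\\S-1-5-(19|20)\\")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
DLL_RE = re.compile(r'[a-z]:\\[^\s"]+\.dll', re.I)
POLICY_RE = re.compile(r"Disable(Regedit|RegistryTools|TaskMgr)\s*=\s*1", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(name):
    """Crude heuristic for generated names: very long, or a 6+ character token with no vowels."""
    core = re.sub(r"[^A-Za-z0-9]", "", name)
    return len(core) >= 20 or (len(core) >= 6 and re.search(r"[aeiou]", core, re.I) is None)


def triage(log_text):
    """Return a list of (finding, evidence) pairs for one HijackThis log."""
    findings = []
    clsid_seen = defaultdict(set)   # CLSID -> set of HJT section types it appears in
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False        # a blank line ends the "Running processes" block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if TEMP_RE.search(line):
                findings.append(("process running from Temp", line))
            if basename(line) in SYSTEM_NAMES and not SYSTEM_DIR_RE.match(line):
                findings.append(("system binary name outside the Windows directory", line))
            continue
        kind = line.split(" - ", 1)[0]
        if kind == "O4":
            m = O4_RE.match(line)
            if not m:
                continue
            if TEMP_RE.search(m.group("cmd")):
                findings.append(("autostart pointing into Temp", line))
            if looks_random(m.group("name")):
                findings.append(("random-looking autostart value name", line))
            if SERVICE_HIVE_RE.search(line):
                findings.append(("autostart under a service-account hive", line))
        elif kind in ("O2", "O22"):
            clsid = CLSID_RE.search(line)
            dll = DLL_RE.search(line)
            if clsid:
                clsid_seen[clsid.group(0).upper()].add(kind)
            if dll and looks_random(basename(dll.group(0))[:-4]):
                findings.append((f"{kind} component with random-looking DLL name", line))
        elif kind == "O7" and POLICY_RE.search(line):
            findings.append(("policy disabling an admin tool", line))
        elif kind == "O17":
            for ip in re.findall(r"\d+\.\d+\.\d+\.\d+", line.split("NameServer", 1)[-1]):
                addr = ipaddress.ip_address(ip)
                if ip not in EXPECTED_RESOLVERS and not any(addr in net for net in PRIVATE_NETS):
                    findings.append(("DNS resolver outside the LAN", f"{ip}: {line}"))
    for clsid, kinds in clsid_seen.items():
        if len(kinds) > 1:
            findings.append(("same CLSID registered in several autostart locations",
                             f"{clsid}: {', '.join(sorted(kinds))}"))
    return findings


def summarize(findings):
    """Count findings per category (a Counter, so unknown categories read as 0)."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    for kind, evidence in triage(SAMPLE_LOG):
        print(f"[{kind}] {evidence}")
```

The Temp-path and service-account-hive checks are the high-confidence ones; the name heuristic is only there to rank, since a vowel-consonant name like the kiyihapa.dll entry slips past it, and the resolver check is only as good as the expected set you give it.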
 

Chum
Got it to stop running using Malwarebytes... Task Manager back... still have lost System Restore and regedit... so I am unsure if it is completely removed.
Another thing...
I tried to update Malwarebytes before running, as my version was about a month old, and the malware (I assume) prevented this.
 

Chum
...something is still terribly wrong... noticed the router blinking like crazy when no one was browsing... think this computer is pretty compromised... help if you can. I am leaving the modem turned off most of the time and will check for answers on my daughter's computer, and only use this one for things I have to download from this forum....

One other thing: cannot start in Safe Mode. It does not crash, it just keeps coming back to the choice screen and only boots into "Start Windows Normally"... it never did that before!
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Hi,

Please do the following:


Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).


NEXT


Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here: http://www.gmer.net/download.php to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
 

Chum
Thank you CatByte... I assume you want these separately, so here is the exeHelper log...

exeHelper by Raktor
Build 20100414
Run at 22:48:14 on 04/15/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Removing HKCR\secfile
Resetting filetype association for .com
Removing HKCR\secfile
Resetting userinit and shell values...
Resetting policies...
--Finished--

I will leave and do next
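An added example, not part of the thread and not exeHelper's own code: the check a practitioner would run after a tool like this, to confirm that the values it reports resetting (the .exe and .com file-type associations, the Winlogon Userinit and Shell values, and the policies that lock out regedit and Task Manager) really are back at their Windows XP defaults. The HIJACKED snapshot is constructed to model the state the log describes; the "secfile" command string and the Temp path inside it are illustrative assumptions, not values taken from the poster's machine. On Windows the script reads the live registry; elsewhere it audits the constructed snapshot.

```python
"""Audit of the registry values exeHelper reported resetting (added example, not the tool's code)."""
import sys

# Windows XP defaults for the values the tool reset (file-type associations, Winlogon).
EXPECTED = {
    (r"HKCR\.exe", ""): "exefile",
    (r"HKCR\exefile\shell\open\command", ""): '"%1" %*',
    (r"HKCR\.com", ""): "comfile",
    (r"HKCR\comfile\shell\open\command", ""): '"%1" %*',
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"):
        r"C:\WINDOWS\system32\userinit.exe,",
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
}
# Policies that lock the user out of regedit / Task Manager when set to 1 ("Resetting policies...").
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICIES = ("DisableRegistryTools", "DisableTaskMgr")

# Constructed snapshot of the hijacked state (illustrative; the secfile command is an assumption).
HIJACKED = dict(EXPECTED)
HIJACKED.update({
    (r"HKCR\.exe", ""): "secfile",
    (r"HKCR\.com", ""): "secfile",
    (r"HKCR\secfile\shell\open\command", ""):
        r'"C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\install.exe" /START "%1" %*',
    (POLICY_KEY, "DisableRegistryTools"): 1,
})
CLEAN = dict(EXPECTED)


def audit(snapshot):
    """snapshot maps (key, value_name) -> data; value_name "" is the key's default value.
    Returns [(key, value_name, expected, actual)] for every deviation found."""
    problems = []
    for (key, name), want in EXPECTED.items():
        got = snapshot.get((key, name))
        if got is None or str(got).strip().lower() != want.lower():
            problems.append((key, name, want, got))
    for name in POLICIES:
        got = snapshot.get((POLICY_KEY, name))
        if got not in (None, 0):
            problems.append((POLICY_KEY, name, "absent or 0", got))
    # Re-pointing .exe/.com back to exefile/comfile is not enough on its own: the foreign ProgID
    # ("secfile" in the log above) still carries the hijacker's command line, so report it too.
    seen = set()
    for ext, default in ((r"HKCR\.exe", "exefile"), (r"HKCR\.com", "comfile")):
        progid = snapshot.get((ext, ""))
        if progid and str(progid).lower() != default and progid not in seen:
            seen.add(progid)
            cmd_key = "HKCR\\" + str(progid) + r"\shell\open\command"
            problems.append((cmd_key, "", "(delete hijacked ProgID)", snapshot.get((cmd_key, ""))))
    return problems


def read_live():
    """Read the same values from the live registry; returns {} off Windows so the audit runs on a snapshot."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    roots = {"HKCR": winreg.HKEY_CLASSES_ROOT, "HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def get(key, name):
        root, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as handle:
                return winreg.QueryValueEx(handle, name)[0]
        except OSError:
            return None

    snap = {}
    for key, name in list(EXPECTED) + [(POLICY_KEY, n) for n in POLICIES]:
        snap[(key, name)] = get(key, name)
    for ext in (r"HKCR\.exe", r"HKCR\.com"):
        progid = snap.get((ext, ""))
        if progid:
            cmd_key = "HKCR\\" + str(progid) + r"\shell\open\command"
            snap[(cmd_key, "")] = get(cmd_key, "")
    return snap


if __name__ == "__main__":
    for key, name, want, got in audit(read_live() or HIJACKED):
        print(f"{key}\\{name or '(Default)'}: expected {want!r}, found {got!r}")
```

An empty result is the thing to look for after the tool has run; any line for a ProgID other than exefile/comfile means the association was re-pointed but the hijacker's own handler key is still present.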
 

Chum
Here is DDS:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/13/2007 12:06:38 PM
System Uptime: 4/15/2010 9:14:07 PM (1 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | 965P-DS3
Processor: Intel(R) Core(TM)2 CPU 6420 @ 2.13GHz | Socket 775 | 3008/376mhz
Processor: Intel(R) Core(TM)2 CPU 6420 @ 2.13GHz | Socket 775 | 3008/376mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 171.315 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

@BIOS B06.0721.01
3-D_Dancing_Skeleton_DemoESD Screen Saver
3D Canyon Flight Screensaver (remove only)
3DMark03
3DMark05
3DMark06
7-Zip 4.57
7 Wonders of the Ancient World
Acrobat.com
Act 3d Silex Screensaver
Ad-Aware SE Personal
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 9.3.1
Adobe Shockwave Player 11.5
AGEIA PhysX v2.6.0
AIDA32 v3.80
Alice's Magical Mahjong
Alice in Wonderland
Amazon MP3 Downloader 1.0.3
American McGee's Alice(tm)
Apple Software Update
AquaMark3
AT&T Self Support Tool
AT&T Yahoo! Applications
Awakening: The Dreamless Castle
Bejeweled
Bejeweled 2 Deluxe
Belarc Advisor 7.2
Big Fish Games Toolbar 2.0
Big Fish Games: Game Manager
Bink and Smacker
BioShock
Born Into Darkness
bubbles Screen Saver
BufferChm
Cafe Mahjongg (remove only)
CardRd81
Caribbean Mah Jong
CCScore
Chainz (remove only)
Chainz 2 Relinked (remove only)
Charm Tale 2
Chuzzle Deluxe (remove only)
Click'N Design 3D (V5)
Clive Barker's Undying(tm)
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
CR2
Creative Audio Console
Creative MediaSource
Creative System Information
Critical Update for Windows Media Player 11 (KB959772)
Cuckoo
CueTour
D4100
D4100_Help
DeviceManagementQFolder
Diskeeper Lite
Dominic Crane's Dreamscape Mystery
DriverCD
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EasyTune5
EAX Unified
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
eSupportQFolder
ETC B06.0828.01
EVEREST Home Edition v2.20
EVGA Precision 1.3.3
Fairies (remove only)
FastCrawl
FullDPAppQFolder
GameHack 2.0
Ghost Town Mysteries
Gigabyte Raid Configurer
Giza 3d
Google Earth
Google Updater
Groovy Hex Editor v 1.6
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
Half-Life(R) 2
Haunted Manor: Lord of Mirrors
HexEdit
HijackThis 2.0.2
HLPIndex
HLPPDOCK
HLPSFO
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB939209)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB979306)
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Print Diagnostic Utility
HP Solution Center 7.0
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
HPProductAssistant
ImgBurn
InstantShareDevices
InstantShareDevicesMFC
InterActual Player
IrfanView (remove only)
Java(TM) 6 Update 7
kiki the nanobot 1.0.2
Kodak EasyShare software
KSU
Lara Croft Tomb Raider: The Angel Of Darkness
lightning Screen Saver
Logitech Gaming Software
Luxor 2
Luxor 3
Luxor Mahjong (remove only)
Luxor Quest for the Afterlife
MadOnion.com/3DMark2001 SE
Magic Tale (remove only)
maguscrow3dsetup
Mah Jong Medley
Mah Jong Quest 3
Mahjong Fortuna 2 Deluxe
Mahjong Journey of Enlightenment
Mahjong Towers Eternity
Mahjongg Artifacts
MailWasher Free
MailWasher Pro
Malwarebytes' Anti-Malware
Managed DirectX (0900)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.01
Microsoft IntelliType Pro 6.01
Microsoft Plus! for Windows XP
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Monarch - The Butterfly King
Mozilla Firefox (3.0.1)
mrlinwp
MS Access 97 SP2
MSN Music Assistant
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
MyDefrag v4.2.9
Myst IV - Revelation
Myst Uru - The Path of the Shell
MYST® Jigsaw Puzzles
Mystery Case Files Return to Ravenhearst
Mystery Case Files&reg;: Dire Grove™
Natural Color
Nero 7 Essentials
nHancer
Notifier
NVIDIA Drivers
NVIDIA nTune
OfotoXMI
OTtBP
OTtBPSDK
PanoStandAlone
PCMark05
Penny Dreadfuls™ Sweeney Todd
PhotoGallery
Planet Saturn 3D Screensaver 1.0
Poker Superstars III
Portal
PowerDVD
Pro Pinball - The Web
Pro Pinball - Timeshock!
Pro Pinball : Big Race USA
Pro Pinball : Fantastic Journey
PSXMemTool 1.19b (remove only)
QuickTime
Rainbow Web (remove only)
RandMap
Return to Castle Wolfenstein
Rhiannon: Curse of the Four Branches
Riven
RMAA 6.2.1
Roxio Easy DVD Copy 2
Scenic- Haunted House Wallpaper
SeaStorm 3D Screensaver (remove only)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SFR
SHASTA
SimCity 3000 Unlimited
SimCity 4
SiSoftware Sandra Lite XI.SP1a (Win64/32/CE)
SkellerinasDemo Screen Saver
SKIN0001
SkinsHP1
SKINXSDK
SlideShow
Snow Queen Mahjong
SolutionCenter
Sonic_PrimoSDK
Sound Blaster Audigy 2 ZS
SpeedFan (remove only)
Status
Steam(TM)
Stone Jong
Super Mah Jong
SUPERAntiSpyware Free Edition
Superscape Viscape Universal
System Requirements Lab
System Shock2
Test Drive 6
Test Drive Unlimited
The Lost Crown version 2
Thermal Analysis Tool
Tomb Raider:
Tomb Raider: Anniversary 1.0
Toolbox
Totally MAD
TRAOD Startup Configuration Utility
TrayApp
Tweak UI
Unload
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Vampireville
VPRINTOL
Walmart MP3 Music Downloads
Wave 2 Mp3 1.1
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Mobile® Device Handbook
Windows Search 4.0
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WIRELESS

==== Event Viewer Messages From Past Week ========

4/9/2010 9:13:44 PM, error: Service Control Manager [7001] - The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
4/9/2010 9:13:44 PM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
4/9/2010 5:43:07 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/8/2010 1:32:48 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
4/8/2010 1:29:12 PM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
4/15/2010 9:13:04 PM, error: Service Control Manager [7000] - The PfModNT service failed to start due to the following error: The system cannot find the file specified.
4/14/2010 6:31:12 PM, error: Service Control Manager [7034] - The CAISafe service terminated unexpectedly. It has done this 1 time(s).
4/14/2010 6:30:38 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
4/13/2010 7:01:22 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
4/13/2010 6:50:20 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
4/12/2010 11:38:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: JRAID
4/12/2010 11:36:44 PM, error: PlugPlayManager [11] - The device Root\LEGACY_CODNDB\0000 disappeared from the system without first being prepared for removal.
4/12/2010 10:27:04 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 001A4D64FB08 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/12/2010 10:19:23 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
4/12/2010 10:19:23 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
4/12/2010 10:18:57 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001A4D64FB08 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/12/2010 10:08:01 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.
4/12/2010 10:07:04 PM, error: Service Control Manager [7000] - The 6to4 service failed to start due to the following error: All pipe instances are busy.

==== End Of File ===========================
 

CatByte
Do you have the DDS log (that is the Attach.txt you have posted) and did you have success running the GMER scan?
 

Chum
Having trouble... when I include a large txt file and click Submit Reply, it says "page cannot be displayed".
 

Chum
Had to mail these reports to my daughter.


While running GMER the browser opened by itself to a page that said "you are a winner". I quickly yanked the network cable and GMER slowed to a crawl, so I let it run and went to bed. It was still running when I got up, so I stopped it where it was. The computer was stuck at 100% CPU usage so I was forced to reboot. Here are the DDS txt and GMER txt... I will re-run GMER if you wish.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Chum Family at 22:55:07.89 on Thu 04/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1603 [GMT -5:00]

AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\nHancer\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
"C:\WINDOWS\System32\svchost.exe"
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chum Family\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = 127.0.0.1
TB: Big Fish Games Toolbar: {c7c9fc25-88b0-4682-9c9f-2608e9117647} - c:\program files\bfgbar\bfg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\chumfa~1\locals~1\temp\cmd.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CtxfiReg] CTXFIREG.exe /FAIL1
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269659293062
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184214368265
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15112/CTPID.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chumfa~1\applic~1\mozilla\firefox\profiles\crmim0ui.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\google\google updater\2.2.1273.1045\npCIDetect12.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 66632]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2007-6-16 21031]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2007-6-16 15478]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2007-6-16 879832]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2007-6-16 15735]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2007-6-16 26787]
R2 VETMSGNT;VET Message Service;c:\program files\yahoo!\antivirus\VetMsg.exe [2007-6-16 201840]
R3 CAISafe;CAISafe;c:\program files\yahoo!\antivirus\iSafe.exe [2007-6-16 259184]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2007-6-16 108360]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2007-5-17 16512]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2010-04-16 02:13:39 31056 ----a-w- c:\windows\system32\BMXStateBkp-{00000005-00000000-00000002-00001102-00000004-20021102}.rfx
2010-04-16 02:13:39 31056 ----a-w- c:\windows\system32\BMXState-{00000005-00000000-00000002-00001102-00000004-20021102}.rfx
2010-04-16 02:13:39 30528 ----a-w- c:\windows\system32\BMXCtrlState-{00000005-00000000-00000002-00001102-00000004-20021102}.rfx
2010-04-16 02:13:39 30528 ----a-w- c:\windows\system32\BMXBkpCtrlState-{00000005-00000000-00000002-00001102-00000004-20021102}.rfx
2010-04-16 02:13:39 11564 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000004-20021102}.rfx
2010-04-16 02:13:39 1080 ----a-w- c:\windows\system32\settingsbkup.sfm
2010-04-16 02:13:39 1080 ----a-w- c:\windows\system32\settings.sfm
2010-04-16 02:13:19 4958588 ----a-w- c:\windows\{00000005-00000000-00000002-00001102-00000004-20021102}.BAK
2010-04-16 02:12:39 4958588 ----a-w- c:\windows\{00000005-00000000-00000002-00001102-00000004-20021102}.CDF
2010-04-16 02:11:51 86446 ----a-w- c:\windows\system32\instwdm.ini
2010-04-16 02:11:50 10240 ----a-w- c:\windows\CTDCRES.DLL
2010-04-15 23:51:54 0 d-----w- c:\program files\Haunted Manor - Lord of Mirrors
2010-04-14 00:00:07 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-13 03:08:00 823808 ----a-w- c:\windows\system32\drivers\chwplo.sys
2010-04-13 03:07:40 1181 ----a-w- c:\docume~1\alluse~1\applic~1\pragmamfeklnmal.dll
2010-04-13 03:06:57 0 d-----w- C:\spoolerlogs
2010-04-13 03:06:40 0 d-----w- c:\docume~1\chumfa~1\applic~1\26C02D090F760013493CEDE478DDE5E3
2010-04-13 03:05:58 172544 ----a-w- c:\windows\Ajejea.exe
2010-04-12 11:51:12 0 d-----w- c:\docume~1\chumfa~1\applic~1\Top Evidence
2010-04-12 11:51:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Top Evidence
2010-04-12 02:21:33 30544 ----a-w- c:\windows\dirdib.drv
2010-04-12 02:21:33 30464 ----a-w- c:\windows\macromix.dll
2010-04-11 03:38:15 0 d-----w- C:\SHOCK 2
2010-04-09 11:35:02 0 d-----w- C:\ProgramData
2010-04-09 11:06:24 0 d-----w- c:\program files\Dominic Cranes Dreamscape Mystery
2010-04-06 04:19:45 188814 ----a-w- c:\windows\system32\nvapps.xml
2010-04-06 04:19:44 453152 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-06 04:19:44 18477 ----a-w- c:\windows\system32\nvdisp.nvu
2010-04-06 04:19:44 0 d-----w- c:\windows\nview
2010-04-06 04:19:26 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-06 04:08:16 0 d-----w- c:\program files\nHancer
2010-04-03 16:50:57 74 ----a-w- c:\windows\hdkctnts.ini
2010-03-29 01:39:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Amazon
2010-03-27 05:09:18 0 d-----w- c:\windows\system32\XPSViewer
2010-03-27 05:08:23 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-27 05:08:23 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-27 05:08:23 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-27 05:08:23 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-27 05:08:23 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-27 05:08:23 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-27 05:08:23 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-27 05:08:22 0 d-----w- C:\606d8ea6c5f19ac031
2010-03-27 05:08:07 0 d-----w- c:\windows\SxsCaPendDel
2010-03-27 04:37:27 0 d-----w- c:\windows\ie8updates
2010-03-27 04:29:29 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-03-27 04:29:21 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-27 04:29:21 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-27 04:29:20 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-27 04:29:20 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-03-27 04:29:20 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-27 04:29:19 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-03-27 04:01:01 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-27 03:49:43 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-03-27 03:30:07 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-03-27 03:10:16 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-03-27 02:54:15 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-19 13:06:49 0 d-----w- c:\docume~1\chumfa~1\applic~1\DarkParablesBriarRose_BFG
2010-03-19 12:14:33 0 d-----w- c:\docume~1\chumfa~1\applic~1\Merscom
2010-03-19 12:14:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Merscom
2010-03-19 10:54:52 0 d-----w- c:\program files\Alice in Wonderland
2010-03-18 20:41:46 0 d-----w- c:\docume~1\chumfa~1\applic~1\Nevosoft
2010-03-18 11:01:44 0 d-----w- c:\program files\Vampireville

==================== Find3M ====================

2010-04-16 02:12:21 86016 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-16 02:12:21 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-06 16:28:34 1030144 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.exe
2010-03-04 17:58:50 1184984 ----a-r- c:\windows\system32\wvc1dmod.dll
2010-02-17 15:48:10 432640 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.scr
2010-01-22 09:50:59 2283526 ----a-w- c:\windows\system32\nvdata.bin
2007-11-03 13:31:47 774144 ----a-w- c:\program files\RngInterstitial.dll
1998-08-24 17:09:10 10000 ----a-w- c:\windows\inf\unregpn.exe

============= FINISH: 22:56:04.43 ===============




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-16 05:28:06
Windows 5.1.2600 Service Pack 2
Running: zw7c5lli.exe; Driver: C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\kxtdqpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

? chwplo.sys A device attached to the system is not functioning. !
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xBAE82394]
PAGE Ntfs.sys BADB5C55 4 Bytes CALL 8AB81241
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xAEF7E360, 0x32E00D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007C000A
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007D000A
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007B000C
.text C:\WINDOWS\System32\svchost.exe[976] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00C1000A
.text C:\WINDOWS\System32\svchost.exe[976] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF000A
.text C:\WINDOWS\Explorer.EXE[1432] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1432] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
? C:\WINDOWS\System32\svchost.exe[3328] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AB14D58

AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8AA41AC8

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] chwplo <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 0
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 0
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Boot Bus Extender

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
 

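Editor's added example (not part of either post above, and not a tool anyone in the thread used): the two logs Chum pasted carry the whole diagnosis in a handful of line shapes, so a small parser can pull the indicators out of any DDS or GMER text. It looks for the lockout policies a rogue "antivirus" sets (`DisableRegistryTools`, `NoFolderOptions`, `EnableLUA = 0`), autorun entries that launch from a Temp directory, GMER's hidden-service and `suspicious modification` lines, and the 5-byte `JMP` inline hooks in user-mode processes, then groups the hooks per process. The regexes assume the DDS "Pseudo HJT Report" and GMER 1.0.15 line formats seen above (other versions may differ); the sample input is constructed from lines of those logs, and the `DisableTaskMgr` entry in the policy table is an assumption added for completeness, since it does not appear in the posted log.

```python
"""Triage helper for DDS and GMER text logs (added example, not from the thread).

Assumes the DDS "Pseudo HJT Report" and GMER 1.0.15 line formats pasted above;
the sample text at the bottom is constructed from lines of those logs.
"""
import re

# Policy values a rogue "antivirus" sets to lock the user out of the system.
# DisableTaskMgr is an assumption added here; it is not in the posted log.
LOCKOUT_POLICIES = {"NoFolderOptions": "1", "DisableRegistryTools": "1",
                    "DisableTaskMgr": "1", "EnableLUA": "0"}

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[um]Policies-\w+: (?P<name>\w+) = (?P<val>\S+)")
TEMP_PATH_RE = re.compile(r"\\locals~1\\temp\\|\\local settings\\temp\\", re.I)
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+)\[(?P<pid>\d+)\]\s+(?P<mod>\S+)!(?P<func>\S+)\s+"
    r"[0-9A-Fa-f]+\s+(?P<n>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)")
HIDDEN_SVC_RE = re.compile(
    r"^Service \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
SUSP_FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")


def triage_dds(text):
    """Lockout policies and autorun entries launched from a Temp directory."""
    out = {"lockouts": [], "temp_autoruns": []}
    for line in (ln.strip() for ln in text.splitlines()):
        m = POLICY_RE.match(line)
        if m and LOCKOUT_POLICIES.get(m["name"]) == m["val"]:
            out["lockouts"].append((m["name"], m["val"]))
            continue
        m = RUN_RE.match(line)
        if m and TEMP_PATH_RE.search(m["cmd"]):
            out["temp_autoruns"].append((m["name"], m["cmd"]))
    return out


def triage_gmer(text):
    """Hidden services, user-mode inline JMP hooks and files GMER flagged."""
    out = {"hidden_services": [], "inline_hooks": [], "suspicious_files": []}
    for line in (ln.strip() for ln in text.splitlines()):
        m = HIDDEN_SVC_RE.match(line)
        if m:
            out["hidden_services"].append((m["start"], m["name"]))
            continue
        m = HOOK_RE.match(line)
        if m:
            # A 5-byte JMP written over the function entry is an inline
            # trampoline; the target is where the hook body lives.
            out["inline_hooks"].append({
                "process": "%s[%s]" % (m["proc"].split("\\")[-1], m["pid"]),
                "function": "%s!%s" % (m["mod"], m["func"]),
                "patched_bytes": int(m["n"]),
                "target": int(m["target"], 16)})
            continue
        m = SUSP_FILE_RE.match(line)
        if m:
            out["suspicious_files"].append(m["path"])
    return out


def hooks_by_process(hooks):
    """Group hooked functions per process so the injection pattern stands out."""
    grouped = {}
    for h in hooks:
        grouped.setdefault(h["process"], []).append(h["function"])
    return {p: sorted(f) for p, f in grouped.items()}


def findings(dds_text, gmer_text):
    """Plain-text reasons to treat the machine as rootkitted, in log order."""
    d, g = triage_dds(dds_text), triage_gmer(gmer_text)
    reasons = ["lockout policy %s=%s" % kv for kv in d["lockouts"]]
    reasons += ["autorun from Temp: [%s] %s" % kv for kv in d["temp_autoruns"]]
    reasons += ["hidden %s-start service: %s" % (s.lower(), n)
                for s, n in g["hidden_services"]]
    reasons += ["%d inline hooks in %s" % (len(f), p)
                for p, f in hooks_by_process(g["inline_hooks"]).items()]
    reasons += ["modified system file: %s" % p for p in g["suspicious_files"]]
    return reasons


# Constructed sample input, built from lines of the DDS and GMER logs above.
DDS_SAMPLE = r"""
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\chumfa~1\locals~1\temp\cmd.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
"""
GMER_SAMPLE = r"""
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007C000A
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007D000A
.text C:\WINDOWS\Explorer.EXE[1432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF000A
Service (*** hidden *** ) [BOOT] chwplo <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

if __name__ == "__main__":
    for reason in findings(DDS_SAMPLE, GMER_SAMPLE):
        print(reason)
```

Run stand-alone it prints eight findings for the sample, including the hidden boot-start `chwplo` service and the paired `NtProtectVirtualMemory` / `NtWriteVirtualMemory` hooks in `svchost.exe[976]`. It is a triage aid over text the infected machine itself produced, so it can only be as honest as the tools that wrote the logs; GMER's own rootkit verdict and the `atapi.sys` modification are what justify the next step, not the parser.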
CatByte (Malware Specialist; joined Feb 24, 2009; 3,930 messages)
Hi

Please do the following:


Download Combofix from either of the links below. You must rename it to combo.com before saving it.
Save it to your desktop. Change the "Save as type" to "All Files".

**Note: In the event you already have Combofix, delete it; this is a new version that I need you to download. It is important that it is saved directly to your desktop and renamed as described above.**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------
  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------



  • Double click on the renamed ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------
 

Chum (Thread Starter; joined Nov 26, 2000; 1,005 messages)

Here you go.

ComboFix 10-04-15.05 - Chum Family 04/16/2010 19:38:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1508 [GMT -5:00]
Running from: c:\documents and settings\Chum Family\Desktop\combo.com
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
PEV Error: AppFile
PEV Error: AppFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chum Family\Application Data\26C02D090F760013493CEDE478DDE5E3
c:\documents and settings\Chum Family\Application Data\26C02D090F760013493CEDE478DDE5E3\appreg70700.exe
c:\documents and settings\Chum Family\Application Data\26C02D090F760013493CEDE478DDE5E3\enemies-names.txt
c:\documents and settings\Chum Family\Start Menu\Programs\Antimalware Doctor
c:\documents and settings\Chum Family\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\documents and settings\Chum Family\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\windows\system32\BReWErS.dll
c:\windows\system32\drivers\chwplo.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SHELLLNK.TLB
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\Tasks\welxswtd.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_chwplo
-------\Service_chwplo


((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
.

2010-04-16 02:11 . 2006-08-11 19:55 10240 ----a-w- c:\windows\CTDCRES.DLL
2010-04-15 23:51 . 2010-04-15 23:52 -------- d-----w- c:\program files\Haunted Manor - Lord of Mirrors
2010-04-14 21:15 . 2010-04-14 21:15 47664 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-14 00:00 . 2010-04-14 00:00 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-13 10:18 . 2010-04-15 01:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-13 03:06 . 2010-04-13 03:06 -------- d-----w- C:\spoolerlogs
2010-04-13 03:05 . 2010-04-13 03:05 172544 ----a-w- c:\windows\Ajejea.exe
2010-04-12 11:51 . 2010-04-12 11:51 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Top Evidence
2010-04-12 11:51 . 2010-04-12 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Top Evidence
2010-04-12 02:21 . 2010-04-12 02:21 30544 ----a-w- c:\windows\dirdib.drv
2010-04-12 02:21 . 2010-04-12 02:21 30464 ----a-w- c:\windows\macromix.dll
2010-04-11 03:38 . 2010-04-16 03:41 -------- d-----w- C:\SHOCK 2
2010-04-09 11:35 . 2010-04-09 11:35 -------- d-----w- C:\ProgramData
2010-04-09 11:06 . 2010-04-09 11:06 -------- d-----w- c:\program files\Dominic Cranes Dreamscape Mystery
2010-04-06 04:19 . 2010-04-06 04:19 -------- d-----w- c:\windows\nview
2010-04-06 04:19 . 2008-10-07 18:33 453152 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-06 04:19 . 2008-10-02 15:07 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-06 04:08 . 2010-04-06 04:08 -------- d-----w- c:\program files\nHancer
2010-04-03 17:18 . 2010-04-03 17:18 -------- d-----w- c:\documents and settings\Chum Family\Application Data\MSN6
2010-04-03 17:18 . 2010-04-03 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2010-03-29 01:41 . 2010-03-29 01:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IsolatedStorage
2010-03-29 01:39 . 2010-04-01 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Amazon
2010-03-27 05:09 . 2010-03-27 05:09 114024 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\windows\system32\XPSViewer
2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\program files\MSBuild
2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\program files\Reference Assemblies
2010-03-27 05:08 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-03-27 05:08 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-27 05:08 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-27 05:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-27 05:08 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-27 05:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-27 05:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-27 05:08 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-27 05:08 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-27 05:08 . 2010-03-27 05:08 -------- d-----w- C:\606d8ea6c5f19ac031
2010-03-27 05:08 . 2010-03-27 05:14 -------- d-----w- c:\windows\SxsCaPendDel
2010-03-27 04:53 . 2010-03-27 04:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-27 04:37 . 2010-03-27 04:37 -------- d-----w- c:\windows\ie8updates
2010-03-27 04:29 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-03-27 04:29 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-27 04:29 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-27 04:29 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-27 04:29 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-27 04:29 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-03-27 04:29 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-03-27 04:01 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-27 03:49 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-03-27 03:30 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-03-27 02:54 . 2010-03-27 02:54 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-19 13:06 . 2010-03-19 13:08 -------- d-----w- c:\documents and settings\Chum Family\Application Data\DarkParablesBriarRose_BFG
2010-03-19 12:14 . 2010-03-19 12:14 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Merscom
2010-03-19 12:14 . 2010-03-19 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2010-03-19 10:54 . 2010-03-19 10:55 -------- d-----w- c:\program files\Alice in Wonderland
2010-03-18 20:41 . 2010-03-18 20:41 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Nevosoft
2010-03-18 11:01 . 2010-03-18 11:02 -------- d-----w- c:\program files\Vampireville

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 00:19 . 2007-05-27 23:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 23:23 . 2007-06-17 05:55 -------- d-----w- c:\documents and settings\Chum Family\Application Data\MailWasherPro
2010-04-16 16:04 . 2010-02-21 17:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-16 02:12 . 2007-05-20 01:56 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-16 02:12 . 2007-05-13 17:47 86016 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-16 02:12 . 2007-05-13 17:49 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Creative
2010-04-16 02:09 . 2007-05-13 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-13 11:49 . 2008-03-15 00:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-13 04:41 . 2008-08-04 04:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 04:41 . 2008-09-21 01:13 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-13 03:07 . 2010-04-13 03:07 1181 ----a-w- c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
2010-04-13 03:07 . 2010-04-13 03:07 1181 ----a-w- c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
2010-04-06 04:54 . 2007-06-26 01:24 -------- d-----w- c:\program files\SpeedFan
2010-04-06 04:23 . 2008-10-03 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\nHancer
2010-04-06 03:58 . 2007-09-20 23:50 -------- d-----w- c:\documents and settings\Chum Family\Application Data\nHancer
2010-04-04 20:38 . 2007-06-18 22:37 -------- d-----w- c:\program files\MSN Games
2010-04-03 17:44 . 2007-12-09 04:02 -------- d-----w- c:\program files\Click'N Design 3D (V5)
2010-04-03 17:05 . 2007-12-19 14:39 -------- d-----w- c:\program files\The Great Tree
2010-04-03 17:05 . 2007-09-01 22:50 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-30 05:46 . 2008-08-04 04:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2008-08-04 04:31 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 01:38 . 2008-03-16 23:57 -------- d-----w- c:\program files\Amazon
2010-03-29 01:34 . 2007-05-13 17:17 47664 ----a-w- c:\documents and settings\Chum Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-27 05:14 . 2008-08-07 02:44 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-27 04:14 . 2008-08-07 02:45 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-18 10:23 . 2007-05-13 16:12 -------- d-----w- c:\program files\bfgclient
2010-03-18 10:22 . 2010-03-18 10:21 3085800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
2010-03-18 10:21 . 2007-05-27 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-03-08 01:20 . 2008-12-24 13:00 -------- d-----w- c:\program files\Oberon Media
2010-03-06 16:28 . 2010-03-14 23:18 1030144 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.exe
2010-03-05 01:00 . 2010-03-05 01:00 -------- d-----w- c:\documents and settings\Chum Family\Application Data\GTM_Bodie
2010-03-04 17:58 . 2010-03-04 17:58 1184984 ----a-r- c:\windows\system32\wvc1dmod.dll
2010-02-24 21:45 . 2010-02-24 21:45 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Boomzap
2010-02-24 12:42 . 2010-02-24 12:41 -------- d-----w- c:\program files\Awakening - The Dreamless Castle
2010-02-23 04:22 . 2010-02-23 04:20 -------- d-----w- c:\program files\Rhiannon - Curse of the Four Branches
2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\documents and settings\Chum Family\Application Data\BigFishGames
2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\documents and settings\Chum Family\Application Data\BfgBar
2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\program files\BfgBar
2010-02-19 05:06 . 2010-02-19 05:05 -------- d-----w- c:\program files\Penny Dreadfuls Sweeney Todd
2010-02-19 03:14 . 2010-02-19 03:14 -------- d-----w- c:\program files\IrfanView
2010-02-17 15:48 . 2010-03-14 23:18 432640 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.scr
2010-02-16 05:04 . 2007-09-04 01:38 -------- d-----w- c:\program files\NVIDIA Corporation
2010-02-16 03:56 . 2010-02-15 03:00 -------- d-----w- c:\program files\Nightfall Mysteries - Curse of the Opera(2)
2010-02-16 03:56 . 2008-08-07 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-16 03:26 . 2010-02-16 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\vampireville_s1_l1_gF5524T1L1_d827659757.exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\love-and-death-bitten_s1_l1_gF5578T1L1_d859589501.exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\haunted-manor-lord-of-mirrors_s1_l1_gF5597T1L1_d860232223.exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\haunted-manor-lord-of-mirrors_s1_l1_gF5597T1L1_d856562713.exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dominic-cranes-dreamscape-mystery_s1_l1_gF5610T1L1_d853117596[1].exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dark-parables-curse-briar-rose-collectors_s1_l1_gF5523T1L1_d828746418[1].exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\alice-in-wonderland_s1_l1_gF5535T1L1_d828725970[1].exe
2010-02-03 21:19 . 2010-02-03 21:19 3028800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
2010-01-22 09:50 . 2010-02-16 03:24 2283526 ----a-w- c:\windows\system32\nvdata.bin
2007-11-03 13:31 . 2007-11-03 13:33 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-03-01 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-09 19:11 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk
backup=c:\windows\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chum Family^Start Menu^Programs^StartUp^..]
path=c:\documents and settings\Chum Family\Start Menu\Programs\StartUp\..
backup=c:\windows\pss\..Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chum Family^Start Menu^Programs^StartUp^Antimalware Doctor.lnk]
path=c:\documents and settings\Chum Family\Start Menu\Programs\StartUp\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2006-08-11 19:45 74752 ----a-w- c:\windows\system32\CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-08-22 13:52 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
2007-06-16 13:13 230512 ----a-w- c:\program files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
2007-06-16 13:13 185456 ----a-w- c:\program files\Yahoo!\Antivirus\CAVRid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-08-11 19:56 17920 ----a-w- c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-08-11 19:56 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
2006-08-11 19:53 42496 ----a-w- c:\windows\system32\CTXFIREG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
2007-06-17 02:18 207680 ----a-w- c:\program files\GIGABYTE\ET5\GUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVGAPrecision]
2008-10-27 16:28 240656 ----a-w- c:\utillities\EVGA Precision\EVGAPrecision.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
2006-07-12 22:58 356352 ----a-w- c:\windows\system32\JMRaidTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-07-07 23:14 576320 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-08-24 12:51 442455 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 20:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nHancer]
2009-01-27 00:37 1295872 ----a-w- c:\program files\nHancer\nHancer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-10-07 18:33 13574144 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-03 17:32 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-10-07 18:33 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-10-07 18:33 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 15:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
2003-06-12 14:47 135168 ----a-w- c:\program files\Creative\MediaSource\RemoteControl\RcMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 22:35 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
2002-11-13 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
2002-12-03 23:06 45056 ----a-w- c:\program files\Creative\SB Drive Det\SBDrvDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 09:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-04-13 11:49 2010864 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
2006-07-21 15:43 407032 ----a-w- c:\progra~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ALG"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Games\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"c:\\Games\\Sshock2\\SHOCK2.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 66632]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [5/17/2007 10:50 PM 16512]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Chum Family\Application Data\Mozilla\Firefox\Profiles\crmim0ui.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Google\Google Updater\2.2.1273.1045\npCIDetect12.dll
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-54639c77 - c:\windows\system32\kamujibi.dll
MSConfigStartUp-appreg70700 - c:\documents and settings\Chum Family\Application Data\26C02D090F760013493CEDE478DDE5E3\appreg70700.exe
MSConfigStartUp-CPM5750afeb - c:\windows\system32\wepanibe.dll
MSConfigStartUp-CreateCD50 - c:\progra~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
MSConfigStartUp-davclnt - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\davclnt.exe
MSConfigStartUp-ewrgetuj - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\geurge.exe
MSConfigStartUp-hf8wefhuaihf8ewfydiujhfdsfdf - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\m6hhw2py7i.exe
MSConfigStartUp-hsf87efjhdsf87f3jfsdi7fhsujfd - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\cmd.exe
MSConfigStartUp-net - c:\windows\system32\net.net
MSConfigStartUp-RelevantKnowledge - c:\program files\RelevantKnowledge\rlvknlg.exe
MSConfigStartUp-SMrhcndej0e77a - c:\program files\rhcndej0e77a\rhcndej0e77a.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-wabiyohejo - c:\windows\system32\kiyihapa.dll
MSConfigStartUp-YVIBBBHA8C - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\Aqg.exe
AddRemove-am-bornintodarkness - c:\program files\RealArcade\Installer\bin\gameinstaller.exe
AddRemove-EVEREST Home Edition_is1 - c:\utilites\EVEREST Home Edition\unins000.exe
AddRemove-FastCrawl_is1 - c:\program files\FastCrawl\ReflexiveArcade\unins000.exe
AddRemove-MailWasher Pro_is1 - c:\program files\FireTrust\MailWasher Pro\unins000.exe
AddRemove-Quest3DGiza 3d - c:\documents and settings\Chum Family\Desktop\Q3DUnInst.exe
AddRemove-SShockDeinstallKey - c:\games\New Sshock2\SShocku.log
AddRemove-Viscape Universal - c:\program files\Superscape\Viscape Universal\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 19:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA27AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf764bfc3
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xbae727b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
ParseProcedure -> ntoskrnl.exe @ 0x8057c745
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
ParseProcedure -> ntoskrnl.exe @ 0x8057c745
NDIS: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xbad78ba0
PacketIndicateHandler -> NDIS.sys @ 0xbad85b21
SendHandler -> NDIS.sys @ 0xbad6387b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-1364589140-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-436374069-1364589140-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:76,51,6d,86,88,ff,4a,09,a1,23,35,70,c5,b3,27,43,fb,62,e6,4d,6e,8b,ce,
b0,9c,d8,38,1d,7b,59,5b,f7,7c,10,c4,4b,26,74,2c,df,d1,ca,a7,df,39,a1,ec,ef,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=" wbpqvz.dll "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(656)
c:\windows\system32\WININET.dll
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(3640)
c:\windows\system32\WININET.dll
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\CTsvcCDA.exe
c:\program files\nHancer\nHancerService.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\System32\locator.exe
.
**************************************************************************
.
Completion time: 2010-04-16 19:59:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-17 00:59

Pre-Run: 183,880,577,024 bytes free
Post-Run: 185,497,059,328 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - D6BC7F63D46EDBD8DDD287F9E6C99E86
 

CatByte

Malware Specialist
Joined
Feb 24, 2009
Messages
3,930
Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:

Collect::
c:\windows\Ajejea.exe
c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\Windows\system32\wbpqvz.dll 

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=-

TDL::
C:\WINDOWS\system32\drivers\atapi.sys
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



NEXT


Please delete the copy of GMER that you have on your desktop, then download a fresh copy and re-run GMER.

Just check the boxes beside "sections" and the C:\ drive, and post the resulting log.
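To see why the CFScript above goes after the Appinit_Dlls value, and why a helper reads the Security Center, firewall policy and MSConfig startup entries of a ComboFix log first, here is a small triage script that scans ComboFix-style registry output for those weakened-defence indicators. It is an added example for this thread, not part of ComboFix or of either poster's own text; the sample text inside it is constructed from entries shown in the logs above.

```python
"""Triage helper for ComboFix-style registry and autostart listings.

Added example (not ComboFix's own code). It walks the REGEDIT4-style sections
ComboFix prints and reports the entries a malware helper acts on:
Security Center overrides, a disabled Windows Firewall, a non-empty
AppInit_DLLs value, and MSConfig startup entries launched from a Temp folder.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on lines from the logs in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=" wbpqvz.dll "

MSConfigStartUp-hf8wefhuaihf8ewfydiujhfdsfdf - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\m6hhw2py7i.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
"""


@dataclass(frozen=True)
class Finding:
    category: str  # short tag such as "appinit-dll"
    detail: str    # the value or path taken from the log line


SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
MSCONFIG_RE = re.compile(r"^MSConfigStartUp-(?P<name>\S+)\s+-\s+(?P<path>.+)$")
# Matches both the 8.3 form (LOCALS~1\Temp) and the long form of the user Temp dir.
TEMP_DIR_RE = re.compile(r"\\(locals~1|local settings)\\temp\\", re.IGNORECASE)


def _as_int(value: str) -> Optional[int]:
    """Read the numeric part of 'dword:00000001' or of ComboFix's '1 (0x1)' style."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16)
    m = re.match(r"^(\d+)", v)
    return int(m.group(1)) if m else None


def triage(log_text: str) -> List[Finding]:
    """Return the defence-weakening entries found in a ComboFix-style listing."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = MSCONFIG_RE.match(line)
        if m:
            # Legitimate software does not autostart from the user's Temp folder.
            if TEMP_DIR_RE.search(m.group("path")):
                findings.append(Finding("autostart-from-temp",
                                        f"{m.group('name')} -> {m.group('path')}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        lname = name.lower()
        if ("security center" in section
                and lname in ("antivirusoverride", "firewalloverride", "disablemonitoring")
                and _as_int(value) == 1):
            # Overrides silence Security Center warnings about missing AV/firewall.
            findings.append(Finding("security-center-override", name))
        elif "firewallpolicy" in section and lname == "enablefirewall" and _as_int(value) == 0:
            findings.append(Finding("firewall-disabled", name))
        elif "firewallpolicy" in section and lname == "disablenotifications" and _as_int(value) == 1:
            findings.append(Finding("firewall-notifications-off", name))
        elif lname == "appinit_dlls":
            # Any DLL listed here is loaded into every process that uses user32.dll.
            dlls = value.strip().strip('"').strip()
            if dlls:
                findings.append(Finding("appinit-dll", dlls))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:30} {f.detail}")
```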
 

Chum

Thread Starter
Joined
Nov 26, 2000
Messages
1,005
Here is the new ComboFix log, but when I delete and re-run GMER it does not generate a log.


ComboFix 10-04-15.05 - Chum Family 04/16/2010 22:31:17.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1715 [GMT -5:00]
Running from: c:\documents and settings\Chum Family\Desktop\combo.com
Command switches used :: c:\docume~1\CHUMFA~1\Desktop\CFScript.txt
AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

file zipped: c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
file zipped: c:\windows\Ajejea.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\windows\Ajejea.exe

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
.

2010-04-16 02:11 . 2006-08-11 19:55 10240 ----a-w- c:\windows\CTDCRES.DLL
2010-04-15 23:51 . 2010-04-15 23:52 -------- d-----w- c:\program files\Haunted Manor - Lord of Mirrors
2010-04-14 21:15 . 2010-04-14 21:15 47664 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-14 00:00 . 2010-04-14 00:00 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-13 10:18 . 2010-04-15 01:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-13 03:06 . 2010-04-13 03:06 -------- d-----w- C:\spoolerlogs
2010-04-12 11:51 . 2010-04-12 11:51 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Top Evidence
2010-04-12 11:51 . 2010-04-12 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Top Evidence
2010-04-12 02:21 . 2010-04-12 02:21 30544 ----a-w- c:\windows\dirdib.drv
2010-04-12 02:21 . 2010-04-12 02:21 30464 ----a-w- c:\windows\macromix.dll
2010-04-11 03:38 . 2010-04-17 03:07 -------- d-----w- C:\SHOCK 2
2010-04-09 11:35 . 2010-04-09 11:35 -------- d-----w- C:\ProgramData
2010-04-09 11:06 . 2010-04-09 11:06 -------- d-----w- c:\program files\Dominic Cranes Dreamscape Mystery
2010-04-06 04:19 . 2010-04-06 04:19 -------- d-----w- c:\windows\nview
2010-04-06 04:19 . 2008-10-07 18:33 453152 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-06 04:19 . 2008-10-02 15:07 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-06 04:08 . 2010-04-06 04:08 -------- d-----w- c:\program files\nHancer
2010-04-03 17:18 . 2010-04-03 17:18 -------- d-----w- c:\documents and settings\Chum Family\Application Data\MSN6
2010-04-03 17:18 . 2010-04-03 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2010-03-29 01:41 . 2010-03-29 01:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IsolatedStorage
2010-03-29 01:39 . 2010-04-01 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Amazon
2010-03-27 05:09 . 2010-03-27 05:09 114024 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\windows\system32\XPSViewer
2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\program files\MSBuild
2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\program files\Reference Assemblies
2010-03-27 05:08 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-03-27 05:08 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-27 05:08 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-27 05:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-27 05:08 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-27 05:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-27 05:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-27 05:08 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-27 05:08 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-03-27 05:08 . 2010-03-27 05:08 -------- d-----w- C:\606d8ea6c5f19ac031
2010-03-27 05:08 . 2010-03-27 05:14 -------- d-----w- c:\windows\SxsCaPendDel
2010-03-27 04:53 . 2010-03-27 04:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-27 04:37 . 2010-03-27 04:37 -------- d-----w- c:\windows\ie8updates
2010-03-27 04:29 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-03-27 04:29 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-03-27 04:29 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-03-27 04:29 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-03-27 04:29 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-03-27 04:29 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-03-27 04:29 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-03-27 04:01 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-27 03:49 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-03-27 03:30 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-03-27 02:54 . 2010-03-27 02:54 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-19 13:06 . 2010-03-19 13:08 -------- d-----w- c:\documents and settings\Chum Family\Application Data\DarkParablesBriarRose_BFG
2010-03-19 12:14 . 2010-03-19 12:14 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Merscom
2010-03-19 12:14 . 2010-03-19 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2010-03-19 10:54 . 2010-03-19 10:55 -------- d-----w- c:\program files\Alice in Wonderland
2010-03-18 20:41 . 2010-03-18 20:41 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Nevosoft
2010-03-18 11:01 . 2010-03-18 11:02 -------- d-----w- c:\program files\Vampireville
2010-03-18 10:21 . 2010-03-18 10:22 3085800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 02:00 . 2007-06-17 05:55 -------- d-----w- c:\documents and settings\Chum Family\Application Data\MailWasherPro
2010-04-17 01:02 . 2010-02-21 17:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-17 00:19 . 2007-05-27 23:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-16 02:12 . 2007-05-20 01:56 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-16 02:12 . 2007-05-13 17:47 86016 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-16 02:12 . 2007-05-13 17:49 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Creative
2010-04-16 02:09 . 2007-05-13 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-13 11:49 . 2008-03-15 00:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-13 04:41 . 2008-08-04 04:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 04:41 . 2008-09-21 01:13 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-06 04:54 . 2007-06-26 01:24 -------- d-----w- c:\program files\SpeedFan
2010-04-06 04:23 . 2008-10-03 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\nHancer
2010-04-06 03:58 . 2007-09-20 23:50 -------- d-----w- c:\documents and settings\Chum Family\Application Data\nHancer
2010-04-04 20:38 . 2007-06-18 22:37 -------- d-----w- c:\program files\MSN Games
2010-04-03 17:44 . 2007-12-09 04:02 -------- d-----w- c:\program files\Click'N Design 3D (V5)
2010-04-03 17:05 . 2007-12-19 14:39 -------- d-----w- c:\program files\The Great Tree
2010-04-03 17:05 . 2007-09-01 22:50 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-30 05:46 . 2008-08-04 04:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2008-08-04 04:31 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 01:38 . 2008-03-16 23:57 -------- d-----w- c:\program files\Amazon
2010-03-29 01:34 . 2007-05-13 17:17 47664 ----a-w- c:\documents and settings\Chum Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-27 05:14 . 2008-08-07 02:44 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-27 04:14 . 2008-08-07 02:45 -------- d-----w- c:\program files\Windows Desktop Search
2010-03-18 10:23 . 2007-05-13 16:12 -------- d-----w- c:\program files\bfgclient
2010-03-18 10:21 . 2007-05-27 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-03-08 01:20 . 2008-12-24 13:00 -------- d-----w- c:\program files\Oberon Media
2010-03-06 16:28 . 2010-03-14 23:18 1030144 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.exe
2010-03-05 01:00 . 2010-03-05 01:00 -------- d-----w- c:\documents and settings\Chum Family\Application Data\GTM_Bodie
2010-03-04 17:58 . 2010-03-04 17:58 1184984 ----a-r- c:\windows\system32\wvc1dmod.dll
2010-02-24 21:45 . 2010-02-24 21:45 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Boomzap
2010-02-24 12:42 . 2010-02-24 12:41 -------- d-----w- c:\program files\Awakening - The Dreamless Castle
2010-02-23 04:22 . 2010-02-23 04:20 -------- d-----w- c:\program files\Rhiannon - Curse of the Four Branches
2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\documents and settings\Chum Family\Application Data\BigFishGames
2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\documents and settings\Chum Family\Application Data\BfgBar
2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\program files\BfgBar
2010-02-19 05:06 . 2010-02-19 05:05 -------- d-----w- c:\program files\Penny Dreadfuls Sweeney Todd
2010-02-19 03:14 . 2010-02-19 03:14 -------- d-----w- c:\program files\IrfanView
2010-02-17 15:48 . 2010-03-14 23:18 432640 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.scr
2010-02-16 05:04 . 2007-09-04 01:38 -------- d-----w- c:\program files\NVIDIA Corporation
2010-02-16 03:56 . 2010-02-15 03:00 -------- d-----w- c:\program files\Nightfall Mysteries - Curse of the Opera(2)
2010-02-16 03:56 . 2008-08-07 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\vampireville_s1_l1_gF5524T1L1_d827659757.exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\love-and-death-bitten_s1_l1_gF5578T1L1_d859589501.exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\haunted-manor-lord-of-mirrors_s1_l1_gF5597T1L1_d860232223.exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\haunted-manor-lord-of-mirrors_s1_l1_gF5597T1L1_d856562713.exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dominic-cranes-dreamscape-mystery_s1_l1_gF5610T1L1_d853117596[1].exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dark-parables-curse-briar-rose-collectors_s1_l1_gF5523T1L1_d828746418[1].exe
2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\alice-in-wonderland_s1_l1_gF5535T1L1_d828725970[1].exe
2010-02-03 21:19 . 2010-02-03 21:19 3028800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
2010-01-22 09:50 . 2010-02-16 03:24 2283526 ----a-w- c:\windows\system32\nvdata.bin
2007-11-03 13:31 . 2007-11-03 13:33 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( [email protected]_00.52.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-17 03:39 . 2010-04-17 03:39 16384 c:\windows\Temp\Perflib_Perfdata_7c8.dat
+ 2007-05-13 17:12 . 2004-08-04 03:59 95360 c:\windows\system32\dllcache\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-03-01 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-09 19:11 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk
backup=c:\windows\pss\Color Calibration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chum Family^Start Menu^Programs^StartUp^..]
path=c:\documents and settings\Chum Family\Start Menu\Programs\StartUp\..
backup=c:\windows\pss\..Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chum Family^Start Menu^Programs^StartUp^Antimalware Doctor.lnk]
path=c:\documents and settings\Chum Family\Start Menu\Programs\StartUp\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2006-08-11 19:45 74752 ----a-w- c:\windows\system32\CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-08-22 13:52 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
2007-06-16 13:13 230512 ----a-w- c:\program files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
2007-06-16 13:13 185456 ----a-w- c:\program files\Yahoo!\Antivirus\CAVRid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 05:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-08-11 19:56 17920 ----a-w- c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-08-11 19:56 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
2006-08-11 19:53 42496 ----a-w- c:\windows\system32\CTXFIREG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
2007-06-17 02:18 207680 ----a-w- c:\program files\GIGABYTE\ET5\GUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVGAPrecision]
2008-10-27 16:28 240656 ----a-w- c:\utillities\EVGA Precision\EVGAPrecision.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
2006-07-12 22:58 356352 ----a-w- c:\windows\system32\JMRaidTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-07-07 23:14 576320 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2005-08-24 12:51 442455 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 20:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nHancer]
2009-01-27 00:37 1295872 ----a-w- c:\program files\nHancer\nHancer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-10-07 18:33 13574144 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-03 17:32 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-10-07 18:33 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-10-07 18:33 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 15:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
2003-06-12 14:47 135168 ----a-w- c:\program files\Creative\MediaSource\RemoteControl\RcMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 22:35 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
2002-11-13 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
2002-12-03 23:06 45056 ----a-w- c:\program files\Creative\SB Drive Det\SBDrvDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 09:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-04-13 11:49 2010864 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
2006-07-21 15:43 407032 ----a-w- c:\progra~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ALG"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Games\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"c:\\Games\\Sshock2\\SHOCK2.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 66632]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [5/17/2007 10:50 PM 16512]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.1
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Chum Family\Application Data\Mozilla\Firefox\Profiles\crmim0ui.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 22:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-1364589140-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-436374069-1364589140-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:76,51,6d,86,88,ff,4a,09,a1,23,35,70,c5,b3,27,43,fb,62,e6,4d,6e,8b,ce,
b0,9c,d8,38,1d,7b,59,5b,f7,7c,10,c4,4b,26,74,2c,df,d1,ca,a7,df,39,a1,ec,ef,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=" wbpqvz.dll "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(652)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(1132)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\CTsvcCDA.exe
c:\program files\nHancer\nHancerService.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\System32\locator.exe
.
**************************************************************************
.
Completion time: 2010-04-16 22:43:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-17 03:43
ComboFix2.txt 2010-04-17 00:59

Pre-Run: 185,474,482,176 bytes free
Post-Run: 185,417,596,928 bytes free

- - End Of File - - 5DFAC15F9EE8FF76CE8EEFC724DA6E40