
Urgent help needed, completely hijacked by anti malware dr.

Discussion in 'Virus & Other Malware Removal' started by Chum, Apr 12, 2010.

Thread Status:
Not open for further replies.
  1. Chum

    Chum Thread Starter

    Joined:
    Nov 26, 2000
    Messages:
    1,005
    Removed sys restore and task manager, and safe mode will not load.

    Had to get on my daughter's machine to even edit this post... the thing keeps preventing me on my machine.

    Below is the HJT log.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:57:37 PM, on 4/12/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\m6hhw2py7i.exe
    C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\install.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Chum Family\Application Data\26C02D090F760013493CEDE478DDE5E3\appreg70700.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\nHancer\nHancerService.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\lsass.exe
    C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\avp.exe
    C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\avp32.exe
    C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\win32.exe
    C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\system.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: C:\WINDOWS\system32\xdt15tzv.dll - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\xdt15tzv.dll
    O3 - Toolbar: Big Fish Games Toolbar - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files\BfgBar\bfg.dll
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EVGAPrecision] "C:\Utillities\EVGA Precision\EVGAPrecision.exe" /s
    O4 - HKLM\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\notepad.dll,[email protected]
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,[email protected]
    O4 - HKCU\..\Run: [hf8wefhuaihf8ewfydiujhfdsfdf] C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\m6hhw2py7i.exe
    O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\install.exe
    O4 - HKUS\S-1-5-19\..\Run: [wabiyohejo] Rundll32.exe "C:\WINDOWS\system32\kiyihapa.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [wabiyohejo] Rundll32.exe "C:\WINDOWS\system32\kiyihapa.dll",s (User 'NETWORK SERVICE')
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269659293062
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1184214368265
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AAD254C1-5B5D-4CDA-A79A-A28E12B65097}: NameServer = 93.188.164.96,93.188.166.144
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.96,93.188.166.144
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.164.96,93.188.166.144
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.96,93.188.166.144
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: hasiufhiusdfjdhfudd - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\xdt15tzv.dll
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\Win32\RpcDataSrv.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 7366 bytes
     
  2. Chum

    Chum Thread Starter

    Joined:
    Nov 26, 2000
    Messages:
    1,005
    Got it to stop running using Malwarebytes... task manager back... still have lost sys restore and regedit... so I am unsure if it is completely removed.
    Another thing...
    I tried to update Malwarebytes before running, as my version was about a month old, and the malware (I assume) prevented this.
     
  3. Chum

    Chum Thread Starter

    Joined:
    Nov 26, 2000
    Messages:
    1,005
    ...something is still terribly wrong... noticed the router blinking like crazy when no one was browsing... think this computer is pretty compromised... help if you can. I am leaving the modem turned off most of the time and will check for answers on my daughter's computer, and only use this one for things I have to download from this forum....

    One other thing: I cannot start in safe mode. It does not crash, it just keeps coming back to the choice screen and only boots into "Start Windows normally"... it never did that before!
     
  4. Chum

    Chum Thread Starter

    Joined:
    Nov 26, 2000
    Messages:
    1,005
    problem getting worse
     
  5. Chum

    Chum Thread Starter

    Joined:
    Nov 26, 2000
    Messages:
    1,005
    bumping
     
  6. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:


    Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).


    NEXT


    Please download DDS from either of these links

    LINK 1
    LINK 2

    and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txt's will open.
    • Save both reports to your desktop.
    ---------------------------------------------------
    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.


    NEXT


    Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
     
  7. Chum

    Chum Thread Starter

    Joined:
    Nov 26, 2000
    Messages:
    1,005
    Thank you CatByte... I assume you want these separately, so here is the exeHelper log...

    exeHelper by Raktor
    Build 20100414
    Run at 22:48:14 on 04/15/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Removing HKCR\secfile
    Resetting filetype association for .com
    Removing HKCR\secfile
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    I will leave and do next
     
  8. Chum

    Chum Thread Starter

    Joined:
    Nov 26, 2000
    Messages:
    1,005
    here is dds


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/13/2007 12:06:38 PM
    System Uptime: 4/15/2010 9:14:07 PM (1 hours ago)

    Motherboard: Gigabyte Technology Co., Ltd. | | 965P-DS3
    Processor: Intel(R) Core(TM)2 CPU 6420 @ 2.13GHz | Socket 775 | 3008/376mhz
    Processor: Intel(R) Core(TM)2 CPU 6420 @ 2.13GHz | Socket 775 | 3008/376mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 298 GiB total, 171.315 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    @BIOS B06.0721.01
    3-D_Dancing_Skeleton_DemoESD Screen Saver
    3D Canyon Flight Screensaver (remove only)
    3DMark03
    3DMark05
    3DMark06
    7-Zip 4.57
    7 Wonders of the Ancient World
    Acrobat.com
    Act 3d Silex Screensaver
    Ad-Aware SE Personal
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 9.3.1
    Adobe Shockwave Player 11.5
    AGEIA PhysX v2.6.0
    AIDA32 v3.80
    Alice's Magical Mahjong
    Alice in Wonderland
    Amazon MP3 Downloader 1.0.3
    American McGee's Alice(tm)
    Apple Software Update
    AquaMark3
    AT&T Self Support Tool
    AT&T Yahoo! Applications
    Awakening: The Dreamless Castle
    Bejeweled
    Bejeweled 2 Deluxe
    Belarc Advisor 7.2
    Big Fish Games Toolbar 2.0
    Big Fish Games: Game Manager
    Bink and Smacker
    BioShock
    Born Into Darkness
    bubbles Screen Saver
    BufferChm
    Cafe Mahjongg (remove only)
    CardRd81
    Caribbean Mah Jong
    CCScore
    Chainz (remove only)
    Chainz 2 Relinked (remove only)
    Charm Tale 2
    Chuzzle Deluxe (remove only)
    Click'N Design 3D (V5)
    Clive Barker's Undying(tm)
    CP_CalendarTemplates1
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Panorama1Config
    cp_PosterPrintConfig
    CR2
    Creative Audio Console
    Creative MediaSource
    Creative System Information
    Critical Update for Windows Media Player 11 (KB959772)
    Cuckoo
    CueTour
    D4100
    D4100_Help
    DeviceManagementQFolder
    Diskeeper Lite
    Dominic Crane's Dreamscape Mystery
    DriverCD
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    EasyTune5
    EAX Unified
    ESSBrwr
    ESSCDBK
    ESScore
    ESSCT
    ESSEMAIL
    ESSgui
    ESShelp
    ESSini
    ESSPCD
    ESSPDock
    ESSSONIC
    ESSTOOLS
    ESSTUTOR
    ESSvpaht
    ESSvpot
    eSupportQFolder
    ETC B06.0828.01
    EVEREST Home Edition v2.20
    EVGA Precision 1.3.3
    Fairies (remove only)
    FastCrawl
    FullDPAppQFolder
    GameHack 2.0
    Ghost Town Mysteries
    Gigabyte Raid Configurer
    Giza 3d
    Google Earth
    Google Updater
    Groovy Hex Editor v 1.6
    Half-Life 2: Episode One
    Half-Life 2: Episode Two
    Half-Life 2: Lost Coast
    Half-Life(R) 2
    Haunted Manor: Lord of Mirrors
    HexEdit
    HijackThis 2.0.2
    HLPIndex
    HLPPDOCK
    HLPSFO
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format 11 SDK (KB939209)
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB909394)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB979306)
    HP Imaging Device Functions 7.0
    HP Photosmart and Deskjet 7.0 Software
    HP Photosmart Essential
    HP Photosmart Premier Software 6.5
    HP Print Diagnostic Utility
    HP Solution Center 7.0
    hph_ProductContext
    hph_readme
    hph_software
    hph_software_req
    HPPhotoSmartExpress
    HPProductAssistant
    ImgBurn
    InstantShareDevices
    InstantShareDevicesMFC
    InterActual Player
    IrfanView (remove only)
    Java(TM) 6 Update 7
    kiki the nanobot 1.0.2
    Kodak EasyShare software
    KSU
    Lara Croft Tomb Raider: The Angel Of Darkness
    lightning Screen Saver
    Logitech Gaming Software
    Luxor 2
    Luxor 3
    Luxor Mahjong (remove only)
    Luxor Quest for the Afterlife
    MadOnion.com/3DMark2001 SE
    Magic Tale (remove only)
    maguscrow3dsetup
    Mah Jong Medley
    Mah Jong Quest 3
    Mahjong Fortuna 2 Deluxe
    Mahjong Journey of Enlightenment
    Mahjong Towers Eternity
    Mahjongg Artifacts
    MailWasher Free
    MailWasher Pro
    Malwarebytes' Anti-Malware
    Managed DirectX (0900)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliPoint 6.01
    Microsoft IntelliType Pro 6.01
    Microsoft Plus! for Windows XP
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Monarch - The Butterfly King
    Mozilla Firefox (3.0.1)
    mrlinwp
    MS Access 97 SP2
    MSN Music Assistant
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    MyDefrag v4.2.9
    Myst IV - Revelation
    Myst Uru - The Path of the Shell
    MYST® Jigsaw Puzzles
    Mystery Case Files Return to Ravenhearst
    Mystery Case Files&reg;: Dire Grove™
    Natural Color
    Nero 7 Essentials
    nHancer
    Notifier
    NVIDIA Drivers
    NVIDIA nTune
    OfotoXMI
    OTtBP
    OTtBPSDK
    PanoStandAlone
    PCMark05
    Penny Dreadfuls™ Sweeney Todd
    PhotoGallery
    Planet Saturn 3D Screensaver 1.0
    Poker Superstars III
    Portal
    PowerDVD
    Pro Pinball - The Web
    Pro Pinball - Timeshock!
    Pro Pinball : Big Race USA
    Pro Pinball : Fantastic Journey
    PSXMemTool 1.19b (remove only)
    QuickTime
    Rainbow Web (remove only)
    RandMap
    Return to Castle Wolfenstein
    Rhiannon: Curse of the Four Branches
    Riven
    RMAA 6.2.1
    Roxio Easy DVD Copy 2
    Scenic- Haunted House Wallpaper
    SeaStorm 3D Screensaver (remove only)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    SFR
    SHASTA
    SimCity 3000 Unlimited
    SimCity 4
    SiSoftware Sandra Lite XI.SP1a (Win64/32/CE)
    SkellerinasDemo Screen Saver
    SKIN0001
    SkinsHP1
    SKINXSDK
    SlideShow
    Snow Queen Mahjong
    SolutionCenter
    Sonic_PrimoSDK
    Sound Blaster Audigy 2 ZS
    SpeedFan (remove only)
    Status
    Steam(TM)
    Stone Jong
    Super Mah Jong
    SUPERAntiSpyware Free Edition
    Superscape Viscape Universal
    System Requirements Lab
    System Shock2
    Test Drive 6
    Test Drive Unlimited
    The Lost Crown version 2
    Thermal Analysis Tool
    Tomb Raider:
    Tomb Raider: Anniversary 1.0
    Toolbox
    Totally MAD
    TRAOD Startup Configuration Utility
    TrayApp
    Tweak UI
    Unload
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB978207)
    Vampireville
    VPRINTOL
    Walmart MP3 Music Downloads
    Wave 2 Mp3 1.1
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Media Encoder 9 Series
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Mobile® Device Handbook
    Windows Search 4.0
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    WinRAR archiver
    WIRELESS

    ==== Event Viewer Messages From Past Week ========

    4/9/2010 9:13:44 PM, error: Service Control Manager [7001] - The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    4/9/2010 9:13:44 PM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
    4/9/2010 5:43:07 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    4/8/2010 1:32:48 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
    4/8/2010 1:29:12 PM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    4/15/2010 9:13:04 PM, error: Service Control Manager [7000] - The PfModNT service failed to start due to the following error: The system cannot find the file specified.
    4/14/2010 6:31:12 PM, error: Service Control Manager [7034] - The CAISafe service terminated unexpectedly. It has done this 1 time(s).
    4/14/2010 6:30:38 PM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
    4/13/2010 7:01:22 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    4/13/2010 6:50:20 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    4/12/2010 11:38:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: JRAID
    4/12/2010 11:36:44 PM, error: PlugPlayManager [11] - The device Root\LEGACY_CODNDB\0000 disappeared from the system without first being prepared for removal.
    4/12/2010 10:27:04 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 001A4D64FB08 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    4/12/2010 10:19:23 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    4/12/2010 10:19:23 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    4/12/2010 10:18:57 PM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001A4D64FB08 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    4/12/2010 10:08:01 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.
    4/12/2010 10:07:04 PM, error: Service Control Manager [7000] - The 6to4 service failed to start due to the following error: All pipe instances are busy.

    ==== End Of File ===========================
     
  9. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Do you have the DDS log (that is the Attach.txt you have posted) and did you have success running the GMER scan?
     
  10. Chum

    Chum Thread Starter

    Joined:
    Nov 26, 2000
    Messages:
    1,005
    Having trouble... when I include a large .txt file and click Submit Reply, it says "page cannot be displayed".
     
  11. Chum

    Chum Thread Starter

    Joined:
    Nov 26, 2000
    Messages:
    1,005
    Had to mail these reports to my daughter.


    While running GMER, the browser opened by itself to a page that said "you are a winner". I quickly yanked the network cable and GMER slowed to a crawl, so I let it run and went to bed. It was still running when I got up, so I stopped it where it was. The computer was stuck at 100% CPU usage, so I was forced to reboot. Here are the DDS txt and GMER txt... I will re-run GMER if you wish.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Chum Family at 22:55:07.89 on Thu 04/15/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1603 [GMT -5:00]

    AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\nHancer\nHancerService.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    "C:\WINDOWS\System32\svchost.exe"
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Chum Family\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = 127.0.0.1
    TB: Big Fish Games Toolbar: {c7c9fc25-88b0-4682-9c9f-2608e9117647} - c:\program files\bfgbar\bfg.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
    uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\chumfa~1\locals~1\temp\cmd.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [CtxfiReg] CTXFIREG.exe /FAIL1
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    uPolicies-explorer: NoFolderOptions = 1 (0x1)
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    LSP: c:\windows\system32\VetRedir.dll
    Trusted Zone: aol.com\free
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269659293062
    DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184214368265
    DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15112/CTPID.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\chumfa~1\applic~1\mozilla\firefox\profiles\crmim0ui.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
    FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
    FF - plugin: c:\program files\google\google updater\2.2.1273.1045\npCIDetect12.dll
    FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

    ============= SERVICES / DRIVERS ===============

    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 66632]
    R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2007-6-16 21031]
    R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2007-6-16 15478]
    R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2007-6-16 879832]
    R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2007-6-16 15735]
    R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2007-6-16 26787]
    R2 VETMSGNT;VET Message Service;c:\program files\yahoo!\antivirus\VetMsg.exe [2007-6-16 201840]
    R3 CAISafe;CAISafe;c:\program files\yahoo!\antivirus\iSafe.exe [2007-6-16 259184]
    R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2007-6-16 108360]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2007-5-17 16512]
    S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]

    ============== File Associations ===============

    regfile=regedit.exe "%1" %*

    =============== Created Last 30 ================

    2010-04-16 02:13:39 31056 ----a-w- c:\windows\system32\BMXStateBkp-{00000005-00000000-00000002-00001102-00000004-20021102}.rfx
    2010-04-16 02:13:39 31056 ----a-w- c:\windows\system32\BMXState-{00000005-00000000-00000002-00001102-00000004-20021102}.rfx
    2010-04-16 02:13:39 30528 ----a-w- c:\windows\system32\BMXCtrlState-{00000005-00000000-00000002-00001102-00000004-20021102}.rfx
    2010-04-16 02:13:39 30528 ----a-w- c:\windows\system32\BMXBkpCtrlState-{00000005-00000000-00000002-00001102-00000004-20021102}.rfx
    2010-04-16 02:13:39 11564 ----a-w- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000004-20021102}.rfx
    2010-04-16 02:13:39 1080 ----a-w- c:\windows\system32\settingsbkup.sfm
    2010-04-16 02:13:39 1080 ----a-w- c:\windows\system32\settings.sfm
    2010-04-16 02:13:19 4958588 ----a-w- c:\windows\{00000005-00000000-00000002-00001102-00000004-20021102}.BAK
    2010-04-16 02:12:39 4958588 ----a-w- c:\windows\{00000005-00000000-00000002-00001102-00000004-20021102}.CDF
    2010-04-16 02:11:51 86446 ----a-w- c:\windows\system32\instwdm.ini
    2010-04-16 02:11:50 10240 ----a-w- c:\windows\CTDCRES.DLL
    2010-04-15 23:51:54 0 d-----w- c:\program files\Haunted Manor - Lord of Mirrors
    2010-04-14 00:00:07 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-04-13 03:08:00 823808 ----a-w- c:\windows\system32\drivers\chwplo.sys
    2010-04-13 03:07:40 1181 ----a-w- c:\docume~1\alluse~1\applic~1\pragmamfeklnmal.dll
    2010-04-13 03:06:57 0 d-----w- C:\spoolerlogs
    2010-04-13 03:06:40 0 d-----w- c:\docume~1\chumfa~1\applic~1\26C02D090F760013493CEDE478DDE5E3
    2010-04-13 03:05:58 172544 ----a-w- c:\windows\Ajejea.exe
    2010-04-12 11:51:12 0 d-----w- c:\docume~1\chumfa~1\applic~1\Top Evidence
    2010-04-12 11:51:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Top Evidence
    2010-04-12 02:21:33 30544 ----a-w- c:\windows\dirdib.drv
    2010-04-12 02:21:33 30464 ----a-w- c:\windows\macromix.dll
    2010-04-11 03:38:15 0 d-----w- C:\SHOCK 2
    2010-04-09 11:35:02 0 d-----w- C:\ProgramData
    2010-04-09 11:06:24 0 d-----w- c:\program files\Dominic Cranes Dreamscape Mystery
    2010-04-06 04:19:45 188814 ----a-w- c:\windows\system32\nvapps.xml
    2010-04-06 04:19:44 453152 ----a-w- c:\windows\system32\nvudisp.exe
    2010-04-06 04:19:44 18477 ----a-w- c:\windows\system32\nvdisp.nvu
    2010-04-06 04:19:44 0 d-----w- c:\windows\nview
    2010-04-06 04:19:26 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
    2010-04-06 04:08:16 0 d-----w- c:\program files\nHancer
    2010-04-03 16:50:57 74 ----a-w- c:\windows\hdkctnts.ini
    2010-03-29 01:39:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Amazon
    2010-03-27 05:09:18 0 d-----w- c:\windows\system32\XPSViewer
    2010-03-27 05:08:23 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-03-27 05:08:23 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-03-27 05:08:23 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-03-27 05:08:23 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-03-27 05:08:23 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-03-27 05:08:23 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-03-27 05:08:23 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-03-27 05:08:22 0 d-----w- C:\606d8ea6c5f19ac031
    2010-03-27 05:08:07 0 d-----w- c:\windows\SxsCaPendDel
    2010-03-27 04:37:27 0 d-----w- c:\windows\ie8updates
    2010-03-27 04:29:29 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-03-27 04:29:21 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2010-03-27 04:29:21 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-03-27 04:29:20 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-03-27 04:29:20 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2010-03-27 04:29:20 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-03-27 04:29:19 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2010-03-27 04:01:01 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-27 03:49:43 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-03-27 03:30:07 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2010-03-27 03:10:16 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
    2010-03-27 02:54:15 0 d-----w- c:\windows\system32\wbem\Repository
    2010-03-19 13:06:49 0 d-----w- c:\docume~1\chumfa~1\applic~1\DarkParablesBriarRose_BFG
    2010-03-19 12:14:33 0 d-----w- c:\docume~1\chumfa~1\applic~1\Merscom
    2010-03-19 12:14:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Merscom
    2010-03-19 10:54:52 0 d-----w- c:\program files\Alice in Wonderland
    2010-03-18 20:41:46 0 d-----w- c:\docume~1\chumfa~1\applic~1\Nevosoft
    2010-03-18 11:01:44 0 d-----w- c:\program files\Vampireville

    ==================== Find3M ====================

    2010-04-16 02:12:21 86016 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-04-16 02:12:21 409600 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-06 16:28:34 1030144 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.exe
    2010-03-04 17:58:50 1184984 ----a-r- c:\windows\system32\wvc1dmod.dll
    2010-02-17 15:48:10 432640 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.scr
    2010-01-22 09:50:59 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2007-11-03 13:31:47 774144 ----a-w- c:\program files\RngInterstitial.dll
    1998-08-24 17:09:10 10000 ----a-w- c:\windows\inf\unregpn.exe

    ============= FINISH: 22:56:04.43 ===============




    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-16 05:28:06
    Windows 5.1.2600 Service Pack 2
    Running: zw7c5lli.exe; Driver: C:\DOCUME~1\CHUMFA~1\LOCALS~1\Temp\kxtdqpoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? chwplo.sys A device attached to the system is not functioning. !
    .rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xBAE82394]
    PAGE Ntfs.sys BADB5C55 4 Bytes CALL 8AB81241
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xAEF7E360, 0x32E00D, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007C000A
    .text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007D000A
    .text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007B000C
    .text C:\WINDOWS\System32\svchost.exe[976] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00C1000A
    .text C:\WINDOWS\System32\svchost.exe[976] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00C0000A
    .text C:\WINDOWS\Explorer.EXE[1432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF000A
    .text C:\WINDOWS\Explorer.EXE[1432] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
    .text C:\WINDOWS\Explorer.EXE[1432] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
    ? C:\WINDOWS\System32\svchost.exe[3328] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8AB14D58

    AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 8AA41AC8

    ---- Services - GMER 1.0.15 ----

    Service (*** hidden *** ) [BOOT] chwplo <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet002\Services\chwplo@Type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\chwplo@Start 0
    Reg HKLM\SYSTEM\ControlSet002\Services\chwplo@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\Services\chwplo@Group Boot Bus Extender
    Reg HKLM\SYSTEM\CurrentControlSet\Services\chwplo@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\chwplo@Start 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\chwplo@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\chwplo@Group Boot Bus Extender

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
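
    The DDS and GMER output above hands a helper several indicators at once: a Run value with a machine-generated name launching cmd.exe from the user's Temp folder, explorer and system policies that disable Registry Tools and Folder Options, a hidden boot-start service, inline hooks in svchost.exe and Explorer.EXE, and an atapi.sys that GMER reports as modified. The following Python script is an added example, not a DDS, GMER or Tech Support Guy tool and not part of this thread; it applies those checks to log lines of the shape shown above. The thresholds (a 16-character lowercase alphanumeric name with at least one digit counts as "random", the list of system binary names, the severity labels) are heuristics chosen for this example; the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for DDS "Pseudo HJT Report" and GMER log lines.

Added example for this thread, not a DDS, GMER or Tech Support Guy tool.
It flags the indicators a malware-removal helper reads off such logs:
autoruns launched from Temp or 32-hex AppData folders, system binary
names reused outside system32, machine-generated Run value names,
policy lockouts, and GMER's hidden-service / modified-file verdicts.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)

# DDS prints Run entries as:   uRun: [ValueName] command line
RUN_RE = re.compile(r'^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# ... and policies as:         uPolicies-system: DisableRegistryTools = 1 (0x1)
POLICY_RE = re.compile(r'^[um]Policies-(?P<scope>\w+):\s*(?P<name>\w+)\s*=\s*(?P<val>\d+)')
# First executable in an unquoted command line (the path may contain spaces)
EXT_RE = re.compile(r'(.+?\.(?:exe|com|dll|scr|bat|pif|cpl))(?=\s|$|,)', re.I)
# Heuristic chosen for this example: 16+ lowercase alphanumerics containing a digit
RANDOM_NAME_RE = re.compile(r'^(?=.*\d)[a-z0-9]{16,}$')
TEMP_PATH_RE = re.compile(r'\\temp\\', re.I)            # ...\locals~1\temp\...
HEX_DIR_RE = re.compile(r'\\[0-9a-f]{32}\\', re.I)      # ...\applic~1\<32 hex chars>\...
HOOK_RE = re.compile(r'\b\d+ Bytes\s+(?:JMP|CALL)\b')   # GMER inline-hook notation
# Names that belong in %SystemRoot%\system32; anywhere else they are masquerading
SYSTEM_NAMES = {'cmd.exe', 'lsass.exe', 'svchost.exe', 'services.exe',
                'winlogon.exe', 'csrss.exe', 'avp.exe'}
LOCKOUT_POLICIES = {'DisableRegistryTools', 'DisableTaskMgr', 'NoFolderOptions', 'DisableCMD'}


def first_path(cmd: str) -> str:
    """Return the executable path from a Run command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ''


def check_run_line(line: str) -> List[Finding]:
    """Flag autorun entries by launch location, binary name and value name."""
    m = RUN_RE.match(line.strip())
    if not m:
        return []
    name, path = m.group('name'), first_path(m.group('cmd'))
    low = path.lower()
    base = low.rsplit('\\', 1)[-1]
    out: List[Finding] = []
    if TEMP_PATH_RE.search(low):
        out.append(('high', 'autorun launches from a Temp directory', line.strip()))
    if HEX_DIR_RE.search(low):
        out.append(('high', 'autorun launches from a 32-hex-character AppData folder', line.strip()))
    if base in SYSTEM_NAMES and '\\system32\\' not in low:
        out.append(('high', f'{base} outside system32 (system binary name reused)', line.strip()))
    if RANDOM_NAME_RE.match(name):
        out.append(('medium', 'Run value name looks machine-generated', line.strip()))
    return out


def check_policy_line(line: str) -> List[Finding]:
    """Flag policies that lock the user out of their own repair tools."""
    m = POLICY_RE.match(line.strip())
    if not m or m.group('name') not in LOCKOUT_POLICIES or m.group('val') == '0':
        return []
    return [('medium', f"{m.group('name')} set: {m.group('scope')} tooling disabled by policy", line.strip())]


def check_gmer_line(line: str) -> List[Finding]:
    """Translate GMER's verdict strings into findings; one finding per line."""
    s = line.strip()
    if '*** hidden ***' in s:
        return [('high', 'GMER: hidden service (rootkit-style concealment)', s)]
    if 'suspicious modification' in s:
        return [('high', 'GMER: on-disk driver file modified', s)]
    if 'checksum mismatch' in s:
        return [('high', 'GMER: in-memory image differs from the file on disk', s)]
    if HOOK_RE.search(s):
        return [('medium', 'GMER: inline hook (security software hooks too; verify the target)', s)]
    return []


def triage(lines: List[str]) -> List[Finding]:
    """Run every check over every line and collect the findings in log order."""
    findings: List[Finding] = []
    for line in lines:
        findings.extend(check_run_line(line))
        findings.extend(check_policy_line(line))
        findings.extend(check_gmer_line(line))
    return findings


# Sample input: lines copied from the DDS and GMER logs posted in this thread.
SAMPLE_LINES = [
    r'uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear',
    r'uRun: [hsf87efjhdsf87f3jfsdi7fhsujfd] c:\docume~1\chumfa~1\locals~1\temp\cmd.exe',
    r'mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r',
    r'uPolicies-explorer: NoFolderOptions = 1 (0x1)',
    r'uPolicies-system: DisableRegistryTools = 1 (0x1)',
    r'mPolicies-system: EnableLUA = 0 (0x0)',
    r'Service (*** hidden *** ) [BOOT] chwplo <-- ROOTKIT !!!',
    r'File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification',
    r'.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007C000A',
    r'? C:\WINDOWS\System32\svchost.exe[3328] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;',
]

if __name__ == '__main__':
    for sev, why, src in triage(SAMPLE_LINES):
        print(f'[{sev:6}] {why}\n         {src}')
```

    Run it against the pasted logs by reading them into `triage()` line by line. The legitimate NVIDIA, Creative and EnableLUA entries produce no findings, while the Temp-launched cmd.exe entry produces three (Temp location, system binary name outside system32, machine-generated value name). The hook check is deliberately only medium severity: SUPERAntiSpyware's SASSEH shell hook and CA's VET filter drivers, both present in this log, hook legitimately, so a hook is a lead to verify rather than a verdict.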
     
  12. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi

    Please do the following:


    Download Combofix from either of the links below. You must rename it to combo.com before saving it.
    Save it to your desktop. Change the save as file type to "all files"

    **Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

    • If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".

    Link 1
    Link 2

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------
    • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

      -----------------------------------------------------------



    • Double click on the renamed ComboFix.exe & follow the prompts.
      • When finished, it will produce a report for you.
      • Please post the C:\ComboFix.txt so we can continue cleaning the system.

    -----------------------------------------------------------
     
  13. Chum

    Chum Thread Starter

    Joined:
    Nov 26, 2000
    Messages:
    1,005
    here you go

    ComboFix 10-04-15.05 - Chum Family 04/16/2010 19:38:48.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1508 [GMT -5:00]
    Running from: c:\documents and settings\Chum Family\Desktop\combo.com
    AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
    .
    PEV Error: AppFile
    PEV Error: AppFolder

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Chum Family\Application Data\26C02D090F760013493CEDE478DDE5E3
    c:\documents and settings\Chum Family\Application Data\26C02D090F760013493CEDE478DDE5E3\appreg70700.exe
    c:\documents and settings\Chum Family\Application Data\26C02D090F760013493CEDE478DDE5E3\enemies-names.txt
    c:\documents and settings\Chum Family\Start Menu\Programs\Antimalware Doctor
    c:\documents and settings\Chum Family\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
    c:\documents and settings\Chum Family\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
    c:\windows\system32\BReWErS.dll
    c:\windows\system32\drivers\chwplo.sys
    c:\windows\system32\dumphive.exe
    c:\windows\system32\Process.exe
    c:\windows\system32\SHELLLNK.TLB
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\tmp.reg
    c:\windows\system32\VACFix.exe
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\WS2Fix.exe
    c:\windows\Tasks\welxswtd.job

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Legacy_IAS
    -------\Legacy_chwplo
    -------\Service_chwplo


    ((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
    .

    2010-04-16 02:11 . 2006-08-11 19:55 10240 ----a-w- c:\windows\CTDCRES.DLL
    2010-04-15 23:51 . 2010-04-15 23:52 -------- d-----w- c:\program files\Haunted Manor - Lord of Mirrors
    2010-04-14 21:15 . 2010-04-14 21:15 47664 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-04-14 00:00 . 2010-04-14 00:00 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-04-13 10:18 . 2010-04-15 01:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-04-13 03:06 . 2010-04-13 03:06 -------- d-----w- C:\spoolerlogs
    2010-04-13 03:05 . 2010-04-13 03:05 172544 ----a-w- c:\windows\Ajejea.exe
    2010-04-12 11:51 . 2010-04-12 11:51 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Top Evidence
    2010-04-12 11:51 . 2010-04-12 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Top Evidence
    2010-04-12 02:21 . 2010-04-12 02:21 30544 ----a-w- c:\windows\dirdib.drv
    2010-04-12 02:21 . 2010-04-12 02:21 30464 ----a-w- c:\windows\macromix.dll
    2010-04-11 03:38 . 2010-04-16 03:41 -------- d-----w- C:\SHOCK 2
    2010-04-09 11:35 . 2010-04-09 11:35 -------- d-----w- C:\ProgramData
    2010-04-09 11:06 . 2010-04-09 11:06 -------- d-----w- c:\program files\Dominic Cranes Dreamscape Mystery
    2010-04-06 04:19 . 2010-04-06 04:19 -------- d-----w- c:\windows\nview
    2010-04-06 04:19 . 2008-10-07 18:33 453152 ----a-w- c:\windows\system32\nvudisp.exe
    2010-04-06 04:19 . 2008-10-02 15:07 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
    2010-04-06 04:08 . 2010-04-06 04:08 -------- d-----w- c:\program files\nHancer
    2010-04-03 17:18 . 2010-04-03 17:18 -------- d-----w- c:\documents and settings\Chum Family\Application Data\MSN6
    2010-04-03 17:18 . 2010-04-03 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
    2010-03-29 01:41 . 2010-03-29 01:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IsolatedStorage
    2010-03-29 01:39 . 2010-04-01 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Amazon
    2010-03-27 05:09 . 2010-03-27 05:09 114024 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\windows\system32\XPSViewer
    2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\program files\MSBuild
    2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\program files\Reference Assemblies
    2010-03-27 05:08 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-03-27 05:08 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-03-27 05:08 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-03-27 05:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-03-27 05:08 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-03-27 05:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-03-27 05:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-03-27 05:08 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-03-27 05:08 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2010-03-27 05:08 . 2010-03-27 05:08 -------- d-----w- C:\606d8ea6c5f19ac031
    2010-03-27 05:08 . 2010-03-27 05:14 -------- d-----w- c:\windows\SxsCaPendDel
    2010-03-27 04:53 . 2010-03-27 04:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-03-27 04:37 . 2010-03-27 04:37 -------- d-----w- c:\windows\ie8updates
    2010-03-27 04:29 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-03-27 04:29 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2010-03-27 04:29 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-03-27 04:29 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-03-27 04:29 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-03-27 04:29 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2010-03-27 04:29 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2010-03-27 04:01 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-27 03:49 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-03-27 03:30 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2010-03-27 02:54 . 2010-03-27 02:54 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-03-19 13:06 . 2010-03-19 13:08 -------- d-----w- c:\documents and settings\Chum Family\Application Data\DarkParablesBriarRose_BFG
    2010-03-19 12:14 . 2010-03-19 12:14 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Merscom
    2010-03-19 12:14 . 2010-03-19 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
    2010-03-19 10:54 . 2010-03-19 10:55 -------- d-----w- c:\program files\Alice in Wonderland
    2010-03-18 20:41 . 2010-03-18 20:41 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Nevosoft
    2010-03-18 11:01 . 2010-03-18 11:02 -------- d-----w- c:\program files\Vampireville

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-17 00:19 . 2007-05-27 23:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-16 23:23 . 2007-06-17 05:55 -------- d-----w- c:\documents and settings\Chum Family\Application Data\MailWasherPro
    2010-04-16 16:04 . 2010-02-21 17:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-16 02:12 . 2007-05-20 01:56 409600 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-04-16 02:12 . 2007-05-13 17:47 86016 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-04-16 02:12 . 2007-05-13 17:49 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Creative
    2010-04-16 02:09 . 2007-05-13 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-13 11:49 . 2008-03-15 00:47 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-13 04:41 . 2008-08-04 04:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-13 04:41 . 2008-09-21 01:13 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-04-13 03:07 . 2010-04-13 03:07 1181 ----a-w- c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
    2010-04-13 03:07 . 2010-04-13 03:07 1181 ----a-w- c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
    2010-04-06 04:54 . 2007-06-26 01:24 -------- d-----w- c:\program files\SpeedFan
    2010-04-06 04:23 . 2008-10-03 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\nHancer
    2010-04-06 03:58 . 2007-09-20 23:50 -------- d-----w- c:\documents and settings\Chum Family\Application Data\nHancer
    2010-04-04 20:38 . 2007-06-18 22:37 -------- d-----w- c:\program files\MSN Games
    2010-04-03 17:44 . 2007-12-09 04:02 -------- d-----w- c:\program files\Click'N Design 3D (V5)
    2010-04-03 17:05 . 2007-12-19 14:39 -------- d-----w- c:\program files\The Great Tree
    2010-04-03 17:05 . 2007-09-01 22:50 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-03-30 05:46 . 2008-08-04 04:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 05:45 . 2008-08-04 04:31 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-29 01:38 . 2008-03-16 23:57 -------- d-----w- c:\program files\Amazon
    2010-03-29 01:34 . 2007-05-13 17:17 47664 ----a-w- c:\documents and settings\Chum Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-27 05:14 . 2008-08-07 02:44 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-03-27 04:14 . 2008-08-07 02:45 -------- d-----w- c:\program files\Windows Desktop Search
    2010-03-18 10:23 . 2007-05-13 16:12 -------- d-----w- c:\program files\bfgclient
    2010-03-18 10:22 . 2010-03-18 10:21 3085800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
    2010-03-18 10:21 . 2007-05-27 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2010-03-08 01:20 . 2008-12-24 13:00 -------- d-----w- c:\program files\Oberon Media
    2010-03-06 16:28 . 2010-03-14 23:18 1030144 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.exe
    2010-03-05 01:00 . 2010-03-05 01:00 -------- d-----w- c:\documents and settings\Chum Family\Application Data\GTM_Bodie
    2010-03-04 17:58 . 2010-03-04 17:58 1184984 ----a-r- c:\windows\system32\wvc1dmod.dll
    2010-02-24 21:45 . 2010-02-24 21:45 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Boomzap
    2010-02-24 12:42 . 2010-02-24 12:41 -------- d-----w- c:\program files\Awakening - The Dreamless Castle
    2010-02-23 04:22 . 2010-02-23 04:20 -------- d-----w- c:\program files\Rhiannon - Curse of the Four Branches
    2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\documents and settings\Chum Family\Application Data\BigFishGames
    2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\documents and settings\Chum Family\Application Data\BfgBar
    2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\program files\BfgBar
    2010-02-19 05:06 . 2010-02-19 05:05 -------- d-----w- c:\program files\Penny Dreadfuls Sweeney Todd
    2010-02-19 03:14 . 2010-02-19 03:14 -------- d-----w- c:\program files\IrfanView
    2010-02-17 15:48 . 2010-03-14 23:18 432640 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.scr
    2010-02-16 05:04 . 2007-09-04 01:38 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-02-16 03:56 . 2010-02-15 03:00 -------- d-----w- c:\program files\Nightfall Mysteries - Curse of the Opera(2)
    2010-02-16 03:56 . 2008-08-07 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-02-16 03:26 . 2010-02-16 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\vampireville_s1_l1_gF5524T1L1_d827659757.exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\love-and-death-bitten_s1_l1_gF5578T1L1_d859589501.exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\haunted-manor-lord-of-mirrors_s1_l1_gF5597T1L1_d860232223.exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\haunted-manor-lord-of-mirrors_s1_l1_gF5597T1L1_d856562713.exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dominic-cranes-dreamscape-mystery_s1_l1_gF5610T1L1_d853117596[1].exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dark-parables-curse-briar-rose-collectors_s1_l1_gF5523T1L1_d828746418[1].exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\alice-in-wonderland_s1_l1_gF5535T1L1_d828725970[1].exe
    2010-02-03 21:19 . 2010-02-03 21:19 3028800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
    2010-01-22 09:50 . 2010-02-16 03:24 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2007-11-03 13:31 . 2007-11-03 13:33 774144 ----a-w- c:\program files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "nwiz"="nwiz.exe" [2008-10-07 1630208]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-03-01 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2010-01-09 19:11 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
    backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk
    backup=c:\windows\pss\Color Calibration.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
    backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
    backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
    backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Chum Family^Start Menu^Programs^StartUp^..]
    path=c:\documents and settings\Chum Family\Start Menu\Programs\StartUp\..
    backup=c:\windows\pss\..Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Chum Family^Start Menu^Programs^StartUp^Antimalware Doctor.lnk]
    path=c:\documents and settings\Chum Family\Start Menu\Programs\StartUp\Antimalware Doctor.lnk
    backup=c:\windows\pss\Antimalware Doctor.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2006-08-11 19:45 74752 ----a-w- c:\windows\system32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2006-08-22 13:52 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
    2007-06-16 13:13 230512 ----a-w- c:\program files\Yahoo!\Antivirus\CAVTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
    2007-06-16 13:13 185456 ----a-w- c:\program files\Yahoo!\Antivirus\CAVRid.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
    2003-06-18 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 05:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2006-08-11 19:56 17920 ----a-w- c:\windows\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
    2006-08-11 19:56 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
    2006-08-11 19:53 42496 ----a-w- c:\windows\system32\CTXFIREG.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
    2007-06-17 02:18 207680 ----a-w- c:\program files\GIGABYTE\ET5\GUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVGAPrecision]
    2008-10-27 16:28 240656 ----a-w- c:\utillities\EVGA Precision\EVGAPrecision.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
    2006-07-12 22:58 356352 ----a-w- c:\windows\system32\JMRaidTool.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2006-02-19 07:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
    2006-07-07 23:14 576320 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    2005-08-24 12:51 442455 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 20:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nHancer]
    2009-01-27 00:37 1295872 ----a-w- c:\program files\nHancer\nHancer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-10-07 18:33 13574144 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    2007-07-03 17:32 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-10-07 18:33 86016 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2008-10-07 18:33 1630208 ----a-w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-05-27 15:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
    2003-06-12 14:47 135168 ----a-w- c:\program files\Creative\MediaSource\RemoteControl\RcMan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-12-08 22:35 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
    2002-11-13 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
    2002-12-03 23:06 45056 ----a-w- c:\program files\Creative\SB Drive Det\SBDrvDet.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-06-10 09:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-04-13 11:49 2010864 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
    2006-07-21 15:43 407032 ----a-w- c:\progra~1\Yahoo!\YOP\yop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ALG"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Games\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
    "c:\\Games\\Sshock2\\SHOCK2.EXE"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 66632]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [5/17/2007 10:50 PM 16512]
    S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 12872]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = 127.0.0.1
    LSP: c:\windows\system32\VetRedir.dll
    Trusted Zone: aol.com\free
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Chum Family\Application Data\Mozilla\Firefox\Profiles\crmim0ui.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
    FF - plugin: c:\program files\Google\Google Updater\2.2.1273.1045\npCIDetect12.dll
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-54639c77 - c:\windows\system32\kamujibi.dll
    MSConfigStartUp-appreg70700 - c:\documents and settings\Chum Family\Application Data\26C02D090F760013493CEDE478DDE5E3\appreg70700.exe
    MSConfigStartUp-CPM5750afeb - c:\windows\system32\wepanibe.dll
    MSConfigStartUp-CreateCD50 - c:\progra~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    MSConfigStartUp-davclnt - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\davclnt.exe
    MSConfigStartUp-ewrgetuj - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\geurge.exe
    MSConfigStartUp-hf8wefhuaihf8ewfydiujhfdsfdf - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\m6hhw2py7i.exe
    MSConfigStartUp-hsf87efjhdsf87f3jfsdi7fhsujfd - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\cmd.exe
    MSConfigStartUp-net - c:\windows\system32\net.net
    MSConfigStartUp-RelevantKnowledge - c:\program files\RelevantKnowledge\rlvknlg.exe
    MSConfigStartUp-SMrhcndej0e77a - c:\program files\rhcndej0e77a\rhcndej0e77a.exe
    MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    MSConfigStartUp-wabiyohejo - c:\windows\system32\kiyihapa.dll
    MSConfigStartUp-YVIBBBHA8C - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\Aqg.exe
    AddRemove-am-bornintodarkness - c:\program files\RealArcade\Installer\bin\gameinstaller.exe
    AddRemove-EVEREST Home Edition_is1 - c:\utilites\EVEREST Home Edition\unins000.exe
    AddRemove-FastCrawl_is1 - c:\program files\FastCrawl\ReflexiveArcade\unins000.exe
    AddRemove-MailWasher Pro_is1 - c:\program files\FireTrust\MailWasher Pro\unins000.exe
    AddRemove-Quest3DGiza 3d - c:\documents and settings\Chum Family\Desktop\Q3DUnInst.exe
    AddRemove-SShockDeinstallKey - c:\games\New Sshock2\SShocku.log
    AddRemove-Viscape Universal - c:\program files\Superscape\Viscape Universal\Uninst.isu



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-16 19:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA27AC8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf764bfc3
    \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
    \Driver\atapi -> atapi.sys @ 0xbae727b4
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
    ParseProcedure -> ntoskrnl.exe @ 0x8057c745
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
    ParseProcedure -> ntoskrnl.exe @ 0x8057c745
    NDIS: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xbad78ba0
    PacketIndicateHandler -> NDIS.sys @ 0xbad85b21
    SendHandler -> NDIS.sys @ 0xbad6387b
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-436374069-1364589140-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-436374069-1364589140-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:76,51,6d,86,88,ff,4a,09,a1,23,35,70,c5,b3,27,43,fb,62,e6,4d,6e,8b,ce,
    b0,9c,d8,38,1d,7b,59,5b,f7,7c,10,c4,4b,26,74,2c,df,d1,ca,a7,df,39,a1,ec,ef,\
    "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
    "Appinit_Dlls"=" wbpqvz.dll "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(596)
    c:\windows\system32\WININET.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    - - - - - - - > 'lsass.exe'(656)
    c:\windows\system32\WININET.dll
    c:\windows\system32\VetRedir.dll
    c:\windows\system32\ISafeIf.dll

    - - - - - - - > 'explorer.exe'(3640)
    c:\windows\system32\WININET.dll
    c:\windows\system32\VetRedir.dll
    c:\windows\system32\ISafeIf.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\CTsvcCDA.exe
    c:\program files\nHancer\nHancerService.exe
    c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\System32\locator.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-16 19:59:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-17 00:59

    Pre-Run: 183,880,577,024 bytes free
    Post-Run: 185,497,059,328 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    - - End Of File - - D6BC7F63D46EDBD8DDD287F9E6C99E86
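    As an added example for this thread (not ComboFix's own code, and not something any of the helpers here posted), the checker below walks a ComboFix-style report and flags the kinds of entries that stand out in the log above: Security Center override values, the Windows Firewall switched off, an AppInit_Dlls load entry, and orphaned autostart entries whose target sits in a Temp directory. The sample input is a constructed excerpt of that log; the category labels, dataclass and function names are this example's own.

```python
"""Flag security-relevant entries in a ComboFix-style report.

Added example for this thread, not ComboFix's own code or logic. The four
indicator classes are the ones visible in the log above: Security Center
override values, Windows Firewall switched off, an AppInit_Dlls load entry,
and autostart entries that point into a user's Temp directory.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # short label chosen for this example
    key: str        # registry key (or report section) the line belongs to
    detail: str     # value name, DLL name or path that triggered it


KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')      # "Name"=value
STARTUP_RE = re.compile(r"^MSConfigStartUp-(\S+) - (.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample input: excerpts of the ComboFix log posted above,
# reduced to the sections this checker understands.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=" wbpqvz.dll "

MSConfigStartUp-davclnt - c:\docume~1\CHUMFA~1\LOCALS~1\Temp\davclnt.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
"""


def parse_numeric(raw: str):
    """Return the integer in 'dword:00000001' or '0 (0x0)' forms, else None."""
    m = re.match(r"dword:([0-9a-fA-F]+)$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None


def check_report(text: str):
    """Walk the report line by line and collect Findings."""
    findings = []
    current_key = ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)      # remember which key the values below belong to
            continue
        sm = STARTUP_RE.match(line)
        if sm:
            # Orphaned autostart entries whose target lives under ...\Temp\
            if TEMP_DIR_RE.search(sm.group(2)):
                findings.append(Finding("autostart-from-temp", "MSConfigStartUp", sm.group(2)))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, raw = vm.group(1), vm.group(2)
        key_l = current_key.lower()
        num = parse_numeric(raw)
        if "security center" in key_l and name in ("AntiVirusOverride", "FirewallOverride") and num == 1:
            findings.append(Finding("security-center-override", current_key, name))
        elif "security center\\monitoring" in key_l and name == "DisableMonitoring" and num == 1:
            findings.append(Finding("av-monitoring-disabled", current_key, current_key.rsplit("\\", 1)[-1]))
        elif "firewallpolicy\\standardprofile" in key_l and name == "EnableFirewall" and num == 0:
            findings.append(Finding("firewall-disabled", current_key, name))
        elif name.lower() == "appinit_dlls":
            dll = raw.strip().strip('"').strip()   # value is quoted and padded in the report
            if dll:
                findings.append(Finding("appinit-dll", current_key, dll))
    return findings


if __name__ == "__main__":
    for f in check_report(SAMPLE_LOG):
        print(f"{f.category:26} {f.detail}  [{f.key}]")
```

    Running the module prints one line per finding; the same check_report() function can be pointed at the text of a saved report instead of the embedded sample.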
     
  14. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
    • They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    Copy/paste the text inside the Codebox below into notepad:

    Here's how to do that:
    Click Start > Run type Notepad click OK.
    This will open an empty notepad file:

    Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

    Code:
    http://forums.techguy.org/7334058-post13.html
    
    Collect::
    c:\windows\Ajejea.exe
    c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
    c:\Windows\system32\wbpqvz.dll 
    
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
    "Appinit_Dlls"=-
    
    TDL::
    C:\WINDOWS\system32\drivers\atapi.sys
    
    Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

    Save this file to your desktop. Save this as "CFScript".


    Here's how to do that:

    1. Click File;
    2. Click Save As... Change the directory to your desktop;
    3. Change the Save as type to "All Files";
    4. Type in the file name: CFScript
    5. Click Save ...

    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you.
    • Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    **Note**
    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.



    NEXT


    Please delete the copy of GMER that you have on your desktop, then download a fresh copy and re-run GMER.

    Just check the boxes beside "sections" and the C:\ drive, and post the resulting log.
     
  15. Chum

    Chum Thread Starter

    Joined:
    Nov 26, 2000
    Messages:
    1,005
    Here is the new ComboFix log, but when I delete and re-run GMER it does not generate a log.


    ComboFix 10-04-15.05 - Chum Family 04/16/2010 22:31:17.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1715 [GMT -5:00]
    Running from: c:\documents and settings\Chum Family\Desktop\combo.com
    Command switches used :: c:\docume~1\CHUMFA~1\Desktop\CFScript.txt
    AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning disabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

    file zipped: c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
    file zipped: c:\windows\Ajejea.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
    c:\windows\Ajejea.exe

    Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
    .

    2010-04-16 02:11 . 2006-08-11 19:55 10240 ----a-w- c:\windows\CTDCRES.DLL
    2010-04-15 23:51 . 2010-04-15 23:52 -------- d-----w- c:\program files\Haunted Manor - Lord of Mirrors
    2010-04-14 21:15 . 2010-04-14 21:15 47664 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-04-14 00:00 . 2010-04-14 00:00 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-04-13 10:18 . 2010-04-15 01:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-04-13 03:06 . 2010-04-13 03:06 -------- d-----w- C:\spoolerlogs
    2010-04-12 11:51 . 2010-04-12 11:51 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Top Evidence
    2010-04-12 11:51 . 2010-04-12 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Top Evidence
    2010-04-12 02:21 . 2010-04-12 02:21 30544 ----a-w- c:\windows\dirdib.drv
    2010-04-12 02:21 . 2010-04-12 02:21 30464 ----a-w- c:\windows\macromix.dll
    2010-04-11 03:38 . 2010-04-17 03:07 -------- d-----w- C:\SHOCK 2
    2010-04-09 11:35 . 2010-04-09 11:35 -------- d-----w- C:\ProgramData
    2010-04-09 11:06 . 2010-04-09 11:06 -------- d-----w- c:\program files\Dominic Cranes Dreamscape Mystery
    2010-04-06 04:19 . 2010-04-06 04:19 -------- d-----w- c:\windows\nview
    2010-04-06 04:19 . 2008-10-07 18:33 453152 ----a-w- c:\windows\system32\nvudisp.exe
    2010-04-06 04:19 . 2008-10-02 15:07 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
    2010-04-06 04:08 . 2010-04-06 04:08 -------- d-----w- c:\program files\nHancer
    2010-04-03 17:18 . 2010-04-03 17:18 -------- d-----w- c:\documents and settings\Chum Family\Application Data\MSN6
    2010-04-03 17:18 . 2010-04-03 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
    2010-03-29 01:41 . 2010-03-29 01:41 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\IsolatedStorage
    2010-03-29 01:39 . 2010-04-01 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Amazon
    2010-03-27 05:09 . 2010-03-27 05:09 114024 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\windows\system32\XPSViewer
    2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\program files\MSBuild
    2010-03-27 05:09 . 2010-03-27 05:09 -------- d-----w- c:\program files\Reference Assemblies
    2010-03-27 05:08 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-03-27 05:08 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-03-27 05:08 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-03-27 05:08 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-03-27 05:08 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-03-27 05:08 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-03-27 05:08 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-03-27 05:08 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-03-27 05:08 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2010-03-27 05:08 . 2010-03-27 05:08 -------- d-----w- C:\606d8ea6c5f19ac031
    2010-03-27 05:08 . 2010-03-27 05:14 -------- d-----w- c:\windows\SxsCaPendDel
    2010-03-27 04:53 . 2010-03-27 04:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-03-27 04:37 . 2010-03-27 04:37 -------- d-----w- c:\windows\ie8updates
    2010-03-27 04:29 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-03-27 04:29 . 2009-12-21 19:14 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2010-03-27 04:29 . 2009-12-21 19:14 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-03-27 04:29 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-03-27 04:29 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-03-27 04:29 . 2009-12-21 19:14 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2010-03-27 04:29 . 2009-12-21 19:14 11070464 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2010-03-27 04:01 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-27 03:49 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-03-27 03:30 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2010-03-27 02:54 . 2010-03-27 02:54 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-03-19 13:06 . 2010-03-19 13:08 -------- d-----w- c:\documents and settings\Chum Family\Application Data\DarkParablesBriarRose_BFG
    2010-03-19 12:14 . 2010-03-19 12:14 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Merscom
    2010-03-19 12:14 . 2010-03-19 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
    2010-03-19 10:54 . 2010-03-19 10:55 -------- d-----w- c:\program files\Alice in Wonderland
    2010-03-18 20:41 . 2010-03-18 20:41 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Nevosoft
    2010-03-18 11:01 . 2010-03-18 11:02 -------- d-----w- c:\program files\Vampireville
    2010-03-18 10:21 . 2010-03-18 10:22 3085800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-17 02:00 . 2007-06-17 05:55 -------- d-----w- c:\documents and settings\Chum Family\Application Data\MailWasherPro
    2010-04-17 01:02 . 2010-02-21 17:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-17 00:19 . 2007-05-27 23:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-16 02:12 . 2007-05-20 01:56 409600 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-04-16 02:12 . 2007-05-13 17:47 86016 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-04-16 02:12 . 2007-05-13 17:49 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Creative
    2010-04-16 02:09 . 2007-05-13 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-04-13 11:49 . 2008-03-15 00:47 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-13 04:41 . 2008-08-04 04:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-13 04:41 . 2008-09-21 01:13 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-04-06 04:54 . 2007-06-26 01:24 -------- d-----w- c:\program files\SpeedFan
    2010-04-06 04:23 . 2008-10-03 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\nHancer
    2010-04-06 03:58 . 2007-09-20 23:50 -------- d-----w- c:\documents and settings\Chum Family\Application Data\nHancer
    2010-04-04 20:38 . 2007-06-18 22:37 -------- d-----w- c:\program files\MSN Games
    2010-04-03 17:44 . 2007-12-09 04:02 -------- d-----w- c:\program files\Click'N Design 3D (V5)
    2010-04-03 17:05 . 2007-12-19 14:39 -------- d-----w- c:\program files\The Great Tree
    2010-04-03 17:05 . 2007-09-01 22:50 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-03-30 05:46 . 2008-08-04 04:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 05:45 . 2008-08-04 04:31 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-29 01:38 . 2008-03-16 23:57 -------- d-----w- c:\program files\Amazon
    2010-03-29 01:34 . 2007-05-13 17:17 47664 ----a-w- c:\documents and settings\Chum Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-27 05:14 . 2008-08-07 02:44 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-03-27 04:14 . 2008-08-07 02:45 -------- d-----w- c:\program files\Windows Desktop Search
    2010-03-18 10:23 . 2007-05-13 16:12 -------- d-----w- c:\program files\bfgclient
    2010-03-18 10:21 . 2007-05-27 23:12 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2010-03-08 01:20 . 2008-12-24 13:00 -------- d-----w- c:\program files\Oberon Media
    2010-03-06 16:28 . 2010-03-14 23:18 1030144 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.exe
    2010-03-05 01:00 . 2010-03-05 01:00 -------- d-----w- c:\documents and settings\Chum Family\Application Data\GTM_Bodie
    2010-03-04 17:58 . 2010-03-04 17:58 1184984 ----a-r- c:\windows\system32\wvc1dmod.dll
    2010-02-24 21:45 . 2010-02-24 21:45 -------- d-----w- c:\documents and settings\Chum Family\Application Data\Boomzap
    2010-02-24 12:42 . 2010-02-24 12:41 -------- d-----w- c:\program files\Awakening - The Dreamless Castle
    2010-02-23 04:22 . 2010-02-23 04:20 -------- d-----w- c:\program files\Rhiannon - Curse of the Four Branches
    2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\documents and settings\Chum Family\Application Data\BigFishGames
    2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\documents and settings\Chum Family\Application Data\BfgBar
    2010-02-19 22:28 . 2010-02-19 22:28 -------- d-----w- c:\program files\BfgBar
    2010-02-19 05:06 . 2010-02-19 05:05 -------- d-----w- c:\program files\Penny Dreadfuls Sweeney Todd
    2010-02-19 03:14 . 2010-02-19 03:14 -------- d-----w- c:\program files\IrfanView
    2010-02-17 15:48 . 2010-03-14 23:18 432640 ----a-w- c:\windows\system32\MyDefragScreenSaver_v4.2.9.scr
    2010-02-16 05:04 . 2007-09-04 01:38 -------- d-----w- c:\program files\NVIDIA Corporation
    2010-02-16 03:56 . 2010-02-15 03:00 -------- d-----w- c:\program files\Nightfall Mysteries - Curse of the Opera(2)
    2010-02-16 03:56 . 2008-08-07 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\vampireville_s1_l1_gF5524T1L1_d827659757.exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\love-and-death-bitten_s1_l1_gF5578T1L1_d859589501.exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\haunted-manor-lord-of-mirrors_s1_l1_gF5597T1L1_d860232223.exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\haunted-manor-lord-of-mirrors_s1_l1_gF5597T1L1_d856562713.exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dominic-cranes-dreamscape-mystery_s1_l1_gF5610T1L1_d853117596[1].exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\dark-parables-curse-briar-rose-collectors_s1_l1_gF5523T1L1_d828746418[1].exe
    2010-02-03 21:19 . 2010-02-03 21:19 143312 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\stub\alice-in-wonderland_s1_l1_gF5535T1L1_d828725970[1].exe
    2010-02-03 21:19 . 2010-02-03 21:19 3028800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\clientinstaller\bfgsetup_s1_l1.exe
    2010-01-22 09:50 . 2010-02-16 03:24 2283526 ----a-w- c:\windows\system32\nvdata.bin
    2007-11-03 13:31 . 2007-11-03 13:33 774144 ----a-w- c:\program files\RngInterstitial.dll
    .

    ((((((((((((((((((((((((((((( [email protected]_00.52.04 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-17 03:39 . 2010-04-17 03:39 16384 c:\windows\Temp\Perflib_Perfdata_7c8.dat
    + 2007-05-13 17:12 . 2004-08-04 03:59 95360 c:\windows\system32\dllcache\atapi.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 57344]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
    "nwiz"="nwiz.exe" [2008-10-07 1630208]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-03-01 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2010-01-09 19:11 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
    backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Color Calibration.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Color Calibration.lnk
    backup=c:\windows\pss\Color Calibration.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
    backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagicTune 3.6.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MagicTune 3.6.lnk
    backup=c:\windows\pss\MagicTune 3.6.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NaturalColorLoad.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
    backup=c:\windows\pss\NaturalColorLoad.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Chum Family^Start Menu^Programs^StartUp^..]
    path=c:\documents and settings\Chum Family\Start Menu\Programs\StartUp\..
    backup=c:\windows\pss\..Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Chum Family^Start Menu^Programs^StartUp^Antimalware Doctor.lnk]
    path=c:\documents and settings\Chum Family\Start Menu\Programs\StartUp\Antimalware Doctor.lnk
    backup=c:\windows\pss\Antimalware Doctor.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2006-08-11 19:45 74752 ----a-w- c:\windows\system32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2006-08-22 13:52 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
    2007-06-16 13:13 230512 ----a-w- c:\program files\Yahoo!\Antivirus\CAVTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
    2007-06-16 13:13 185456 ----a-w- c:\program files\Yahoo!\Antivirus\CAVRid.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
    2003-06-18 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-04 05:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2006-08-11 19:56 17920 ----a-w- c:\windows\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
    2006-08-11 19:56 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
    2006-08-11 19:53 42496 ----a-w- c:\windows\system32\CTXFIREG.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
    2007-06-17 02:18 207680 ----a-w- c:\program files\GIGABYTE\ET5\GUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVGAPrecision]
    2008-10-27 16:28 240656 ----a-w- c:\utillities\EVGA Precision\EVGAPrecision.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
    2006-07-12 22:58 356352 ----a-w- c:\windows\system32\JMRaidTool.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2006-11-13 18:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2006-02-19 07:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-09-11 09:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
    2006-07-07 23:14 576320 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    2005-08-24 12:51 442455 ----a-w- c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 20:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nHancer]
    2009-01-27 00:37 1295872 ----a-w- c:\program files\nHancer\nHancer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-10-07 18:33 13574144 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    2007-07-03 17:32 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2008-10-07 18:33 86016 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2008-10-07 18:33 1630208 ----a-w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-05-27 15:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteCenter]
    2003-06-12 14:47 135168 ----a-w- c:\program files\Creative\MediaSource\RemoteControl\RcMan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-12-08 22:35 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
    2002-11-13 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
    2002-12-03 23:06 45056 ----a-w- c:\program files\Creative\SB Drive Det\SBDrvDet.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2008-06-10 09:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-04-13 11:49 2010864 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
    2006-07-21 15:43 407032 ----a-w- c:\progra~1\Yahoo!\YOP\yop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ALG"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Games\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
    "c:\\Games\\Sshock2\\SHOCK2.EXE"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 66632]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [5/17/2007 10:50 PM 16512]
    S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 12872]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = 127.0.0.1
    LSP: c:\windows\system32\VetRedir.dll
    Trusted Zone: aol.com\free
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Chum Family\Application Data\Mozilla\Firefox\Profiles\crmim0ui.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-16 22:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-436374069-1364589140-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-436374069-1364589140-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:76,51,6d,86,88,ff,4a,09,a1,23,35,70,c5,b3,27,43,fb,62,e6,4d,6e,8b,ce,
    b0,9c,d8,38,1d,7b,59,5b,f7,7c,10,c4,4b,26,74,2c,df,d1,ca,a7,df,39,a1,ec,ef,\
    "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
    "Appinit_Dlls"=" wbpqvz.dll "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(596)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(652)
    c:\windows\system32\VetRedir.dll
    c:\windows\system32\ISafeIf.dll

    - - - - - - - > 'explorer.exe'(1132)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\CTsvcCDA.exe
    c:\program files\nHancer\nHancerService.exe
    c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\System32\locator.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-16 22:43:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-17 03:43
    ComboFix2.txt 2010-04-17 00:59

    Pre-Run: 185,474,482,176 bytes free
    Post-Run: 185,417,596,928 bytes free

    - - End Of File - - 5DFAC15F9EE8FF76CE8EEFC724DA6E40
Short URL to this thread: https://techguy.org/916528