PDA

View Full Version : Trojans Help Please.



Necrucifer
2009-09-24, 05:06
Here is my hijack this log, hopefully I can get this fixed. Thank you I will return regularly to check this thread and hope someone could be of help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:44 PM, on 9/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe -autorun
O4 - Startup: ikowin32.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8173 bytes

Sorry for double post but I thought this might help.

Malwarebytes' Anti-Malware 1.40
Database version: 2590
Windows 5.1.2600 Service Pack 3

9/23/2009 10:14:58 PM
mbam-log-2009-09-23 (22-14-54).txt

Scan type: Quick Scan
Objects scanned: 89761
Time elapsed: 15 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Michael\Application Data\wiaserva.log (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> No action taken.
C:\WINDOWS\temp\_ex-68.exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\temp\wpv141252921009.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\wpv531253007120.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\wpv631252894422.exe (Trojan.Agent) -> No action taken.

shelf life
2009-09-27, 17:25
hi,

Your log is a few days old, if you still need help with potential malware, reply to the post.

Necrucifer
2009-09-28, 01:12
Yea I am still here needing help and tried getting rid of them in safe mode with malware bytes didnt work and when I tryed it on normal mode I would restart to finish removing the viruses after being told to restart and then a few seconds after back to desktop my screen would then shut off so I avoided doing that so I figured I would come here.

shelf life
2009-09-28, 04:00
ok lets try Dr Web first then when its done try running Malwarebytes again after checking it for updates first:

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit icon to start the program.
* press start
* Allow the program to run the initial express scan
* This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
* Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
* Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
* During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
* Once the scan is complete, on the menu bar, click file and choose report list.
* Save the report to your desktop. The report will be called DrWeb.csv
* Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
* Close Dr.Web Cureit.
* Please post the Dr.Web.txt report in your next reply

Malwarebytes:

Once the program has loaded, click the Update tab, then check for updates. select Scanner tab, Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

Necrucifer
2009-09-30, 20:56
Cureit is running atm and will perform malware bytes afterwards and since it will take a few hours decided to update on my posts so you know I am still active that and I have some questions. I ended the trojans or viruses in my processes a few days ago when I booted so it would not cause further damage so will cureit still pick them up if thats the case? Running it either way so I will post my logs in a few hours as I havent restarted my pc the past 3 or so since it always creates new ones.

shelf life
2009-10-01, 02:40
ok thanks for the info. Yes cureit will still pick up on ended processes. Then check MBAM for updates and try to run it. In any case after MBAM continue with this next download:

Last: we will get one more download to use. Its called combofix. There is a guide to read first which will explain a lot of things. Read through the guide, download combofix to your desktop, disable any AV and anti malware as explained in the guide. Double click the icon and follow the prompts. Post the combofix log also.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Necrucifer
2009-10-01, 10:34
Hey I am back, We had a power outage while running cureit but the 3 trojans popped up during that time 2 of them deleted and 1 was quarantined just to give you info and nothing popped up on it the 2nd time running the short scan.

I continued the full scan of cure it and mbam afterwards. Mbam for some odd reason will not produce a log upon restart anymore though I did find it saved in logs on the program so thankfully here it is.

A0155793.exe;C:\System Volume Information\_restore{07CDAF88-E586-4F69-848A-D1EC062927B7}\RP120;Trojan.Botnetlog.11;Deleted.;
A0155794.sys;C:\System Volume Information\_restore{07CDAF88-E586-4F69-848A-D1EC062927B7}\RP120;Trojan.Spambot.4621;Incurable.Moved.;
A0155795.exe;C:\System Volume Information\_restore{07CDAF88-E586-4F69-848A-D1EC062927B7}\RP120;Trojan.Fakealert.4850;Deleted.;
ikowin32.exeStartup;C:\WINDOWS\pss;Trojan.Botnetlog.11;Deleted.;
732889a4.sys;C:\WINDOWS\system32\drivers;Trojan.Spambot.4621;Incurable.Moved.;
7e0d5626.sys;C:\WINDOWS\system32\drivers;Trojan.Spambot.4621;Incurable.Moved.;
a9560aa2.sys;C:\WINDOWS\system32\drivers;Trojan.Spambot.4621;Incurable.Moved.;
f1e02e46.sys;C:\WINDOWS\system32\drivers;Trojan.Spambot.4621;Incurable.Moved.;
wpv581254042811.exe;C:\WINDOWS\temp;Trojan.Proxy.6310;Incurable.Moved.;
_ex-68.exe;C:\WINDOWS\temp;Trojan.Fakealert.4960;Deleted.;


Malwarebytes' Anti-Malware 1.41
Database version: 2881
Windows 5.1.2600 Service Pack 3

10/1/2009 2:50:20 AM
mbam-log-2009-10-01 (02-50-20).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 255101
Time elapsed: 34 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\11345464 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Michael\DoctorWeb\Quarantine\732889a0.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael\DoctorWeb\Quarantine\732889a4.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael\DoctorWeb\Quarantine\7e0d5626.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael\DoctorWeb\Quarantine\A0155794.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael\DoctorWeb\Quarantine\a9560aa2.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael\DoctorWeb\Quarantine\f1e02e46.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{07CDAF88-E586-4F69-848A-D1EC062927B7}\RP120\A0155806.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{07CDAF88-E586-4F69-848A-D1EC062927B7}\RP120\A0155807.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{07CDAF88-E586-4F69-848A-D1EC062927B7}\RP120\A0155808.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\732889a4.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\11345464\11345464 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\11345464\pc11345464ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Michael\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv141252921009.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv531253007120.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv631252894422.exe (Trojan.Agent) -> Quarantined and deleted successfully.

ComboFix 09-09-30.05 - Michael 10/01/2009 3:03.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.661 [GMT -4:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Michael\{E0BEA186-702D-AEE1-C853-B2F338819BB8}-svchost.exe
c:\documents and settings\Michael\My Documents\cc_20090624_003440.reg

.
((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.

2009-09-30 17:48 . 2009-09-30 17:50 -------- d-----w- c:\documents and settings\Michael\DoctorWeb
2009-09-29 19:35 . 2009-09-29 19:35 -------- d-----w- c:\windows\system32\AGEIA
2009-09-29 19:35 . 2009-09-29 19:35 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-28 13:17 . 2009-09-30 21:44 16 ----a-w- c:\windows\popcinfo.dat
2009-09-28 13:17 . 2009-09-28 13:17 -------- d-----w- c:\program files\PopCap Games
2009-09-28 13:16 . 2009-09-28 13:16 -------- d--h--w- c:\windows\PIF
2009-09-27 22:29 . 2009-09-27 22:29 -------- d-----w- c:\program files\MSXML 6.0
2009-09-26 09:10 . 2009-09-26 09:10 -------- d-----w- c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
2009-09-26 08:27 . 2009-09-27 22:12 -------- d-----w- c:\program files\Aspyr
2009-09-26 08:22 . 2009-09-26 08:24 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-09-26 08:09 . 2009-09-26 23:34 -------- d-----w- c:\windows\LastGood.Tmp
2009-09-26 07:40 . 2007-02-26 22:15 1421216 ----a-w- c:\windows\system32\WdfCoInstaller01001.dll
2009-09-26 07:40 . 2009-09-26 07:40 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2009-09-26 07:26 . 2009-09-27 22:30 -------- d-----w- c:\documents and settings\Michael\Local Settings\Application Data\Aspyr
2009-09-25 22:28 . 2009-09-28 09:58 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-09-25 22:28 . 2009-09-28 09:58 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-09-25 22:28 . 2009-09-28 02:54 -------- d-----w- c:\program files\OpenAL
2009-09-25 22:13 . 2009-09-25 22:13 -------- d-----w- c:\program files\Penumbra
2009-09-25 20:16 . 2009-09-25 20:16 -------- d-----w- c:\program files\PAN Vision
2009-09-25 10:08 . 2009-09-25 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\WhiteCap (Holiday Edition)
2009-09-25 10:08 . 2009-09-25 10:08 -------- d-----w- c:\program files\Winter Fun Pack 2004 for Windows XP
2009-09-24 06:14 . 2009-09-24 06:14 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-24 05:49 . 2009-09-24 05:51 -------- d-----w- c:\documents and settings\Michael\Local Settings\Application Data\Temp
2009-09-24 02:04 . 2009-09-24 02:04 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-23 00:12 . 2009-09-23 00:12 -------- d-sh--w- c:\documents and settings\Michael\PrivacIE
2009-09-23 00:09 . 2009-09-23 00:09 -------- d-sh--w- c:\documents and settings\Michael\IETldCache
2009-09-23 00:06 . 2009-09-23 00:06 -------- d-----w- c:\windows\ie8updates
2009-09-23 00:06 . 2009-09-23 00:06 -------- dc-h--w- c:\windows\ie8
2009-09-23 00:02 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-23 00:02 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-23 00:02 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-20 03:10 . 2009-09-20 03:20 -------- d-----w- c:\documents and settings\Michael\Application Data\Red Alert 3 Uprising
2009-09-16 17:48 . 2009-09-16 17:55 -------- d-----w- c:\program files\Project64 1.6
2009-09-11 21:11 . 2009-09-24 02:14 -------- d-----w- c:\program files\PokerStars
2009-09-10 07:01 . 2009-09-10 07:01 5395280 ----a-w- c:\documents and settings\Michael\mpengine.dll
2009-09-09 16:06 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-02 14:56 . 2009-09-27 22:29 -------- d-----w- c:\program files\Activision
2009-09-02 07:21 . 2009-09-02 07:21 60416 ----a-w- c:\windows\ALCFDRTM.EXE
2009-09-02 07:21 . 2009-09-02 07:21 -------- d-----w- c:\windows\system32\Lang
2009-09-02 02:25 . 2008-04-14 04:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 07:14 . 2009-04-08 20:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 07:01 . 2009-08-14 16:45 -------- d-----w- c:\documents and settings\Michael\Application Data\uTorrent
2009-09-30 17:46 . 2009-07-16 08:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-29 19:34 . 2009-04-08 19:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-28 13:17 . 2009-07-29 10:57 -------- d-----w- c:\program files\Bethesda Softworks
2009-09-28 13:17 . 2009-04-08 21:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-26 08:22 . 2009-07-14 01:17 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-09-26 07:40 . 2009-09-26 07:40 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-09-25 17:02 . 2009-04-13 21:21 -------- d-----w- c:\program files\SpeedFan
2009-09-25 10:31 . 2009-06-20 15:36 -------- d-----w- c:\documents and settings\Michael\Application Data\Skype
2009-09-25 10:19 . 2009-06-20 15:37 -------- d-----w- c:\documents and settings\Michael\Application Data\skypePM
2009-09-25 09:47 . 2009-08-24 09:02 -------- d-----w- c:\documents and settings\Michael\Application Data\vlc
2009-09-24 06:15 . 2009-09-24 06:14 -------- d-----w- c:\program files\DivX
2009-09-23 22:25 . 2009-09-23 22:25 0 ----a-w- c:\documents and settings\LocalService\SEPB.tmp
2009-09-23 21:32 . 2009-09-23 21:32 131072 ----a-w- c:\documents and settings\LocalService\B86FFCE18B714C9218.tmp
2009-09-23 21:32 . 2009-09-23 21:32 131072 ----a-w- c:\documents and settings\LocalService\ACDB1F95B01F829A11.tmp
2009-09-23 21:31 . 2009-09-23 21:31 131072 ----a-w- c:\documents and settings\LocalService\793301CFDCB914CFC0.tmp
2009-09-23 21:31 . 2009-09-23 21:31 43727 ----a-w- c:\documents and settings\LocalService\43B04F981738424DB4.tmp
2009-09-23 05:32 . 2009-04-08 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-20 02:58 . 2009-06-06 16:52 -------- d-----w- c:\program files\Electronic Arts
2009-09-16 21:02 . 2009-06-18 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-16 16:21 . 2009-06-25 01:25 -------- d-----w- c:\program files\Voyage Century Online
2009-09-10 18:54 . 2009-07-16 08:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-07-16 08:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 07:00 . 2009-06-06 01:24 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 02:43 . 2009-09-06 02:43 616448 --sha-w- c:\documents and settings\LocalService\kny37fjy.TMP
2009-08-30 02:37 . 2009-08-30 02:37 120 ----a-w- c:\windows\Fsatupujaxakuqe.dat
2009-08-29 15:46 . 2009-08-29 15:46 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-08-29 06:36 . 2009-08-08 13:18 -------- d-----w- c:\program files\DOSBox-0.73
2009-08-28 01:19 . 2009-04-10 05:51 14840 ----a-w- c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 11:22 . 2009-06-17 20:56 -------- d-----w- c:\documents and settings\Michael\Application Data\DAEMON Tools Pro
2009-08-26 11:10 . 2009-04-09 23:12 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-26 11:06 . 2009-07-29 13:44 -------- d-----w- c:\program files\DAEMON Tools
2009-08-26 02:14 . 2009-08-26 02:14 -------- d-----w- c:\program files\7-Zip
2009-08-26 00:22 . 2009-08-23 00:50 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-08-24 08:57 . 2009-08-24 08:57 -------- d-----w- c:\program files\VideoLAN
2009-08-23 00:50 . 2009-08-23 00:50 -------- d-----w- c:\documents and settings\Michael\Application Data\Atari
2009-08-23 00:42 . 2009-04-11 02:47 -------- d-----w- c:\program files\Atari
2009-08-22 04:48 . 2009-08-22 04:48 -------- d-----w- c:\program files\Infogrames Interactive
2009-08-22 04:27 . 2009-08-22 04:27 0 ----a-w- c:\windows\PowerReg.dat
2009-08-15 20:53 . 2009-08-15 20:37 -------- d-----w- c:\documents and settings\Michael\Application Data\SUPERAntiSpyware.com
2009-08-15 20:53 . 2009-08-15 20:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-15 20:37 . 2009-08-15 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-15 20:36 . 2009-04-08 19:19 -------- d-----w- c:\program files\SpywareBlaster
2009-08-15 15:50 . 2009-08-15 15:46 -------- d-----w- c:\program files\PC Tools Firewall Plus
2009-08-15 15:49 . 2009-08-15 15:49 -------- d-----w- c:\documents and settings\Michael\Application Data\PCToolsFirewallPlus
2009-08-15 15:47 . 2009-08-15 15:46 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-15 04:43 . 2009-08-14 19:53 -------- d-----w- c:\program files\Java
2009-08-14 20:19 . 2009-08-14 20:18 -------- d-----w- c:\documents and settings\Michael\Application Data\Camfrog
2009-08-14 20:18 . 2009-08-14 20:18 -------- d-----w- c:\program files\Camfrog
2009-08-14 17:01 . 2009-07-14 01:10 -------- d-----w- c:\program files\zMUD
2009-08-12 03:47 . 2009-08-12 03:47 -------- d-----w- c:\program files\PowerISO
2009-08-11 00:29 . 2009-08-11 00:29 -------- d-----w- c:\program files\Koei
2009-08-10 12:40 . 2009-08-10 12:40 -------- d-----w- c:\program files\Trend Micro
2009-08-10 12:17 . 2009-04-08 19:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 23:51 . 2009-08-07 23:51 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-07 23:51 . 2009-08-07 23:51 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-08-05 09:01 . 2004-08-04 04:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 02:43 . 2009-07-27 02:43 58908 ----a-w- c:\windows\system32\drivers\scdemu.sys
2009-07-25 09:23 . 2009-08-14 19:53 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 04:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 00:17 . 2009-09-24 06:15 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-07-14 00:17 . 2009-09-24 06:15 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-07-14 00:17 . 2009-09-24 06:15 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-07-14 00:17 . 2009-09-24 06:15 129784 ------w- c:\windows\system32\pxafs.dll
2009-07-14 00:17 . 2009-09-24 06:15 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-07-14 00:17 . 2009-09-24 06:15 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-07-14 00:15 . 2009-07-14 00:15 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-07-14 00:15 . 2009-07-14 00:15 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-07-14 00:15 . 2009-07-14 00:15 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-07-14 00:15 . 2009-07-14 00:15 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-07-14 00:15 . 2009-07-14 00:15 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-07-14 00:15 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\DivX.dll
2009-07-13 23:10 . 2009-07-13 23:10 0 ----a-w- c:\documents and settings\LocalService\sluBC.tmp
2009-07-13 23:10 . 2009-07-13 23:10 0 ----a-w- c:\documents and settings\LocalService\sluBB.tmp
2009-07-13 23:10 . 2009-07-13 23:10 0 ----a-w- c:\documents and settings\LocalService\sluBA.tmp
2009-07-03 17:09 . 2004-08-04 04:56 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2002-08-29 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-24 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^winter fun wallpaper changer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Winter Fun Wallpaper Changer.lnk
backup=c:\windows\pss\Winter Fun Wallpaper Changer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^Galactic Civilizations II Launcher.lnk]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\Galactic Civilizations II Launcher.lnk
backup=c:\windows\pss\Galactic Civilizations II Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^ikowin32.exe]
path=c:\documents and settings\Michael\Start Menu\Programs\Startup\ikowin32.exe
backup=c:\windows\pss\ikowin32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Saga\\Game\\battlegrounds_x1.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Voyage Century Online\\voyagecentury.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2/11/2005 6:11 PM 16640]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [8/15/2009 11:47 AM 159600]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/5/2009 9:23 PM 55152]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [8/15/2009 11:47 AM 73840]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/24/2007 6:15 PM 547744]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [7/20/2007 6:40 PM 84992]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [6/18/2009 9:07 AM 33792]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [8/15/2009 11:46 AM 95640]
S0 kiaxaw;kiaxaw;c:\windows\system32\drivers\dbgexaoj.sys --> c:\windows\system32\drivers\dbgexaoj.sys [?]
S0 onlnkgc;onlnkgc;c:\windows\system32\drivers\abbz.sys --> c:\windows\system32\drivers\abbz.sys [?]
S0 pfgeww;pfgeww;c:\windows\system32\drivers\rfufo.sys --> c:\windows\system32\drivers\rfufo.sys [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-776561741-682003330-1004Core.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-24 05:49]

2009-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-776561741-682003330-1004UA.job
- c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-24 05:49]
.
.
------- Supplementary Scan -------
.
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Michael\Application Data\Mozilla\Firefox\Profiles\yhbp5tqx.default\
FF - plugin: c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XUL Cache: {A3FAE8AC-8D08-4226-BD34-1CE8BD20434D} - c:\documents and settings\Michael\Local Settings\Application Data\{A3FAE8AC-8D08-4226-BD34-1CE8BD20434D}\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-openal - c:\program files\OpenAL\OpenAL 2.0.3



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 03:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-776561741-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1202660629-776561741-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Koei\ N W_1*1*]
"Order"=hex:08,00,00,00,02,00,00,00,0c,03,00,00,01,00,00,00,06,00,00,00,82,00,
00,00,00,00,00,00,74,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,62,00,32,\

[HKEY_USERS\S-1-5-21-1202660629-776561741-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:04,d3,2c,ff,14,fe,5f,0e,6f,d0,06,89,32,ea,ac,06,13,cb,59,0a,7a,bb,2a,
74,9d,e8,64,12,e9,a4,8c,f7,c2,64,93,63,20,69,24,4f,4a,a7,55,e3,af,a2,56,1d,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12

[HKEY_USERS\S-1-5-21-1202660629-776561741-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:3d,21,df,16,33,e4,74,6a,e2,ad,35,67,19,63,00,d3,31,8d,3e,94,96,
3f,df,0d,48,ee,66,03,3e,36,92,f4,87,a2,e1,a5,d5,de,64,9b,fe,16,b8,19,fa,78,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

[HKEY_LOCAL_MACHINE\software\Classes\L*i*n*k*S*a*n*1*1*R*e*s*.*A*v*`P**[*V*!  \CLSID]
@="{8C306064-52F3-4724-A485-3C44005E7ACA}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1180)
c:\windows\System32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2504)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-01 3:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-01 07:19

Pre-Run: 79,598,673,920 bytes free
Post-Run: 80,127,143,936 bytes free

283 --- E O F --- 2009-09-23 20:29

shelf life
2009-10-03, 01:49
hi,

ok thanks for all the info. One more download to get as a check for malware. Its called SDfix and only runs in safe mode. Link and directions:

Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt in your reply

Necrucifer
2009-10-05, 17:57
I am going to have to go to safe mode, but it would not let me start mbam or drweb as the exe's could not be found and from another nasty. I will try to install these in safe mode and run them if you want and post logs but I am going to keep them just incase you need them so if there is anything else you would want me to do while doing so let me know.

Necrucifer
2009-10-05, 18:11
Think you could help me out? I cant run dr web or mbam anymore as when I try to redownload or resetup mbam .exe becomes missing. I can only use spybot so I have not a clue and am pretty much screwed now. I was going to do a system restore but I doubt that would rly help. Thank you I will be back shortly.

shelf life
2009-10-06, 00:27
Just run Sdfix in safe mode if you can.

Necrucifer
2009-10-06, 01:42
I decided to run this in safe mode since I had the time...I keep getting trojans from who knows where though and I cant scan still even once I think I removed them since spybot only does so much but seems a dll is missing and idk I hate virtumonde :/


SDFix: Version 1.240
Run by Michael on Mon 10/05/2009 at 06:27 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\final.jpg - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 18:33:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk not found (null)\system32\config\system
scanning hidden registry entries ...

disk not found (null)\system32\config\software
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:Torrent"
"C:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Saga\\Game\\battlegrounds_x1.exe"="C:\\Program Files\\LucasArts\\Star Wars Galactic Battlegrounds Saga\\Game\\battlegrounds_x1.exe:*:Enabled:Star Wars Galactic Battlegrounds: Clone Campaigns"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"="C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe:*:Enabled:Left 4 Dead"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Voyage Century Online\\voyagecentury.exe"="C:\\Program Files\\Voyage Century Online\\voyagecentury.exe:*:Enabled:Voyage Century Online"
"C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"="C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe:*:Enabled:Veoh Web Player "
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system32\\logonui.exe"="C:\\WINDOWS\\system32\\logonui.exe:*:Enabled:logonui"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 9 Jun 2009 616,448 A.SH. --- "C:\Documents and Settings\LocalService\jk5i7wqy.TMP"
Sat 5 Sep 2009 616,448 A.SH. --- "C:\Documents and Settings\LocalService\kny37fjy.TMP"
Tue 28 Jul 2009 1,548,120 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sun 5 Jul 2009 26,624 A.SH. --- "C:\WINDOWS\system32\bunamige.dll"
Sun 5 Jul 2009 52,224 A.SH. --- "C:\WINDOWS\system32\heterute.dll"
Sun 5 Jul 2009 52,224 A.SH. --- "C:\WINDOWS\system32\liyerano.dll"
Sun 5 Jul 2009 1,048,611 A.SH. --- "C:\WINDOWS\system32\mawivawo.exe"
Sun 5 Jul 2009 1,048,099 A.SH. --- "C:\WINDOWS\system32\tatetimo.exe"
Sun 5 Jul 2009 52,224 A.SH. --- "C:\WINDOWS\system32\todakova.dll"
Sun 5 Jul 2009 1,048,611 A.SH. --- "C:\WINDOWS\system32\wahewuvu.exe"
Thu 9 Apr 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 11 Jul 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 14 Jul 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Thu 13 Aug 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv04.tmp"
Wed 29 Jul 2009 2,834 ...HR --- "C:\Documents and Settings\Michael\Application Data\SecuROM\UserData\securom_v7_01.bak"
Mon 19 Nov 2007 3,481,600 A..H. --- "C:\Documents and Settings\Michael\Application Data\U3\temp\Launchpad Removal.exe"
Mon 7 Sep 2009 234,879 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7e2110c803604799bad6cc14ba892658\download\BITD.tmp"

Finished!

shelf life
2009-10-06, 04:05
ok we will use combofix. Please disable any AV etc before starting.

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:



File::
C:\WINDOWS\system32\bunamige.dll
C:\WINDOWS\system32\heterute.dll
C:\WINDOWS\system32\liyerano.dll
C:\WINDOWS\system32\mawivawo.exe
C:\WINDOWS\system32\tatetimo.exe
C:\WINDOWS\system32\todakova.dll
C:\WINDOWS\system32\wahewuvu.exe
c:\windows\system32\drivers\dbgexaoj.sys
c:\windows\system32\drivers\abbz.sys
c:\windows\system32\drivers\rfufo.sys

Driver::
kiaxaw
onlnkgc
pfgeww




Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop.
Using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log.

We will also get another download to use. Link and directions:

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply along with the combofix log.

Necrucifer
2009-10-07, 16:42
Hey, Thanks for the help but I eventually got a blue screen and can not start it back up. I tryed normal reboot 3 times and safe mode twice, last known configuration once. I guess I will have to take it in though when I find the time.

shelf life
2009-10-08, 03:35
ok your welcome. A reformat re-install of windows could only be a good thing. Once you are back up and running here are a few tips to help remain malware free;



10 Tips for Reducing/Preventing Your Risk To Malware:

Simply knowing what constitutes a safe action on a computer and what may not will help you tremendously.

1) It is essential to Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check there version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and your then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html)that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If you frequently have malware then you should review your computer habits.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.*

8) Install and understand the limitations of a software firewall.

9) A utility (http://nsslabs.com/general/ie8-hardening-tool.html)for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. You can also manually make the changes yourself. Read the FAQ's. Changes some of the default settings of IE 8.0

10) Warez, cracks etc are very popular for carrying malware payloads. Avoid. If you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.